A single, scalable experience that surfaces the true value of Cloud SIEM integrations — from day one and beyond.
Cloud SIEM has dozens of integrations — each bundled with detection rules, dashboards, and workflows. But customers had no single place to see what was available or how to turn it on.
Detection rules lived in one part of the product. Dashboards in another. Docs on a separate site. Users who wanted to enable an integration had to visit three or four different pages, figure out the right log source configuration (which lived in an entirely separate product — Logs), and hope they got everything right.
The result: missed signals, broken setups, and support tickets from customers who thought they were configured but were actually missing critical log sources. The value was there — customers just couldn't find it or activate it.
Customers were paying for Cloud SIEM but not getting its full value — because the activation path was too fragmented to navigate.
Enabling one integration meant configuring log sources in Logs, finding detection rules in SIEM, then discovering dashboards elsewhere. Miss a step and the whole chain breaks silently.
Users had no way to preview what an integration would give them before committing to configuration. Decisions about which integrations to prioritize were made blind.
No shared pattern for surfacing content or monitoring health. Each integration had its own structure, making it impossible to scale onboarding as Datadog added more sources.
Three months from exploration to GA. Designed a system that launched with 53 integrations and is still scaling.
Ran heuristic reviews across every SIEM setup flow. Identified that the biggest drop-off happened between "I found an integration" and "I have it working" — the activation gap. Catalogued high-value content scattered across docs, product UI, and GTM materials.
Defined a three-level information architecture: Gallery (browse all integrations) → Content Pack (see everything one integration offers) → Activation Panel (configure and verify). Introduced pre-activation and post-activation states so the UI adapts to where you are in the setup journey.
Built and tested three UI directions: tile-based grid, side panel drill-in, and accordion expand. Validated with stakeholders and detection PMs. Landed on gallery + detail panel for the best balance of discoverability and depth at scale.
One reusable pattern that shows what each integration delivers, guides activation, and catches misconfigurations before they become silent failures.
Each Content Pack bundles everything for a single integration — detection rules, dashboards, workflows, documentation — into one scrollable page. No more jumping between four different product areas to understand what an integration offers.
Users can browse every detection rule, dashboard, and workflow before they configure anything. An "Activate This Content Pack" CTA makes the commitment clear. Empty states explain exactly what log sources to configure — making invisible prerequisites visible.
After activation, status indicators show whether log sources are actually flowing. "Broken Configuration" banners surface problems before they cause missed signals. Newly added content — like a dashboard update — appears instantly instead of getting buried in a changelog.
A single browsable index of all available integrations — what is activated, what is available, what is partially configured. The top 5 integrations are surfaced on the Cloud SIEM Overview page. This became the starting point for every security onboarding flow.
We designed for 30+ integrations. We shipped 53 at launch, with 20+ on the roadmap. The same pattern is now shared across Cloud SIEM, CSM, and ASM — and engineering is reusing the pack layout for Marketplace rule publishing.
Launched with 53 Content Packs. Now the default onboarding pattern for all security products at Datadog.
Dropped from 2.5 days to 1.4 days. 22% more orgs enabled at least one integration in their first week.
Content Pack Gallery visits increased 2.7× after launch. Top integrations now visible directly on the Cloud SIEM Overview.
Audit Logs misconfiguration tickets dropped 38%. Empty state nudges drove a 48% increase in proper log ingestion.
Up from 3.1 to 4.3 out of 5. Global source enablements increased 35% across the platform.
20+ more on the roadmap. The pattern now powers all Security Onboarding and Setup flows.
Engineering reusing the layout in Marketplace publishing. Architecture supports future AI recommendations and usage insights.