Library
Instant gratification, packaged
Tenzir packages are snackable bundles of pipelines and enrichment tables—so you can parse, enrich, and route like a boss without starting from scratch.
alphaMountain
alphaMountain provides up-to-date domain and IP intelligence for cybersecurity investigational and protection platforms.
This package provides the alphamountain-threats context for enrichment and pipelines that periodically update the feed.
Amazon Security Lake
Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources.
This package provides pipelines for writing OCSF events to Amazon Security Lake using the S3-based ingestion format.
NOTE: Before you can write events to the Security Lake, you must configure a custom source per event type in Security Lake and ensure the Tenzir Node has write permissions to the S3 bucket in the respective source directory. The package assumes that you adhere to the Tenzir naming scheme tnz-ocsf-XXXX, where XXXX is the class UID of an OCSF event class.
AWS VPC Flow Logs
AWS VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. This package provides utilities for ingesting, parsing, and analyzing VPC Flow Log data.
This package provides:
Raw VPC Flow Log events on the aws topic as aws.vpc_flow events
OCSF-formatted network activity events on the ocsf topic as ocsf.network_activity events
To use this package, you must configure your AWS VPC to log to S3 in text format as described in the AWS documentation.
Cisco Umbrella
The Cisco Umbrella package onboards DNS Log data from a Cisco Umbrella S3 Bucket.
DCSO TIE
The DCSO Threat Intelligence Engine (TIE) provides premium threat intelligence feeds from Deutsche Cyber-Sicherheitsorganisation (DCSO), a leading European provider of threat intelligence services. DCSO delivers high-fidelity APT and threat intelligence with deep analysis of threats and campaigns, offering European sovereign intelligence sources for enhanced security operations.
For detailed API documentation and IOC schema definitions, refer to the DCSO TIE API documentation.
This package provides the dcso-tie context for enrichment and pipelines that periodically update the feed, enabling real-time threat detection and intelligence-driven security workflows.
Demo Data Generator
This package provides a live Zeek and Suricata event feed for demo purposes. It generates synthetic network security events based on realistic patterns, including DNS queries, HTTP traffic, SSL connections, and potential security alerts. The generated data is ideal for testing pipelines, developing detections, and demonstrating Tenzir's capabilities without requiring actual network traffic or production data.
Demo Node
This package provides sample data and example pipelines to play with. Every cloud-hosted demo node has this package installed by default.
The package imports Zeek and Suricata logs generated from a PCAP taken from a modified version of the M57-Patents dataset, a forensics research corpus created by Woods et al. in 2001. We enhanced this PCAP by also injecting traffic from malware samples.
Feodo Abuse Blocklist
Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with Dridex, Emotet (aka Heodo), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor). It offers various blocklists, helping network owners to protect their users from these banking trojans and malware families.
This package provides a lookup table context that automatically updates hourly with the latest aggressive IP blocklist, enabling real-time threat detection and prevention against known botnet infrastructure.
Fortinet FortiGate
Fortinet FortiGate appliances provide network security by combining firewall, VPN, and intrusion prevention features.
This package makes it easy to onboard the logs that FortiGate generates, publishing the events to the fortinet topic.
FoxIO JA4+
The FoxIO JA4+ Database provides context for various JA4+ fingerprints, such as operating system, device, library, and user agent.
This package provides multiple contexts for enrichment, each of which contains a subset of the JA4+ database for a particular JA4+ type and a corresponding pipeline that periodically refreshes the context.
Geo Open
Free IP geolocation using Geo Open MMDB databases from CIRCL, the Computer Incident Response Center Luxembourg. Geo Open provides daily snapshots of IP-to-country and IP-to-ASN mappings in MaxMind database format, offering a privacy-respecting alternative to commercial geolocation services.
This package provides two GeoIP contexts for IP enrichment: country-only lookups for basic geographic attribution and combined country+ASN lookups for more detailed network analysis, with automatic daily updates to ensure accuracy.
NXLog
NXLog is a cross-platform log management solution that collects, parses, and forwards logs from various sources using a modular architecture. It supports a wide range of input and output modules, enabling seamless integration with different log sources and destinations across Windows, Linux, and other platforms.
This package provides pipelines to receive and process NXLog data in JSON format via TCP or TLS connections, making it easy to centralize log collection from distributed NXLog agents.
OCSF OSINT Enrichment
This package provides a lookup table context for enriching OCSF events with OCSF OSINT objects, enabling threat intelligence integration within your security data pipeline. The OSINT context allows you to correlate events with known threat indicators from various open-source intelligence feeds. By enriching OCSF-formatted security events with threat intelligence data, analysts can quickly identify malicious activity and prioritize incident response efforts.
OCSF Trimming
Reduces the size of OCSF events by trimming optional and recommended fields based on configurable size settings. Supports three trimming levels:
S (Small): removes optional and recommended fields
M (Medium): removes optional fields only
L (Large): keeps all fields and derives string fields for enum fields
Palo Alto Networks
Palo Alto Networks solutions analyze and control network traffic by identifying applications and users, facilitating effective policy enforcement and threat prevention.
This package simplifies the process of integrating and managing logs generated by Palo Alto Networks devices.
Send to Slack
The Slack package makes it easy to send data from a pipeline to a Slack channel using incoming webhooks, enabling real-time security alerts and notifications. Configure the package with your Slack app's webhook URL to automatically forward critical events, detection results, or aggregated metrics directly to your team's communication channels. This integration supports custom message formatting and allows security teams to stay informed about important events without leaving their collaboration workspace.
Sophos
The Sophos package onboards data from various Sophos APIs. OCSF mapping pipelines create the respective findings.
Splunk
This package enables seamless data export to Splunk via the HTTP Event Collector (HEC), allowing you to integrate Tenzir pipelines with your existing Splunk infrastructure.
Configure the package with your HEC endpoint and token to stream processed security events, metrics, or any structured data directly into Splunk indexes. The integration supports both cloud and on-premises Splunk deployments, making it easy to leverage Tenzir's data processing capabilities while maintaining your Splunk-based analytics and alerting workflows.
SSLBL
The SSL Blocklist (SSLBL) is a project of abuse.ch that identifies and tracks SSL certificates used by malware or botnet C&C servers.
This package provides a lookup table containing SHA1 hashes of blacklisted certificates, automatically refreshed hourly from the abuse.ch API. Security teams can use this context to detect and block malicious SSL/TLS connections by enriching network traffic logs with certificate reputation data.
Suricata
Suricata is an open-source network monitoring and threat detection tool.
This package provides pipelines to onboard Suricata logs, as well as mapping pipelines that translate Suricata EVE JSON to OCSF events.
ThreatFox
ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. The platform collects and validates IOCs from vetted researchers and automatically tracks malware campaigns across various threat families. This package provides multiple lookup table contexts for different IOC types (IPs, domains, URLs, and hashes) with pipelines that periodically refresh from the ThreatFox API, enabling automated threat detection and enrichment across your security data.
Zeek
Zeek is an open-source network security monitor that provides rich logs about network activity.
This package provides pipelines to onboard Zeek logs, as well as mapping pipelines that translate Zeek logs to OCSF events.
Zscaler Internet Access
Zscaler Internet Access (ZIA) is a cloud-native secure web gateway that provides comprehensive security for users accessing the internet from any location or device.
This package enables ingestion and processing of ZIA logs, including web traffic, firewall, DNS, and tunnel events, providing visibility into your organization's internet activity and security posture. The package includes OCSF mapping pipelines that transform ZIA events into standardized formats, making it easy to correlate Zscaler data with other security tools in your environment.
© 2025 Tenzir GmbH. All rights reserved.