alphaMountain provides up-to-date domain and IP intelligence for cybersecurity investigational and protection platforms.

This package provides the alphamountain-threats context for enrichment and pipelines that periodically update the feed.

Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources.

This package provides pipelines for writing OCSF events to Amazon Security Lake using the S3-based ingestion format.

NOTE: Before you can write events to the Security Lake, you must configure a custom source per event type in Security Lake and ensure the Tenzir Node has write permissions to the S3 bucket in the respective source directory. The package assumes that you adhere to the Tenzir naming scheme tnz-ocsf-XXXX where XXXX is the class UID of an OCSF event class.

AWS VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. This package provides utilities for ingesting, parsing, and analyzing VPC Flow Log data.

This package provides:

• Raw VPC Flow Log events on the aws topic as aws.vpc_flow events

• OCSF-formatted network activity events on the ocsf topic as ocsf.network_activity events

To use this package, you must configure your AWS VPC to log to S3 in text format as described in the AWS documentation.

The Cisco Umbrella package onboards DNS Log data from a Cisco Umbrella S3 Bucket.

The DCSO Threat Intelligence Engine (TIE) provides premium threat intelligence feeds from Deutsche Cyber-Sicherheitsorganisation (DCSO), a leading European provider of threat intelligence services. DCSO delivers high-fidelity APT and threat intelligence with deep analysis of threats and campaigns, offering European sovereign intelligence sources for enhanced security operations.

For detailed API documentation and IOC schema definitions, refer to the DCSO TIE API documentation.

This package provides the dcso-tie context for enrichment and pipelines that periodically update the feed, enabling real-time threat detection and intelligence-driven security workflows.

This package provides a live Zeek and Suricata event feed for demo purposes. It generates synthetic network security events based on realistic patterns, including DNS queries, HTTP traffic, SSL connections, and potential security alerts. The generated data is ideal for testing pipelines, developing detections, and demonstrating Tenzir's capabilities without requiring actual network traffic or production data.

This package provides sample data and example pipelines to play with. Every cloud-hosted demo node has this package installed by default.

The package imports a Zeek and Suricata logs that run on a PCAP from a modified version of the M57-Patents dataset, a forensics research corpus generated by Woods at al. in 2001. We enhanced this PCAP by also injecting traffic from malware samples.

Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with Dridex, Emotet (aka Heodo), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor). It offers various blocklists, helping network owners to protect their users from these banking trojans and malware families.

This package provides a lookup table context that automatically updates hourly with the latest aggressive IP blocklist, enabling real-time threat detection and prevention against known botnet infrastructure.

Fortinet FortiGate appliances provide network security by combining firewall, VPN, and intrusion prevention features.

This package makes it easy to onboard the logs that FortiGate generates, publishing the events to the fortinet topic.

The FoxIO JA+ Database provides context for various JA+ fingerprints, such as operating system, device, library, user agent.

This package provides multiple contexts for enrichment, each of which contains a subset of the JA4+ database for a particular JA4+ type and a corresponding pipeline that periodically refreshes the context.

Free IP geolocation using Geo Open MMDB databases from CIRCL, the Computer Incident Response Center Luxembourg. Geo Open provides daily snapshots of IP-to-country and IP-to-ASN mappings in MaxMind database format, offering a privacy-respecting alternative to commercial geolocation services.

This package provides two GeoIP contexts for IP enrichment: country-only lookups for basic geographic attribution and combined country+ASN lookups for more detailed network analysis, with automatic daily updates to ensure accuracy.

NXLog is a cross-platform log management solution that collects, parses, and forwards logs from various sources using a modular architecture. It supports a wide range of input and output modules, enabling seamless integration with different log sources and destinations across Windows, Linux, and other platforms.

This package provides pipelines to receive and process NXLog data in JSON format via TCP or TLS connections, making it easy to centralize log collection from distributed NXLog agents.

This package provides a lookup table context for enriching OCSF events with OCSF OSINT objects, enabling threat intelligence integration within your security data pipeline. The OSINT context allows you to correlate events with known threat indicators from various open-source intelligence feeds. By enriching OCSF-formatted security events with threat intelligence data, analysts can quickly identify malicious activity and prioritize incident response efforts.

Reduces the size of OCSF events by trimming optional and recommended fields based on configurable size settings. Supports three trimming levels:

• S (Small): removes optional and recommended fields

• M (Medium): removes optional fields only

• L (Large): keeps all fields and derives string fields for enum fields

Palo Alto Networks solutions analyze and control network traffic by identifying applications and users, facilitating effective policy enforcement and threat prevention.

This package simplifies the process of integrating and managing logs generated by Palo Alto Networks devices.

The Slack package makes it easy to send data from a pipeline to a Slack channel using incoming webhooks, enabling real-time security alerts and notifications. Configure the package with your Slack app's webhook URL to automatically forward critical events, detection results, or aggregated metrics directly to your team's communication channels. This integration supports custom message formatting and allows security teams to stay informed about important events without leaving their collaboration workspace.

The Sophos package onboards data from various Sophos APIs. OCSF mapping pipelines create the respective findings.

This package enables seamless data export to Splunk via the HTTP Event Collector (HEC), allowing you to integrate Tenzir pipelines with your existing Splunk infrastructure.

Configure the package with your HEC endpoint and token to stream processed security events, metrics, or any structured data directly into Splunk indexes. The integration supports both cloud and on-premises Splunk deployments, making it easy to leverage Tenzir's data processing capabilities while maintaining your Splunk-based analytics and alerting workflows.

The SSL Blocklist (SSLBL) is a project of abuse.ch that identifies and tracks SSL certificates used by malware or botnet C&C servers.

This package provides a lookup table containing SHA1 hashes of blacklisted certificates, automatically refreshed hourly from the abuse.ch API. Security teams can use this context to detect and block malicious SSL/TLS connections by enriching network traffic logs with certificate reputation data.

Suricata is an open-source network monitoring and threat detection tool.

This package provides pipelines to onboard Suricata logs, as well as mapping pipelines that translate Suricata EVE JSON to OCSF events.

ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. The platform collects and validates IOCs from vetted researchers and automatically tracks malware campaigns across various threat families. This package provides multiple lookup table contexts for different IOC types (IPs, domains, URLs, and hashes) with pipelines that periodically refresh from the ThreatFox API, enabling automated threat detection and enrichment across your security data.

Zeek is an open-source network security monitor that provides rich logs about network activity.

This package provides pipelines to onboard Zeek logs, as well as mapping pipelines that translate Zeek logs to OCSF events.

Zscaler Internet Access (ZIA) is a cloud-native secure web gateway that provides comprehensive security for users accessing the internet from any location or device.

This package enables ingestion and processing of ZIA logs, including web traffic, firewall, DNS, and tunnel events, providing visibility into your organization's internet activity and security posture. The package includes OCSF mapping pipelines that transform ZIA events into standardized formats, making it easy to correlate Zscaler data with other security tools in your environment.