At Cribl, we have the privilege of helping our customers achieve their strategic data goals by giving them visibility and control over all of their observability data. The reality today is that data is spread across many places. Whether that spread is intentional (such as using Cribl Stream to build a security data lake) or unintentional (because of silos and tool sprawl), organizations want to access and analyze all of this information at any time. One such time is a security investigation, for example when our analytics tool or SIEM has flagged a potential indicator of compromise (IOC). What if we could send that signal to a simple, intuitive workflow engine that automatically searches our data estate for related logs over a chosen time window? And what if we could take those results and route or store them to our destination(s) of choice? Since it’s #CybersecurityAwarenessMonth, we’d like to give you a jump start on your incident alerting and SOAR processes!
Enter Tines, a platform purpose-built to automate and integrate processes like the security orchestration, automation, and response (SOAR) playbook described above. With Tines and Cribl Search, we can take an IOC from our SIEM and search our data in place, returning any relevant results from an automated runbook. There’s no reason to push data around needlessly or query it by hand!
Consider the scenario where we have data stored outside of our SIEM that we need to query based on our IOC, a suspicious IP address:
Our SIEM kicks off an alert (1) that is received by Tines and includes a suspicious IP address. Tines helps construct a query that is sent to the Cribl Search API for a configured time range and this IOC (2). Cribl Search executes the query against our data in place – data that may never have been sent to the SIEM, is still sitting on the host, or has aged out of the SIEM and been archived to a data lake. The matching results are returned by Search to Tines (3), which can parse and format them for delivery to the desired destination (4).
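To make the four steps concrete, here is an added example of the runbook written as a small Python script; it is not code from Cribl or Tines. The Cribl Search request and response shapes (a Kusto-style `dataset=... | where ...` query, an `{"items": [...]}` envelope, the `src_ip`/`dest_ip`/`action` field names and the `firewall_archive` dataset) are assumptions, the alert and archive records are constructed samples, and the HTTP call to the Search API is replaced by an offline stand-in so the script runs as-is. The part worth copying is step 2: the IOC comes from an alert body that an attacker can influence, so it is validated as a literal IP address before it is interpolated into the query.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# (1) Alert from the SIEM as Tines would receive it. Constructed sample, not real data.
SAMPLE_ALERT = {
    "rule": "Outbound connection to suspicious host",
    "ioc": {"type": "ip", "value": "203.0.113.45"},
    "detected_at": "2023-10-12T14:05:00Z",
}

# Constructed sample of records that live outside the SIEM (archive / still on a host).
# Field names and the {"items": [...]} envelope below are assumptions about the API.
SAMPLE_ARCHIVE = [
    {"_time": "2023-10-12T13:58:11Z", "host": "web-02", "src_ip": "10.0.4.17", "dest_ip": "203.0.113.45", "action": "allow"},
    {"_time": "2023-10-12T14:04:52Z", "host": "web-02", "src_ip": "10.0.4.17", "dest_ip": "203.0.113.45", "action": "allow"},
    {"_time": "2023-10-12T14:06:40Z", "host": "fw-edge", "src_ip": "203.0.113.45", "dest_ip": "10.0.4.17", "action": "deny"},
    {"_time": "2023-10-09T02:00:00Z", "host": "web-02", "src_ip": "10.0.4.17", "dest_ip": "203.0.113.45", "action": "allow"},  # outside window
    {"_time": "2023-10-12T14:00:00Z", "host": "db-01", "src_ip": "10.0.4.9", "dest_ip": "198.51.100.7", "action": "allow"},  # unrelated
]


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def extract_ioc_ip(alert: dict) -> str:
    """(2a) Validate the IOC before it goes anywhere near a query string.
    The alert body is attacker-influenced data: ipaddress.ip_address() accepts only a
    bare address, so quotes, pipes or operators smuggled into the value raise ValueError
    instead of being interpolated into the search."""
    ioc = alert.get("ioc", {})
    if ioc.get("type") != "ip":
        raise ValueError("this runbook handles IP IOCs only")
    return str(ipaddress.ip_address(ioc["value"]))


def time_window(detected_at: str, before_hours: int = 24, after_hours: int = 1):
    """(2b) Search window around the detection: look back for precursors and a
    little forward for follow-on activity. The 24h/1h defaults are arbitrary."""
    t = parse_ts(detected_at)
    return t - timedelta(hours=before_hours), t + timedelta(hours=after_hours)


def build_query(ip: str, dataset: str = "firewall_archive") -> str:
    """(2c) Kusto-style pipeline as an assumption of Cribl Search syntax.
    `ip` has already been validated; the dataset name is allow-listed the same way."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", dataset):
        raise ValueError("unexpected dataset name")
    return (
        f'dataset="{dataset}" | where src_ip == "{ip}" or dest_ip == "{ip}" '
        "| project _time, host, src_ip, dest_ip, action"
    )


def fake_search(query: str, earliest: str, latest: str) -> dict:
    """Offline stand-in for the HTTP call to the Cribl Search API (endpoint and auth
    not shown). It applies the IP and time filters to SAMPLE_ARCHIVE so the round
    trip behaves like a real search over the constructed data."""
    ip = re.search(r'== "([^"]+)"', query).group(1)
    lo, hi = parse_ts(earliest), parse_ts(latest)
    items = [
        r for r in SAMPLE_ARCHIVE
        if ip in (r["src_ip"], r["dest_ip"]) and lo <= parse_ts(r["_time"]) <= hi
    ]
    return {"items": items}


def run_runbook(alert: dict, search_fn) -> dict:
    """Steps 1-4 end to end. `search_fn` is injected so the real API client can be
    swapped in; (4) shapes the hits into a summary a ticket or chat message can carry."""
    ip = extract_ioc_ip(alert)
    start, end = time_window(alert["detected_at"])
    query = build_query(ip)
    hits = search_fn(query=query, earliest=start.isoformat(), latest=end.isoformat()).get("items", [])  # (3)
    return {
        "ioc": ip,
        "query": query,
        "window": [start.isoformat(), end.isoformat()],
        "hit_count": len(hits),
        "hosts": sorted({h["host"] for h in hits}),
        "first_seen": min((h["_time"] for h in hits), default=None),
        "blocked": sum(1 for h in hits if h.get("action") == "deny"),
    }


if __name__ == "__main__":
    print(json.dumps(run_runbook(SAMPLE_ALERT, fake_search), indent=2))
```

Against the constructed archive the runbook returns three hits on two hosts (one of them a deny at the edge firewall), drops the record from three days earlier because it falls outside the window, and ignores the unrelated flow. An alert whose IOC value is `203.0.113.45" or 1==1` is rejected by `extract_ioc_ip` before any query is built. In Tines the validation and query-building steps map roughly onto Event Transform actions and the call itself onto an HTTP Request action, with the API credential held in a Tines credential rather than in the query body.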
No one likes starting from scratch (except during the pandemic when baking was all the rage), so Tines has a Library with hundreds of prebuilt workflows to get you going quickly. The Cribl Story is available for you today to get a jump start on your automation and playbooks. It has everything you need to get started, including places to set authentication and the API calls to get the queries going:
And with Cribl Search, organizations are rethinking where to keep their data. Before, getting these results would have meant one of three workarounds. One option is to send all data to the SIEM and retain it there. This usually means higher license and storage costs and puts additional load on the SIEM. Another option is some form of rehydration: reloading old index files or re-ingesting large amounts of archived data. Processing this way is cumbersome, slow, and usually carries high labor and infrastructure costs. Finally, we might lean on a storage provider’s native capability to search the data. While helpful, those tools usually come with a steep learning curve and do nothing for data stored with other providers.
Search allows us to store information in cost-effective ways, like with object storage, and gives us control and flexibility over retention and lifecycle policies. Data lakes quickly become even more valuable with the ability to easily search them in place. Having data in multiple places is no longer an obstacle; we can access this across platforms at will. All of this in turn lets us maximize the value we can achieve out of our other analytics tools.
If you haven’t already, you should try out Tines! What will you build with their smart, secure workflow platform? Sign up for free today or talk to their team to learn more. Cribl Search is available with every Cribl Cloud account. Sign up today for a free account to gain instant access to Cribl Search!
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.
We offer free training, certifications, and a generous free usage plan across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started. We also offer a hands-on Sandbox for those interested in how companies globally leverage our products for their data challenges.
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.