Cribl is The Data Engine for Security and IT data, and integrations fuel our mission. Since day one, Cribl has been delivering new Stream integrations to meet customers where they are in their data management journey. No matter where customer data resides or needs to go, we want to be there for every customer. It’s your data, and Cribl was created to help you unlock it.
In May of this year, Cribl doubled down on its commitment to expanding its integration catalog with the introduction of Cribl’s Technology Alliance Partnership (TAP) program. They say you have to go together to go far, and TAP does just that. In joining the program, Cribl Alliance partners can work together with Cribl experts to deliver tight, native integrations with the full support of Cribl resources. One industry-leading vendor with a rich alliance history with Cribl that has taken advantage of the TAP program is CrowdStrike.
Cribl began its partnership with CrowdStrike in 2021 with a shared goal of helping customers collect, transform, and route data to the CrowdStrike platform for optimized search, storage, and analysis. In the 4.8.2 release, in partnership with CrowdStrike, we are happy to announce the new CrowdStrike Falcon Next-Gen SIEM Destination. This integration allows customers to route critical security and IT data to CrowdStrike’s Next-Gen SIEM destination, accelerating their SOC modernization.
CrowdStrike Falcon Next-Gen SIEM provides a modern approach to threat detection, investigation, and response. While traditional SIEMs collect and analyze logs from various IT systems to detect security incidents, they often struggle with scale, latency, and data integrity when put to the test of modern security teams. Falcon Next-Gen SIEM overcomes these challenges by leveraging a cloud-native architecture, advanced analytics, and AI to provide more effective and scalable security monitoring and threat detection. Plus, it accelerates investigations with workflow automation and blazing-fast search, up to 150x faster than legacy SIEMs. When you tack on Cribl Stream to unify data from multiple third-party sources, you can simplify data onboarding and routing for seamless migration from a legacy SIEM to a Falcon Next-Gen SIEM.
Setting up data flow from Cribl Stream to CrowdStrike Falcon Next-Gen SIEM will require action within both platforms. Before you start, ensure you have admin permissions in your Cribl Stream product and admin access in your CrowdStrike Falcon environment.
Setting Up a Data Connector in CrowdStrike
Log into CrowdStrike.
In the main menu, select Next-Gen SIEM, then Data onboarding.
On the Data Source page, search or scroll to the “Cribl Data Connector” and click the tile to start the connector setup.
In the Add new connector page, select a Vendor, select a Product, enter a Connector name, and enter a Description (optional). In the Parser details, choose from existing parsers or Create a new parser. Acknowledge the Terms and Conditions. Select Save.
The connector will begin initializing.
When the connector is ready, click the Generate API key option in the banner.
Copy the API key and API URL. These will be referenced when setting up the Cribl Stream destination.
Log in to Cribl, navigate to Stream, and select a worker group. Select Data > Destinations.
Search or scroll to the CrowdStrike Falcon Next-Gen SIEM tile. Click the tile and select Add Destination.
Enter an Output ID. Enter the Next-Gen SIEM endpoint, which is the same API URL you copied during the CrowdStrike connector setup. Set Request format to JSON. Select the Authentication method you prefer.
If you chose Manual, enter the API key from the CrowdStrike connector setup in the Next-Gen SIEM auth token field.
Select Save.
Commit and Deploy.
Within Cribl Stream, after Committing and Deploying, the CrowdStrike Falcon Next-Gen SIEM destination will change from blue to green status.
Click anywhere in the destination line item to see Destination details.
Select the Test tab. The Test tab has an event loaded by default; use the Select sample dropdown to choose other event samples. Use the default event sample or select one from the dropdown, then select Run Test. A status message appears at the bottom: green indicates that Cribl Stream authenticated successfully and transmitted the data.
Log into CrowdStrike Falcon Next-Gen SIEM.
In CrowdStrike Falcon Next-Gen SIEM, select Event search from the menu.
In the Source dropdown, select Third Party. Select Run query.
Events will appear. Select an individual event to see more.
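When the Test tab reports a failure, it helps to reproduce the same send outside Cribl Stream to tell a destination misconfiguration (wrong URL, pasted key with trailing whitespace, plain-HTTP endpoint) apart from a problem on the CrowdStrike side. The script below is an added example written for this post; it is not Cribl's or CrowdStrike's code. It uses the three values the destination asks for (endpoint, API key, JSON request format) and assumes the connector accepts a JSON POST with a Bearer token in the Authorization header, which this post does not state; the sample event is constructed.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample event, standing in for the sample the Cribl Test tab sends.
SAMPLE_EVENT = {
    "timestamp": "2024-06-01T12:00:00Z",
    "host": "example-host",
    "source": "cribl-stream-test",
    "message": "connectivity check from Cribl Stream destination setup",
}


def build_test_request(endpoint: str, api_key: str, event: dict) -> dict:
    """Validate the destination settings and assemble one JSON request.

    The three inputs mirror the destination fields: Next-Gen SIEM endpoint
    (the connector's API URL), auth token (the API key) and JSON format.
    The Authorization header and Bearer scheme are an assumption about the
    connector's wire format, not something this post states.
    """
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or not parsed.netloc:
        # The API key is a bearer credential; never send it over plain HTTP.
        raise ValueError("endpoint must be an https:// URL")
    if not api_key or api_key.strip() != api_key:
        # Surrounding whitespace is the usual copy/paste mistake with API keys.
        raise ValueError("API key is empty or has surrounding whitespace")
    return {
        "url": endpoint,
        "headers": {
            "Authorization": f"Bearer {api_key}",  # assumed auth scheme
            "Content-Type": "application/json",
        },
        "body": json.dumps(event).encode("utf-8"),
    }


def send_test_event(endpoint: str, api_key: str, event: dict = SAMPLE_EVENT,
                    timeout: float = 10.0) -> int:
    """POST one event and return the HTTP status code (2xx means accepted)."""
    spec = build_test_request(endpoint, api_key, event)
    req = urllib.request.Request(spec["url"], data=spec["body"],
                                 headers=spec["headers"], method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # A 401/403 points at the key, a 404 at the URL; both are worth seeing.
        return exc.code


if __name__ == "__main__":
    # Read the secret from the environment rather than hard-coding it.
    endpoint = os.environ["NGSIEM_ENDPOINT"]
    api_key = os.environ["NGSIEM_API_KEY"]
    status = send_test_event(endpoint, api_key)
    print("accepted" if 200 <= status < 300 else f"rejected: HTTP {status}")
```

Run it with `NGSIEM_ENDPOINT` and `NGSIEM_API_KEY` exported in the shell; a 2xx means the same credentials should work in the Cribl destination, and the event should then show up under Source = Third Party in Event search.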
Learn more about Cribl’s Next Gen SIEM integration:
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.