Security teams are under constant pressure to keep pace with explosive data growth, increasingly sophisticated threats, and evolving compliance mandates. The new integration between Cribl Stream and SentinelOne Singularity AI SIEM is designed to help organizations of all sizes (and the MSSPs that support them) take control of their security data, optimize operations, and accelerate threat detection.
That’s right: Cribl Stream now natively integrates with Singularity AI SIEM, enabling you to seamlessly route, filter, and enrich high-volume security data from any source. This means you can send only the most actionable information to SentinelOne’s analytics engine, reducing noise, improving SOC efficiency, and driving down SIEM storage and analysis costs.
SentinelOne’s Singularity AI SIEM provides a unified approach — combining endpoint, cloud, identity, EDR, SOAR, and AI-driven SIEM capabilities into a single platform. This integration brings together SentinelOne’s AI-powered SIEM solution and Cribl Stream’s vendor-agnostic data routing to give security teams unprecedented flexibility and control.
Key Benefits for Security Teams
Optimize your SIEM investment: Filter and enrich data before ingestion, ensuring only relevant events reach Singularity AI SIEM.
Accelerate threat detection: Enable faster investigations and more effective threat hunting with context-rich, actionable data.
Streamline migration and compliance: Simultaneously route data to your legacy SIEM and Singularity AI SIEM, preserving historical data and ensuring compliance during POC, testing, and transition.
Flexible, vendor-agnostic routing: Support analytics, compliance, and data lake initiatives by sending data to multiple destinations as needed.
No additional agents required: Simplify deployment with direct integration. (No extra collectors or agents necessary!)
How It Works
With this integration, Cribl Stream acts as the central nervous system for your security data, aggregating and transforming information from third-party sources and delivering it directly to Singularity AI SIEM. Whether you’re modernizing your SIEM, optimizing costs, or supporting compliance initiatives, Cribl Stream empowers your team to extract maximum value from every event.
If you’re planning a migration from a legacy SIEM to Singularity AI SIEM, Cribl Stream enables you to route security-relevant data to both platforms in parallel. This reduces migration costs, minimizes downtime, and ensures historical data is preserved for compliance and analysis.
The following section walks through how to get started with the integration, including API key creation, configuration, and validation steps.
Getting Started
Before you begin, ensure that you have Admin access to both platforms. You will create an API token in the Singularity AI SIEM platform and enter that token into the new Singularity AI SIEM destination in Cribl Stream. You do this once per data source in Cribl Stream, which gives a direct mapping to the Singularity AI SIEM parsers, as you will see below. That’s it; no custom Pipelines required (use the passthru Pipeline). If you choose to optimize events before sending them to Singularity AI SIEM to maximize your SentinelOne investment, be sure to understand the impact on the parsers. For particularly voluminous data sources, optimization is an important strategy: it lets you maximize the number of data sources powering various activities in your SOC, and so make quantifiable strides in coverage of the cybersecurity framework of your choosing (e.g., MITRE ATT&CK).
Generate Your API Key in Singularity SIEM
Log into your Singularity AI SIEM console, select “Policy & Settings” from the left menu, then select “API Keys” to create your API key. Be sure to set your API Access to “write”, as Cribl Stream will be sending events into the API. Copy that key; we will use it each time we create an instance of the Singularity AI SIEM destination, following a per-data-source approach. Also note that a “Parsers” option is listed just above the “API Keys” option. This is where you can locate the exact name of the parser you need to specify in the Stream Singularity AI SIEM tile configuration.

Generate Corelight Traffic for Testing in Singularity AI SIEM
Cribl Stream’s datagen feature enables you to generate sample data for troubleshooting Routes, Pipelines, and Functions, and for validating data received in Singularity AI SIEM.
Several datagen template files ship with the product, out of the box. You can create others from sample files, imports, or live captures. For this example, I downloaded this Corelight Pack from the Cribl Packs Dispensary for access to sample data that will be used to create a datagen for sending Corelight HTTP events into Singularity AI SIEM. Our goal is to verify that the Corelight events Cribl Stream is sending are parsed correctly.
Perform the Following to Create a Corelight Datagen for HTTP Events:
After the pack is installed using the above links, examine the various samples included in the Corelight pack and click the edit icon next to the file named “CL_HTTP_300.log”.
Click “Edit Sample” to copy one or more of the events you would like to replay and edit the events in a text editor to include only the original raw event text, one per line.
Next, we need to create a datagen but we need to exit from the Corelight pack scope. Click on the Default Worker Group at the top of the Stream menu then select “Processing” and “Pipelines”.
Click “Import Data”, provide a file name, select “Create a Datagen File”, paste your Corelight HTTP events, and select “Save as Datagen File”.
From the top of your Stream menu, select “Data”, then select “Sources”.
Near the bottom of the Sources pane, click on the Datagen tile.
Click on the “Add Source” button.
Provide an Input ID that you will use later for routing, and select your datagen from the dropdown as shown below. We don’t want to flood our SIEM with events, so we set Events Per Second Per Worker Node to 1.

Configure an Instance of the Singularity AI SIEM Destination in Cribl Stream
We are going to create an instance of our Singularity AI SIEM destination for each data source. In this case we are going to send the Cribl Stream datagen’d Corelight HTTP data directly to Singularity AI SIEM by first creating an instance of the new destination then connecting our datagen source to our Singularity AI SIEM via routing. Make sure you have your API Token that was created in the Singularity console from above.
You should now see a new destination titled Singularity AI SIEM in your Cribl Stream Data > Destinations collection. Click the “Add Destination” button and populate the fields as shown below.

Select “Event Fields” on the left menu to provide Singularity AI SIEM with context about each event. The help text for each of the fields is listed below. The “parser expression” field value needs to match the exact parser name as it is listed in the Singularity AI SIEM parser listing. Populate your fields as shown below.

Help text for each of the fields:
serverHost expression - JavaScript expression to compute serverHost value to be inserted into events
logFile expression - JavaScript expression to compute logFile value to be inserted into events
parser expression - JavaScript expression to compute parser value to be inserted into events and used to parse data into AI SIEM. If you have a custom parser, replace 'dottedJson' with the name of your parser
dataSource.category expression - JavaScript expression to compute dataSource.category value to be inserted into events. The default is 'security' to leverage additional features in SentinelOne AI SIEM
dataSource.name expression - JavaScript expression to compute dataSource.name value to be inserted into events. This value should reflect the name of the type of data being inserted into AI SIEM
dataSource.vendor expression - JavaScript expression to compute dataSource.vendor value to be inserted into events. This value should reflect the vendor of the data being inserted into AI SIEM
event.type expression - JavaScript expression to compute event.type value to be inserted into events (optional). The event.type acts as a label, grouping events into meaningful categories like "Process Creation", "File Modification", "Network Connection", etc
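Because each Event Fields value is a JavaScript expression, a literal such as a parser name has to be quoted and has to match the console's parser listing exactly. The following is an added example, not Cribl or SentinelOne code, that models this check in plain JavaScript before you save the destination; the sample event, the placeholder parser name 'corelight-http-example', and the with-based evaluation are assumptions made for illustration.

```javascript
// Added example: models the Event Fields step outside Cribl Stream (not vendor code).
// Assumption: parser names as copied from the "Parsers" page of the console.
// 'corelight-http-example' is a placeholder, not a real parser name.
const consoleParsers = ['dottedJson', 'corelight-http-example'];

// Constructed sample event standing in for one datagen'd Corelight HTTP record.
const sampleEvent = { host: 'sensor-01', source: 'http.log', _raw: '{"method":"GET"}' };

// Evaluate one expression with the event's fields in scope (simplified model).
function evalExpression(expr, event) {
  try {
    const fn = new Function('__e', `with (__e) { return (${expr}); }`);
    return { value: fn(event) };
  } catch (err) {
    return { error: err.message };
  }
}

// Return a list of problems for a set of Event Fields expressions.
function checkEventFields(fields, event, parsers) {
  const problems = [];
  for (const [name, expr] of Object.entries(fields)) {
    const { value, error } = evalExpression(expr, event);
    if (error) {
      problems.push(`${name}: does not evaluate (${error}); quote literal strings`);
    } else if (typeof value !== 'string' || value.trim() === '') {
      problems.push(`${name}: evaluates to ${JSON.stringify(value)}, expected a non-empty string`);
    } else if (name === 'parser' && !parsers.includes(value)) {
      const near = parsers.find((p) => p.toLowerCase() === value.trim().toLowerCase());
      problems.push(`parser: '${value}' is not an exact match` + (near ? `; did you mean '${near}'?` : ''));
    }
  }
  return problems;
}

// Constructed expression sets: one clean, one with two common mistakes.
const good = {
  serverHost: 'host',                    // field reference, resolved from the event
  logFile: 'source',                     // field reference
  parser: "'corelight-http-example'",    // quoted literal, exact parser name
  'dataSource.category': "'security'",   // quoted literal
  'event.type': "'Corelight-http'",      // quoted literal
};
// Mistakes: wrong-case parser name, and an unquoted literal.
const bad = { ...good, parser: "'DottedJson'", 'dataSource.category': 'security' };
```

Calling `checkEventFields(bad, sampleEvent, consoleParsers)` reports the wrong-case parser name and the unquoted `security`, the two mistakes that otherwise only surface later as unparsed events in Event Search.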
Configure Routing
At the top of the Cribl Stream menu, click “Routing” and “Data Routes”. We need to connect our datagen to our Corelight HTTP instance of Singularity AI SIEM: click “Add Route” and configure your route as shown below. The Filter and Destination values from the previous steps should be available in the dropdowns. Make certain the route appears before the “default” route. Click “Save”, “Commit”, then “Update”.

Validate Successful Parsing in Singularity AI SIEM
Log into your Singularity console and select “Event Search” to examine how the events are landing in Singularity AI SIEM and to validate that they are being parsed properly. Select “All Data” and filter the events to isolate our Corelight datagen with “event.type='Corelight-http'”.

Click on one of the events in the results pane to look more closely at the event metadata which validates that the parser is correctly extracting fields into the Singularity AI SIEM Open Cybersecurity Schema Framework (OCSF) data schema.

For more information on why SentinelOne chose to standardize on OCSF and the benefits it provides, review this blog: “What is OCSF (Open Cybersecurity Schema Framework)?”.
Ready to Get Started?
The integration between Cribl Stream and SentinelOne Singularity AI SIEM empowers security and IT teams to modernize their operations, optimize costs, and accelerate threat detection — all with the flexibility and control required by today’s dynamic environments. By filtering, enriching, and routing only the most actionable data to Singularity AI SIEM, you can boost SOC efficiency, simplify compliance, and ensure your organization is ready for whatever comes next.
Whether you’re migrating over from a legacy SIEM, tackling compliance requirements, or looking to maximize the value of your security data, this partnership delivers a future-proof solution trusted by leading enterprises and MSSPs worldwide.