In today’s landscape, what’s considered security data has expanded to encompass more diverse data types like network data, behavioral analytics, and application metrics. These sources are now essential for a comprehensive security strategy, and visibility into all that data makes proactive threat detection possible. That said, organizations often struggle to process data from various vendors and merge telemetry sets to gain a complete view of their environments. CrowdStrike and Cribl have partnered to bring you a new native capability that enables just that: CrowdStream.
Besides being your new favorite portmanteau (move over, Speidi, and brunch), CrowdStream brings the flexibility of Cribl Stream to CrowdStrike Falcon® LogScale. This enables security teams to ingest and normalize data from a wide range of sources seamlessly into Falcon LogScale or Amazon S3 (and S3 data lakes) for later replay and analysis.
But how does this work exactly? What’s the process for enabling and configuring CrowdStream? Why is it spicy?
This blog will cover the basic “What is this?” question as well as some quick steps to get started. Moving data into Falcon LogScale has never been easier.
You’re probably reading this blog because you already know one of the two products in the opening section, so I’ll keep the descriptions brief: Cribl Stream enables routing, enriching, and reducing data on its way to its destination(s). Cribl Stream is a great tool for those of us who have data that needs storage and/or analysis elsewhere. One of the “elsewhere”s is CrowdStrike Falcon LogScale.
Falcon LogScale delivers powerful log management and data analysis capabilities, built with high-scale use cases in mind. It enables security, IT, and DevOps teams to quickly search through, analyze, and visualize their data.
It only makes sense to put these two great products together. One helps you get data in (from anywhere and in the correct format), and the other helps you analyze it and find useful insights.
CrowdStream is a new native capability that directly connects any data source to Falcon LogScale using Cribl’s observability pipeline technology, and it’s available through Falcon LogScale. That is to say, you log into your Falcon LogScale account in order to access CrowdStream. All you really need is an API token from your account. Then you add a new Falcon LogScale destination in CrowdStream. Choose Manual authentication and paste in your token. You’ll also need to enter the endpoint, but if you made it this far you already know that part.
Once you’ve logged into your Falcon LogScale account, look on the right-hand side for a tile that says, CrowdStream and has a link to Set up Cribl. For more details on how to set up a destination and complete your CrowdStream deployment, check out our docs here or view LogScale’s documentation here.
Well, that’s how you access CrowdStream, but what do you do with this newfound power at your fingertips? Overthrow the… no, no. Let’s talk about what’s possible with CrowdStream.
Now that you have your very own CrowdStream, go take a look at where you can receive data from. That’s a lot of sources. And guess what? Now you can send them all to Falcon LogScale! I would say, “You’re gonna need a bigger/better SIEM,” but since Falcon LogScale is built to handle high-scale data analysis, it’s already big enough. Using CrowdStream, you can also format the data from all your sources in flight. Or you can send your data in its raw format to Amazon S3 for full-fidelity replay later. You know, for those unknown unknowns.
CrowdStream gives you visibility and control over your observability pipeline, so you granularly manage what data to route to Falcon LogScale or object storage. Plus, you can mask or encrypt personally identifiable information (PII) and other sensitive data for compliance before sending it to Falcon LogScale. But the best part is, that CrowdStream helps you dramatically accelerate time-to-value. With CrowdStream, onboarding data is a breeze, so you can unlock the power of Falcon LogScale faster and do even more with log management than ever before.
One great use case for CrowdStream is the ability to enhance threat hunting. CrowdStream leverages Cribl’s technology to centralize and normalize data within the CrowdStrike Falcon® platform. That unified data provides the real-time visibility needed to eliminate threats, run deep analytics, and hunt for adversaries.
With its blazing-fast search speed, Falcon LogScale provides the power to quickly hunt down targeted attacks, insider threats, and evasive malware. Your threat hunters can construct advanced queries, search for indicators of compromise, and swiftly scour petabytes of data to find threats. When you use CrowdStream to enrich that data with third-party information such as GeoIP info and threat intelligence before it’s collected by Falcon LogScale, your hunters have greater context to quickly analyze query results and speed up investigation and response.
While there are far too many data ingest scenarios to cover in this short blog, you can try out CrowdStream via the LogScale product page and get pre-made and curated data processing packs for additional use cases here. While you’re at it — join the Cribl Community or CrowdExchange for any questions you might have. We’re pumped to see what you do with CrowdStream!
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.
We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.