New to observability? Find out everything you need to know.
Cribl Stream is a vendor-agnostic observability pipeline that gives you the flexibility to collect, reduce, enrich, normalize, and route data from any source to any destination within your existing data infrastructure.
Learn More >Cribl Edge provides an intelligent, highly scalable edge-based data collection system for logs, metrics, and application data.
Learn More >Cribl Search turns the traditional search process on its head, allowing users to search data in place without having to collect/store first.
Learn More >The Cribl.Cloud platform gets you up and running fast without the hassle of running infrastructure.
Learn More >Cribl.Cloud Solution Brief
The fastest and easiest way to realize the value of an observability ecosystem.
Read Solution Brief >AppScope gives operators the visibility they need into application behavior, metrics and events with no configuration and no agent required.
Learn More >Explore Cribl’s Solutions by Integrations:
Explore Cribl’s Solutions by Industry:
Get this Gartner® report and learn why telemetry pipeline solutions represent a robust and largely untapped source of business insight beyond event and incident response.
Download Report >Observability Pipelines: Optimize Your Cloud with Exabeam and Cribl
It’s not about collecting ALL the data; it’s about collecting the RIGHT data.
Watch On-Demand >Try Your Own Cribl Sandbox
Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now >Get inspired by how our customers are innovating IT, security and observability. They inspire us daily!
Read Customer Stories >Sally Beauty Holdings
Sally Beauty Swaps LogStash and Syslog-ng with Cribl.Cloud for a Resilient Security and Observability Pipeline
Read Case Study >Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now >Take Control of Your Observability Data with Cribl
Learn More >Cribl Corporate Overview
Cribl makes open observability a reality, giving you the freedom and flexibility to make choices instead of compromises.
Get the Guide >Stay up to date on all things Cribl and observability.
Visit the Newsroom >Cribl’s leadership team has built and launched category-defining products for some of the most innovative companies in the technology sector, and is supported by the world’s most elite investors.
Meet our Leaders >Join the Cribl herd! The smartest, funniest, most passionate goats you’ll ever meet.
Learn More >Want to learn more about Cribl from our sales experts? Send us your contact information and we’ll be in touch.
Talk to an Expert >In this live stream, Sidd Shah and I discuss how Cribl Stream can empower Security Operations Admins to make the most of their CrowdStrike FDR data. They address the challenges faced by CrowdStrike customers, who generate a vast amount of valuable data each day but struggle to leverage it fully due to complexity and size. They also explain how Cribl Stream can help SecOps admins extract the right data for their SIEM while moving the rest to their security data lake, enabling them to get the maximum value from their data and be cost-effective at the same time.
The post below is an excerpt from this conversation — highlighting a case study where Sidd was able to help a customer reduce their CrowdStrike FDR data from 1TB per day down to 250GB.
CrowdStrike FDR collects all sorts of near real-time data about your environment, including asset and identity detections. The data is very high quality, but the amount it collects is non-trivial, and customers typically are not prepared or equipped to get value from it — we’ve seen such high amounts that it would have doubled some customers’ SIEM licenses.
In these large quantities, you simply can’t afford to send all the data through your systems of analysis, and it’s tough to get full value from a tool like this if you can’t utilize the data it generates. Part of the reason for the quantity issue is that CrowdStrike data is redundant — this isn’t unique to them necessarily, but if you take a close look, you’ll find that CrowdStrike even creates logs about the data it’s sending to itself!
One of the trends we’re starting to see, especially in the security community, is the idea of sending only what’s necessary for detection and response to the SIEM and sending everything else to a security data lake or object storage like an S3 bucket. This way, enterprises can get better, cheaper analytics options and still meet compliance and regulatory requirements, all while keeping control of their data.
Being able to send a copy of data to an object store lets you manage your retention in a world where data growth is far outpacing the budgets available to manage it and allows you to decouple your retention requirements from your SIEM. Then, you can use Stream if you ever have to bring that data back, or you can use Cribl Search to query that data in place on an as-needed basis.
To get started handling the quantities of data the CrowdStrike and other tools are sending your way, Cribl offers a series of packs available in our Cribl Packs Dispensary. The packs are a set of configurations that match a use case — the CrowdStrike-specific pack helps users look at common data sources or data types that come in via CrowdStrike FDR and gives some of the best practices around parsing, filtering, reducing, or aggregating this data.
We configured this integration with network security data admins in mind, removing as many pain points associated with onboarding new tools as possible. When we showed a recent customer how to set CrowdStrike up as a source in Stream, it took about 15 minutes as opposed to the hour they were expecting it to take — everyone on that call got a nice bonus of 45 minutes of their day back.
After we set this up, our customer turned CrowdStrike FDR back on and got about 1TB per day of data as opposed to the 60GB they were expecting. This would have completely eaten up their SIEM license if it continued, so we used Stream to figure out what event types were there, turned them into metrics, and sent them to their metrics store. That way, as we worked through it every day, we could go back to that metric storage and see which data sources were the largest and tackle those first.
After that, we worked with them to demonstrate how to turn each of the dials up and down on their own because they need to be able to calibrate things to create the right balance between filtering out unneeded data and still getting value from what’s left. In the end, they were able to reduce the 1TB per day they were ingesting to about 250GB per day, and still come in under their SIEM license.
Not only that, but they made the data they decided to keep even more valuable by moving on to enrichment with Redis, DNS data, and timestamping. Their new configuration will also make it easier to do threat hunting in the future, because of the huge increase in the ratio of signal to noise and the ease with which they’ll be able to search data in their data lake instead of their SIEM.
Watch the entire live stream on Getting the Most Value from CrowdStrike FDR Data with Cribl Stream to see how you are able to make all these changes and watch how the data is being transformed in real-time, without any trial and error or finger crossing and hoping for the best. If you’re a SecOps admin looking to make the most of your data — this video is for you.
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.