Game On: How Cribl and Fabric Real-Time Intelligence give security teams the edge

Last edited: September 17, 2025

Security teams are constantly looking for ways to get faster visibility into threats across the organization. This can be challenging due to the ever-growing set of data sources and volumes of data. By using Microsoft Fabric Real-Time Intelligence, you can instantly extract threat intel from across the universe of data where it resides and use powerful visualizations to drive decision-making. In this blog, we’ll show you how you can use Cribl’s Azure Event Hubs Destination to route events to Eventstream in Fabric Real-Time Intelligence.

Why use Cribl Stream with Fabric Eventstream?

Cribl Stream gives you a powerful solution to collect telemetry and observability data (metrics, events, logs, and traces) from multiple systems, then filter, enrich, transform, and optimize that data before routing it to Fabric RTI for analysis.

Benefits:

Stronger security insights: You can ensure that only high-fidelity, well-structured data from across a virtually unlimited catalog of data sources lands in Fabric Eventstream, improving detection accuracy and accelerating investigations.

Lower operational costs: Filtering and routing only the data that you need helps avoid paying to ingest, store, and analyze redundant or low-value data in Fabric.

Faster analytics and decision-making: With clean, enriched data, teams can build dashboards, run queries, and operationalize insights more quickly.

Prerequisites

To use Cribl Stream with Fabric, you’ll need the following accounts:

Cribl.Cloud Account

  • An active Cribl.Cloud account. If you don’t have one, you can sign up here for free.

  • Admin permissions on a Cribl Worker Group

Microsoft Fabric Account

  • An active Fabric or Power BI Account. If you don’t have one, sign up for a free trial here.

  • Contributor or higher permissions in a Fabric workspace

Setup

To send data to Fabric with Cribl Stream, you’ll perform the following steps.

  • Create a new Eventstream in Microsoft Fabric

  • Create an Azure Event Hubs Destination in Cribl

  • Send data to the new destination

Create an Eventstream in Fabric

The first step will be to create a new Eventstream in Fabric. This will create an event hub behind the scenes, which we can use for sending from Cribl.

Create a Workspace

  • Log in to Microsoft Fabric at https://app.fabric.microsoft.com

  • Select “New workspace” and provide a name (“Cribl”) and an optional description.

  • If you are not using a trial account, click “Advanced” and select “Fabric capacity” for License mode.

  • Click “Apply” and your new workspace will be created.

Learn more about workspace creation here.

Create the Eventstream

  • Click “New item”

  • Select “Eventstream”

  • Provide a name like “Cribl”

  • Click “Create”

  • Once created, it will direct you to its homepage.

Learn more about creating an event stream here.

Add the Custom Endpoint Source

Adding a custom endpoint source will enable sending events to Eventstream via Event Hub or Kafka protocol.

  • Click “Use custom endpoint” on the homepage of the Eventstream just created.

  • Provide a source name “Cribl-Source” and click “Add”

  • After adding the source, it will be added to the Eventstream you previously created.

  • Click “Publish” to bring the custom endpoint live.

Copy the Connection Information

To route data from Cribl, you’ll need to copy several pieces of information and save them for the Cribl configuration.

  • Click on the new source that you created.

  • Click on “Kafka” in the Details pane.

  • Click on “SAS Key Authentication”.

  • Copy “Bootstrap server”, “Topic Name”, and “Connection string-primary key” values.

Your Eventstream is now up and running. Let’s wire up Cribl.

Learn more about creating a custom endpoint source here.
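
Before pasting the three copied values into Cribl, you can check that they agree with each other and produce a redacted form of the connection string that is safe to log. This is an added example, not code from Cribl or Microsoft: the function names are hypothetical, the sample values are constructed, and it assumes the connection string uses the standard Event Hubs `Key=Value;` layout with an optional `EntityPath`.

```python
import re
from urllib.parse import urlparse

# Constructed sample values, not real credentials.
BOOTSTRAP = "example-ns.servicebus.windows.net:9093"
TOPIC = "es_example-topic"
CONN = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
        "SharedAccessKeyName=key_example;"
        "SharedAccessKey=Q09OU1RSVUNURUQtS0VZ=;EntityPath=es_example-topic")

def parse_connection_string(conn):
    """Split 'Key=Value;...' pairs; values may themselves contain '='."""
    parts = {}
    for item in filter(None, (p.strip() for p in conn.split(";"))):
        key, sep, value = item.partition("=")
        if not sep or not value:
            # Do not echo the segment: it may contain the key material.
            raise ValueError("malformed segment in connection string")
        parts[key] = value
    missing = [k for k in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
               if k not in parts]
    if missing:
        raise ValueError(f"connection string is missing {missing}")
    return parts

def redact(conn):
    """Mask the key so the string is safe to log or paste into a ticket."""
    return re.sub(r"(SharedAccessKey=)[^;]+", r"\1<redacted>", conn)

def preflight(bootstrap, topic, conn):
    """Return a list of mismatches; an empty list means the values agree."""
    problems = []
    parts = parse_connection_string(conn)
    host, _, port = bootstrap.rpartition(":")
    if not host or port != "9093":  # Event Hubs' Kafka endpoint uses TLS on 9093
        problems.append("bootstrap server should be <namespace-host>:9093")
    endpoint = urlparse(parts["Endpoint"])
    if endpoint.scheme != "sb" or not endpoint.hostname:
        problems.append("Endpoint is not an sb:// URI")
    elif host and endpoint.hostname.lower() != host.lower():
        problems.append("bootstrap host differs from connection string Endpoint")
    if "EntityPath" in parts and parts["EntityPath"] != topic:
        problems.append("topic differs from connection string EntityPath")
    return problems

if __name__ == "__main__":
    print(redact(CONN))
    print(preflight(BOOTSTRAP, TOPIC, CONN) or "values are consistent")
```
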

Create an Event Hubs Destination in Cribl

Since Eventstream supports receiving events via Event Hubs, we’ll use Cribl’s Azure Event Hubs Destination to send the data.

  • Log in to your Cribl instance and head to Stream.

  • Choose the worker group that you will use for creating your new destination.

  • Click on “QuickConnect”

  • Click “Add Destination”

  • In the search window, type “Azure”, and you’ll see a list of available Azure tiles.

  • Click “Add New” on the “Azure Event Hubs” tile.

  • Specify the ID (“fabric_eventstream”)

  • Paste the “Bootstrap server” value you previously copied into the “Broker” field.

  • Paste the “Topic Name” value into the “Event Hub name” field.

  • Click on “Authentication”

  • In the “Authentication Method” dropdown, select “Secret”

  • Click “Create” next to the Password field.

  • Paste the “Connection string-primary key” value you previously copied into the “Value” field and click “Save”.

  • Open the new Destination you just created.

  • Click on “Status.” You should see a host listed with a green check box. This indicates that your Cribl environment is connected to Event Hubs and is ready to start streaming events.

Send Data to Eventstream

Now that your Azure Event Hubs Destination is configured, it is time to send some data.

  • In QuickConnect, choose a source to connect to your new Destination and wire it up. If you don’t have one, an easy option is to create a “Datagen” source and select “big_json.log” as the “Data Generator File Name”.

  • Make sure the source is enabled.

  • Open the “Event Hubs” destination you just created.

  • Click on “Live Data” and press the “Capture” button using the defaults. You should shortly see live events flowing.

  • Switch to the Fabric portal.

  • Click on your new eventstream.

  • After the Data preview refreshes, you should see the events that have been sent from Cribl!

Processing, Analyzing, and Visualizing Events with Real-Time Intelligence

As Cribl sends events into Microsoft Fabric, Eventhouse efficiently manages this diverse and time-sensitive data. Purpose-built to handle structured, semi-structured, and unstructured formats, Eventhouse is ideal for processing the wide variety of message types commonly collected from Cribl sources.

Incoming data is automatically indexed and partitioned by ingestion time, enabling fast and efficient querying. Within Eventhouse, you can create Kusto Query Language (KQL) databases to store and explore your data. These databases provide a flexible environment for real-time analysis and data management using the familiar KQL.

To support real-time visualization, you can export KQL queries directly to a Real-Time Dashboard in Real-Time Intelligence. This integrated experience lets you refine queries, adjust formatting, and interact with live streaming data in one place. You can monitor, analyze, and visualize insights as they happen.

Below you can see that I am routing the data to my cribl_house eventhouse resource.

Wrapping up

In a world of ever-increasing data volume, getting a clear view of your security landscape is more critical than ever. In this post, you’ve seen how the integration of Cribl Stream with Microsoft Fabric's Real-Time Intelligence offers a direct, powerful solution to this challenge. Filter and enrich your data at the source, ensuring that only the most relevant, high-fidelity information reaches your security teams. The result? Faster, more accurate threat detection, reduced operational costs, and the ability to turn data into decisive action, giving your organization a clear advantage. This is just the beginning. Stay tuned for more ways to harness the power of Cribl and Microsoft Fabric Real-Time intelligence in the future.
