Leveraging Tines and Cribl Search for Security Automation

October 23, 2023
Written by Igor Gifrin

Igor is a Principal Security Solutions Engineer at Cribl. For the past 20+ years he has been helping organizations find the best, and, more importantly, the simplest solutions to their security and IT problems. He also builds tools such as the InfoSec app for Splunk, used by 5000+ security teams. He is passionate about making sense of all kinds of data, and has very strong opinions about vendors using ML and AI just because it is flashy.

Categories: Cribl Search, Engineering

At Cribl, we have the privilege of helping our customers achieve their strategic data goals by giving them visibility and control over all of their observability data. The reality today is that data is commonly stored across many places. Whether intentional (such as using Cribl Stream to create a security data lake) or unintentional (because of silos and tool sprawl), organizations desire the ability to access and analyze all of this information at any time. One such time could be during a security investigation, like when our analytics tool or SIEM has signaled a potential indicator of compromise (IOC). What if we had a way to send that signal to a simple, intuitive workflow engine that could help automatically search our data estate for possible related logs over a period of time? And what if we could get those results and route or store them to our choice of destination(s)? Since it’s #CybersecurityAwarenessMonth, we’d like to give you a jump start on your incident alerting and SOAR processes!

Enter Tines, a platform purpose-built to automate and integrate processes like the security orchestration, automation, and response (SOAR) playbook we need here. With Tines and Cribl Search, we can take an IOC from our SIEM, search our data in place, and return any relevant results as part of an automated runbook. There is no reason to push data around needlessly or query it manually.

How It Fits Together

Consider the scenario where we have data stored outside of our SIEM that we need to query based on our IOC, a suspicious IP address:

[Diagram: Tines and Cribl Search workflow, steps 1 to 4]

Our SIEM fires an alert (1) that is received by Tines and includes a suspicious IP address. Tines helps construct a query for this IOC over a configured time range and sends it to the Cribl Search API (2). Cribl Search executes the query against our data in place: data that may never have been sent to the SIEM, that is still on the host, or that has aged out of the SIEM and been archived to a data lake. The relevant results are returned by Search to Tines (3), which can parse and format them for delivery to the desired destination (4).
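As an added example (not part of the original post or of the Tines Cribl Story), here is the Tines-side logic of steps (2) and (3) written out in Python: refanging and validating the IOC before it enters the query, building a Kusto-style Cribl Search query for the alert's time window, and summarizing the returned hits per host for step (4). The alert shape, dataset name, field names and query grammar are assumptions chosen for illustration; the HTTP call itself is left to the Story's API actions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed SIEM alert payload in the shape Tines might receive (assumed, not a real SIEM format).
SAMPLE_ALERT = {"rule": "Outbound traffic to known-bad host",
                "indicator": "203.0.113[.]42",
                "fired_at": "2023-10-23T14:05:00Z"}

# Constructed Cribl Search hits, already parsed from JSON (field names are assumptions).
SAMPLE_RESULTS = [
    {"_time": "2023-10-23T13:58:11Z", "host": "web-01", "src_ip": "10.0.4.17", "dest_ip": "203.0.113.42", "action": "allow"},
    {"_time": "2023-10-23T14:01:03Z", "host": "web-01", "src_ip": "10.0.4.17", "dest_ip": "203.0.113.42", "action": "block"},
    {"_time": "2023-10-22T22:40:00Z", "host": "db-03", "src_ip": "10.0.9.2", "dest_ip": "203.0.113.42", "action": "allow"},
]

def normalize_ip(value):
    """Refang '203.0.113[.]42'-style indicators and validate as an IP address. Anything that is
    not an IP raises ValueError, so free text from an alert is never spliced into the query."""
    candidate = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return str(ipaddress.ip_address(candidate))

def build_search_query(alert, lookback_hours=24, dataset="firewall_archive", limit=1000):
    """Return the query text plus the time window Tines would pass to Cribl Search.
    The dataset name, field names and Kusto-style grammar are assumptions for illustration."""
    ip = normalize_ip(alert["indicator"])
    latest = datetime.strptime(alert["fired_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    earliest = latest - timedelta(hours=lookback_hours)
    query = (f'dataset="{dataset}" '
             f'| where src_ip == "{ip}" or dest_ip == "{ip}" '
             f'| project _time, host, src_ip, dest_ip, action '
             f'| limit {int(limit)}')
    return {"query": query, "earliest": earliest.isoformat(), "latest": latest.isoformat()}

def summarize_results(events):
    """Collapse raw hits into one row per host for the destination (ticket, chat, SIEM case).
    Timestamps share one ISO-8601 format, so string min/max orders them correctly."""
    summary = {}
    for ev in events:
        row = summary.setdefault(ev["host"], {"hits": 0, "first_seen": ev["_time"],
                                              "last_seen": ev["_time"], "actions": set()})
        row["hits"] += 1
        row["first_seen"] = min(row["first_seen"], ev["_time"])
        row["last_seen"] = max(row["last_seen"], ev["_time"])
        row["actions"].add(ev["action"])
    return {host: {**row, "actions": sorted(row["actions"])} for host, row in summary.items()}

if __name__ == "__main__":
    print(build_search_query(SAMPLE_ALERT)["query"])
    print(summarize_results(SAMPLE_RESULTS))
```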

Cribl Search and Tines: Making It Easy

No one likes starting from scratch (except during the pandemic when baking was all the rage), so Tines has a Library with hundreds of prebuilt workflows to get you going quickly. The Cribl Story is available for you today to get a jump start on your automation and playbooks. It has everything you need to get started, including places to set authentication and the API calls to get the queries going:

[Screenshot: the Cribl Story in the Tines Library]

With Cribl Search, organizations are shifting their thinking about where to keep their data. Previously, we would have had to do something else to get these results. One option would be to send all data to the SIEM and retain it there; this normally means increased license and storage costs and puts additional load on the software. Another option is a form of rehydration, such as reloading old index files or re-ingesting large amounts of data; processing in this way is cumbersome, time-consuming, and usually carries high labor and infrastructure costs. Finally, we might use a storage provider's native capability to search the data. While helpful, these tools usually come with a steep learning curve and do nothing for data stored with other providers.

Search allows us to store information in cost-effective ways, like with object storage, and gives us control and flexibility over retention and lifecycle policies. Data lakes quickly become even more valuable with the ability to easily search them in place. Having data in multiple places is no longer an obstacle; we can access this across platforms at will. All of this in turn lets us maximize the value we can achieve out of our other analytics tools.

Next Steps

If you haven’t already, you should try out Tines! What will you build with their smart, secure workflow platform? Sign up for free today or talk to their team to learn more. Cribl Search is available with every Cribl Cloud account. Sign up today for a free account to gain instant access to Cribl Search!
