Securing the Identity Perimeter with Cribl and Push Security

Last edited: May 22, 2025

As organizations invest heavily in SaaS, their identity surfaces expand fast and are often invisible. Shadow IT, weak or reused passwords, and increasingly advanced attackers create gaps that traditional security tooling cannot see. Identity threats are no longer just one concern among many; they are the primary attack vector.

Security teams can’t afford to treat identity alerts as just another signal. Combining Cribl and Push Security gives defenders a powerful advantage: visibility into how users are being targeted by browser-based phishing or session hijacking, and into how they access SaaS services, so you can act on that data quickly and efficiently.

Visibility, but How?

The browser is now the default battleground, and it is largely unmonitored. In today’s environments, most SaaS access happens in the browser, no longer in thick clients like most of us grew up with (maybe I am dating myself). That means identity risk lives in a place where traditional visibility falls short.

Users authenticate in unpredictable ways:

  • Reused credentials that are often leaked

  • Unsanctioned SSO providers (Google, Meta, etc.)

  • BYO and personal accounts galore (GitHub, anyone?)

If you can’t see it, you can’t defend it. And most organizations can’t see:

  • All the shadow IT accumulating in their environments

  • Authentication methods (SAML, passkeys, reused passwords, etc.)

  • Where risky behaviors like MFA gaps or credential stuffing are taking root

Identity Visibility at the Source

Push Security tackles the visibility problem described above by making the browser the front line of SaaS access. With a lightweight extension, Push captures identity-related telemetry directly from the user’s interaction with apps, delivering near-real-time insight into the user and any potential threats impacting their experience. This data is high-signal, close to the user, and ready for action.

The Gatherer: Cribl Stream + Push Security

People log into SaaS apps constantly. You don’t need more noise, but you do need context-rich identity data routed with intent. The Push agent generates high-quality telemetry from the browser. Cribl specializes in getting that data to the right place and in the correct format without overwhelming your pipeline.

Using a REST API collector and pre-built Cribl Stream Packs, security teams can:

  • Ingest and normalize identity telemetry from Push in real time

  • Route high-value alerts and events to your SIEM, XDR, SOAR, or cold storage for later use

  • Enrich Push data with other sources like endpoint EDR or IAM logs

  • Maintain architectural flexibility while improving signal fidelity

You get the data you need into your SIEM, prioritized and actionable. You can also send it all to Cribl Lake for real-time search, or do both.

Check out the Cribl <> Push REST Collector here and the Cribl Stream Pack in our Pack Dispensary here.

The Hunter: Cribl Search + Push Security

The best identity data in the world is useless if you can’t act on it. That’s where Cribl Search and Cribl Lake come in.

With Cribl’s tooling, threat hunters can:

  • Search Push identity events in place, no reindexing or massive ingestion required

  • Correlate identity telemetry with other data sources (EDR, cloud logs, etc.)

  • Hunt for behaviors like:

    • Credential reuse across apps

    • Suspicious login methods (e.g., raw credentials instead of SSO)

    • Signs of browser-based phishing or session hijacking

  • Use the identity profile dashboard to monitor for insider threat activity over a period of time

  • Monitor exposure trends and patterns across the entire organization with built-in dashboards

You get early warning of credential misuse or account compromise, with the ability to ask and answer questions in seconds, not days.
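Two of the hunts listed above, credential reuse across apps and password logins to an app the organization otherwise reaches via SSO, as an added example run over constructed login events. This is not Push's event schema, a Cribl Search query, or code from either vendor; the record shape and the `cred_fp` credential-fingerprint field are assumptions made for the example.

```python
"""Hunt constructed browser-identity login events for credential reuse and for
raw-password logins to apps that are otherwise reached through SSO."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry: one record per observed login.
# "cred_fp" stands in for a credential fingerprint (assumed field); values are made up.
EVENTS: List[Dict[str, str]] = [
    {"user": "alice", "app": "crm.example",  "method": "password", "cred_fp": "fp-1"},
    {"user": "alice", "app": "wiki.example", "method": "password", "cred_fp": "fp-1"},
    {"user": "alice", "app": "mail.example", "method": "sso:okta", "cred_fp": ""},
    {"user": "bob",   "app": "crm.example",  "method": "sso:okta", "cred_fp": ""},
    {"user": "bob",   "app": "wiki.example", "method": "password", "cred_fp": "fp-2"},
    {"user": "carol", "app": "crm.example",  "method": "password", "cred_fp": "fp-3"},
]


def credential_reuse(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map (user, cred_fp) to the sorted apps where that fingerprint was used,
    keeping only fingerprints seen on more than one app."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        if e["method"] == "password" and e["cred_fp"]:
            seen[(e["user"], e["cred_fp"])].add(e["app"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def password_where_sso_exists(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, app) pairs where a raw password was used for an app that
    someone in the org reaches via SSO, i.e. SSO is available but bypassed."""
    sso_apps = {e["app"] for e in events if e["method"].startswith("sso:")}
    hits = {(e["user"], e["app"]) for e in events
            if e["method"] == "password" and e["app"] in sso_apps}
    return sorted(hits)


if __name__ == "__main__":
    for (user, fp), apps in credential_reuse(EVENTS).items():
        print(f"credential reuse: {user} used {fp} on {', '.join(apps)}")
    for user, app in password_where_sso_exists(EVENTS):
        print(f"password login where SSO exists: {user} -> {app}")
```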

Check out the Cribl <> Push Search Pack here.

The Bigger Picture

This isn’t about replacing your current identity security stack. It’s about filling the identity visibility gap that most security teams still have. Many organizations already have strong log coverage for endpoints and cloud infrastructure, but the SaaS authentication surface is largely unmonitored.

Thanks to Cribl’s Push Security packs, teams can:

  • Deploy in hours, not months

  • Start routing and enriching identity data immediately

  • Visualize SaaS access risks without writing custom parsers or dashboards

  • Focus on high-value detections instead of pipeline engineering

You get high-fidelity identity data into your SIEM, enriched and prioritized, while keeping full search capability across all your telemetry via Cribl. It’s cost-aware and security-savvy. It's flexible without compromising detection capabilities. SWEET!

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.
