Welcome one and all to a new blog series: What’s New? This blog will cover fun and exciting new features from Cribl releases on a monthly (🤞) basis. If, say, you watched our new What’s New video series and wanted a slightly more in-depth read to accompany it, you’ve found the right spot. Or maybe you went to the What’s New sandbox and saw that there weren’t easily demo-able features but still wanted fancy pictures to look at. Also came to the right place. Basically, if you enjoy reading blogs and want to know what features are in Cribl releases, this 👏 is 👏 the 👏 right 👏 place 👏 Let’s dive right in!
Cribl.Cloud
Insights

Cribl Insights provides central monitoring and alerting for your Cribl environment with seven days of retained data for anomaly detection. That means you’re not just catching what’s happening right now; you have enough historical context to understand what “normal” looks like and quickly spot deviations. Whether it’s a sudden drop in data volume, a change in format, or a pipeline that stops flowing, Cribl Insights surfaces the issue and sends actionable alerts straight to your workflow. This proactive, built-in monitoring gets you ahead of potential problems, helps you make informed decisions, and keeps business-critical data flowing smoothly with no downtime.
Stream
Pack Upgrades
Stream Packs are widely used and loved amongst our customers[citation needed lol]. As such, we took it upon ourselves to… listen to our customers and improve them! The biggest pain point so far has been moving packs between Worker Groups. You bet your sweet Aspercreme we fixed that right quick!
Worker Group Variables

Group Variables let teams define environment-specific settings at the Worker Group level and reference them directly from Sources and Destinations within Packs. Instead of hard-coding values into every Pack, Stream now treats Worker Groups like an environment layer, so configurations can stay portable while still adapting to regions, tenants, or tool-specific details.
Operations, observability, and security teams now get environment-aware Packs that can be reused across Worker Groups without constant rework. Cut down on one-off Pipelines, reduce configuration drift, and roll out consistent patterns across multi-region or multi-tenant deployments.
Dependent Worker Group Object Cloning


You can now check "include Dependent Worker Group Objects" to automatically carry over externally-referenced certificates, Secrets, and Worker Variables when copying Packs to additional Worker Groups. Instead of manually recreating every externally-dependent object, you can push a Pack to new Worker Groups and know the external objects the Pack needs will be created or preserved as appropriate. With this new feature, you can easily scale proven Pack-based patterns across environments in a few clicks, without hunting for missing certs, Secrets, or Variables. Shrink time-to-value for new use cases, reduce misconfigurations during rollout, and keep Stream deployments cleaner as environments grow.
Wiz Defend Destination Tile

A native Stream integration that delivers data to the Wiz Defend platform via an optimized webhook (HEC-based). Wiz Defend receives this inbound data via a dedicated Cribl Stream Connector, giving you immediate visibility into cloud threats with full context, correlating Wiz alerts across environments, and reducing MTTR while controlling storage and egress costs by sending only the right data to each tool.
Stream & Edge
Outpost

Outpost is a native relay feature that simplifies scaling Cribl Edge and Stream across restricted or distributed environments. Acting as a local relay node, Outpost eliminates networking roadblocks by securely relaying connections between distributed Worker / Edge nodes and the Leader. That reduces manual networking work, accelerates large-scale deployments, and maintains compliance by eliminating the need to punch firewall holes or manage third-party proxy tools.
Edge
macOS Support
Cribl Edge now supports deployment on macOS devices. macOS support expands visibility and reduces agent management overhead by using Cribl Edge for a unified collection of security and observability data across all key platforms: Linux, Windows, Kubernetes, and now macOS.
Debian Package
So nice, we did it twice: we are adding the additional Cribl Edge installation option of a Debian Package (.deb) for certain Linux operating systems, including Ubuntu. This provides an easier, native installation method for customers using Debian-based distributions. Giving customers another installation option (as some customer environments require Debian packages) is awesome! You should try it sometime.
Search
RBAC for APIs
Additional granularity on automated access. This new feature expands Cribl’s access control model to include API credentials in addition to users and teams. You can now specify which API credentials are allowed to access particular datasets, giving you fine-grained control over what can be searched or retrieved through the API. This enables more secure, least-privilege access and aligns API-based interactions with the same access restrictions used for individual users and teams. Basically, we can AI now. Can you?
Notebook PDFs
For those of you who still use PDFs (this was written by a Gen Z apparently), Cribl Notebooks now support exporting investigations directly to PDF, giving teams a polished, portable artifact that captures their full analysis. This export can be attached to lifecycle management tools like PagerDuty or ServiceNow, seamlessly connecting Cribl-powered investigation results to existing workflows. Customers can now close the loop on investigations with a clear, shareable record of proof-of-work—no screenshots, copy/paste, or manual documentation required. This not only speeds incident response and collaboration, but also ensures consistent, auditable evidence for tickets, handoffs, and post-incident reviews. But do you really use PDFs? Be honest.
HTTP API Provider

Cribl Search now supports robust HTTP pagination for API-based datasets, so queries can automatically follow next-page links and tokens to retrieve complete result sets from modern REST APIs. Instead of stopping at the first page, Search can walk through as many pages as you allow, giving you full coverage of large or long-running datasets without extra scripting or manual work. Teams can reliably pull back all relevant records from tools like Jira, Bitbucket, GitHub, and other APIs even when responses span hundreds or thousands of items. This reduces blind spots from “first-page-only” results, eliminates brittle custom collectors, and makes it far easier to stand up rich context datasets that keep investigations and troubleshooting workflows fully informed as data grows.
Lake
New (Lower) Lakehouse Pricing
Lakehouse is cheaper! We’ve lowered the price of Lakehouse and now allow you to set Lakehouse retention independently from Cribl Lake. Retention in Lakehouse can now be configured anywhere from 1 day to 1 year, and storage is priced at $0.05/GB. You’re welcome.
Conclusion
Many new features! Much wow! Thanks for stopping by! Remember, the Cribl release cycle is monthly. If you need more to do in between releases, why not try a sandbox or watch a video, or start Cribl-ing for free by signing up at Cribl.Cloud. See you next release day!
XOXO Cribl Girl







