What’s New blog — Third time’s a charm

Last edited: May 20, 2026

Another odd month, another Cribl release. The wheel of Cribl turns and releases come and pass, leaving features that become GA. 4.18 is full AI steam ahead! You got AI? We got you!

Cribl.Cloud

Model selection by capability tier for Bring Your Own Model (BYOM)

Customers can now choose which of their models to use for Cribl AI capabilities across three tiers: small, frontier, and reasoning. Capabilities are mapped to each tier based on the level of processing complexity, context length, and accuracy they require, with those mappings clearly defined in both product and documentation. Thus customers have the flexibility and choice to match the right model to the right task, avoiding overuse of expensive models for simple workloads while ensuring advanced use cases have the depth and context they require. This improves performance consistency across features, drives better cost control, and allows teams to fully leverage existing AI investments while meeting internal requirements for latency, scale, and governance.

Additional providers for Bring Your Own Model (BYOM)

Customers can use Cribl AI features while retaining full control over their AI models, data, and infrastructure by configuring their own model provider, now including LiteLLM and OpenAI Retail. BYOM removes AI adoption barriers by enabling customers to use Cribl AI with their existing AI investments and deployment models, including fully on-prem environments. This addresses privacy, compliance, and IP concerns, especially for highly regulated industries, while giving customers choice, control, and visibility over data flows and AI infrastructure.

Stream

Cribl Guard enhancements

4.18 adds new model options for background detection in Cribl Guard, giving customers flexibility to choose between speed and depth. Teams can select from a balanced default model (cribl-privacy-2.0), a lightweight speed-optimized model (cribl-privacy-2.0-nano), or a more thorough, higher-compute model (cribl-privacy-2.0-pro), depending on their environment and priorities. Teams can now optimize for their specific needs by choosing the right balance of speed and accuracy. The nano model is ideal for high-volume environments where fast processing and scale matter most, while the pro model provides deeper, more thorough detection for higher-sensitivity use cases.

We’ve also added a user-invoked agent to the Guard Findings page. With one click, it analyzes grouped detections and presents each detection group with context, a recommended action (ignore, create a new Guard rule, or use an existing rule), and a brief explanation of why the agent suggested it. This allows users to quickly review and act in place without jumping across product pages/features. These Guard enhancements turn noisy PII detections into fast, reviewable actions, significantly reducing time and effort from detection to protection. They eliminate manual rule creation workflows while maintaining human-guided control, helping teams respond faster, reduce risk, and improve coverage with less toil.

Persistent Queue (PQ) to central S3 object storage including Kubernetes

When downstream systems fail or clusters scale up and down, PQ can land data durably in object storage and drain it back as capacity returns. Persistent Queue (PQ) is expanding so Kubernetes deployments can write queued data to a central S3 bucket instead of keeping everything on local disks. Therefore, platform teams running Cribl Stream get a stronger safety net against data loss during outages, upgrades, and autoscaling events. They can protect more traffic without over‑provisioning local storage, simplify PQ scale-down operations across Kubernetes clusters running Stream, and keep critical telemetry flowing even when the underlying infrastructure is in flux.

Edge

Mac Unified Log source

Cribl Edge is adding a Mac Unified Log source so teams can collect Mac‑specific logs stored in Apple’s proprietary unified logging format. The initial release lets users specify the filters they need to pull targeted slices of unified log data into Cribl. Orgs with sizable Mac fleets can then bring unified logs into the same pipelines as their Windows and Linux telemetry. It closes a competitive gap that has been blocking migrations from legacy agents, gives security and IT teams better visibility into macOS events, and sets the stage for future UX refinements on top of this foundation.

(AI) External Context Providers integration

External Context Providers (MCP) plugs Investigations into a broad ecosystem of third-party tools (beyond Jira / Bitbucket / FireHydrant) via Model Context Protocol, so investigations can automatically pull live human and ticket context alongside telemetry, leading to:

  • Full incident picture in one place: Investigations can automatically pull related tickets, changes, code, and runbooks from dozens/hundreds of systems, so analysts don’t have to swivel between tools to understand impact and history.

  • Faster time-to-context for AI: Instead of hard-coding individual integrations, MCP gives agents a single, scalable way to discover and call external tools, reducing engineering overhead while giving AI much richer context to work with.

  • Safer, governed external access: Admin UX and policy controls ensure external tools are onboarded once, with read-only access and per-tool toggles, so teams can safely expose more context without losing control.

(AI) Dataset Intelligence for Investigator

Dataset Intelligence automatically generates and maintains rich, AI-ready profiles for each dataset (both lakehouse and federated), then exposes those profiles to Investigator so it “knows” what a dataset contains, how it’s used, and how it relates to others before it starts querying. Have fun as Dataset Intelligence brings the following benefits:

  • Eliminates AI cold-start on new datasets: Pre-computed intelligence (schema, entities, correlations, usage patterns) gives agents instant situational awareness, so they ask better questions and write better queries from the first step of an investigation.

  • Reduces hallucinations and bad field guesses: By grounding Investigator in real field definitions, behavior, and summaries from Data Explorer, dataset intelligence cuts down on invented field names and off-target searches.

  • Makes the data estate navigable for humans and AI: Curated dataset descriptions and intelligence files turn a sprawling lake of 10s–100s of datasets into a browsable catalog that both analysts and agents can use to quickly decide, “Where should I look next?”

Lake

BYOS for Azure

Bring Your Own Storage (BYOS) for Azure enables Cribl Lake to connect directly to your Blob Storage, allowing you to easily create datasets and write them to Stream, and to instantly search them with Cribl Search. This delivers a fully integrated, search-in-place experience, without needing to move or duplicate data. Why is this valuable? See below:

  • Total data control: Data stays in your Azure environment (Blob), supporting compliance and governance needs

  • Search without movement: Query data in place with no rehydration or duplication required

  • Faster time to value: Minimal setup with secure, role-based access to existing storage

  • Enterprise-ready security: Integrates with Azure Key Vault for encryption and key management

  • Flexible, scalable architecture: Works across storage classes for evolving data needs

Note: BYOS already supports AWS S3 as a backend. Azure Blob is in addition to our S3 support. Enjoy more choice, flexibility and control!

Integrations

In this new section, we’ll cover new ways Cribl connects your telemetry together. Today’s blog mainly focuses on new Sources in Stream, but hey, a win is a win.

New sources

A new OpenAI Compliance source lets teams ingest OpenAI’s compliance API data (including prompts, responses, and related metadata) directly into Stream. OpenAI usage becomes a first‑class telemetry stream, ready for shaping, routing, enrichment, and correlation alongside existing security and observability data.

Cribl is adding a ServiceNow source based on the ServiceNow Table API, the same API ServiceNow uses internally. This collector‑based source can access tens of thousands of ServiceNow tables, making incident, change, CMDB, and custom app data available as streaming telemetry in Cribl.

Datadog traces expansion

Cribl is expanding its Datadog integration to pull richer APM trace data alongside existing metrics and logs. Teams can ingest detailed spans from Datadog, reshape them, and route them in concert with other telemetry streams. Observability teams gain finer‑grained control over high‑volume Datadog traces, like what to retain, what to sample, and where to send it. That helps cut costs by trimming noisy spans, boost fidelity on critical services, and reuse the same trace data across multiple backends without rewriting instrumentation.

Conclusion

Many new features! Much wow! Thanks for stopping by! Remember, the Cribl release cycle is monthly. If you need more to do in between releases, why not try a sandbox or watch a video, or start Cribl-ing for free by signing up at Cribl.Cloud. See you next release day! XOXO Cribl Girl

Cribl, the AI Platform for Telemetry, empowers enterprises to manage and analyze telemetry for both humans and agents with no lock-in, no data loss, no compromises. Trusted by organizations worldwide, including half of the Fortune 100, Cribl gives customers the choice, control, and flexibility to build what’s next.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.
