University of Pittsburgh Logo

How the University of Pittsburgh Streamlined Security Data Processing with Cribl

For years, the University of Pittsburgh used Splunk Cloud to manage its ever-growing security event data demands. However, the IT Security team realized that they were unable to fully leverage the value of their data. Despite investing considerable time and effort in cleaning and parsing specific datasets to enable searchability and identify incidents, the vast majority lacked the necessary structure and normalization.


After onboarding Splunk Enterprise Security (ES), the team identified a need to enhance Common Information Model (CIM) for compliance across varied data sources. They sought to streamline log formats from various environments, including firewalls, Windows, Linux, and cloud systems.

In pursuit of optimizing their security data management, the University made the strategic decision to transition to Microsoft Sentinel. They implemented Cribl Stream and Cribl Edge to facilitate a seamless transition, allowing for data transformation and enrichment in-flight, ensuring adherence to Sentinel’s formatting and analytic requirements before reaching the SIEM. 

Streamlined SIEM Migration in Just 68 Days

The migration from Splunk to Sentinel was completed efficiently in just 68 days, thanks to Cribl's pivotal role in expediting the process. By integrating Cribl, the team established pre-processing pipelines that parsed, normalized, and enriched log data in real-time, readying it for immediate ingestion and analysis by Sentinel.

“Compared to our previous setup, Cribl has significantly improved our data management, making operations smoother. As a small team with extensive responsibilities, Cribl has been an invaluable asset.”

Richard McIver,
Senior Security Engineer at the University of Pittsburgh 

Because the University of Pittsburgh team leveraged Cribl to parse, filter, and compress data, and eliminate unnecessary fields, for their migration, they not only achieved their primary goal but also realized a major added benefit: significant cost savings. For a large organization generating approximately 4TB of data daily, the resulting reduction in data volume sent to Sentinel was a key priority for senior leadership due to the substantial ingestion costs.

Ease of Use and Centralized Management

The University of Pittsburgh’s IT Security team greatly valued the simplicity and efficiency of Cribl’s unified platform, which streamlined their operations compared to the multiple tools and complex configuration files they navigated in their previous stand-alone Splunk environment.

Being able to manage all their data processing, normalization, and routing through a single pane of glass in Cribl Stream and Cribl Edge has streamlined their workflows and made them much more efficient. What’s more, the intuitive interfaces and cross-training Cribl provides enabled their small team to get up to speed quickly.

“Having everything in one place so we can work with all our data in a single pane of glass is helpful. And, you know, for those local file sources that we're pulling in, just manipulating that data and working with it is much easier now.”

Richard McIver,
Senior Security Engineer at the University of Pittsburgh 

Smooth Implementation across 1000+ Servers

The University of Pittsburgh IT Security team anticipated that rolling out Cribl Edge across over 1000 servers would be a major challenge. However, in reality, the process was remarkably smooth. 

The team was able to work with system and service owners to easily push out the Cribl Edge agents, organize the nodes, and share configurations across their different server groups. What’s more, updating these agents has also been simple, allowing the team to keep the platform up-to-date with minimal effort.

“Upgrading the agents has been really easy. We’re in the middle of doing our first upgrade, but so far, it's been very, very smooth and easy. Organizing the nodes and the fleets to help keep them organized and share configs across different groups of systems has been helpful."

Richard McIver,
Senior Security Engineer at the University of Pittsburgh


TL;DR
  • The University of Pittsburgh migrated from Splunk to Microsoft Sentinel in just 68 days.

  • The migration addressed long-standing challenges related to data parsing and normalization, improving searchability and maximizing data value.

  • Cribl Stream and Cribl Edge enabled the team to normalize data from many disparate sources into a usable format for Microsoft Sentinel, while reducing ingest costs and streamlining data management.

  • Cribl Edge simplified configuration management across 1,000+ servers.

  • Cribl’s intuitive UI and centralized control allowed the small security team to gain full visibility into their data, detect and respond to threats faster, and operate more efficiently across the board.

About Cribl

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit cribl.io or our LinkedIn, Twitter, or Slack community.

get started

Choose how to get started

See

Cribl

See demos by use case, by yourself or with one of our team.

Try

Cribl

Get hands-on with a Sandbox or guided Cloud Trial.

Free

Cribl

Process up to 1TB/day, no license required.