Schedule, execute, refine, and redact Splunk searches
Source
Run simple or complex queries against Splunk software search heads, including real-time searches. Cribl’s integrations provide controls for scheduling searches, breaking events, and redacting and transforming event fields.
This is a built-in integration between Splunk software Search and Cribl Stream’s Splunk software Search Source or Collector.
Configure Cribl Stream to read data from Splunk software Search via Sources > (Collector >) Splunk software Search.
Specify the search head/endpoint, query, schedule, output format, and optional authentication, Breaker, and other parameters.
Stream will start ingesting Splunk software data on the schedule you specify.
Monitor and analyze your organization's operational and security data
Source
Splunk software Enterprise/Cloud is a data platform for investigating, monitoring, analyzing and acting on operational and security data.
This integration is facilitated through the Cribl Stream Splunk software Source and/or Destination. Both Splunk TCP and HEC are supported.
Splunk software as Source and Stream as a destination
Configure Stream to listen for Splunk software data via Sources > Splunk TCP/HEC.
On the Splunk software side, configure the system (UF/HF) to send to Cribl Stream.
Splunk software as Destination and Stream as a source
On the Splunk software side, configure the system to receive data over Splunk TCP/HEC.
Configure Stream to send data to Splunk software via Destinations > Splunk Load Balanced.
Monitor and analyze your organization's operational and security data
Destination
Splunk software Enterprise/Cloud is a data platform for investigating, monitoring, analyzing and acting on operational and security data.
This integration is facilitated through the Cribl Stream Splunk software Source and/or Destination. Both Splunk TCP and HEC are supported.
Splunk software as Source and Stream as a destination
Configure Stream to listen for Splunk software data via Sources > Splunk TCP/HEC.
On the Splunk software side, configure the system (UF/HF) to send to Cribl Stream.
Splunk software as Destination and Stream as a source
On the Splunk software side, configure the system to receive data over Splunk TCP/HEC.
Configure Stream to send data to Splunk software via Destinations > Splunk Load Balanced.
Aggregate, summarize, and relay application metrics over UDP or TCP
Destination
StatsD Extended is an expanded StatsD metric protocol, which supports dimensions and a sample rate for counter metrics. As with StatsD, downstream components listen for application metrics over UDP or TCP, can aggregate and summarize those metrics, and can relay them to virtually any graphing or monitoring backend.
This is a built-in integration through the Cribl Stream StatsD Extended Destination.
Configure Stream to send data via Destinations > StatsD Extended.
Specify the destination protocol, host, port, backpressure behavior (for TCP), and optional parameters.
Stream will start sending data as it becomes available.
Real-time, cloud-based analytics and alerts powered by machine learning
Destination
Sumo Logic is a cloud-based machine data analytics company focusing on security, operations and Business Intelligence use cases. It provides log management and analytics services that leverage machine-generated big data to deliver real-time IT insights.
This integration is facilitated through the Cribl Stream Sumo Logic Destination.
Configure Stream to send to Sumo Logic via Destinations > Sumo Logic.
Supply your configuration settings and API URL.
Collect and send metrics and events from multiple sources
Source
Telegraf is an open-source, plugin-driven, server agent for collecting and sending metrics and events from databases, systems, and IoT sensors. Written in Go, Telegraf compiles into a single binary with no external dependencies, requiring a minimal memory footprint. Telegraf has well-defined integrations with InfluxDB for storage, Chronograf for visualizations, and Kapacitor for alerting.
This is an integration facilitated through Cribl Stream’s Metrics, HTTP/S, StatsD, or TCP JSON Source.
Configure Telegraf to output data via TCP, UDP, StatsD, HTTP or JSON. (Some of these options require a Telegraf plugin.)
Configure Stream to ingest Telegraf data via Sources > Metrics (for TCP, UDP, or StatsD), or via a different Source corresponding to your Telegraf output format.
Specify the address to bind on, port to listen on, and optional parameters.
Stream will start receiving Telegraf data as it becomes available.
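The StatsD Extended format described under the StatsD Extended Destination above, and the StatsD output that Telegraf can emit towards the Metrics Source, share one wire format, so one worked example covers both. The block below is an added example, not Cribl's or Telegraf's code. It assumes the Datadog-style extension of StatsD (`name:value|type|@rate|#dim:val,...`); the metric names, dimensions and the sample lines are constructed for the demonstration.

```javascript
// Added example, not Cribl's or Telegraf's code: a parser and pre-flush aggregator for
// StatsD Extended-style lines. Assumed wire format (the Datadog-style extension of StatsD):
//   <name>:<value>|<type>[|@<sample_rate>][|#<dim>:<val>,<dim>:<val>,...]
// Types: c (counter), g (gauge), ms (timer), h (histogram), s (set).

const SUPPORTED_TYPES = new Set(['c', 'g', 'ms', 'h', 's']);

function parseStatsdExtended(line) {
  const text = line.trim();
  const colon = text.indexOf(':');
  if (colon <= 0) throw new Error(`missing name:value separator in "${text}"`);
  const name = text.slice(0, colon);
  const fields = text.slice(colon + 1).split('|');
  if (fields.length < 2) throw new Error(`missing metric type in "${text}"`);
  const [rawValue, type] = fields;
  if (!SUPPORTED_TYPES.has(type)) throw new Error(`unknown metric type "${type}" in "${text}"`);

  let sampleRate = 1;
  const dimensions = {};
  for (const extra of fields.slice(2)) {
    if (extra.startsWith('@')) {
      sampleRate = Number(extra.slice(1));
      // Bound the rate: a zero or tiny rate would let one datagram inflate a counter without limit.
      if (!(sampleRate > 0 && sampleRate <= 1)) throw new Error(`bad sample rate in "${text}"`);
    } else if (extra.startsWith('#')) {
      for (const pair of extra.slice(1).split(',')) {
        if (!pair) continue;
        const sep = pair.indexOf(':');
        if (sep < 0) dimensions[pair] = '';               // bare dimension, no value
        else dimensions[pair.slice(0, sep)] = pair.slice(sep + 1);
      }
    } else {
      throw new Error(`unexpected field "${extra}" in "${text}"`);
    }
  }

  let value = rawValue;
  if (type !== 's') {                                      // sets hold opaque member strings
    value = Number(rawValue);
    if (!Number.isFinite(value)) throw new Error(`non-numeric value in "${text}"`);
  }
  // A gauge value written as "+5" or "-3" is a delta against the previous gauge value.
  const isDelta = type === 'g' && /^[+-]/.test(rawValue);
  // Sample rate applies to counters: @0.1 means the client sent one in ten, so scale up.
  if (type === 'c') value = value / sampleRate;
  return { name, type, value, sampleRate, dimensions, isDelta };
}

// Series key: metric name plus sorted dimensions, so the same dimensions in a different
// order still land on the same series.
function seriesKey(m) {
  const dims = Object.entries(m.dimensions).sort().map(([k, v]) => `${k}:${v}`).join(',');
  return `${m.name}|${dims}`;
}

// Aggregate one flush interval the way a StatsD relay does: counters sum, gauges keep the
// last value (or apply deltas), timers/histograms collect samples, sets count distinct members.
function aggregate(lines) {
  const series = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    const m = parseStatsdExtended(line);
    const key = seriesKey(m);
    let s = series.get(key);
    if (!s) {
      s = { name: m.name, type: m.type, dimensions: m.dimensions, value: 0, samples: [], members: new Set() };
      series.set(key, s);
    }
    if (s.type !== m.type) throw new Error(`type conflict on series ${key}`);
    switch (m.type) {
      case 'c':  s.value += m.value; break;
      case 'g':  s.value = m.isDelta ? s.value + m.value : m.value; break;
      case 'ms':
      case 'h':  s.samples.push(m.value); break;
      case 's':  s.members.add(m.value); break;
    }
  }
  return [...series.values()].map(s => {
    const base = { name: s.name, type: s.type, dimensions: s.dimensions };
    if (s.type === 's') return { ...base, value: s.members.size };
    if (s.type === 'ms' || s.type === 'h') {
      const mean = s.samples.reduce((a, b) => a + b, 0) / s.samples.length;
      return { ...base, count: s.samples.length, max: Math.max(...s.samples), mean };
    }
    return { ...base, value: s.value };
  });
}

// Constructed sample input (one flush interval from a hypothetical checkout service).
const SAMPLE_LINES = [
  'api.requests:1|c|@0.1|#service:checkout,region:us-east-1',
  'api.requests:1|c|@0.1|#region:us-east-1,service:checkout',   // same series, dims reordered
  'api.requests:3|c|#service:checkout,region:eu-west-1',
  'api.latency:120|ms|#service:checkout',
  'api.latency:250|ms|#service:checkout',
  'db.connections:42|g',
  'db.connections:-2|g',                                         // delta: 42 -> 40
  'auth.unique_users:alice|s',
  'auth.unique_users:bob|s',
  'auth.unique_users:alice|s',                                   // duplicate member, still 2
];

console.log(JSON.stringify(aggregate(SAMPLE_LINES), null, 2));
```

Two things worth noticing when you point a StatsD listener at a network: the sample-rate scaling means an unauthenticated UDP sender can multiply a counter by 1/rate with a single datagram, so the parser refuses rates outside (0, 1] and you should still firewall the listener to known senders; and dimensions are part of the series identity, so a sender that adds a high-cardinality dimension (request IDs, user IDs) can blow up series counts downstream.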
Real-time metrics monitoring, streaming analytics, and proactive alerting
Destination
Wavefront is a high-performance streaming analytics platform that supports observability via metrics, histograms, and traces/spans. Wavefront can scale to very high data ingestion rates and query loads.
This is a built-in integration between Cribl Stream and Wavefront.
Configure Stream to send data to Wavefront via Destinations > Wavefront.
Specify the Wavefront API authentication token, Wavefront domain name, backpressure behavior, and optional parameters.
Stream will start sending data as it becomes available.

Collect events from remote computers on a collector computer
Source
Collect events from remote computers via subscriptions, and store them in a combined local event log. Cribl’s integration can replace multiple Windows Event Collector (WEC) servers, offering better scaling and simplified administration.
This is a built-in integration via Cribl Stream’s/Edge’s Windows Event Forwarder Source.
Send Windows Event Collector logs to Cribl Stream/Edge.
Configure Cribl Stream/Edge to read the incoming data via Sources > Windows Event Forwarder.
Specify your Input ID, Address, Port, Private key path, and other parameters.
Cribl Stream/Edge will start receiving data as it becomes available.
Transform how security teams handle runtime alerts, cloud risks, and compliance needs with the Wiz API and Cribl Stream integration.
Source
Cribl and Wiz simplify compliance adherence by integrating compliance-focused data into long-term retention systems – reducing the operational complexities. Combining Wiz’s deep cloud security analysis with Cribl’s powerful data processing capabilities helps organizations to quickly identify and address critical risks, misconfigurations, network exposures, and vulnerabilities across their cloud environments.
Cribl Stream supports collecting data from the Wiz cloud security platform. The Wiz API Source will communicate with APIs that your organization’s Wiz portal exposes: Audit Logs, Configuration Findings (sometimes called Cloud Configuration), Issues, and Vulnerabilities.
Benefits:
Gain immediate visibility into your cloud security: Wiz comprehensively scans across cloud resources, identifies risks, and prioritizes them.
Shape and route your data: Use Cribl Stream to flexibly transform and route data from Wiz to multiple destinations, enhancing overall data visibility and access.
Boost operational efficiency: Optimize data routing, reduce data redundancy, and enhance the overall operational efficiency of data security management.
Comprehensive risk views: Facilitate audits and regulatory reporting by providing complete and easily accessible views of enterprise risks.
Simplify storage and compliance: Streamline the integration of compliance-focused data into long-term storage solutions to ease adherence to regulatory standards.
This is a built-in integration between Cribl and Wiz.
From within the Wiz API source, enter the following Wiz provided information: GraphQL endpoint, Authentication URL, Client ID, and the Client Secret.
You can enable the collection of Audit, Configuration, Issues, and Vulnerability findings.
Set the desired API query frequency and optionally modify the Content Query to fine-tune what is retrieved from the Wiz API endpoint.
Enable State tracking to ensure there are no gaps or overlaps in the retrieved data.
Click Save, then Commit & Deploy.
Verify that data is making it to Cribl Stream by viewing the Live Data feed from the Source then configure routing to the destinations of your choosing.
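The steps above rely on two mechanisms that are easy to get wrong in any scheduled API collector: obtaining a token with a client ID and secret, and keeping state between runs so the query frequency you pick produces neither gaps nor overlaps. The block below is an added example, not Cribl's or Wiz's code. It assumes an OAuth2 client-credentials token endpoint (the `audience` value is an assumption), a paged query ordered by `createdAt` with an opaque cursor in the GraphQL connection style (`pageInfo`, `endCursor`), and constructed finding records; the API is simulated in memory so the example runs offline.

```javascript
// Added example, not Cribl's or Wiz's code: how a scheduled API collector keeps state
// between runs so that no record is missed and none is emitted twice. Assumptions:
// an OAuth2 client-credentials token endpoint (audience value assumed), and a paged
// query ordered by createdAt with an opaque cursor, as GraphQL connections expose.
// Field names (id, createdAt, pageInfo, endCursor) are illustrative.

function buildTokenRequest(authUrl, clientId, clientSecret) {
  // Client-credentials grant. The secret goes in the POST body over TLS, never in a query string.
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    audience: 'wiz-api',             // assumed audience value
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    method: 'POST',
    url: authUrl,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// In-memory stand-in for the remote API. Reads `records` live so rows can be added between runs.
function makeFakeApi(records) {
  return {
    fetchPage({ since, first, after }) {
      const eligible = [...records]
        .filter(r => !since || r.createdAt >= since)
        .sort((a, b) => a.createdAt.localeCompare(b.createdAt) || a.id.localeCompare(b.id));
      const start = after ? Number(after) : 0;
      const nodes = eligible.slice(start, start + first);
      const end = start + nodes.length;
      const hasNextPage = end < eligible.length;
      return { nodes, pageInfo: { hasNextPage, endCursor: hasNextPage ? String(end) : null } };
    },
  };
}

// State = newest createdAt seen + the ids seen at exactly that timestamp.
// Querying createdAt >= lastSeen closes the gap when several records share the boundary
// timestamp (or one arrives late with it); the id set removes the overlap that creates.
function collect(api, state = {}, pageSize = 2) {
  const boundaryIds = new Set(state.idsAtLastSeen || []);
  let newest = state.lastSeen || null;
  let idsAtNewest = new Set(state.idsAtLastSeen || []);
  const events = [];
  let after = null;
  do {
    const page = api.fetchPage({ since: state.lastSeen, first: pageSize, after });
    for (const r of page.nodes) {
      if (r.createdAt === state.lastSeen && boundaryIds.has(r.id)) continue;  // already emitted
      events.push(r);
      if (newest === null || r.createdAt > newest) {
        newest = r.createdAt;
        idsAtNewest = new Set([r.id]);
      } else if (r.createdAt === newest) {
        idsAtNewest.add(r.id);
      }
    }
    after = page.pageInfo.hasNextPage ? page.pageInfo.endCursor : null;
  } while (after);
  return { events, state: { lastSeen: newest, idsAtLastSeen: [...idsAtNewest] } };
}

// Constructed sample: three findings in the first run, two more (one sharing the boundary
// timestamp) before the second run.
const RECORDS = [
  { id: 'iss-1', createdAt: '2024-05-01T10:00:00Z', severity: 'HIGH' },
  { id: 'iss-2', createdAt: '2024-05-01T10:05:00Z', severity: 'MEDIUM' },
  { id: 'iss-3', createdAt: '2024-05-01T10:05:00Z', severity: 'CRITICAL' },
];

function demo() {
  const records = RECORDS.map(r => ({ ...r }));     // private copy so demo() is repeatable
  const api = makeFakeApi(records);
  const run1 = collect(api, {});
  records.push({ id: 'iss-4', createdAt: '2024-05-01T10:05:00Z', severity: 'LOW' });
  records.push({ id: 'iss-5', createdAt: '2024-05-01T10:09:00Z', severity: 'HIGH' });
  const run2 = collect(api, run1.state);
  return { run1: run1.events.map(r => r.id), run2: run2.events.map(r => r.id), finalState: run2.state };
}

console.log(JSON.stringify(demo(), null, 2));
```

The limit of timestamp-based state is a record that arrives late with a timestamp older than `lastSeen`; it will never be fetched. If the upstream API is known to backfill, query from `lastSeen` minus a fixed overlap window and keep a larger set of recently emitted ids to deduplicate against. Note also that the token request carries the client secret only in the body of a TLS-protected POST; treat the token it returns as a credential with the same care.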
Gain immediate visibility into cloud threats and reduce MTTR with the Wiz Defend and Cribl Stream integration.
Destination
The native Wiz Defend Destination in Cribl Stream uses an optimized, HEC-based webhook to reliably deliver curated security data into the Wiz Defend platform via a dedicated Cribl Stream connector. Security teams get immediate visibility into cloud threats with full context, can correlate Wiz alerts across environments, and cut mean time to respond (MTTR) while controlling storage and egress by sending only the right data to each tool.
Benefits:
Faster investigations and reduced MTTR: By processing logs in real-time, Cribl Stream accelerates delivery to Wiz Defend so teams move from hours-long investigations to minutes-level response windows. This means faster triage, threat hunting, and remediation by unifying runtime alerts, cloud risks, and enriched context into actionable views.
Enhanced security posture and visibility: Close visibility gaps in multi-cloud estates by streaming sources like CloudTrail and other cloud telemetry into Wiz Defend for continuous, context-rich monitoring. Security teams can proactively detect threats, track compliance drift, and correlate Wiz alerts with upstream signals across accounts, regions, and providers.
Flexible, scalable security operations: Route processed Wiz Defend-relevant data not only to Wiz, but to SIEM, SOAR, data lakes, or Cribl Lake and Search too, so teams can consolidate tooling without losing optionality. As cloud environments grow, this fan-out model reduces integration overhead, keeps pipelines consistent, and scales security operations without ballooning data and infrastructure costs.
This is a built-in integration between Cribl Stream and Wiz.
Configure a Wiz Defend Destination in Cribl Stream:
The Wiz Defend console will provide you with the following values that need to be entered into the Wiz Defend Configure -> General Settings menu:
Wiz Data Center (example: us1, us3, eu3, etc).
Wiz Environment.
Wiz Connector ID: a unique identifier for the specific Cribl connector in Wiz Defend (alphanumeric, in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
Wiz Defend Source Type. This must match the specific source type name in Wiz Defend that will parse the data sent from Cribl Stream.
Authentication token.
Select Save to finalize your new Wiz Defend Destination configuration.
Repeat the above for each data source you need to send to Wiz Defend. By design, each Wiz Defend Destination carries a single source type, and each Destination has its own Wiz Connector ID.
Configure your routing to send your desired data source(s) into your configured Wiz Destination(s).
Note that no tagging or modification of the original events is required before they reach the Wiz Defend Destination: the Destination embeds the configuration context above into the connection and sends events in their original raw format.
Transform how security teams handle runtime alerts, cloud risks, and compliance needs with the Wiz Webhook and Cribl Stream integration.
Source
Together, Cribl and Wiz enable you to enhance your security operations, improve data quality, and make more efficient use of your security tools. By leveraging a standard HTTP-based webhook, Stream can capture real-time alert data from Wiz, process it, and route it to your preferred destinations, whether that's a SIEM, data lake, or analytics tool.
Cribl Stream supports receiving Wiz Defend Alert data. Wiz Webhook, an HTTP-based Source, listens on a specific port, captures every HTTP request to that port, and creates a corresponding event that it pushes to its configured Event Breakers.
Benefits:
Gain immediate visibility into your cloud security: Wiz’s agentless-first approach comprehensively scans across cloud resources, identifies risks, and prioritizes them.
Shape and route your data: Use Cribl Stream to flexibly transform and route data from Wiz to multiple destinations, enhancing overall data visibility and access.
Boost operational efficiency: Optimize data routing, reduce data redundancy, and enhance the overall operational efficiency of data security management.
Comprehensive risk views: Facilitate audits and regulatory reporting by providing complete and easily accessible views of enterprise risks.
Simplify storage and compliance: Streamline the integration of compliance-focused data into long-term storage solutions to ease adherence to regulatory standards.
Read the integration blog post: https://cribl.io/blog/getting-started-with-the-wiz-webhook-source-in-cribl-stream/
This is a built-in integration between Cribl Stream and Wiz.
Configure the Wiz Webhook Source in Cribl Stream:
From within the Wiz Webhook Source, enter the port that Cribl Stream should have the webhook listen on for incoming connections from Wiz.
Create an authentication token for this webhook; Wiz must present this same token when it posts to the external Cribl Stream instance.
Configure the optional settings and, if needed, adjust the TLS, Persistent Queue, Processing and Advanced settings, or Connected Destinations.
Select Save, then Commit & Deploy.
In the Wiz UI, under Products -> Cribl -> Data Sources, provide the Cribl Stream URL and the token you created.
Verify that data is making it to Cribl Stream by viewing the Live Data feed from the Source, then configure routing to the destinations of your choosing.