Cribl puts your IT and Security data at the center of your data management strategy and provides a one-stop shop for analyzing, collecting, processing, and routing it all at any scale. Try the Cribl suite of products and start building your data engine today!
Learn more ›Evolving demands placed on IT and Security teams are driving a new architecture for how observability data is captured, curated, and queried. This new architecture provides flexibility and control while managing the costs of increasing data volumes.
Read white paper ›Cribl Stream is a vendor-agnostic observability pipeline that gives you the flexibility to collect, reduce, enrich, normalize, and route data from any source to any destination within your existing data infrastructure.
Learn more ›Cribl Edge provides an intelligent, highly scalable edge-based data collection system for logs, metrics, and application data.
Learn more ›Cribl Search turns the traditional search process on its head, allowing users to search data in place without having to collect/store first.
Learn more ›Cribl Lake is a turnkey data lake solution that takes just minutes to get up and running — no data expertise needed. Leverage open formats, unified security with rich access controls, and central access to all IT and security data.
Learn more ›The Cribl.Cloud platform gets you up and running fast without the hassle of running infrastructure.
Learn more ›Cribl.Cloud Solution Brief
The fastest and easiest way to realize the value of an observability ecosystem.
Read Solution Brief ›Cribl Copilot gets your deployments up and running in minutes, not weeks or months.
Learn more ›AppScope gives operators the visibility they need into application behavior, metrics and events with no configuration and no agent required.
Learn more ›Explore Cribl’s Solutions by Use Cases:
Explore Cribl’s Solutions by Integrations:
Explore Cribl’s Solutions by Industry:
September 25 | 10am PT / 1pm ET
Hold my beer: lessons from one team’s data pipeline journey
Register ›Try Your Own Cribl Sandbox
Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now ›Get inspired by how our customers are innovating IT, security and observability. They inspire us daily!
Read Customer Stories ›Sally Beauty Holdings
Sally Beauty Swaps LogStash and Syslog-ng with Cribl.Cloud for a Resilient Security and Observability Pipeline
Read Case Study ›Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now ›Transform data management with Cribl, the Data Engine for IT and Security
Learn More ›Cribl Corporate Overview
Cribl makes open observability a reality, giving you the freedom and flexibility to make choices instead of compromises.
Get the Guide ›Stay up to date on all things Cribl and observability.
Visit the Newsroom ›Cribl’s leadership team has built and launched category-defining products for some of the most innovative companies in the technology sector, and is supported by the world’s most elite investors.
Meet our Leaders ›Join the Cribl herd! The smartest, funniest, most passionate goats you’ll ever meet.
Learn More ›Whether you’re just getting started or scaling up, the Cribl for Startups program gives you the tools and resources your company needs to be successful at every stage.
Learn More ›Want to learn more about Cribl from our sales experts? Send us your contact information and we’ll be in touch.
Talk to an Expert ›We see unfriendly customer practices all around in the SIEM space. For example, some major SIEM vendors use an Events Per Second (EPS) license model to monetize access to their tools. Typically, these vendors will drop data above the EPS license or stop data ingestion to incentive license compliance if you run over your EPS license. These license controls disrupt operations and risk enterprise security posture, which can cause chaos. The only option for most enterprises is to drop broad categories of data, such as an entire Windows event ID, since they don’t have reasonable options for being more selective. Unfortunately, this creates the risk of missing something important.
Enterprises need options for managing their EPS license. So they can own their security observability data and take control of how they use their tools instead of the vendors being in control. Cribl Stream offers enterprises the unique ability to manage their EPS license with surgical precision to minimize risk and get the most out of their existing license. Only Stream can provide this powerful capability with minimal effort due to Stream easy-to-use UI.
It is super common for SecOps teams to be running over their SIEM EPS license. The usual reaction is to start dropping events such as Windows Security event id 4674. Most log shippers require you to drop the entire event from all servers with limited selective options or make changes to the endpoint OS with either method involving touching every endpoint. This is added risk and effort since they lose visibility to the entire event id. What if it makes sense to keep event id 4674, but only for certain users? SecOps teams have minimal options.
Let’s turn this idea around and consider event id 4624. This is a critical id, but when you need to drop events, you look everywhere. Event id 4624 comprises ten login types with different security values depending on your use case.
2. Interactive (logon at keyboard and screen of system)
3. Network (i.e. connection to a shared folder on this computer from elsewhere on the network)
4. Batch (i.e., scheduled task)
5. Service (Service startup)
7. Unlock (i.e., unattended workstation with password-protected screen saver)
8. NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with “basic authentication”)
9. NewCredentials such as RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials, see event id 4648. MS says, “A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.”
10. RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11. CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
What if you work in an enterprise where inbound file sharing is disabled? You do not need Logon Type 3. Stream makes it easy to drop only Logon Type 3 event ids and nothing else.
These fields will give you the foundation to build a filter only to drop these events.
Add the Drop function to your pipeline to tell Stream which events to drop using the below filter.
index=='endpoint' && source=='WinEventLog:Security' && __eventCode=='4624' && __logon_Type=='3'
Apply this pipeline to your windows sources to start dropping only these events from your event stream. It is that simple to control your events and manage your EPS license.
Stream enables SecOps teams to pick and choose each event it sends to its Security tools to get the most value and take the least risk. The Stream UI makes this quick and easy work to free up the SecOps teams for business value-focused work. Cribl Stream enables value and improves enterprise security posture.
Try Cribl’s free, hosted Stream Sandbox. I’d love to hear your feedback; after you run through the sandbox, connect with me on LinkedIn, or join our community Slack and let’s talk about your experience!
The fastest way to get started with Cribl Stream is to sign-up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign-up and start using Stream within a few minutes.
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.
Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari
Got one of those handy?