Cribl has announced enhanced integration with AWS Security Hub, introducing support for the Open Cybersecurity Schema Framework (OCSF). This capability within Cribl Stream allows security teams to collect and transform disparate security findings into a standardized OCSF format, accelerating threat correlation and incident response by enabling unified search across AWS Security Hub data and other telemetry sources.
Cribl enhances its AWS Security Hub integration with support for the Open Cybersecurity Schema Framework (OCSF).
Cribl Stream can now transform third-party findings into OCSF v1.6 with AWS-specific context.
Security Hub events can be viewed and queried directly within Cribl Search alongside other security data.
The integration aims to accelerate incident correlation by standardizing data from multiple sources.
Cribl Copilot Editor uses AI to recommend optimal OCSF mappings, reducing manual pipeline work.
Findings can be stored in Cribl Lake for long-term retention and historical analysis.
A core challenge in security operations is correlating alerts from different tools that use disparate data formats. Cribl's enhanced integration addresses this by allowing Cribl Stream to convert security findings into the OCSF standard, version 1.6, while preserving AWS-specific resource details. This standardized format facilitates aggregated analysis and faster correlation across various telemetry systems, providing a unified foundation for investigation.
The integration enables security professionals to view AWS Security Hub findings directly within Cribl Search. This creates a centralized view, allowing teams to analyze Security Hub events alongside data from other sources without switching consoles. It also supports real-time observation by enabling the correlation of Security Hub findings with other AWS logs, such as CloudTrail events, as they are ingested via Amazon EventBridge.
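As an added illustration of the normalization step described above (this is example code written for this page, not Cribl Stream's own pipeline or mapping), the block below takes the EventBridge envelope that Security Hub emits for imported findings ("Security Hub Findings - Imported", with ASFF findings under detail.findings) and maps each finding into a record shaped like OCSF's Detection Finding class, keeping the AWS account, region and resource identifiers so that AWS-specific context survives normalization. The OCSF attribute names used (class_uid 2004, severity_id, cloud, finding_info, resources, metadata) are the ones the author knows from the OCSF schema; the exact attribute set in v1.6 is not on the page, so treat the field selection as an approximation, and the sample event is constructed, not a real finding.

```python
"""Map ASFF findings from an EventBridge event to OCSF-style Detection Finding records.
Illustrative example only; not Cribl's code and not a complete OCSF v1.6 implementation."""
import json
from datetime import datetime, timezone

# ASFF severity labels -> OCSF severity_id (0 = Unknown, 1 = Informational ... 5 = Critical)
SEVERITY_MAP = {
    "INFORMATIONAL": 1,
    "LOW": 2,
    "MEDIUM": 3,
    "HIGH": 4,
    "CRITICAL": 5,
}


def _to_epoch_ms(iso_ts):
    """ASFF timestamps are ISO 8601 with a trailing 'Z'; OCSF 'time' is epoch milliseconds."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return int(dt.timestamp() * 1000)


def asff_to_ocsf(finding):
    """Normalize one ASFF finding into a Detection Finding shaped dict (assumed field subset)."""
    severity_label = finding.get("Severity", {}).get("Label", "")
    severity_id = SEVERITY_MAP.get(severity_label.upper(), 0)  # unknown labels map to 0
    # Preserve the AWS resource details rather than flattening them away
    resources = [
        {"type": r.get("Type"), "uid": r.get("Id"), "region": r.get("Region")}
        for r in finding.get("Resources", [])
    ]
    return {
        "class_uid": 2004,          # Detection Finding
        "category_uid": 2,          # Findings
        "activity_id": 1,           # Create
        "severity_id": severity_id,
        "time": _to_epoch_ms(finding["UpdatedAt"]),
        "cloud": {                  # AWS-specific context retained here
            "provider": "AWS",
            "account": {"uid": finding.get("AwsAccountId")},
            "region": finding.get("Region"),
        },
        "finding_info": {
            "uid": finding["Id"],
            "title": finding.get("Title"),
            "desc": finding.get("Description"),
            "types": finding.get("Types", []),
        },
        "resources": resources,
        "metadata": {
            "product": {"name": "AWS Security Hub", "vendor_name": "AWS"},
            "original_time": finding.get("CreatedAt"),
        },
        # Source fields with no obvious OCSF home are kept so nothing is lost
        "unmapped": {"ProductArn": finding.get("ProductArn")},
    }


def normalize_eventbridge_event(event):
    """Return one OCSF-style record per finding in a Security Hub EventBridge event."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []  # ignore unrelated EventBridge events
    return [asff_to_ocsf(f) for f in event.get("detail", {}).get("findings", [])]


# Constructed sample event (shape follows the EventBridge envelope; values are made up)
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "region": "us-east-1",
    "detail": {
        "findings": [
            {
                "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding-001",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
                "AwsAccountId": "111122223333",
                "Region": "us-east-1",
                "Title": "Example: S3 bucket allows public read access",
                "Description": "Constructed sample finding for illustration.",
                "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
                "Severity": {"Label": "HIGH"},
                "CreatedAt": "2024-01-15T10:22:33.456Z",
                "UpdatedAt": "2024-01-15T11:00:00.000Z",
                "Resources": [
                    {"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket", "Region": "us-east-1"}
                ],
            }
        ]
    },
}

if __name__ == "__main__":
    print(json.dumps(normalize_eventbridge_event(SAMPLE_EVENT), indent=2))
```

The design point worth noticing is the split between mapped and unmapped data: severity and timestamps are converted to the OCSF representation so that findings from different tools sort and filter consistently, while account, region and resource identifiers are carried in the cloud and resources attributes and anything without a clear target stays in unmapped, so the normalized record can still be traced back to the original Security Hub finding during an investigation.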
To reduce the manual effort of data transformation, Cribl's Copilot Editor uses AI to recommend optimal mappings to the OCSF standard. This assists security operators in writing and debugging data pipelines more efficiently, streamlining the process of normalizing security data for analysis and long-term storage in destinations like Cribl Lake.
By breaking down data silos and providing a standardized, searchable repository, the enhanced capability is designed to significantly reduce the time to resolve incidents. Security teams can more easily correlate past incidents stored in Cribl Lake with real-time Security Hub findings, improving the speed and precision of threat investigation. “Security professionals can quickly correlate past incidents with real-time events,” said Abby Strong, Chief Market and Customer Officer at Cribl.
This update strengthens Cribl's role as a data engine for security, providing the plumbing needed to normalize, route, and analyze security telemetry at scale, thereby helping organizations achieve faster and more effective threat response.
About Cribl
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy for the AI era. Customers use Cribl’s vendor-agnostic solutions to analyze, collect, process, and route all IT and security data from any source to any destination, delivering the choice, control, and flexibility required to adapt to their ever-changing needs. Cribl’s AI-powered product suite, which is used by Fortune 1000 companies globally, is purpose-built for IT and Security, including Cribl Stream, the industry’s leading observability pipeline; Cribl Edge, an intelligent vendor-neutral agent; Cribl Search, the industry’s first search-in-place solution; and Cribl Lake and Lakehouse, turnkey open-format storage solutions designed for telemetry volume and variety. Founded in 2018, Cribl is a remote-first workforce with an office in San Francisco, CA.