Client Overview
The client is a prominent British bank. They have been using Splunk as their SIEM (Security Information and Event Management) solution, supported by a third-party Security Operations Centre (SOC). Their Splunk deployment integrates data from diverse sources such as firewalls, audit logs, VPN logs, ServiceNow, and device logs, primarily for generating stakeholder reports and addressing detective use cases like blocked IP detection. Our client decided to migrate from Splunk to Sentinel; here is how they approached it.
Migration Strategy
The transition is structured around a phased, risk-managed approach:
- Development Environment Setup:
  - Simulate data migration into a development environment.
  - Retain Splunk for production use while simultaneously testing Sentinel and Cribl.
- Sample Data Testing:
  - Forward sample data from Splunk to Sentinel via Cribl to validate use case translations and infrastructure compatibility.
- Dual Live Running:
  - After development testing, a dual-forwarding setup will allow Splunk and Sentinel to operate in parallel for a limited period.
  - This ensures stability and continuity while minimising risks during the transition.
- Full Production Rollout:
  - Once testing is complete, Sentinel will replace Splunk as the primary SIEM, supported by optimised data pipelines through Cribl.
Role of Data Pipelines in Transition
The migration leverages advanced data pipelining techniques to streamline and optimise the transition:
- Cribl Integration: Cribl is used extensively to manage and transform data before ingestion into Sentinel, ensuring efficiency and compliance.
- Sample Logs: Extract, parse, and map data to Sentinel's schemas (the Advanced Security Information Model, ASIM, and CommonSecurityLog).
- Pipeline Creation: Establish two pipelines for data processing:
  - Full-Fidelity Pipeline: Forward raw logs to an S3 bucket or data lake for compliance and replay purposes.
  - Processed Pipeline: Transform, tag, and map logs for Sentinel ingestion, discarding unnecessary data to reduce storage costs.
Specific Use of Cribl Products
- Cribl Edge: Used on certain data sources to forward raw logs into Cribl Stream.
- Cribl Stream: The primary tool in this engagement, Stream performs pre- and post-processing on data, including:
  - Parsing and mapping logs to Sentinel-specific schemas.
  - Forwarding full-fidelity logs to an S3 bucket/data lake.
  - Reducing data volume sent to Sentinel by dropping unnecessary logs and applying transformations.
  - Maintaining separate pipelines for raw and processed data to ensure flexibility and compliance.
- Replay Functionality: The only scenario where data from the lake or bucket is pulled involves Cribl's "replay" feature, allowing retrieval of full-fidelity logs for further analysis if required.
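The two-pipeline split described above (full-fidelity copy to the lake, processed copy to Sentinel) and the replay path, as an added Python example that is not the client's or Cribl's configuration: it parses constructed CEF firewall events, maps them onto CommonSecurityLog column names, applies an assumed drop rule that never discards denied traffic (the blocked-IP detections depend on it), and shows replay recovering an event the processed path dropped. The EXT_TO_CSL mapping, the severity threshold and the pipeline tag value are assumptions.

```python
import re

# Constructed sample firewall events in CEF format (not from the client's environment).
RAW_EVENTS = [
    "CEF:0|ExampleFW|NGFW|1.0|100|Traffic allowed|3|src=10.0.0.5 dst=93.184.216.34 dpt=443 proto=TCP act=Allow",
    "CEF:0|ExampleFW|NGFW|1.0|200|Traffic blocked|7|src=198.51.100.7 dst=10.0.0.20 dpt=22 proto=TCP act=Deny",
    "CEF:0|ExampleFW|NGFW|1.0|100|Traffic allowed|1|src=10.0.0.9 dst=10.0.0.1 dpt=53 proto=UDP act=Allow",
]

# CEF extension key -> CommonSecurityLog column, as the Sentinel CEF connector maps them.
EXT_TO_CSL = {"src": "SourceIP", "dst": "DestinationIP", "dpt": "DestinationPort",
              "proto": "Protocol", "act": "DeviceAction"}

def parse_cef(line: str) -> dict:
    """Map one CEF record onto CommonSecurityLog column names."""
    parts = line.split("|", 7)  # 7 pipe-delimited header fields, then the extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    event = {"DeviceVendor": parts[1], "DeviceProduct": parts[2], "DeviceVersion": parts[3],
             "DeviceEventClassID": parts[4], "Activity": parts[5], "LogSeverity": parts[6]}
    # Extension values in this sample contain no spaces, so a simple regex suffices.
    for key, value in re.findall(r"(\w+)=(\S+)", parts[7]):
        if key in EXT_TO_CSL:
            event[EXT_TO_CSL[key]] = int(value) if key == "dpt" else value
    return event

def keep_for_sentinel(event: dict) -> bool:
    """Assumed volume-reduction rule (not the client's): denied traffic always reaches
    Sentinel because the blocked-IP detections depend on it; allowed traffic is
    forwarded only at severity 3 or higher."""
    if event.get("DeviceAction") == "Deny":
        return True
    return int(event["LogSeverity"]) >= 3

def run_pipelines(raw_lines: list[str]) -> tuple[list[str], list[dict]]:
    """Full-fidelity path keeps every raw line; processed path parses, tags and filters."""
    full_fidelity = []  # stand-in for the S3 bucket / data lake sink
    processed = []      # stand-in for the Sentinel CommonSecurityLog sink
    for line in raw_lines:
        full_fidelity.append(line)  # unmodified, and written before any drop decision
        event = parse_cef(line)
        if keep_for_sentinel(event):
            event["AdditionalExtensions"] = "pipeline=processed"  # hypothetical tag value
            processed.append(event)
    return full_fidelity, processed

def replay(full_fidelity: list[str], source_ip: str) -> list[dict]:
    """Replay: re-parse raw events from the lake for one source IP, including those the
    processed pipeline dropped, so the full record is still available for analysis."""
    return [e for e in map(parse_cef, full_fidelity) if e.get("SourceIP") == source_ip]
```

The third sample event (severity 1, allowed) never reaches the processed sink but is still recoverable through replay, which is the property the full-fidelity pipeline exists to guarantee.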
Outcome and Benefits
By transitioning to Microsoft Sentinel and optimising their data pipelines with Cribl, the client expects to achieve:
- Improved Compliance: Retention of full-fidelity data in a compliant storage format ensures regulatory requirements are met.
- Operational Efficiency: In-house familiarity with Sentinel, combined with streamlined data pipelines, reduces reliance on third-party contractors.
- Scalability: A future-proofed SIEM setup capable of handling growing data volumes without prohibitive cost increases.
Conclusion
This case study shows how a strategic migration from Splunk to Sentinel, enhanced by Cribl's data processing capabilities, improves operational efficiency. For this British bank, the transition marks a crucial step towards modernising its security infrastructure while meeting business and regulatory needs.