We’re thrilled to announce our partnership with Cribl to make it much easier to snapshot, transform, and query Push telemetry using Cribl’s data management solutions.
In the midst of an identity security investigation when every minute counts, there are few sentences more painful to say than:
“We didn’t snapshot that data, so we didn’t have the right time period.”
“We didn’t send those logs to the SIEM, so we couldn’t do the correlation we needed to rule out [bad thing].”
“We didn’t have any user behavior telemetry in the browser, so we didn’t know if they entered their password on the phishing page or not.”
“We had no way of determining what other accounts they were using that compromised password on.”
Security teams use Push and Cribl so they never have to utter those words. So we’re especially thrilled to announce our partnership with Cribl to make it much easier to snapshot, transform, and query Push telemetry using Cribl’s data management solutions.
Push uses a browser agent deployed across all your workforce browsers to do real-time detection and response for identity-based attacks like credential phishing, account takeover, and session token theft.
As the Push browser agent learns your environment, it also automatically inventories all the apps that your employees log in to, their authentication methods and MFA usage, and the security posture of their accounts. We call this an organization’s identity attack surface because it represents the risks posed by insecure accounts and apps — even the ones you didn’t know about — that are increasingly targeted by attackers.
From this unique vantage point in the browser, Push can block identity attacks like credential phishing while also generating telemetry that security teams rely on for knowing what happened during an incident, such as what the user saw and did, and how big the blast radius is in terms of other compromised accounts.
By integrating with Cribl, Push customers can now:
Quickly ingest and transform Push data into Cribl in order to route it to their SIEM, SOAR, or other third-party system — without overwhelming their pipeline or running up costs on log volume.
Get immediate insights into identity security threats and posture across their environment by using Cribl’s out-of-the-box dashboards for Push telemetry.
Easily create a snapshot of Push data to allow for historical comparisons and queries.
Correlate Push data with other log sources such as their EDR and identity provider to get a fuller picture of identity security risks and incidents.
Hunt across their data for risky user behaviors like suspicious login methods, signs of credential phishing or stolen sessions, and credential reuse.
Here’s a closer look at what we built together and how you can use it.
Tooling built by the teams that actually use it
The truth is, we selfishly had the idea to build this integration because we use Cribl at Push — and they use Push at Cribl.
As mutual users (and fans!) of each other’s products, our security teams had firsthand experience with the use cases, data, and possibilities that combining our capabilities presented.
“Our team had been using Push for a while, and I was already a big fan of their approach,” explains Alex Crusco, staff security engineer at Cribl. “So when we decided to build out-of-the-box security packs in Cribl, they were the first partner that came to mind. Identity is a top attack vector, and defending it isn’t easy. The combined power of Cribl and Push gives security teams the clarity and control to turn identity from a blind spot into a defensible asset.”
So here’s what we built:
Cribl Stream pack for Push
Using the Cribl Stream pack for Push, you get a preconfigured parser for individual Push events that automatically cleans and formats them for your exact use case so you can query the data directly in Cribl or route it somewhere else.
By sending Push data to Cribl, you can enable your security team to:
Ingest and normalize telemetry on the employees, accounts, browsers, security findings, and detections observed by Push across your environment.
Route specific alerts and events to your SIEM or other tool.
Enrich Push data with other sources to expand the context for understanding events, or look for wider patterns.
Push logs are pretty lightweight out of the box, but the Stream pack streamlines them further. By transforming or dropping some of the event fields (such as event headers), you can reduce your event size by 50%. This gives security teams the flexibility to save on costs when sending events to systems that charge by log volume, while still landing the data they need where they need it.
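To make the field-dropping idea concrete, here is an added illustration (not the Stream pack's own code, and not the real Push event schema): a constructed Push-style webhook event with a verbose headers block, a transform that strips the named top-level fields, and a helper that measures how much smaller the serialized event becomes. All field names, the sample values and the drop list are assumptions for this example.

```python
import json

# Constructed Push-style event for illustration only. The real Push event
# schema and the Stream pack's exact drop list are not shown on the page,
# so every field name and value here is an assumption.
SAMPLE_EVENT = {
    "id": "evt-0001",
    "version": "1",
    "object": "LOGIN",
    "timestamp": 1717000000,
    "headers": {
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
        "x-request-id": "00000000-0000-4000-8000-000000000000",
        "content-type": "application/json",
        "x-forwarded-for": "203.0.113.10",  # RFC 5737 documentation address
    },
    "new": {
        "employee": {"email": "alice@example.com"},
        "app": "EXAMPLE_APP",
        "loginType": "PASSWORD",
    },
}

# Assumed drop list: transport headers and the schema version carry no
# investigative value once the event has been parsed.
DROP_FIELDS = ("headers", "version")


def slim_event(event, drop=DROP_FIELDS):
    """Return a shallow copy of the event with the named top-level fields removed."""
    return {key: value for key, value in event.items() if key not in drop}


def serialized_size(event):
    """Byte length of the compact JSON form, i.e. what a volume-priced sink would count."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def reduction_ratio(event, drop=DROP_FIELDS):
    """Fraction of bytes saved by dropping the listed fields (0.0 .. 1.0)."""
    before = serialized_size(event)
    after = serialized_size(slim_event(event, drop))
    return 1 - after / before


if __name__ == "__main__":
    print(f"before: {serialized_size(SAMPLE_EVENT)} bytes")
    print(f"after:  {serialized_size(slim_event(SAMPLE_EVENT))} bytes")
    print(f"saved:  {reduction_ratio(SAMPLE_EVENT):.0%}")
```

The investigative fields (who, which app, which login type, when) survive untouched; only transport metadata is removed, which is the kind of trade-off you want to review before routing events to a volume-priced SIEM.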
You can get the Cribl Stream pack for Push via the Cribl Dispensary.
Cribl Search pack for Push
The other half of the equation is the Cribl Search pack for Push. Once you’ve got your Push data into Cribl, you can use it to populate pre-built dashboards provided by the Search pack.
Using the Cribl Search pack dashboards, you can:
Monitor the state of your Push Security deployment and identify any gaps in browser extension coverage.
Get a snapshot of security issues such as suspicious or unapproved login methods (e.g. local password logins on SSO apps); credential reuse; or signs of adversary-in-the-middle phishing incidents or stolen sessions.
Deep dive into behavior data for a specific employee, to assist threat hunters and analysts with investigations or incident response.
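The following added example shows, in plain Python rather than the Search pack's dashboards, the shape of two of the hunts listed above: flagging local password logins on apps that should only be reached through SSO, and spotting credential reuse across apps by comparing password fingerprints. The records, the app list and every field name (including `password_fingerprint`, standing in for a salted fingerprint a browser agent would compute, never the password itself) are constructed assumptions for this illustration and are not the Push event schema.

```python
from collections import defaultdict

# Constructed login records for illustration; field names are assumptions.
LOGINS = [
    {"employee": "alice@example.com", "app": "SSO_APP_A", "login_type": "PASSWORD", "password_fingerprint": "fp-1"},
    {"employee": "alice@example.com", "app": "SSO_APP_A", "login_type": "OIDC", "password_fingerprint": None},
    {"employee": "alice@example.com", "app": "LEGACY_APP", "login_type": "PASSWORD", "password_fingerprint": "fp-1"},
    {"employee": "bob@example.com", "app": "LEGACY_APP", "login_type": "PASSWORD", "password_fingerprint": "fp-2"},
    {"employee": "bob@example.com", "app": "SAAS_APP", "login_type": "PASSWORD", "password_fingerprint": "fp-3"},
    {"employee": "carol@example.com", "app": "SSO_APP_B", "login_type": "PASSWORD", "password_fingerprint": "fp-4"},
]

# Assumed policy: these apps are meant to be reached only via the identity provider.
SSO_APPS = {"SSO_APP_A", "SSO_APP_B"}


def unapproved_password_logins(logins, sso_apps):
    """Local password logins to apps that should only accept SSO."""
    return [e for e in logins if e["app"] in sso_apps and e["login_type"] == "PASSWORD"]


def credential_reuse(logins):
    """Map (employee, fingerprint) -> sorted apps where the same password was used,
    keeping only fingerprints seen on more than one app."""
    seen = defaultdict(set)
    for e in logins:
        fingerprint = e.get("password_fingerprint")
        if e["login_type"] == "PASSWORD" and fingerprint:
            seen[(e["employee"], fingerprint)].add(e["app"])
    return {key: sorted(apps) for key, apps in seen.items() if len(apps) > 1}


def blast_radius(logins, employee, fingerprint):
    """Apps where one employee used a given (now assumed compromised) password."""
    return sorted({
        e["app"] for e in logins
        if e["employee"] == employee and e.get("password_fingerprint") == fingerprint
    })


if __name__ == "__main__":
    for hit in unapproved_password_logins(LOGINS, SSO_APPS):
        print(f"password login on SSO app: {hit['employee']} -> {hit['app']}")
    for (employee, fingerprint), apps in credential_reuse(LOGINS).items():
        print(f"credential reuse: {employee} used {fingerprint} on {apps}")
    print("blast radius for alice/fp-1:", blast_radius(LOGINS, "alice@example.com", "fp-1"))
```

`blast_radius` is the query an analyst reaches for after a phishing incident: given the fingerprint of the password that was entered on the phishing page, it lists every other app where the same employee used it, which is the list of accounts that need a password rotation and session review.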
With the Search pack, you can also take a daily snapshot of your Push data to see trends across time when searching, or to conduct historical investigations.
You can get the Cribl Search pack for Push via the Cribl Dispensary.
Get started
To get started, you’ll need to be using both Cribl and Push.
To get started using the Stream pack, you’ll need to configure a Stream source to receive data over HTTPS, create a webhook in the Push admin console that points to that Cribl Stream source, and then download and install the Cribl Stream pack for Push. Follow the instructions in the Stream pack description for guidance.
To get started using the Search pack, you’ll also need to set up the Push REST collectors in Cribl Stream to ingest your Push data. Then import the Search pack into your Cribl instance. Follow the instructions in the Search pack description for guidance.
Not yet a user of Push, but want to learn more about how our data enables detection, response, and security investigations? Book a demo with our team to chat.