Cribl v4.18

What's New in Version 4.18?

Cribl 4.18 is about AI improvements: using your own AI, using our AI, monitoring AI. Cribl is the AI platform for telemetry, after all. For more complete release notes, check out the specific product release notes: Cribl Stream, Cribl Edge, Cribl Search, and Cribl Lake on our fantastic docs site. Below are a few highlights from the release.

Cribl.Cloud

BYO Model Improvements

  • Model Selection by Capability Tier: Customers can now choose which of their models to use for Cribl AI capabilities across three tiers: small, frontier, and reasoning. Capabilities are mapped to each tier based on the level of processing complexity, context length, and accuracy they require, with those mappings clearly defined in both product and documentation.
  • Additional Providers: Cribl AI BYOM now includes LiteLLM and OpenAI Retail.

Cribl Stream

Cribl Guard Enhancements

4.18 adds new model options for background detection in Cribl Guard, giving customers flexibility to choose between speed and depth. Teams can select from a balanced default model (cribl-privacy-2.0), a lightweight speed-optimized model (cribl-privacy-2.0-nano), or a more thorough, higher-compute model (cribl-privacy-2.0-pro), depending on their environment and priorities.

We're also adding a user-invoked agent to the Guard Findings page. With one click, it analyzes grouped detections and presents each detection group with context, a recommended action (ignore, create a new Guard rule, or use an existing rule), and a brief explanation of why the agent suggested it. This allows users to quickly review and act in place without jumping across product pages/features. Future phases are planned to add scheduled and always-on workflows.

Persistent Queue (PQ) to S3

When downstream systems fail or clusters scale up and down, PQ can land data durably in object storage and drain it back as capacity returns. Persistent Queue (PQ) is expanding so Kubernetes deployments can write queued data to a central S3 bucket instead of keeping everything on local disks.

New Sources

The following sources now have native support (tiles) in Stream:

  • OpenAI Compliance: enabling ingest of OpenAI’s compliance API data (including prompts, responses, and related metadata) directly into Stream.
  • ServiceNow: based on the ServiceNow Table API, the same API ServiceNow uses internally. This collector‑based source can access tens of thousands of ServiceNow tables, making incident, change, CMDB, and custom app data available as streaming telemetry in Cribl.
  • Anthropic Compliance: enabling ingest of Anthropic’s Compliance API data (including prompts, responses, tools, and rich usage metadata) directly into Cribl Stream.

Cribl Edge

Apple Unified Log Source

Cribl Edge is adding an Apple Unified Log source so teams can collect Mac‑specific logs stored in Apple’s proprietary unified logging format. The initial release lets users specify the filters they need to pull targeted slices of unified log data into Cribl. Orgs with sizable Mac fleets can bring unified logs into the same pipelines as their Windows and Linux telemetry. It closes a competitive gap that has been blocking migrations from legacy agents, gives security and IT teams better visibility into macOS events, and sets the stage for future UX refinements on top of this foundation.


(AI) External Context Providers Integration

External Context Providers (MCP) plugs Investigations into a broad ecosystem of third-party tools (beyond Jira / Bitbucket / FireHydrant) via Model Context Protocol, so investigations can automatically pull live human and ticket context alongside telemetry.

(AI) Dataset Intelligence for Investigator

Dataset Intelligence automatically generates and maintains rich, AI-ready profiles for each dataset (both Lakehouse and federated), then exposes those profiles to Investigator so it “knows” what a dataset contains, how it’s used, and how it relates to others before it starts querying.


Cribl Lake

BYOS for Azure

Bring Your Own Storage (BYOS) for Azure enables Cribl Lake to connect directly to your Blob Storage, allowing you to easily create datasets and write them to Stream, and to instantly search them with Cribl Search. This delivers a fully integrated, search-in-place experience, without needing to move or duplicate data.

For those of you keeping track at home, this means Cribl Lake BYOS now supports AWS S3 and Azure Blob Storage.


A lot of these new features deal with LLMs and their use in your telemetry workflows. I can't easily show you BYOM or external context investigations or Guard enhancements. So I guess let's ogle a few new Source tiles and head out.