Public production architecture teardown
Yale New Haven Health — SIEM modernization with Cribl + Sentinel
A major US health system hit its Splunk license ceiling when a Palo Alto software update added 63 fields to every firewall log, pushing daily ingest from 400 GB to 600–700 GB. Working with the partner Security Risk Advisors, the security team moved to Microsoft Sentinel as the SIEM and Azure Data Explorer as the data lake, with Cribl Stream already sitting in front as the pipeline tier. The healthcare-specific lesson is that the pipeline layer, not the SIEM, is where a regulated provider regains control of log economics.
The reduction in Palo Alto firewall log volume was enough to bring daily ingest back under the 400 GB/day license, down from 600–700 GB, with a reported 40% cut in SIEM spend. The new SIEM and data lake stood up in about two weeks because Cribl Stream was already in place; leaving Splunk meant only repointing its outputs. These are vendor-published customer figures (Cribl customer story / Microsoft Ignite 2025), named and on the record, not independently reproduced.
The pipeline
- Sources. ~30,000 endpoints: hospital endpoints, Palo Alto firewalls, and diverse healthcare log sources.
- Route. Cribl Stream: collection, normalization, and filtering; forwards only high-value logs.
- SIEM. Microsoft Sentinel: detection + analyst tier; replaced Splunk in ~2 weeks by repointing Cribl outputs.
- Lake. Azure Data Explorer (ADX): lower-cost retention tier for full-fidelity logs alongside Sentinel.
- Serve. Health-system SOC: detection + investigation; migration run with partner Security Risk Advisors.
What composes, what’s brittle
- 40% log cut. Palo Alto firewall volume reduced by forwarding only high-value, filtered logs — back under the 400 GB/day cap from 600–700.
- What triggered it. A Palo Alto update added 63 fields per firewall log; a 30–45% volume jump blew the Splunk license. The trigger was schema bloat, not more traffic.
- Two-week cutover. Cribl Stream already sat in front of Splunk, so switching SIEMs meant repointing outputs — Sentinel + ADX came up in ~2 weeks.
- Pipeline is the control point. Log-cost control was regained at the pipeline tier (Cribl), not by changing SIEM vendors — the SIEM swap rode on top of it.
- Healthcare relevance. A named US health system across ~30,000 endpoints — the only public healthcare SOC-telemetry case in this catalog.
- What's vendor-reported. Figures are Cribl/Microsoft-published with the customer named; treat the architecture as durable, the 40% multipliers as the vendor's and customer's own.
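To make the "pipeline is the control point" claim concrete, here is an added Python model (not Cribl configuration and not the health system's actual rules) of the two decisions the pipeline tier makes in front of the SIEM: trimming vendor fields the analyst tier does not pivot on, and sending low-value allowed traffic to the lake only while the lake keeps full fidelity. The field names, the records and the 63-field padding are constructed for illustration and are not the PAN-OS schema; the reduction it reports is for those constructed records, not the 40% figure above.

```python
"""Toy model of the pipeline-tier split above: trim fields the SIEM does not
need and send low-value events to the lake only. Added illustration; the
field names and records are constructed, not the PAN-OS schema."""
import json

# Fields analysts pivot on; anything else reaches only the full-fidelity lake.
SIEM_FIELDS = {"ts", "src", "dst", "dport", "action", "rule", "app", "bytes"}

def is_high_value(rec):
    """Allowed traffic that never crosses a zone boundary is lake-only."""
    return not (rec.get("action") == "allow"
                and rec.get("src_zone") == rec.get("dst_zone"))

def route(rec):
    """Return (siem_copy or None, lake_copy); the lake keeps full fidelity."""
    siem = ({k: v for k, v in rec.items() if k in SIEM_FIELDS}
            if is_high_value(rec) else None)
    return siem, rec

def size(rec):
    """Wire size in bytes of one event serialised as compact JSON."""
    return len(json.dumps(rec, separators=(",", ":")).encode())

def run(records):
    """Route every record and report raw, SIEM and lake byte volumes."""
    raw = siem = lake = siem_events = 0
    for rec in records:
        s, full = route(rec)
        raw += size(rec)
        lake += size(full)
        if s is not None:
            siem += size(s)
            siem_events += 1
    return {"raw": raw, "siem": siem, "lake": lake, "siem_events": siem_events,
            "siem_reduction_pct": round(100 * (1 - siem / raw), 1)}

def sample():
    """Constructed firewall events, each padded with 63 extra vendor fields."""
    base = {"ts": "2025-01-01T00:00:00Z", "src": "10.0.1.5", "dst": "10.0.2.9",
            "dport": 443, "action": "allow", "rule": "allow-web", "app": "ssl",
            "bytes": 1200, "src_zone": "trust", "dst_zone": "trust"}
    bloat = {f"vendor_field_{i}": "n/a" for i in range(63)}
    return [dict(base, **bloat),                              # allow, trust->trust
            dict(base, **bloat, dst="10.0.3.4"),              # allow, trust->trust
            dict(base, **bloat, dst_zone="dmz"),              # allow, crosses zones
            dict(base, **bloat, action="deny", dst_zone="untrust")]  # denied

if __name__ == "__main__":
    print(json.dumps(run(sample()), indent=1))
```

Only the cross-zone and denied events reach the SIEM, and they arrive stripped of the padding; the lake receives every byte, which is what keeps investigations whole while the SIEM bill shrinks.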
Sources: Cribl customer story, "Yale New Haven Health Reduced SIEM Spend by 40% with Cribl" (cribl.io/customers/yale-new-haven-health) · Microsoft Ignite 2025 session THRSP885, "How Yale New Haven Health modernized security with Sentinel and Cribl" · Security Risk Advisors (SRA), migration partner.