AppOmni and Cribl Team Up to Counter SaaS Supply Chain Attacks
AppOmni and Cribl yesterday announced a new integration designed to help enterprises defend against SaaS-focused supply chain attacks like those attributed to threat groups UNC6395 and UNC6040. These campaigns have exploited OAuth approvals, app integrations, and trusted tokens to exfiltrate data and move laterally across Software-as-a-Service ecosystems.
"Cribl Cloud paired with AppOmni's valuable SaaS telemetry data helps strengthen an organization's security posture and incident response capabilities," said AppOmni exec Vivek Kumar in a Sept. 22 post. "Leveraging Cribl Lake as a destination for this data allows for a comprehensive historical record of security events. Cribl Search empowers incident responders with fast, federated queries across Cribl Lake, data lakes, REST APIs, popular databases, and SIEMs, enabling rapid investigation without data movement. It unifies diverse data sources into a single search workflow for faster, more effective response."
Closing Gaps in SaaS Security
According to AppOmni, traditional defenses often fail to address the risks introduced by SaaS complexity. Its platform inventories connected applications, governs OAuth permissions, and analyzes behavior patterns to spot anomalies such as mass downloads or suspicious token use. Cribl adds data processing and routing capabilities, enabling security telemetry to be optimized and delivered to SIEMs, data lakes, and other analytics platforms without vendor lock-in.
Figure: Cribl Cloud Paired with AppOmni (source: AppOmni/Cribl).
Unified Data for Faster Response
AppOmni's SaaS telemetry combined with Cribl Lake and Cribl Search gives incident responders federated access to diverse data sources, including APIs and SIEMs, without data movement. This allows for faster detection and investigation of attacks. The companies said their joint solution not only enhances response but also simplifies compliance through long-term searchable storage of security activities.
Use Cases Highlighted
The companies provided this list of benefits:
- Forensic analysis: In the event of an incident, security teams can leverage this rich dataset to conduct thorough forensic investigations, understanding the scope and impact of the breach.
- Compliance and auditing: Long-term storage in Cribl Lake helps organizations simplify compliance audits by providing a searchable trail of security activities.
- Incident triage: Quickly identifying the origin and progression of an attack.
- Threat hunting: Proactively searching for signs of advanced threats that might have evaded initial detection.
- Root cause analysis: Understanding the underlying vulnerabilities that led to a breach, enabling more effective future prevention.
"Use Cribl and AppOmni to optimize your observability pipeline by ensuring the right data gets to the right destination in the right format," says a solution brief. "Cribl lets you choose where to send AppOmni events and alerts, providing full control over what fields to keep, which events to drop, and which logs to enrich with additional context."
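To make the two ideas in this article concrete (the behavior analytics mentioned under "Closing Gaps in SaaS Security", which spots anomalies such as mass downloads or suspicious token use, and the field-keep / event-drop / enrich decisions the solution brief describes), here is an added example written for this page. It is not AppOmni's or Cribl's code, and the audit-event schema, field names, IP addresses, user names, OAuth client names and the `USER_DEPT` lookup are all constructed for illustration. It learns which IP addresses each user/OAuth-client pair normally uses from a historical sample, then flags a burst of downloads inside a sliding window and a known token acting from a never-seen address, and finally shapes the events for forwarding.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical SaaS audit-log schema
# (not AppOmni's or Cribl's real field names). "ts" is UTC ISO-8601.
BASELINE_EVENTS = [  # historical activity: which IPs each (user, OAuth client) normally uses
    {"ts": "2025-09-15T09:00:00Z", "user": "alice", "client": "crm-sync", "ip": "203.0.113.10", "action": "read"},
    {"ts": "2025-09-16T09:05:00Z", "user": "alice", "client": "crm-sync", "ip": "203.0.113.10", "action": "read"},
    {"ts": "2025-09-16T11:00:00Z", "user": "bob", "client": "bi-connector", "ip": "198.51.100.7", "action": "read"},
]

TODAY_EVENTS = [
    {"ts": "2025-09-22T10:00:00Z", "user": "alice", "client": "crm-sync", "ip": "203.0.113.10", "action": "read"},
    {"ts": "2025-09-22T10:00:30Z", "user": "bob", "client": "bi-connector", "ip": "198.51.100.7", "action": "heartbeat"},
    # Same OAuth client as usual, but from an address never seen for this user/client pair,
    # followed by a burst of downloads: the "suspicious token use" plus "mass download" pattern.
    {"ts": "2025-09-22T10:01:00Z", "user": "alice", "client": "crm-sync", "ip": "192.0.2.55", "action": "download"},
    {"ts": "2025-09-22T10:01:10Z", "user": "alice", "client": "crm-sync", "ip": "192.0.2.55", "action": "download"},
    {"ts": "2025-09-22T10:01:20Z", "user": "alice", "client": "crm-sync", "ip": "192.0.2.55", "action": "download"},
    {"ts": "2025-09-22T10:01:30Z", "user": "alice", "client": "crm-sync", "ip": "192.0.2.55", "action": "download"},
    {"ts": "2025-09-22T10:01:40Z", "user": "alice", "client": "crm-sync", "ip": "192.0.2.55", "action": "download"},
    {"ts": "2025-09-22T10:30:00Z", "user": "bob", "client": "bi-connector", "ip": "198.51.100.7", "action": "download"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_downloads(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a user whose download count within a sliding time window reaches the threshold."""
    recent = defaultdict(deque)   # per-user timestamps of downloads still inside the window
    alerts, flagged = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC strings sort chronologically
        if ev["action"] != "download":
            continue
        t, q = parse_ts(ev["ts"]), recent[ev["user"]]
        q.append(t)
        while t - q[0] > window:   # evict downloads older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged.add(ev["user"])   # one alert per user, not one per extra download
            alerts.append({"rule": "mass_download", "user": ev["user"], "count": len(q), "ts": ev["ts"]})
    return alerts


def learn_baseline(events):
    """Map (user, OAuth client) -> set of IPs seen in historical activity."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["user"], ev["client"])].add(ev["ip"])
    return seen


def detect_token_from_new_ip(events, baseline):
    """Flag an OAuth client acting for a user from an IP that pair has never used before."""
    alerts, reported = [], set()
    for ev in events:
        key = (ev["user"], ev["client"])
        if ev["ip"] not in baseline.get(key, set()) and (key, ev["ip"]) not in reported:
            reported.add((key, ev["ip"]))
            alerts.append({"rule": "token_new_ip", "user": ev["user"], "client": ev["client"],
                           "ip": ev["ip"], "ts": ev["ts"]})
    return alerts


# Hypothetical enrichment table; a real pipeline would pull this from an HR system or IdP.
USER_DEPT = {"alice": "sales", "bob": "finance"}
KEEP_FIELDS = ("ts", "user", "client", "ip", "action")


def shape_for_pipeline(events, alerts):
    """Drop noise events, keep only the chosen fields, and enrich with context before forwarding."""
    alerted_users = {a["user"] for a in alerts}
    out = []
    for ev in events:
        if ev["action"] == "heartbeat":   # an event type not worth storing downstream
            continue
        rec = {k: ev[k] for k in KEEP_FIELDS}
        rec["dept"] = USER_DEPT.get(ev["user"], "unknown")
        rec["severity"] = "high" if ev["user"] in alerted_users else "info"
        out.append(rec)
    return out


def run():
    baseline = learn_baseline(BASELINE_EVENTS)
    alerts = detect_mass_downloads(TODAY_EVENTS) + detect_token_from_new_ip(TODAY_EVENTS, baseline)
    return alerts, shape_for_pipeline(TODAY_EVENTS, alerts)


if __name__ == "__main__":
    found, shaped = run()
    for a in found:
        print(a)
    print(len(shaped), "events forwarded")
```

On the constructed sample, `run()` yields two alerts (a mass-download alert for alice once her fifth download lands inside the window, and a token-from-new-IP alert for the `crm-sync` client acting from `192.0.2.55`), and seven shaped events after the heartbeat is dropped. The thresholds and window are deliberately small so the sample triggers; in practice they would be tuned per tenant, and the baseline would be learned over a much longer history than three events.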
About the Author
David Ramel is an editor and writer at Converge 360.