Cribl puts your IT and Security data at the center of your data management strategy and provides a one-stop shop for analyzing, collecting, processing, and routing it all at any scale. Try the Cribl suite of products and start building your data engine today!
Learn more ›Evolving demands placed on IT and Security teams are driving a new architecture for how observability data is captured, curated, and queried. This new architecture provides flexibility and control while managing the costs of increasing data volumes.
Read white paper ›Cribl Stream is a vendor-agnostic observability pipeline that gives you the flexibility to collect, reduce, enrich, normalize, and route data from any source to any destination within your existing data infrastructure.
Learn more ›Cribl Edge provides an intelligent, highly scalable edge-based data collection system for logs, metrics, and application data.
Learn more ›Cribl Search turns the traditional search process on its head, allowing users to search data in place without having to collect/store first.
Learn more ›Cribl Lake is a turnkey data lake solution that takes just minutes to get up and running — no data expertise needed. Leverage open formats, unified security with rich access controls, and central access to all IT and security data.
Learn more ›The Cribl.Cloud platform gets you up and running fast without the hassle of running infrastructure.
Learn more ›Cribl.Cloud Solution Brief
The fastest and easiest way to realize the value of an observability ecosystem.
Read Solution Brief ›Cribl Copilot gets your deployments up and running in minutes, not weeks or months.
Learn more ›AppScope gives operators the visibility they need into application behavior, metrics and events with no configuration and no agent required.
Learn more ›Explore Cribl’s Solutions by Use Cases:
Explore Cribl’s Solutions by Integrations:
Explore Cribl’s Solutions by Industry:
September 25 | 10am PT / 1pm ET
Hold my beer: lessons from one team’s data pipeline journey
Register ›Try Your Own Cribl Sandbox
Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now ›Get inspired by how our customers are innovating IT, security and observability. They inspire us daily!
Read Customer Stories ›Sally Beauty Holdings
Sally Beauty Swaps LogStash and Syslog-ng with Cribl.Cloud for a Resilient Security and Observability Pipeline
Read Case Study ›Experience a full version of Cribl Stream and Cribl Edge in the cloud.
Launch Now ›Transform data management with Cribl, the Data Engine for IT and Security
Learn More ›Cribl Corporate Overview
Cribl makes open observability a reality, giving you the freedom and flexibility to make choices instead of compromises.
Get the Guide ›Stay up to date on all things Cribl and observability.
Visit the Newsroom ›Cribl’s leadership team has built and launched category-defining products for some of the most innovative companies in the technology sector, and is supported by the world’s most elite investors.
Meet our Leaders ›Join the Cribl herd! The smartest, funniest, most passionate goats you’ll ever meet.
Learn More ›Whether you’re just getting started or scaling up, the Cribl for Startups program gives you the tools and resources your company needs to be successful at every stage.
Learn More ›Want to learn more about Cribl from our sales experts? Send us your contact information and we’ll be in touch.
Talk to an Expert ›Cribl’s integration catalog is ever-expanding. At Cribl, we constantly collect feedback on where to integrate next and channel it to deliver more high-impact integrations into our catalog. Whether it is Sources, Collectors, or Destinations, we constantly add new integrations to expand our reach in the IT security and observability ecosystem.
A big investment this year has been in the Azure security space. Customers and partners have requested a native integration for sending data to Microsoft Sentinel. Sentinel is Microsoft’s cloud SIEM & SOAR platform that provides users with security threat detection, incident analysis, and automated threat response tools. In the 4.2 release, we released our native integration for Sentinel, allowing customers the ability to write to four built-in tables in Sentinel. These include:
Let’s tour how Cribl can be used to send security data to Sentinel’s built-in tables.
Log into the Azure portal at portal.azure.com. In the search bar, search for “App registrations.” Open the App registrations section. Click “+ New registration”.
Take note of the “Application (client) ID” and “Directory (tenant) ID.” These will be required later.
Select “certificates & secrets” in the Manage menu. Under the “Client secrets” section, select “+ New client secret.”
Add a description and select an expiration. Click “Add”. After the client secret has been created, note the “Value.” The Value is the OAuth Secret.
To enable Sentinel, go to your Azure portal and select Microsoft Sentinel.
Select an existing workspace to add Sentinel or “Create a new workspace”. Adding a new workspace will prompt you to select Resource Group and Region.
From Log Analytics Workspaces, select the workspace to which Sentinel was added.
Select “Tables” and notice the built-in tables available: CommonSecurityLog
, SecurityEvents
, WindowsEvents
, and Syslog
.
Note: Syslog may not show up until data is written to it.
From the Overview section of Log Analytics Workspace, open the “JSON View” of your workspace. Take note of the Resource ID. This will be used as the “Workspace Resource ID” in an upcoming step.
Once Sentinel has been added to the Azure Log Analytics workspace, we will create a Data Collection Endpoint and add Data Collection Rules (DCRs) to get data flowing to one of the four built-in Sentinel tables.
In the Azure portal search bar, search for “Monitor” and open the Monitor service.
Navigate to the “Data Collection Endpoints” section under settings and create a new “Data Collection Endpoint.” Ensure that the Region in the Endpoint matches the Azure Log Analytics Workspace region.
Click “Review+create” and then “Create.” Open the data collection endpoint you created and select “JSON View.” Copy the “Resource ID”. This will be used as the “Endpoint Resource ID” in an upcoming step.
In the Azure search bar, search for “template.” Select “Deploy a custom template” under Services.
Select “Build your own template in the editor.” Paste in the template provided here. Click “Save.”
Please name it and enter the Workspace Resource ID and Endpoint Resource ID captured in the previous steps.
Click “Review + Create” and then “Create.” When your deployment is complete, open the DCR resource by clicking “Go To Resource.”
Select “JSON View” and copy the immutableID
.
Open the “Access control (IAM)” section on the left navigation within the Data Collection Rule and select “Add role assignment.”
Search and select the “Monitoring Metrics Publisher” role and then click “Next.”
Click “+ Select members” and select the Application created when you added Credentials (first step). Click “Select” and “Review + assign” to add the assignment.
Once Sentinel is set up, we can go into Cribl Stream to set up the Sentinel Destination to write data to the native Sentinel tables. Please note that a single Cribl Sentinel Destination will correspond to one built-in table in Sentinel. If you wish to write to multiple built-in tables, you will need a Cribl Sentinel destination configured for each.
From Stream, in the Manage >> Data >> Destinations menu, navigate (or search) to the Sentinel Destination.
Select the tile and click “Add Destination.”
In configuring the new Sentinel destination, you will need the URL of your DCE and DCR. You can find this by navigating to the “Resource Graph Explorer” using the search bar and running the following query:
Resources
| where type =~ 'microsoft.insights/datacollectionrules'
|mv-expand Streams= properties['dataFlows']
| project name, id, DCE = tostring(properties['dataCollectionEndpointId']), ImmutableId = properties['immutableId'],
StreamName = Streams['streams'][0]
| join kind=leftouter (Resources
| where type =~ 'microsoft.insights/datacollectionendpoints'
| project name, DCE = tostring(id), endpoint = properties['logsIngestion']['endpoint']) on DCE
| project name, StreamName, Endpoint = strcat(endpoint, '/dataCollectionRules/',ImmutableId,'/streams/',StreamName,'?api-version=2021-11-01-preview')
You will see four endpoints associated with your DCR because the DCR routes to 4 different built-in tables.
If you do not have permission to run the query, the URL can be built as follows:
In the Authentication tab, enter the Login URL, OAuth secret, and Client ID.
The Login URL will be:
Once the Configure options are all entered in the Sentinel Destination, you can send sample test data to Sentinel to validate the connection.
From the Sentinel Destination, select the “Test” tab. In the “Select sample” dropdown, you will see four samples for the four Sentinel built-in tables. Select a sample and select “Run Test.”
You can also take advantage of Sentinel sample data in the DataGen source. In Cribl Stream, navigate to Manage >> Data >> Sources and search for the DataGen source. Select “Add Source” to add a new DataGen.
The Data Generator File dropdown has several Sentinel data samples to select from. After selecting a sample, you can associate the DataGen with the Sentinel Destination by selecting “Connected Destinations.”
Select “QuickConnect”, and assign “passthru
” as the Pipeline/Pack, and select the corresponding Sentinel Destination that you configured. Be sure to Save and Commit and Deploy.
To validate that data is landing in Sentinel, navigate to your Sentinel workspace and select “Logs.”
In the Query window, type in the built-in table where Cribl is writing data. For Example “CommonSecurityLog”. Select “Run”. Results will be displayed in the table.
To view data in a chart view, run the following query:
${nativetablename} |
summarize count() by bin(TimeGenerated, 1m), TenantId |
render timechart
If you want to use Cribl to write more data for Sentinel, please reference our “Microsoft Sentinel” Pack in the Cribl Packs Dispensary. This pack is designed to convert Palo Alto, Syslogs, Windows Events, Fortinet, and CEF logs into the formats necessary for writing to Sentinel. If you’re new to Cribl and want to learn more, you can create a free Cribl.Cloud account for instant access to all our products, try our Sandboxes, or start a free certification class.
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.
We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.
Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari
Got one of those handy?