With IT modernization and increased cloud usage, more organizations are looking to Software-as-a-Service offerings for their security and data needs. Microsoft Azure Sentinel is a cloud-based SIEM that security operation centers rely on for data analytics. Cribl makes it easier for Microsoft Azure Sentinel customers to get data into their security analytics platform.
Leveraging Cribl Packs, organizations can ingest data from many vendors in many formats with little effort. Let’s take a deeper dive into Cribl Packs, how they work, and how they ease the burden of data ingestion for Microsoft Azure Sentinel customers.
Cribl Packs allow Cribl Stream customers to build and share configuration models, including pipelines, lookups, data, samples, and knowledge objects. These prebuilt configurations allow for faster time to value and prevent redundancy when creating pipelines. The Cribl Pack dispensary has a variety of pre-built packs for common use cases, data, sources, and destinations.
To make data ingestion easier for Microsoft Sentinel, we’ll take advantage of pre- and post-processing capabilities, which provide data transformations at both the Cribl source and the Cribl destination (in this case Microsoft Azure Sentinel). Cribl documentation describes the event processing order in Cribl Stream, but the TLDR is that data arrives at a source. There is an option to use a pre-processing pipeline to normalize data before it proceeds further. Additionally, just before data is delivered to a destination, you can optionally use a post-processing pipeline to normalize it before delivery. We will use Cribl source packs to normalize data to a Common Schema that we can then map to the Microsoft Azure Sentinel Common Security Log schema.
Let’s look at two source packs that map data into a Common Schema: The CEF Source and Palo Alto Networks Source packs. Often, firewall vendors provide options for the data format in which logs will be delivered, and Palo Alto Networks is no different. Data can be delivered in CSV or Common Event Format (CEF). The Palo Alto Networks Source pack assumes the data arrives in CSV format. For the CEF Source pack, you guessed it, it handles data in the Common Event Format. While both packs map data into a Common Schema, the CEF Source pack also creates an internal field with the CEF data. This provides more flexibility and options for the Microsoft Azure Sentinel Common Security Log destination pack. But first, let’s look at the internal fields the packs create.
By extracting information from the Palo Alto Networks Firewall Traffic event, the source pack maps that data into an internal field named __schema. In order to see it you’ll need to select the gear icon in the Data Preview pane and select Show Internal Fields. The Common Schema structure maps details about source and destination IP addresses, ports, and interfaces, among other information. Instead of creating an individual pack for each source and destination combination, this normalization approach allows a single pack to map data for any number of destination packs. While discussing Microsoft Sentinel in this blog post, I noticed that other destination packs are compatible with the CEF and Palo Alto Networks source packs.
In addition to the internal __schema field, the CEF Source pack also extracts the CEF fields into an internal __cef field, as shown below.
The __cef internal field offers an alternative to the Common Schema that is helpful for many destinations. Microsoft’s Azure Sentinel is one of those, and the documentation for the Common Security Log table schema outlines the CEF mapping.
It’s also important to note that the source packs are designed to be applied to the source for pre-processing. With Palo Alto Networks Firewall traffic arriving via Syslog we’ll add the source pack as a pre-processing pipeline. Navigate to Sources > Syslog, select the Syslog input > Processing Settings > Pre-Processing, and then select the source pack.
Now that we’ve seen two ways to normalize data to schemas as part of pre-processing when data arrives, let’s look at the Microsoft Sentinel Common Security Log destination pack that takes advantage of the schemas to format data fields correctly.
While some data may arrive in the internal __cef field, some in the internal __schema field, and some already in the destination’s format, the Microsoft Sentinel Common Security Log destination pack maps data based on an order of precedence. This is highlighted in the Eval function in the common_security_log pipeline included in the pack.
When mapping into the Common Security Log table fields, the pack first looks for an existing field, then the corresponding CEF field in the internal __cef field, and last the corresponding field in the internal __schema field. This makes it possible to override a field as part of a traditional pipeline. Additionally, Cribl users can easily change the order to meet additional requirements and use cases.
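The following is an added example, not code from the Cribl packs, that reproduces in plain JavaScript the two steps described above: extracting CEF extension keys into an internal __cef field, and then filling Common Security Log columns in the precedence order existing field, then __cef, then __schema. The __schema layout (src.ip, dst.port, and so on) and the sample events are assumptions constructed for the example; the CEF keys and the CommonSecurityLog column names are the standard ones.

```javascript
// Added example (not Cribl's pack code). The __schema layout is an assumption.

// Parse the extension part of a CEF line ("key=value key=value ...", where values
// may contain spaces and "\=" / "\|" are the CEF escapes) into an object like __cef.
function parseCefExtension(line) {
  // Header has 7 pipe-separated fields; the 8th part is the extension.
  const ext = line.split(/(?<!\\)\|/)[7] || '';
  const cef = {};
  const re = /(\w+)=((?:\\=|\\\||[^=])*?)(?=\s+\w+=|$)/g;
  for (const m of ext.matchAll(re)) {
    cef[m[1]] = m[2].replace(/\\=/g, '=').replace(/\\\|/g, '|').trim();
  }
  return cef;
}

// CommonSecurityLog column -> CEF key and (assumed) path inside __schema.
const FIELD_MAP = {
  SourceIP:        { cef: 'src', schema: ['src', 'ip'] },
  DestinationIP:   { cef: 'dst', schema: ['dst', 'ip'] },
  SourcePort:      { cef: 'spt', schema: ['src', 'port'] },
  DestinationPort: { cef: 'dpt', schema: ['dst', 'port'] },
};

const getPath = (obj, path) => path.reduce((o, k) => (o == null ? undefined : o[k]), obj);
const present = (v) => v !== undefined && v !== null && v !== '';

// Equivalent of the pack's Eval: an already-set column wins, then __cef, then __schema.
function mapToCommonSecurityLog(event) {
  const out = { ...event };
  for (const [col, m] of Object.entries(FIELD_MAP)) {
    const cefVal = event.__cef ? event.__cef[m.cef] : undefined;
    const v = [event[col], cefVal, getPath(event.__schema, m.schema)].find(present);
    if (v !== undefined) out[col] = v;
  }
  return out;
}

// Constructed sample: a Palo Alto style CEF traffic line plus a __schema a source pack might build.
const SAMPLE_CEF =
  'CEF:0|Palo Alto Networks|PAN-OS|10.1|TRAFFIC|end|3|src=10.1.1.5 dst=8.8.8.8 spt=51234 dpt=53';
const sampleEvent = {
  _raw: SAMPLE_CEF,
  SourceIP: '192.0.2.10', // set earlier in a normal pipeline, so it must override __cef/__schema
  __cef: parseCefExtension(SAMPLE_CEF),
  __schema: { src: { ip: '10.1.1.5', port: 51234 }, dst: { ip: '8.8.8.8', port: 53 } },
};

const mapped = mapToCommonSecurityLog(sampleEvent);
```

Reordering the candidate array inside mapToCommonSecurityLog is the equivalent of changing the precedence in the pack's Eval function.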
In conclusion, integrating Cribl Stream with Microsoft Azure Sentinel brings a powerful solution to the challenges of data ingestion and normalization in modern IT environments. Cribl Packs are pivotal in simplifying the process, allowing organizations to ingest data from diverse vendors in various formats effortlessly. The pre-built configurations offered through Cribl Packs significantly reduce the time required to set up pipelines, enhancing efficiency and preventing redundancy.
The utilization of Cribl Source Packs, exemplified by the CEF Source and Palo Alto Networks Source packs, showcases the platform’s capability to normalize data into a Common Schema. This not only streamlines the data integration process but also provides flexibility. Normalizing data at both the source and destination levels, with pre- and post-processing pipelines, demonstrates a comprehensive strategy for optimizing data flow.