Protect the Business with Cribl Packs: Webinar Recap

Art Chavez
Written by Art Chavez

May 3, 2022

The second in our Feature Highlights webinar series, Protect the Business with Cribl Packs, highlights Packs and security use cases.

Packs enable you to share complex Stream/Edge configurations across multiple Worker Groups/Fleets, between Stream/Edge deployments or with the Cribl Community. Packs roll up best practices to ensure Site Reliability Engineering (SRE) teams have the required data to protect the business. The full webinar is in Cribl’s resources section. I was honored to have James Curtis, Lead Site Reliability Engineer and Cribl community member join me. James’ SRE knowledge and experience delivered key insights and according to a live attendee “…one bad to the bone!” demo.

How Packs Protect the Business

We discussed three SRE challenges:

  • What do customers see on our site?
  • How are servers running?
  • What threat data do we need?

The first two questions are operational. These health measurements ensure the customer experience meets or exceeds the service level indicators (SLIs). James highlighted a Nginx web server Pack that he is building. It provides insight into customer web experience by shaping and routing HTTP responses to Splunk for dashboarding and alerting.

The Cribl Pack for Nix is Cribl authored by Alex Cain. It processes Linux OS data to increase operational visibility of key health measurements i.e. disk space available, memory, and CPU utilization. These logs are shared with the Splunk Technology Add-On(TA) for Nix, which James demonstrated.

James and team also rely on the data enrichment powered by the Palo Alto Networks Pack (authored by Brendan Dalpe) which shortens incident response times. James pointed out how the ‘pan_threat’ pipeline used Lookup and Auto Timestamp functions to set the event timestamp to the “generated time,” an important correlation point when researching and remediating threats.

 

These Packs enable SRE teams to shape, route, and enrich logs to protect the organization.

How Do I Get Started Creating My Own Pack?

Pack creation requires four straightforward steps:

  1. Create and Save the initial Pack
  2. Build, Test and Refine Routes, Pipelines etc.
  3. Export the Pack to a .crbl file
  4. Publish to Cribl Packs Dispensary

You will invest creativity and craftmanship during Step 2. A pro-tip: use the Live-capturing Data steps to create a sample log file to work with, and include an anonymized version in the published pack.

When you’re ready to get started, here are several Pack building resources:

Customer Q&A

We regularly poll webinar attendees. It’s a great way to hear directly from attendees.

The first question we asked was, “What is your most requested security data source?”

  • Syslog
  • Splunk
  • Amazon S3
  • Other (Let us know in Chat)

The options are listed in order of popularity. The poll responses mirrored this.

We also asked, “How do you use Packs today?” We wanted to understand how attendees used Packs to protect their organizations.

The options included:

  1. Dev / Test environment
  2. Route and Enrich security logs
  3. Don’t use it now, but definitely in the future
  4. Not yet clear on why I should use them

The results were interesting. A solid 30% use Packs to route and shape security logs, proving the value of Packs. A larger percentage, over 50%, were learning from the webinar conversation.

Engaging the community and educating on feature capabilities, highlighting real-world use cases, are goals of the Feature Highlights webinar series. It’s good to see these being confirmed.

Your Questions

Several questions were answered live during the webinar. I thought it’d be useful to recap them.

Once the Packs are installed (Palo Alto, for example), are there any additional enhancements that need to be done? That is, is a Pack similar to a Splunk TA?

Packs include the processing steps needed to shape the log data for example. Source and Destination configuration is required to get data flowing through the Pack. Population of Knowledge Objects like a Lookup file is also needed. For example, devices_info.csv in the Palo Alto Pack needs details specific to your security infrastructure and timezones.

Packs look like a wonderful turnkey way to apply Cribl towards general / community adopted use cases. Is there a request queue or community voting for focusing efforts of Cribl engineering for new Packs?

The Cribl Packs Dispensary is populated with the most requested Packs; Palo Alto Networks, MS Windows Events, and Syslog are among the most popular. Please submit Pack recommendations to the #packs channel in the Cribl Slack Community, or ask questions about Packs at Cribl Curious, our newly launched Q&A site. An anonymous sample data file would most certainly jump-start the process. You may find a like-minded community member to collaborate with.

Where Can I Find Available Packs?

The Cribl Packs Dispensary is the place to find and install Packs.

Wrap Up

Packs enable you to share complex configurations across multiple Worker Groups/Fleets, between Stream/Edge deployments or with the Cribl Community at large and are a great way to share expertise and best practices that lighten the administrative load for Cribl products.

Join the fun and “Roll your Own” Pack! Contest information is detailed in the blog: 4/20 and It’s Time to Roll Your Own…Packs That Is

Start Packing!

Learn More

Ready to go deeper with Cribl’s solutions? Explore our sandboxes, join the Cribl Community, and Cribl Curious. Cribl Stream and Edge, by design, support an ever expanding number of sources (explore the entire list).

Questions about our technology? We’d love to chat with you.