For today's IT and security professionals, threats come in many forms, from external actors attempting to breach your network defenses to internal threats like rogue employees or insecure configurations. These threats, if left undetected, can lead to serious consequences such as data loss, system downtime, and reputational damage. Detecting them is challenging, however, because of the sheer volume and complexity of data generated by today's IT systems.
This blog post walks through using Cribl Search to analyze failed SSH login attempts, a common sign of intrusion attempts, and shows how Search can help separate a genuine, coordinated attack from the background noise of stray failed logins. If you missed part 1, be sure to check it out.
Imagine a situation where an organization has recently noticed an increase in the volume of failed login attempts across multiple Edge Nodes. This is suspicious, but it’s not clear whether it’s an organized attack or a random spike in activity. In this scenario, a SecOps engineer could use Cribl Search to sift through the vast amounts of log data generated by the organization’s systems, searching for patterns that could indicate a coordinated attempt to gain unauthorized access.
This first query provides us with an overview of our data:
dataset="cribl_edge_system_logs" source=*auth.log sshd user | limit 1000
In this initial step, we are fetching the first 1000 logs from the cribl_edge_system_logs dataset where the source is any file matching auth.log. We filter these logs further to those that contain both sshd and user, keywords we expect to find in logs related to SSH login attempts.
Next, we want to extract more specific information from the logs. We modify our query to:
dataset="cribl_edge_system_logs" source=*auth.log sshd user | extract type=regex @'Invalid user (?<invalid_user>\S+) from (?<srcaddr>\S+)' | limit 100
This query still fetches logs from the same dataset and source but lowers the limit to 100. More importantly, we add a regular expression to extract details about failed login attempts. The regex looks for the pattern "Invalid user [user] from [source address]" in the log entries and captures the username and source IP into fields named invalid_user and srcaddr, respectively (\S+ stops at the first space, so srcaddr holds only the address and not the trailing "port N"). These fields are then available for further operations. Note that sshd writes "Invalid user ..." only for usernames that do not exist on the host; failed passwords against real accounts such as root are logged as "Failed password for root from ..." and would need a second pattern.
Finally, we remove the limit and null values, and summarize the data:
dataset="cribl_edge_system_logs" source=*auth.log sshd user | extract type=regex @'Invalid user (?<invalid_user>\S+) from (?<srcaddr>\S+)' | where isnotnull(invalid_user) | summarize count() by invalid_user
This final version of the query refines the data by removing any logs where invalid_user is null. In other words, we only want to consider logs where an actual invalid username was attempted, as opposed to an empty field, which removes potential noise from our results. The last part of the query, summarize count() by invalid_user, counts the number of logs for each invalid user and gives us a summary view of who our most active intruders are.
Scrolling down through the list, there are some gems like fastfart, dadmin, or simply satisfactory. Attackers never fail to entertain with their creativity.
With this comprehensive view of unauthorized login attempts and the IP addresses associated with them (the srcaddr field, which can be summarized the same way), we now have powerful insights into possible threats facing our systems.
So, what next? Now that we have a list of suspicious IP addresses and usernames, we can put them into a lookup table. This simple, yet effective, technique lets us compile a database of potential threats.
We can then create a scheduled search that periodically runs against these IP addresses and usernames. If these actors return, they will be identified and their actions can be blocked. Matching on the username as well as the address matters: attacker addresses change quickly (cloud hosts, VPN exits, shared NAT), so a hit on a source IP alone is best treated as a signal to review rather than an automatic permanent block. In our next blog post, we will dive deeper into this topic, guiding you on constructing this proactive defense system using Cribl Search's lookup tables, scheduled searches, and notifications.
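As an added worked example (not code from the original post or from Cribl), here is the same pipeline expressed in Python over a few constructed auth.log lines: the keyword filter, the "Invalid user" extract, the null check, the summarize by invalid_user and by srcaddr, and then the lookup-table step from the paragraph above, run against a second constructed batch the way a scheduled search would. It goes one step beyond the post's regex by also capturing failed passwords for accounts that do exist, such as root, which the "Invalid user" pattern never matches. The host names, addresses, usernames, and the repeat-offender threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample data (not from the original post). OpenSSH writes
# "Invalid user ..." for unknown accounts and "Failed password for ..." for
# both unknown and existing accounts; host names and addresses are made up.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:12 edge01 sshd[2231]: Invalid user dadmin from 198.51.100.7 port 51022
Mar  4 10:01:13 edge01 sshd[2231]: Failed password for invalid user dadmin from 198.51.100.7 port 51022 ssh2
Mar  4 10:01:20 edge01 sshd[2240]: Invalid user fastfart from 198.51.100.7 port 51030
Mar  4 10:02:02 edge02 sshd[9911]: Invalid user satisfactory from 203.0.113.42 port 40112
Mar  4 10:02:05 edge02 sshd[9912]: Failed password for root from 203.0.113.42 port 40113 ssh2
Mar  4 10:03:30 edge02 sshd[9920]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2
Mar  4 10:04:00 edge01 sshd[2260]: Invalid user dadmin from 192.0.2.200 port 33000
"""

# A later, constructed batch: what a scheduled search would see next time it runs.
LATER_AUTH_LOG = """\
Mar  5 02:10:00 edge03 sshd[120]: Invalid user fastfart from 198.51.100.7 port 60001
Mar  5 02:11:00 edge03 sshd[121]: Invalid user dadmin from 203.0.113.99 port 60002
Mar  5 02:12:00 edge03 sshd[122]: Invalid user bob from 192.0.2.55 port 60003
"""

# Same pattern as the post's extract: "Invalid user <user> from <srcaddr>".
# \S+ stops at the space before "port", so srcaddr holds only the address.
INVALID_USER_RE = re.compile(r"Invalid user (?P<invalid_user>\S+) from (?P<srcaddr>\S+)")

# Beyond the post: failed passwords for accounts that DO exist (e.g. root).
# The negative lookahead skips the "Failed password for invalid user ..." form,
# which the matching "Invalid user" line already reports.
FAILED_PASSWORD_RE = re.compile(
    r"Failed password for (?!invalid user )(?P<user>\S+) from (?P<srcaddr>\S+)"
)


def extract_invalid_users(log_text):
    """Equivalent of: sshd user | extract regex ... | where isnotnull(invalid_user)."""
    events = []
    for line in log_text.splitlines():
        # The keyword filters from the first query.
        if "sshd" not in line or "user" not in line:
            continue
        m = INVALID_USER_RE.search(line)
        if m is None:
            continue  # where isnotnull(invalid_user)
        events.append(m.groupdict())
    return events


def extract_failed_valid_users(log_text):
    """Failed passwords against existing accounts, e.g. root (not covered by the post's regex)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_PASSWORD_RE.search(line) if "sshd" in line else None
        if m is not None:
            events.append(m.groupdict())
    return events


def summarize(events, key):
    """Equivalent of: summarize count() by <key>."""
    return Counter(e[key] for e in events)


def build_lookup(events, min_count=2):
    """Lookup table of repeat offenders: users and addresses seen at least
    min_count times (the threshold is an assumption, not something the post specifies)."""
    users = {u for u, n in summarize(events, "invalid_user").items() if n >= min_count}
    ips = {ip for ip, n in summarize(events, "srcaddr").items() if n >= min_count}
    return {"users": users, "ips": ips}


def match_lookup(events, lookup):
    """What a scheduled search would flag: events whose address OR username is in
    the lookup table. Matching on username too catches a returning attacker who
    has moved to a fresh IP address."""
    return [
        e for e in events
        if e["srcaddr"] in lookup["ips"] or e["invalid_user"] in lookup["users"]
    ]


if __name__ == "__main__":
    events = extract_invalid_users(SAMPLE_AUTH_LOG)
    print("by invalid_user:", summarize(events, "invalid_user"))
    print("by srcaddr:     ", summarize(events, "srcaddr"))
    print("valid-account failures:", extract_failed_valid_users(SAMPLE_AUTH_LOG))
    lookup = build_lookup(events)
    print("lookup table:", lookup)
    for hit in match_lookup(extract_invalid_users(LATER_AUTH_LOG), lookup):
        print("returning attacker:", hit)
```

On the sample data the "Invalid user" pass yields four events (dadmin twice, fastfart and satisfactory once each), the root failure is only visible through the second pattern, and the later batch produces two lookup hits: fastfart from the already-known address, and dadmin from a brand-new one that an IP-only lookup would have missed.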
Here's a quick hint for an additional layer of defense: honeypotting. The principle is straightforward: set up traps for potential attackers in the form of deliberately exposed systems. It might sound counterintuitive, but it is an effective way to identify hostile sources before they reach anything that matters.
How do you do this? Set up a few inexpensive EC2 instances with open ports and nothing of value on them, isolated from your production network, and forward their logs (for example, with Cribl Edge) into the same dataset you search. Attackers scanning the Internet for weak points will find and probe them, and while they are busy with these dummy systems, their IP addresses are logged, providing valuable input for your defense strategy.
Once these addresses are identified, you can add them to your lookup table and subsequently block them, leaving your would-be attackers hitting a brick wall. This continuous process of logging and blocking will strengthen your defenses.
We hope this blog post has provided you with valuable insights on how to leverage Cribl Search for intrusion detection, and we look forward to diving deeper into these tactics in future posts.