
Cribl for Security Operations

Optimize data routing across SIEMs and more

Get started with SecOps

Take a spin on our SecOps demo. Our mission in this demo is to improve the performance of our SIEM: sending the data we know we need to reduce risk and respond quickly. We’ll show you how Cribl supercharges your visibility into your environment and offers you more choice, control and flexibility over how you monitor security.

New vendor, who dis?

New to Cribl? Click the 'Tell me more' button below to learn more about the Cribl suite of products and how they work together to form a powerful Data Engine for IT and security.

Not so new? Or just impatient? Click "Start Demo".

Get your logs moving

In this environment, we have DNS logs coming in, and we are dropping any of the top 1,000 common domains since those are a low security risk, then sending the optimized logs to Microsoft Sentinel.

For Palo Alto Networks (PAN) traffic, we are transforming the logs into the proper format, enriching them with GeoIP, and then sending them to Microsoft Sentinel. Additionally, we are sending a full-fidelity copy of both PAN and DNS logs to our SecOps data lake.

Let's take a closer look at a few pipelines and packs.

Drop it like a bad habit

We are dropping all private (internal) addresses and ACCEPT actions from the flow logs, since what we primarily want sent to your SIEM of choice are REJECT actions involving internal addresses.

Aggregating

We are aggregating our events every 10 seconds. Since VPC flow logs are voluminous, this will help reduce our output.
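The drop filter and the 10-second aggregation described in the two steps above, written out as an added example in plain JavaScript (Cribl Stream filter expressions are JavaScript, so the drop condition reads the way one would in a pipeline). This is not Cribl's own code. It assumes the AWS VPC flow log v2 default field order, it takes "dropping private addresses" to mean dropping flows where both endpoints are RFC 1918 addresses, and the flow-log lines are constructed for the example.

```javascript
// Added example, not Cribl's code. Mimics the demo's VPC flow-log pipeline:
// drop ACCEPT actions and purely internal flows, then aggregate what is left
// into 10-second windows.
// ASSUMPTION: "dropping private addresses" means both endpoints are RFC 1918.

// RFC 1918 check: 10/8, 172.16/12, 192.168/16
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Parse one line of the VPC flow log v2 default format:
// version account-id interface-id srcaddr dstaddr srcport dstport
// protocol packets bytes start end action log-status
function parseFlowLog(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 14) return null;
  return {
    srcaddr: f[3], dstaddr: f[4], srcport: Number(f[5]), dstport: Number(f[6]),
    protocol: Number(f[7]), packets: Number(f[8]), bytes: Number(f[9]),
    start: Number(f[10]), end: Number(f[11]), action: f[12],
  };
}

// Drop condition, the equivalent of a Drop function's filter expression.
function shouldDrop(ev) {
  return ev.action === 'ACCEPT' ||
         (isPrivateIPv4(ev.srcaddr) && isPrivateIPv4(ev.dstaddr));
}

// Tumbling 10-second windows keyed on src/dst/dstport; each bucket keeps an
// event count plus summed packets and bytes, like an Aggregations function.
function aggregate(events, windowSec = 10) {
  const buckets = new Map();
  for (const ev of events) {
    const win = Math.floor(ev.start / windowSec) * windowSec;
    const key = `${win}|${ev.srcaddr}|${ev.dstaddr}|${ev.dstport}`;
    const agg = buckets.get(key) || {
      window: win, srcaddr: ev.srcaddr, dstaddr: ev.dstaddr, dstport: ev.dstport,
      count: 0, packets: 0, bytes: 0,
    };
    agg.count += 1;
    agg.packets += ev.packets;
    agg.bytes += ev.bytes;
    buckets.set(key, agg);
  }
  return [...buckets.values()];
}

// Full pipeline: parse, drop, aggregate.
function processFlowLogs(lines) {
  const kept = lines.map(parseFlowLog).filter(ev => ev && !shouldDrop(ev));
  return aggregate(kept);
}

// Constructed sample lines (not real traffic).
const SAMPLE_FLOW_LOGS = [
  '2 123456789012 eni-0a1b 203.0.113.9 10.0.1.5 51000 22 6 3 180 1700000001 1700000010 REJECT OK',
  '2 123456789012 eni-0a1b 203.0.113.9 10.0.1.5 51001 22 6 2 120 1700000004 1700000013 REJECT OK',
  '2 123456789012 eni-0a1b 10.0.1.5 10.0.2.7 40000 443 6 10 5000 1700000002 1700000011 REJECT OK',   // internal to internal: dropped
  '2 123456789012 eni-0a1b 198.51.100.4 10.0.1.5 52000 443 6 20 9000 1700000003 1700000012 ACCEPT OK', // ACCEPT: dropped
  '2 123456789012 eni-0a1b 203.0.113.9 10.0.1.5 51002 22 6 1 60 1700000012 1700000021 REJECT OK',     // lands in the next window
];

console.log(JSON.stringify(processFlowLogs(SAMPLE_FLOW_LOGS), null, 2));
```

Of the five constructed lines, two are dropped outright and the remaining three collapse into two aggregated records, which is the volume reduction the step is after; in a real pipeline the window key would also carry whatever fields the SIEM detection rules need, since anything not in the key is summed away.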

Let's take a look at our PAN logs.

Initial log state

Here’s an example of a typical PAN log. But let’s make it more valuable for our SecOps team.

Enriching PAN

We have a pipeline here with a series of functions to transform the data. We extract the IP addresses and look up GeoIP information for them in a MaxMind database.

The GeoIP lookup

The following functions use Cribl’s GeoIP feature to retrieve geographic data (latitude, longitude, city, and country codes) for public IP addresses, using a MaxMind.com database.

This database also supports ASN lookups to identify the organization and network number (ASN) associated with an IP. By combining these functions, you can determine not only the location of an IP address (e.g., Ashburn, Virginia, USA) but also identify the network owner.

The transformation

The pipeline transforms Syslog CSV into JSON, adding fields for readability. It also enriches this data in the stream with metadata, including location details (latitude, longitude, city, country) for external IPs, the organization owning the external IP, the group using the internal IP, and whether any IPs are on a watchlist of compromised systems.
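The CSV-to-JSON transformation and the enrichment steps just described (location and organization for the external IP, owning group for the internal IP, watchlist flag), as an added example in plain JavaScript. This is not Cribl's or Palo Alto Networks' code: the column order is a constructed subset rather than the real PAN-OS traffic-log schema, and the MaxMind GeoIP/ASN lookup, the group table and the watchlist are replaced by small constructed tables so the example runs offline.

```javascript
// Added example, not Cribl's code. Turns a CSV firewall log line into a JSON
// event and enriches it with geo/ASN data, an internal group and a watchlist
// flag. All lookup tables and the column order are constructed for the demo.

// Constructed column subset (NOT the full PAN-OS traffic-log field list).
const COLUMNS = ['receive_time', 'serial', 'type', 'src_ip', 'dst_ip',
                 'rule', 'app', 'src_port', 'dst_port', 'action'];

// Constructed stand-ins for the MaxMind GeoIP/ASN databases and for the
// internal group and compromised-host watchlist lookups.
const GEO_TABLE = {
  '203.0.113.9': { city: 'Ashburn', region: 'Virginia', country: 'US',
                   lat: 39.04, lon: -77.49, asn: 64496, org: 'EXAMPLE-NET' },
};
const GROUP_TABLE = { '10.0.1.5': 'coffee-fleet-web' };
const WATCHLIST = new Set(['198.51.100.4']);

// RFC 1918 check: 10/8, 172.16/12, 192.168/16
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Minimal RFC 4180-style CSV parser: handles quoted fields that contain
// commas or doubled quotes, which syslog CSV payloads do carry.
function parseCsvLine(line) {
  const out = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inQuotes) {
      if (c === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (c === '"') inQuotes = false;
      else cur += c;
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ',') {
      out.push(cur);
      cur = '';
    } else {
      cur += c;
    }
  }
  out.push(cur);
  return out;
}

// Map positional CSV values onto named JSON fields.
function csvToEvent(line) {
  const vals = parseCsvLine(line);
  const ev = {};
  COLUMNS.forEach((name, i) => { ev[name] = vals[i] ?? null; });
  ev.src_port = Number(ev.src_port);
  ev.dst_port = Number(ev.dst_port);
  return ev;
}

// Enrich both IP fields: external IPs get geo + ASN/org, internal IPs get
// their owning group, and every IP gets a watchlist flag.
function enrich(ev) {
  const out = { ...ev };
  for (const side of ['src', 'dst']) {
    const ip = ev[`${side}_ip`];
    if (!ip) continue;
    if (isPrivateIPv4(ip)) {
      out[`${side}_group`] = GROUP_TABLE[ip] ?? 'unknown';
    } else {
      const geo = GEO_TABLE[ip];
      if (geo) {
        out[`${side}_geo`] = { city: geo.city, region: geo.region, country: geo.country, lat: geo.lat, lon: geo.lon };
        out[`${side}_asn`] = geo.asn;
        out[`${side}_org`] = geo.org;
      }
    }
    out[`${side}_on_watchlist`] = WATCHLIST.has(ip);
  }
  return out;
}

function transform(line) {
  return enrich(csvToEvent(line));
}

// Constructed sample lines (not real logs). The quoted rule name exercises the CSV parser.
const SAMPLE_PAN_LINE = '2024/01/01 12:00:00,001234,TRAFFIC,203.0.113.9,10.0.1.5,"allow-web, inbound",web-browsing,51000,443,allow';
const SAMPLE_WATCHLIST_LINE = '2024/01/01 12:00:05,001234,TRAFFIC,198.51.100.4,10.0.1.5,deny-all,unknown,52000,22,deny';

console.log(JSON.stringify(transform(SAMPLE_PAN_LINE), null, 2));
```

The watchlist flag is set for both sides of the flow, so an internal host that is itself on the compromised list is surfaced even when it is the source of outbound traffic; a real deployment would swap the constructed tables for the MaxMind database and the team's own lookup files.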

Let’s go take a look at our Webserver Dashboard.

Sustained high CPU

It looks like we have an issue with our Coffee Fleet. Let's run a search against the top hitters and see if we detect any anomalies.

Searching top-hitters of weblogs

Over a 10-minute window, we are searching for client IPs with over 1,000 requests, as that's highly abnormal behavior.

We found two IPs that fit that description, so we can now create a lookup and block those IPs via the firewall.
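The top-hitters search described above, as an added example in plain JavaScript rather than a Cribl Search query: parse web server access logs, count requests per client IP inside a 10-minute window, flag any client above 1,000 requests, and render the hits as the CSV lookup the firewall blocklist would be built from. This is not Cribl's code; it assumes Common Log Format lines, and the logs are generated inline as constructed sample data with two clients deliberately above the threshold.

```javascript
// Added example, not Cribl's code. Finds client IPs with more than 1,000
// requests in a 10-minute window and emits them as a CSV lookup.

const WINDOW_MS = 10 * 60 * 1000;
const THRESHOLD = 1000;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Common Log Format: ip ident user [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status bytes
const CLF_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})\] "([^"]*)" (\d{3}) (\S+)/;

// Parse one access-log line into { ip, ts (epoch ms, UTC), request, status }.
function parseAccessLog(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  const [, ip, d, mon, y, hh, mm, ss, tz] = m;
  // Apply the timezone offset so lines from differently configured hosts compare correctly.
  const tzMin = (tz[0] === '-' ? -1 : 1) * (Number(tz.slice(1, 3)) * 60 + Number(tz.slice(3, 5)));
  const ts = Date.UTC(Number(y), MONTHS[mon], Number(d), Number(hh), Number(mm), Number(ss)) - tzMin * 60000;
  return { ip, ts, request: m[9], status: Number(m[10]) };
}

// Count requests per client IP within [windowStart, windowStart + WINDOW_MS)
// and return the clients above the threshold, busiest first.
function topHitters(lines, windowStart, threshold = THRESHOLD) {
  const counts = new Map();
  for (const line of lines) {
    const ev = parseAccessLog(line);
    if (!ev || ev.ts < windowStart || ev.ts >= windowStart + WINDOW_MS) continue;
    counts.set(ev.ip, (counts.get(ev.ip) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n > threshold)
    .map(([ip, count]) => ({ ip, count }))
    .sort((a, b) => b.count - a.count);
}

// Render the hits as a CSV lookup (ip,count) that a blocklist can be built from.
function toLookupCsv(hits) {
  return ['ip,count', ...hits.map(h => `${h.ip},${h.count}`)].join('\n');
}

// Constructed sample logs (not real traffic): three clients, two of them
// hammering the server, plus one request just past the window edge.
function buildSampleLogs() {
  const lines = [];
  const clients = [['203.0.113.9', 1500], ['198.51.100.4', 1200], ['192.0.2.33', 40]];
  for (const [ip, n] of clients) {
    for (let i = 0; i < n; i++) {
      const sec = i % 600; // spread requests across the 10-minute window
      const mm = String(Math.floor(sec / 60)).padStart(2, '0');
      const ss = String(sec % 60).padStart(2, '0');
      lines.push(`${ip} - - [01/Jan/2024:12:${mm}:${ss} +0000] "GET /menu HTTP/1.1" 200 512`);
    }
  }
  // Exactly at window end: must be excluded by the half-open window.
  lines.push('192.0.2.33 - - [01/Jan/2024:12:10:00 +0000] "GET /menu HTTP/1.1" 200 512');
  return lines;
}

const WINDOW_START = Date.UTC(2024, 0, 1, 12, 0, 0);

console.log(toLookupCsv(topHitters(buildSampleLogs(), WINDOW_START)));
```

The window is half-open so a request landing exactly on the boundary is counted once, in the next window, rather than twice; the threshold is a parameter because 1,000 requests in 10 minutes is abnormal for this web fleet but would be routine for a busy API, and the count should be tuned per service before it feeds a blocklist.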

Let's run one more search to demonstrate the power of search once again.

Many security teams face the challenge of different teams working on various cloud and on-prem environments. With Cribl Search, you can gain visibility, be unstoppable, and perform federated searches across all clouds, APIs, and existing SIEMs.

Find all the valuable insights and identify bad actors without needing any other help.

Feeling Super?

In today’s demo, we showcased our streamlined approach for handling and enriching network logs before forwarding them to Microsoft Sentinel.

For DNS logs, we filter out the top 1,000 common domains, which represent a low security risk, to optimize our data flow. For Palo Alto Networks traffic, we reformat the logs, add GeoIP enrichment, and then forward them to Sentinel.

Additionally, a complete copy of both PAN and DNS logs is archived in our SecOps data lake for full-fidelity analysis. Finally, we explored federated search to seamlessly integrate and analyze data from multiple sources.

Feel free to schedule a demo or try Cribl by clicking on either.


See Cribl: See a custom demo tailored to your tools and data challenges, with one of our team.

Try Cribl: Get hands-on with a Sandbox or guided Cloud Trial.

Free Cribl: Process up to 1TB/day, no license required.