Ingest data from Cribl - Ingest third-party data collected by Cribl. - Administrator Guide - Cortex XSIAM - Cortex

Abstract

Ingest third-party data collected by Cribl.

Note

The Cribl data collector is a beta feature.

The Cribl data collector is an out-of-the-box native integration which ingests data that Cribl collects from multiple data sources and streams to Cortex XSIAM, while ensuring that all downstream capabilities, including analytics, are available in Cortex XSIAM.

The onboarding process in Cribl has an impact on the output that is sent to Cortex XSIAM. Therefore, the onboarding process of some sources in Cribl might have to be implemented in a certain way in order to adhere to Cortex XSIAM requirements. These processes are described in more detail in Tasks 1 and 3, below.

Raw data must be collected by Cribl and streamed as-is from the passed through source, because any changes made by Cribl might affect the way that Cortex XSIAM handles the data.

For best results, we recommend ingesting data from Palo Alto Networks products, such as Next-Generation Firewall (NGFW) using the dedicated Cortex XSIAM data collectors, instead of source collectors provided by Cribl. Although you can ingest FW data through Cribl, ingesting it that way will omit a layer of data (EAL).

Note

We do not support email data collection via Cribl.

Workflow high-level overview:

Task 1: In Cribl, onboard data collection from your data sources.
Task 2: In Cortex XSIAM, create a Cribl data collector instance, and obtain the authorization token and the API URL.
Task 3: In Cribl, for each source, configure the destination, using the Cortex XSIAM authorization token, the Cortex XSIAM API URL, and the source UUID.
Task 4: Verify that data is streamed to Cortex XSIAM as expected, and perform ongoing maintenance.

Perform the following tasks in the order that they appear.

Prerequisite

Ensure that you have the credentials and IDs for each data source, such as Tenant ID, App ID and Client secret.

General guidelines specifically for Cortex XSIAM (for more information, refer to Cribl documentation):

If you have not already done so, create source collectors to onboard the desired data sources.
For some data sources, Cribl includes specific collectors in its catalog. If you can't find one in the catalog specifically for your source, use a generic collector.
Although some native Cribl source collectors allow you to ingest several data types using the same source collector, we do not recommend this approach. To ensure optimal Cortex XSIAM performance, configure a separate Cribl source collector for each data type. For reference purposes, this data source UUID list shows all the data types that can be onboarded.
For example, Microsoft 365 has several data types, such as users, groups, and contacts.

Note

Only one Cribl data collector instance can be configured in Cortex XSIAM.

Go to Settings → Configuration → Data Collection → Data Sources.
Search for Cribl.
Click the Cribl integration, and then click Connect.
In the Name field, enter a meaningful name for the integration.
Click Save & generate token.
Click the Copy icon to copy the authorization token.
Save the authorization token copy in a safe place for future use. You cannot access this token again, so take care to copy it and save it before you close the dialog box.
Click Close.
On the Data Sources page, in the row for the Cribl instance, click the link icon (Copy API URL). Save the API URL copy in a safe place for future use.

Prerequisite

Ensure that you have the copies of the Cortex XSIAM authorization token and API URL obtained in Task 2.

The following table includes guidelines that are relevant specifically for Cortex XSIAM. While you are configuring Cortex XSIAM destinations for your sources, configure the items listed in the table below as described.

For general information about configuring destinations, refer to Cribl documentation.

Item	Setting	Details
Cortex XSIAM URL	XSIAM Endpoint field	Paste the API URL obtained from Cortex XSIAM.
Authorization token	Authorization Token field	Paste the authorization token obtained from Cortex XSIAM.
Advanced Settings	Compress toggle	Ensure that Compress is disabled.
HTTP headers	Extra HTTP headers	Add extra HTTP headers for each data source: Source-identifier: Search the table supplied in this topic for the vendor and product. The Data source UUIDs table lists the data sources that can be identified by Cortex XSIAM, using their corresponding UUIDs. These UUIDs are required to map data collected by Cribl to the Cortex XSIAM destination. If you find the desired vendor and product, copy the corresponding UUID from the table and paste here. This UUID will allow Cortex XSIAM to leverage all the data ingested from the data source, such as identifiers, pipeline sources such as IP addresses, devices, and so on. Data from sources known to Cortex XSIAM are saved in the appropriate datasets–the same datasets as those used by dedicated data collectors in Cortex XSIAM. Note: Do not use the generic UUID for a data source that is known to Cortex XSIAM and appears in the table. If you can’t find the desired vendor and product source in the table, copy the generic UUID provided in the first row of the table, and paste here. Data from unknown sources are saved in a separate searchable dataset. The dataset name will reflect the Vendor and Product names that you enter next. Format: json Vendor: When using the UUID for unknown data sources, you must enter the vendor name. Product: When using the UUID for unknown data sources, you must enter the product name.
Mapping	Passthru option	Map the data source(s) that you created in Task 1 to the XSIAM data destination created in this task. Ensure that you select the Passthru option.
Deployment	Commit & Deploy Deploy	When mapping is complete, click Commit & Deploy, and then click Deploy.

Use the Disable and Delete options with extreme caution.

Disabling the integration will cease streaming from Cribl.
Deleting the integration will erase the integration completely and will require reconfiguration, because the original authorization token will be lost.

Disable the integration with Cribl

To disable the integration, in Cortex XSIAM, search for the Cribl integration on the Data Sources page, and clear the Enable checkbox.
In the Are you sure? dialog box, type disable, and then click Disable.

Delete the integration with Cribl

To delete the Cribl integration, in Cortex XSIAM, search for the integration on the Data Sources page, and click the integration's Delete icon.
In the Are you sure? dialog box, type delete, and then click Delete.

Ingest data from Cribl - Ingest third-party data collected by Cribl. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Note

Note

Prerequisite

Note

Prerequisite