Scenarios that Require Specific Configuration

Some Cribl logs require additional configuration in order to be parsed effectively in Exabeam. To ensure these logs reach the appropriate Exabeam parsers, the necessary steps must be performed in Cribl Stream. Follow the links in the scenarios listed below for information about the required configurations:

Collecting Data from a Splunk Source – Configure a pipeline in your Cribl Stream connection that extracts a specific subset of the _raw field of a Cribl log file.
Targeting Parsers that Require Augmented Metadata – Configure a pipeline in your Cribl Stream connection that includes a Mask function with a regex replace statement that inserts the necessary metadata key-value pairs into the _raw field of Cribl log files.

Collecting Data from a Splunk Source

To collect Cribl logs from a Splunk source, a specific subset of information in the _raw field of the log is required. In order for Splunk data to be collected and parsed appropriately in Exabeam, this subset of information must be extracted and used to replace the original _raw field in the log.

To streamline this extract and replace process, Exabeam provides a JSON code snippet. When included in a pipeline, this JSON code creates an Eval function that filters for the required information in the _raw field, extracts it, and overwrites the original field with the result.

To implement this configuration:

Open your Splunk Search source and navigate to the Configuration screen. Click Event Breakers and use the Ruleset drop down to switch from the default Splunk ruleset to the Cribl ruleset called Cribl Event breaking rules for line delimited json data. Save the change.

Copy the following JSON code snippet and save it.

{
  "id": "Splunk_Search_Extract_Raw",
  "conf": {
    "output": "default",
    "streamtags": [],
    "groups": {},
    "asyncFuncTimeout": 1000,
    "functions": [
      {
        "filter": "result != null && result._raw != null",
        "conf": {
          "add": [
            {
              "disabled": false,
              "name": "_raw",
              "value": "result._raw"
            }
          ]
        },
        "id": "eval",
        "description": "Update Splunk search results (broken as JSON) to overwrite _raw with result._raw"
      }
    ]
  }
}

In your Cribl Stream worker group, navigate to Processing -> Pipelines.
Create a new pipeline using the Import from File option. See Adding Pipelines in the Cribl documentation.
Navigate to where you saved the JSON code in Step 2 and select the file. Click Import and then Save.
In Cribl Stream, navigate to Routing and select QuickConnect or Data Routes to route data to a specific destination based on the standard your organization uses.
Create a connection between your Splunk source on the left and your Exabeam destination on the right. See QuickConnect in the Cribl documentation.
Note
If you have multiple Exabeam destinations configured, make sure you select the one associated with the appropriate Cribl Cloud Collector.
When the Connection Configuration dialog box is displayed, click the Pipeline option. The Add Pipeline to Connection dialog box opens.
Select the radio button next to the pipeline you created in Step 4 and click Save. The pipeline is added to the connection between your Splunk source and your Exabeam destination.

When the pipeline configuration is complete, verify that Splunk data is collected successfully in your Cribl Cloud Collector and that the collected logs are parsed correctly in downstream Exabeam services.

Targeting Parsers that Require Augmented Metadata

Some Exabeam parsers require a specific metadata key-value pair to be present in log messages that are ingested from Cribl. This metadata must be present in the _raw field of a Cribl log file in order for the log to be evaluated by the appropriate Exabeam parser. To determine if you are using parsers that require augmented metadata, and to find the exact conditions that must be added to outgoing logs, see the table in Parsers that Require Augmented Metadata.

One method for augmenting Cribl logs with the required metadata, is to create a pipeline and apply it to the connection between the source and your Exabeam destination. Add a Mask function to the pipeline that includes Regex statements that will insert the required exact conditions into outgoing logs. The steps below outline this procedure. However, depending on the source you are using, additional filtering logic is sometimes required. Consult your Cribl representative for help in such cases.

To implement this method of augmenting log metadata:

In your Cribl Stream worker group, navigate to Processing -> Pipelines.
Create a new pipeline using the Create Pipeline option. See Adding Pipelines in the Cribl documentation.
Open the new pipeline and add a standard Mask function to it. Configure the following information:
- Match Regex statement – Add a Regex expression that will find the start of the log message.
- Replace Expression – Enter the exact condition required for a specific parser designed for a specific vendor and product. To find the exact condition, see the table in Parsers that Require Augmented Metadata.
The image below shows an example of a configured Mask function. For more information, see Function/Mask in the Cribl documentation.
To verify that the exact condition is added properly to the front of outgoing logs, use the Simple Preview to check the outgoing message. It should look similar to the example below.
Save the pipeline configuration.
Navigate to Routing -> QuickConnect.
Create a connection between a specific source on the left and your Exabeam destination on the right. See QuickConnect in the Cribl documentation.
When the Connection Configuration dialog box is displayed, click the Pipeline option
Select the radio button next to the pipeline you just created and click Save. The pipeline is added to the connection between your source and your Exabeam destination.

When the pipeline configuration is complete, verify that data from the relevant source is collected successfully in your Cribl Cloud Collector and that the collected logs are parsed correctly in downstream Exabeam services. If the data is not parsed as expected, you might need add further logic to the pipeline. Consult your Cribl representative for help.

Parsers that Require Metadata Augmentation

This table lists Exabeam parsers, by vendor and product, that require augmentation in a Cribl log message in order for the log to be evaluated by the appropriate parser. For example, in order for a Cribl log message to be parsed by the Amazon AWS CloudTrail parser (amazon-awscloudtrail-sk4-app-activity-aws), the log message must contain a key/value pair in the form of the following exact condition: 'destinationServiceName=AWS'.

Vendor	Product	Exabeam Parser	Exact Condition
Amazon	AWS CloudTrail	`amazon-awscloudtrail-sk4-app-activity-aws`	`'destinationServiceName=AWS'`
		`amazon-awscloudtrail-sk4-app-activity-success-redshift`	`'destinationServiceName=AWS', 'dproc=Redshift'`
	AWS CloudWatch	`amazon-awscloudwatch-cef-network-traffic-success-cloudwatch`	`'destinationServiceName=AWS', 'dproc=CloudWatch Logs'`
		`amazon-awscloudwatch-sk4-app-activity-aws`	`'destinationServiceName=AWS', 'dproc=CloudWatch'`
Bitglass	Bitglass CASB	`bitglass-casb-sk4-alert-trigger-success-cloudsummary`	`'dproc=cloudsummary'`
BlackBerry	BlackBerry Protect	`blackberry-protect-sk4-alert-trigger-success-cyclaneprotect`	`'destinationServiceName=CylanceProtect'`
Box	Box Cloud Content Management	`box-ccm-cef-file-success-box`	`'destinationServiceName=Box'`
		`box-ccm-cef-file-success-contentaccess`	`'destinationServiceName=Box'`
		`box-ccm-sk4-app-login-success-login`	`'destinationServiceName=Box'`
Cisco	Cisco Meraki MX applicance	`cisco-mma-cef-alert-trigger-success-classification`	`'destinationServiceName=Cisco Meraki'`
	Cisco Umbrella	`cisco-umbrella-cef-dns-response-success-adusers`	`'destinationServiceName=Cisco Umbrella'`
		`cisco-umbrella-cef-dns-response-success-responsecode`	`'destinationServiceName=Cisco Umbrella'`
		`cisco-umbrella-cef-http-session-proxy`	`'destinationServiceName=Cisco Umbrella ', 'dproc=Proxy '`
		`cisco-umbrella-sk4-dns-response-success-roamingclient`	`'destinationServiceName=Cisco Umbrella'`
	Duo Access	`cisco-duo-cef-app-login-destservicenameduo`	`' destinationServiceName=DUO '`
		`cisco-duo-cef-endpoint-authentication-newenrollment`	`' destinationServiceName=DUO ', 'dproc=authentication-logs'`
		`cisco-duo-cef-vpn-login-fail-loginfailure`	`' destinationServiceName=DUO '`
		`cisco-duo-sk4-vpn-login-success-newenrollment`	`' destinationServiceName=DUO '`
Citrix	Citrix Gateway	`citrix-cgateway-sk4-app-activity-success-sharessend`	`'destinationServiceName=Citrix ShareFile', 'dproc=SharesSend'`
	Citrix ShareFile	`citrix-sharefile-cef-file-download-success-download`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-cef-file-upload-success-fileupload`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-activity-success-editnote`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-activity-success-usermodifiedpermission`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-login-fail-failedlogin`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-login-fail-loginlocked`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-login-fail-tfaloginfail`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-login-success-loginactivity`	`'destinationServiceName=Citrix ShareFile'`
		`citrix-sharefile-sk4-app-login-success-tfalogin`	`'destinationServiceName=Citrix ShareFile'`
Cloudflare	Cloudflare Insights	`cloudflare-insights-sk4-app-member-success-cloudflare`	`'destinationServiceName=cloudflare'`
		`cloudflare-insights-sk4-app-member-success-cloudflare-1`	`'destinationServiceName=cloudflare'`
	Cloudflare WAF	`cloudflare-waf-sk4-network-traffic-success-fwnetworktraffic`	`'destinationServiceName=Cloudflare', 'dproc=Firewall'`
Delinea	Centrify Zero Trust Privilege Serivices	`delinea-centrifyztps-sk4-app-login-centrify`	`'destinationServiceName=Centrify'`
Egnyte	Egnyte	`egnyte-e-cef-app-activity-success-create`	`'destinationServiceName=Egnyte'`
		`egnyte-e-cef-app-activity-success-disable`	`'destinationServiceName=Egnyte'`
		`egnyte-e-cef-app-login-success-eventlogin`	`'destinationServiceName=Egnyte'`
		`egnyte-e-cef-file-permission-modify-success-assigner`	`'destinationServiceName=Egnyte', 'dproc=permissions-audit-report'`
		`egnyte-egnyte-sk4-app-activity-success-addedtogroup`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-delete`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-enable`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-passwordchange`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-passwordreset`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-removedfromgroup`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-subject`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-upgradedtopower`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-verificationdisable`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-verificationenable`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-activity-success-verified`	`'destinationServiceName=Egnyte'`
		`egnyte-egnyte-sk4-app-login-fail-username`	`'destinationServiceName=Egnyte'`
		`engyte-e-cef-app-activity-success-update`	`'destinationServiceName=Egnyte'`
GitHub	GitHub	`github-g-sk4-repository-create-success-github`	`'destinationServiceName=GitHub'`
Google	GCP CloudAudit	`google-gcpca-sk4-app-activity-stackdriverevents`	`'destinationServiceName=Google Cloud Platform (GCP)'`
	Google Cloud Platform	`google-cloudplatform-json-app-database-success-database`	`'dproc=Cloud PubSub'`
		`google-cloudplatform-json-app-notificatation-success-textpayload`	`'dproc=Cloud PubSub'`
	Google Workspace	`google-workspace-cef-app-activity-success-audit`	`'destinationServiceName=Google Apps', 'dproc=Gmail Logs'`
		`google-workspace-cef-app-login-uniquequalifier`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-activity-success-admin`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-activity-success-calendar`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-activity-success-groups`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-activity-success-mobile`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-login-success-googleapps2`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-success-activity`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-app-success-token`	`'destinationServiceName=Google Apps'`
		`google-workspace-sk4-email-send-gmaillogs`	`'destinationServiceName=Google Apps', 'dproc=Gmail Logs'`
		`google-workspace-sk4-user-password-success-changepassword`	`'destinationServiceName=Google Apps'`
Illumio	Illumio Core	`illumio-ic-mix-network-traffic-illumiopce`	`'"src_hostname":"'`
LastPass	LastPass	`lastpass-l-cef-app-login-fail-failedloginattempt`	`'dproc=EventReporting', 'destinationServiceName=LastPass'`
		`lastpass-l-sk4-app-activity-success-report`	`'dproc=EventReporting', 'destinationServiceName=LastPass'`
		`lastpass-l-sk4-app-login-success-actionlogin`	`'dproc=EventReporting', 'destinationServiceName=LastPass'`
		`lastpass-l-sk4-app-login-success-adminconsole`	`'dproc=EventReporting', 'destinationServiceName=LastPass'`
Microsoft	Azure AD Activity Logs	`microsoft-azuread-cef-app-login-clientappused`	`'destinationServiceName=Office 365', 'dproc=Graph Sign-In'`
	Azure Monitor	`microsoft-azuremon-cef-app-activity-category`	`'destinationServiceName=Azure'`
		`microsoft-azuremon-sk4-app-activity-alert`	`'destinationServiceName=Azure'`
		`microsoft-azuremon-sk4-app-activity-loganalyticsomsworkspace`	`'destinationServiceName=Azure', 'dproc=Log Analytics OMS Workspace'`
		`microsoft-azuremon-sk4-app-activity-operationname`	`'destinationServiceName=Azure'`
		`microsoft-o365-cef-app-file-success-storageanalyticsevents`	`'destinationServiceName=Azure', 'dproc=iaas-storage-analytics-events'`
	M365 Audit Logs	`microsoft-m365auditlogs-sk4-app-activity-managementgeneral`	`'destinationServiceName=Office 365', 'dproc=management-general'`
	Microsoft 365	`microsoft-o365-cef-alert-trigger-success-spoofmail`	`'destinationServiceName=Office 365'`
		`microsoft-o365-cef-app-file-success-displayname`	`'destinationServiceName=Office 365'`
		`microsoft-o365-json-app-activity-graphdirectoryauditlogs`	`'"destinationServiceName":"Office 365"', '"dproc":"Graph Directory Audit logs"'`
		`microsoft-o365-sk4-alert-trigger-success-graphidentity`	`'destinationServiceName=Office 365', 'dproc=graph-identity-protection-risk-detection'`
		`microsoft-o365-sk4-app-activity-appactivity`	`'destinationServiceName=Office 365'`
		`microsoft-o365-sk4-app-activity-auditevent`	`'destinationServiceName=Office 365'`
		`microsoft-o365-sk4-app-file-workload`	`'destinationServiceName=Office 365'`
		`microsoft-o365-sk4-file-write-success-filecreatedonremovablemedia`	`'destinationServiceName=Office 365'`
	Microsoft CAS	`microsoft-mcas-json-alert-trigger-success-mcasalerts`	`'dproc=mcas-alerts'`
	Microsoft Defender for Endpoint	`microsoft-azure-kv-network-traffic-eventhubbeat`	`'@timestamp'`
		`microsoft-defenderep-sk4-alert-trigger-success-securityalerts`	`'dproc=Graph Security Alerts'`
	Microsoft DNS Log	`microsoft-windows-json-dns-request-success-windns`	`'@timestamp":'`
		`microsoft-windows-json-dns-response-success-logtype`	`'@timestamp":'`
	Network Security Group Flow Logs	`microsoft-azure-sk4-network-traffic-nsgflow`	`'destinationServiceName=Azure', 'dproc=NSG Flow Logs'`
Mimecast	Mimecast Secure Email Gateway	`mimecast-seg-cef-app-activity-success-messageviewlogs`	`'destinationServiceName=Mimecast Email Security', 'dproc='`
		`mimecast-seg-cef-app-login-fail-logonauthfailed`	`'destinationServiceName=Mimecast Email Security'`
		`mimecast-seg-cef-app-login-success-audittype`	`'destinationServiceName=Mimecast Email Security', 'dproc='`
		`mimecast-seg-cef-email-hold`	`'destinationServiceName=Mimecast Email Security'`
		`mimecast-seg-sk4-app-activity-success-auditevents`	`'destinationServiceName=Mimecast Email Security', 'dproc=Audit Events'`
Netskope	Netskope Security Cloud	`netskope-sc-cef-app-login-success-loginsuccessful`	`'destinationServiceName=Netskope'`
		`netskope-sc-cef-app-logout-logoutsuccessful`	`'destinationServiceName=Netskope'`
		`netskope-sc-cef-file-browse`	`'destinationServiceName=Netskope'`
		`netskope-sc-cef-file-download-success-download`	`'destinationServiceName=Netskope'`
		`netskope-sc-cef-file-read-success-viewall`	`'destinationServiceName=Netskope'`
		`netskope-sc-cef-file-upload-success-upload`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-alert-trigger-success-breach`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-alert-trigger-success-dlp`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-alert-trigger-success-malsite`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-alert-trigger-success-malwaretype`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-alert-trigger-success-netskope`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-app-activity-success-download`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-app-activity-success-like`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-app-activity-success-pageprefetched`	`'destinationServiceName=Netskope'`
		`netskope-sc-sk4-app-activity-success-upload`	`'destinationServiceName=Netskope'`
Okta	Okta Adaptive MFA	`okta-amfa-sk4-app-appactivity`	`'destinationServiceName=Okta'`
		`okta-amfg-cef-endpoint-login-fail-invalidtoken`	`'destinationServiceName=Okta'`
OneLogin	OneLogin	`onelogin-o-cef-app-login-assumingactinguserid`	`'destinationServiceName=OneLogin'`
Ping Identity	PingOne	`pingidentity-pingone-sk4-app-activity-ping`	`'destinationServiceName=Ping'`
		`pingidentity-pingone-sk4-app-activity-ping-1`	`'destinationServiceName=Ping'`
		`pingidentity-pingone-sk4-vpn-login-success-pingauthsuccess`	`'destinationServiceName=Ping'`
Salesforce	Salesforce	`salesforce-sf-cef-file-download-success-cloud`	`'destinationServiceName=Sales Cloud'`
		`salesforce-sf-cef-file-upload-success-cloud`	`'destinationServiceName=Sales Cloud'`
		`salesforce-sf-sk4-app-activity-success-auditevent`	`'destinationServiceName=Sales Cloud'`
ServiceNow	ServiceNow	`servicenow-s-cef-file-syscreated`	`'destinationServiceName=ServiceNow'`
Slack	Slack	`slack-s-cef-file-success-action`	`'destinationServiceName=Slack'`
Symantec	Symantec Advanced Threat Protection	`symantec-edr-json-app-notification-success-21`	`'"destinationServiceName":"Symantec"'`
	Symantec CloudSOC	`symantec-cloudsoc-cef-file-activity-symanteccloudsoc`	`'destinationServiceName=Symantec CloudSOC'`
		`symantec-cloudsoc-sk4-alert-trigger-success-fromdetect`	`'destinationServiceName=Symantec CloudSOC', 'dproc=Detect App'`
	Symantec Web Security Service	`symantec-fireglass-cef-http-session-url`	`'destinationServiceName=Symantec WSS'`
		`symantec-wss-sk4-http-session-denied`	`'destinationServiceName=Symantec WSS'`
		`symantec-wss-sk4-http-session-observed`	`'destinationServiceName=Symantec WSS'`
		`symantec-wss-sk4-http-session-proxied`	`'destinationServiceName=Symantec WSS'`
		`symantec-wss-sk4-http-session-symantecwss`	`'destinationServiceName=Symantec WSS'`
Tenable.io	Tenable.io	`tenable-t-sk4-alert-trigger-vulnerability-1`	`'destinationServiceName=Tenable.io'`
VMware	Carbon Black CES	`vmware-carbonblack-sk4-app-activity-auditlogs`	`'destinationServiceName=CB Defense', 'dproc=auditlogs'`
		`vmware-carbonblack-sk4-app-activity-cbdefense`	`'destinationServiceName=CB Defense'`
	Carbon Black EDR	`vmware-carbonblackedr-sk4-app-notification-success-carbonblackcloud`	`'destinationServiceName=Carbon Black Cloud'`
		`vmware-carbonblackedr-sk4-endpoint-activity-apicall`	`'destinationServiceName='`
Zoom	Zoom	`zoom-z-sk4-app-activity-success-operator`	`'destinationServiceName=Zoom'`
		`zoom-z-sk4-app-login-success-signin`	`'destinationServiceName=Zoom'`

CollectorsCloud Collectors Administration Guide

Table of ContentsTable of Contents