Cribl
This guide provides step-by-step instructions for integrating AlphaSOC with Cribl Stream using a REST Collector. By following this guide, you will configure Cribl to:
- Collect refined alerts from the AlphaSOC REST API.
- Handle large API responses (over 10MB) and pagination.
- Process and split events for downstream workflows.
By the end of this guide, you'll have a fully configured Cribl Stream setup to ingest, process, and route AlphaSOC alerts efficiently.
Prerequisites
- Cribl Stream Instance: Access to a running Cribl Stream instance (Cloud or on-premise).
- AlphaSOC API Key: A valid API key from AlphaSOC, available in the customer web-based console.
- Event Breakers and Pipelines: Ability to configure custom event breakers and pipelines in Cribl Stream.
Create the AlphaSOC REST Collector
- Log in to your Cribl Stream instance with an admin account.
- Navigate to Data > Sources > REST Collectors and click Add Collector.
- Click the Configure as JSON tab and replace the default JSON with the JSON template that follows, or import the JSON configuration file available through your AlphaSOC console. If you use the template, make sure to replace [Your Base64-encoded API key] with the correct value for your environment.
Once the JSON configuration has been loaded, your screen should look as follows:
Go ahead and save the configuration and close the REST configuration dialog.
Collector JSON Template
Use the following JSON template for configuring the REST collector or download the template from your AlphaSOC console:
{
  "type": "collection",
  "ttl": "4h",
  "removeFields": [],
  "resumeOnBoot": false,
  "schedule": {
    "cronSchedule": "*/5 * * * *",
    "maxConcurrentRuns": 1,
    "skippable": true,
    "run": {
      "rescheduleDroppedTasks": false,
      "maxTaskReschedule": 1,
      "logLevel": "info",
      "jobTimeout": "3m",
      "mode": "run",
      "timeRangeType": "relative",
      "timeWarning": {},
      "expression": "true",
      "minTaskSize": "1MB",
      "maxTaskSize": "10MB",
      "stateTracking": {
        "stateUpdateExpression": "{follow: JSON.parse(_raw).follow}",
        "stateMergeExpression": "newState",
        "enabled": true
      }
    },
    "resumeMissed": false,
    "enabled": true
  },
  "streamtags": [],
  "workerAffinity": false,
  "collector": {
    "conf": {
      "discovery": {
        "discoverType": "none"
      },
      "collectMethod": "get",
      "pagination": {
        "type": "response_body",
        "maxPages": 0,
        "attribute": [
          "more",
          "follow"
        ],
        "lastPageExpr": "more === false"
      },
      "authentication": "none",
      "timeout": 0,
      "useRoundRobinDns": false,
      "disableTimeFilter": false,
      "decodeUrl": false,
      "rejectUnauthorized": true,
      "captureHeaders": true,
      "safeHeaders": [],
      "retryRules": {
        "type": "backoff",
        "interval": 1000,
        "limit": 5,
        "multiplier": 2,
        "maxIntervalMs": 20000,
        "codes": [
          429,
          503
        ],
        "enableHeader": true,
        "retryConnectTimeout": false,
        "retryConnectReset": false,
        "retryHeaderName": "retry-after"
      },
      "__scheduling": {
        "stateTracking": {}
      },
      "loginUrl": "`https://localhost:9000/api/v1/auth/login`",
      "loginBody": "`{ \"username\": \"${username}\", \"password\": \"${password}\" }`",
      "authHeaderKey": "Authorization",
      "authHeaderExpr": "`Bearer ${token}`",
      "collectUrl": "`https://api.alphasoc.net/v1/findings?format=ocsf`",
      "collectRequestHeaders": [
        {
          "name": "Authorization",
          "value": "'Basic [Your Base64-encoded API key]'"
        },
        {
          "name": "Accept",
          "value": "'application/json'"
        }
      ],
      "collectRequestParams": [
        {
          "name": "follow",
          "value": "`${state && ((follow || \"\") < state.follow) ? state.follow : follow}`"
        }
      ]
    },
    "destructive": false,
    "encoding": "utf8",
    "type": "rest"
  },
  "input": {
    "type": "collection",
    "staleChannelFlushMs": 10000,
    "sendToRoutes": true,
    "preprocess": {
      "disabled": true
    },
    "throttleRatePerSec": "0",
    "breakerRulesets": [
      "AlphaSOC Large Response Event Breaker"
    ],
    "metadata": []
  },
  "savedState": {
    "restCollectorState": {
      "data": {}
    }
  },
  "id": "AlphaSOC REST"
}
Note: Replace [Your Base64-encoded API key] with the key obtained from your AlphaSOC console.
Configure the AlphaSOC Large Response Event Breaker
The AlphaSOC Large Response Event Breaker ensures Cribl can handle large API responses (over the Cribl default maximum of 10MB) and prepares the data for further processing.
Steps to Configure the Event Breaker
- Go to Processing > Knowledge > Event Breaker Rules and click Add Ruleset.
- Click Manage as JSON.
- Paste the following JSON snippet into the configuration editor:
{
  "id": "AlphaSOC Large Response Event Breaker",
  "minRawLength": 256,
  "rules": [
    {
      "condition": "true",
      "type": "regex",
      "timestampAnchorRegex": "/^/",
      "timestamp": {
        "type": "auto",
        "length": 1500
      },
      "timestampTimezone": "local",
      "timestampEarliest": "-420weeks",
      "timestampLatest": "+1week",
      "maxEventBytes": 10000000,
      "disabled": false,
      "parserEnabled": false,
      "shouldUseDataRaw": false,
      "eventBreakerRegex": "/[\\n\\r]+(?!\\s)/",
      "jsonExtractAll": false,
      "name": "large",
      "fields": [],
      "jsonArrayField": "alerts",
      "jsonTimeField": "JSO"
    }
  ]
}
Your configuration window should look as follows:
Click OK to return to the main Event Breaker configuration, then save it to finalize the ruleset.
Configure the AlphaSOC Alerts Event Breaker
The AlphaSOC Alerts event breaker takes the alerts array from each API response and breaks it down into individual events.
To create this event breaker:
- Go to Processing > Knowledge > Event Breaker Rules and click Add Ruleset.
- Click the JSON Configuration tab.
- Replace the default skeleton configuration with the following:
{
  "id": "AlphaSOC API",
  "minRawLength": 256,
  "tags": "alphasoc",
  "rules": [
    {
      "condition": "true",
      "type": "json_array",
      "timestampAnchorRegex": "/^/",
      "timestamp": {
        "type": "auto",
        "length": 1000
      },
      "timestampTimezone": "local",
      "timestampEarliest": "-420weeks",
      "timestampLatest": "+1week",
      "maxEventBytes": 134217728,
      "disabled": false,
      "parserEnabled": false,
      "shouldUseDataRaw": false,
      "jsonExtractAll": false,
      "eventBreakerRegex": "/[\\n\\r]+(?!\\s)/",
      "name": "API default",
      "jsonArrayField": "alerts",
      "fields": [],
      "jsonTimeField": "event.ts"
    }
  ]
}
Configure the AlphaSOC Pipeline (Recommended)
This pipeline splits bulk alert data into individual events for granular processing and monitoring.
Create and Configure the Pipeline
- Go to Processing > Pipelines and click Add Pipeline.
- Name the pipeline AlphaSOC Split Alerts. Once again, the most effective way is to open the JSON view and replace the default config with the following:
{
  "id": "AlphaSOC Pipeline",
  "conf": {
    "output": "default",
    "streamtags": [],
    "groups": {},
    "asyncFuncTimeout": 1000,
    "functions": [
      {
        "id": "eval",
        "filter": "true",
        "conf": {
          "add": [
            {
              "disabled": false,
              "name": "follow",
              "value": "JSON.parse(_raw).follow"
            }
          ]
        }
      },
      {
        "id": "event_breaker",
        "filter": "true",
        "disabled": false,
        "conf": {
          "existingOrNew": "existing",
          "shouldMarkCriblBreaker": true,
          "existingRule": "AlphaSOC API"
        }
      }
    ]
  }
}
Save the configuration and exit. The AlphaSOC REST connector is now configured and ready to fetch new alerts every 5 minutes.
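To see how the collector, breaker and pipeline settings above fit together, here is an added JavaScript simulation (not AlphaSOC's or Cribl's code) of the follow-cursor pagination and state tracking the collector JSON configures, and of the json_array breaker that splits the alerts array. The API pages it walks and the cursor values c1 and c2 are constructed sample data.

```javascript
// Added simulation of the AlphaSOC REST collector logic; SAMPLE_API is constructed test data.
// Pages are keyed by the "follow" cursor used to request them; "" is the first, cursor-less request.
const SAMPLE_API = {
  "":   { more: true,  follow: "c1", alerts: [
          { id: "a1", event: { ts: "2024-01-01T00:00:00Z" }, severity: "high" },
          { id: "a2", event: { ts: "2024-01-01T00:05:00Z" }, severity: "low" } ] },
  "c1": { more: true,  follow: "c2", alerts: [
          { id: "a3", event: { ts: "2024-01-01T00:10:00Z" }, severity: "medium" } ] },
  "c2": { more: false, follow: "c2", alerts: [] },
};

// Mirrors the collectRequestParams expression
//   `${state && ((follow || "") < state.follow) ? state.follow : follow}`
// `state` is the saved collector state, `follow` the cursor from the previous page body;
// the saved cursor wins only when it is ahead of the paged one (e.g. at the start of a new run).
function followParam(state, follow) {
  return state && ((follow || "") < state.follow) ? state.follow : follow;
}

// Mirrors stateUpdateExpression "{follow: JSON.parse(_raw).follow}" with
// stateMergeExpression "newState": the new state simply replaces the old one.
function updateState(raw) {
  return { follow: JSON.parse(raw).follow };
}

// Mirrors the "AlphaSOC API" json_array rule: jsonArrayField "alerts" gives one event
// per alert and jsonTimeField "event.ts" sets _time (epoch seconds, as Cribl stores it).
function breakAlerts(raw) {
  const body = JSON.parse(raw);
  return (body.alerts || []).map((a) => ({
    _raw: JSON.stringify(a),
    _time: Date.parse(a.event.ts) / 1000,
    follow: body.follow,  // the field the pipeline's eval function adds to each event
  }));
}

// One scheduled run: keep requesting pages until lastPageExpr "more === false" holds.
function collectRun(api, savedState) {
  const events = [];
  let state = savedState, follow, more = true, pages = 0;
  while (more) {
    const page = api[followParam(state, follow) || ""];
    if (!page) throw new Error("unknown cursor");  // would surface as an HTTP error in Cribl
    const raw = JSON.stringify(page);
    events.push(...breakAlerts(raw));
    state = updateState(raw);
    ({ more, follow } = page);
    pages += 1;
  }
  return { events, state, pages };
}
```

Running collectRun twice, the second time with the state returned by the first, shows why the saved cursor matters: the second run requests only the last page and ingests nothing new.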