Cribl

This guide provides step-by-step instructions for integrating AlphaSOC with Cribl Stream using a REST Collector. By following this guide, you will configure Cribl to:

  1. Collect refined alerts from the AlphaSOC REST API.
  2. Handle large API responses (over 10MB) and pagination.
  3. Process and split events for downstream workflows.

By the end of this guide, you'll have a fully configured Cribl Stream setup to ingest, process, and route AlphaSOC alerts efficiently.

Prerequisites

  • Cribl Stream Instance: Access to a running Cribl Stream instance (Cloud or on-premise).
  • AlphaSOC API Key: A valid API key from AlphaSOC, available in the customer web-based console.
  • Collectors and Event Breakers: Ability to configure custom collectors and event breakers in Cribl Stream.

Create the AlphaSOC REST Collector

  1. Log in to your Cribl Stream instance with an admin account.
  2. Navigate to Data > Sources > REST Collectors and click Add Collector.

(Screenshot: Cribl Add REST Collector)

Click the Configure as JSON tab and replace the default JSON with the template given in the Collector JSON Template section below.

(Screenshot: Cribl Add REST Collector, Configure as JSON tab)

Once the JSON configuration has been loaded, your screen should look as follows:

(Screenshot: Cribl Add REST Collector, loaded configuration)

Click the Save button, which opens a prompt asking for your AlphaSOC API key (available in the customer web-based console).

(Screenshot: Cribl Add REST Collector, Replace Values prompt)

Then click Replace Values to complete the collector setup.

Collector JSON Template

Use the following JSON template for configuring the REST collector:

{
  "type": "collection",
  "ttl": "4h",
  "removeFields": [],
  "resumeOnBoot": false,
  "schedule": {
    "cronSchedule": "*/5 * * * *",
    "maxConcurrentRuns": 1,
    "skippable": true,
    "run": {
      "rescheduleDroppedTasks": false,
      "maxTaskReschedule": 1,
      "logLevel": "info",
      "jobTimeout": "3m",
      "mode": "run",
      "timeRangeType": "relative",
      "timeWarning": {},
      "expression": "true",
      "minTaskSize": "1MB",
      "maxTaskSize": "10MB",
      "stateTracking": {
        "stateUpdateExpression": "{follow: __collectible.resHeaders['x-stream-follow']}",
        "stateMergeExpression": "newState",
        "enabled": true
      },
      "discoverToRoutes": false,
      "timestampTimezone": "UTC",
      "earliest": "-30d",
      "latest": ""
    },
    ...
Note: During configuration you should be prompted to replace <API Key|Provide your AlphaSOC API Key> with the key obtained from your AlphaSOC console.

Configure the AlphaSOC Records Event Breaker

The AlphaSOC Records Event Breaker ensures Cribl splits each result into separate events.

Steps to Configure the Event Breaker

  1. Go to Processing > Knowledge > Event Breaker Rules and click Add Ruleset.
  2. Click on Manage as JSON.
  3. Paste the following JSON snippet into the config file:
{
  "id": "AlphaSOC Records Event Breaker",
  "minRawLength": 256,
  "tags": "alphasoc",
  "description": "Splits records JSON array of into single events ",
  "rules": [
    {
      "condition": "true",
      "type": "json_array",
      "jsonArrayField": "records",
      "timestampAnchorRegex": "/^/",
      "timestamp": {
        "type": "auto",
        "length": 350
      },
      "timestampTimezone": "local",
      "maxEventBytes": 10485760,
      "disabled": false,
      "parserEnabled": false,
      "shouldUseDataRaw": false,
      "name": "split"
    }
  ]
}

Your configuration window should look as follows:

(Screenshot: Cribl Event Breaker configuration)

Click OK to return to the main Event Breaker configuration, then click Save to finalize it.

The AlphaSOC REST connector is now configured and ready to fetch new alerts every 5 minutes.
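The collector template and the event breaker above rely on two mechanics that are easy to misread from JSON alone: state tracking, where each run stores the value of the `x-stream-follow` response header (`stateUpdateExpression`) and the new state simply replaces the old one (`stateMergeExpression` is `newState`), and the `json_array` breaker, which turns the `records` array of each response into one event per alert. The following Python script is an added example that simulates both in memory; it is not Cribl or AlphaSOC code. The three sample pages, their tokens and the alert fields are constructed data, and `fetch` stands in for the HTTP request Cribl performs, so no request format is implied.

```python
"""Simulate the Cribl behaviours configured in this guide:
  - state tracking that follows the `x-stream-follow` response header
    across scheduled runs, and
  - a json_array event breaker that splits `records` into single events.

Added example, not Cribl or AlphaSOC code. All pages and alerts below
are constructed sample data; `fetch` stands in for the real HTTP call.
"""
import json

# Constructed sample responses, keyed by the follow token that requests them.
# None represents the very first run, before any state has been saved.
SAMPLE_PAGES = {
    None: {
        "headers": {"x-stream-follow": "tok-2"},
        "body": {"records": [{"id": 1, "severity": "high"},
                             {"id": 2, "severity": "low"}]},
    },
    "tok-2": {
        "headers": {"x-stream-follow": "tok-3"},
        "body": {"records": [{"id": 3, "severity": "medium"}]},
    },
    "tok-3": {
        # No new alerts yet: empty array, but the header still points at
        # the same position so the next run resumes from here.
        "headers": {"x-stream-follow": "tok-3"},
        "body": {"records": []},
    },
}


def fetch(follow):
    """Stand-in for the collector's HTTP GET. Returns (headers, raw body)."""
    page = SAMPLE_PAGES[follow]
    return page["headers"], json.dumps(page["body"])


def state_update(res_headers):
    # Mirrors stateUpdateExpression:
    #   {follow: __collectible.resHeaders['x-stream-follow']}
    return {"follow": res_headers.get("x-stream-follow")}


def state_merge(old_state, new_state):
    # Mirrors stateMergeExpression "newState": the new state replaces the
    # old one rather than being merged into it.
    return new_state


def break_events(raw_body, array_field="records"):
    """Mirrors the json_array rule: one event per element of `records`.
    A body without the field (or with an empty array) yields no events."""
    return list(json.loads(raw_body).get(array_field, []))


def run_collector(state, fetch_fn=fetch):
    """One scheduled run: request from the saved position, break the
    response into events and compute the state for the next run."""
    headers, body = fetch_fn(state.get("follow"))
    events = break_events(body)
    next_state = state_merge(state, state_update(headers))
    return events, next_state


def simulate_runs(n_runs):
    """Run the collector n_runs times from empty state, as the 5-minute
    cron schedule would, and return all events plus the final state."""
    state = {}
    collected = []
    for _ in range(n_runs):
        events, state = run_collector(state)
        collected.extend(events)
    return collected, state


if __name__ == "__main__":
    events, final_state = simulate_runs(3)
    for event in events:
        print(json.dumps(event))
    print("next run resumes with state:", final_state)
```

Because the merge expression replaces rather than accumulates state, a run that returns no records still advances (or, as in the third sample page, holds) the follow position, so alerts are neither re-ingested nor skipped between runs. That is also why `resumeOnBoot` and `maxConcurrentRuns: 1` matter in the template: two overlapping runs writing state would race on the follow token.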

Next steps

After configuring the AlphaSOC REST collector, you might also want to configure Cribl Data Routes and Processing Pipelines to modify the findings and route them to their final destination. For further information about this configuration, see the Cribl Stream Documentation.