Cribl

This guide explains how to configure the AlphaSOC Findings REST Collector Pack for Cribl Stream. The Pack collects AlphaSOC OCSF Detection Findings from the AlphaSOC API on a schedule and routes them to your configured Cribl destinations, including Cribl Lake, Cribl Search, a SIEM, or another output.

Prerequisites

  • Cribl Stream 4.17.0 or later (cloud or on-premises).
  • Permission to import Packs, configure Pack variables, run collectors, configure Worker Group routes, and Commit and Deploy changes.
  • An AlphaSOC account configured to receive findings. For assistance, contact support@alphasoc.com.
  • An AlphaSOC API key from the AlphaSOC console. For instructions, see Adding a new API key.

Configuration

Install the Pack

note

This Pack includes a REST Collector. Do not insert this Pack as a Pipeline in the global routes table. The Pack collects data itself and sends collected findings back to Worker Group routes.

Install the AlphaSOC Findings REST Collector IO Pack:

  1. In your Worker Group, go to Processing > Packs.
  2. Click Add Pack.
  3. Click Add from Dispensary, search for "AlphaSOC Findings REST Collector IO", and click the blue Add Pack button, or add a previously downloaded pack from a file.

Configure the AlphaSOC API key

After importing the Pack:

  1. Open the Pack.
  2. Go to Knowledge > Variables.
  3. Click alphasoc-api-key.
  4. Set the encrypted alphasoc-api-key variable to your AlphaSOC API key.
  5. Click Save.

Configure routing and destination

The Pack route sends collected findings to Worker Group routes. To receive findings:

  1. In the Worker Group, create or update a route under Routing > Data Routes.
  2. Set the filter to:

     __collectible.collectorId.startsWith('cc-stream-alphasoc-rest-io')

note

This filter assumes the Pack uses the default Pack ID. If you changed the Pack ID during import, update the filter to match your Pack ID; with the default filter, events from a renamed Pack will not match the route.

  3. Route matching events to your desired destination, such as Cribl Lake, Cribl Search, Splunk, or Amazon S3.
  4. Click Save.
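The following is an added example, not code from the Pack or from Cribl or AlphaSOC. It shows how the route filter above behaves on events that do and do not originate from this Pack's collector, including the renamed-Pack case from the note. Cribl evaluates a route filter as a JavaScript expression with the event's fields in scope; evalFilter() below approximates that locally. The sample events are constructed, and the exact form of __collectible.collectorId beyond its Pack ID prefix is an assumption.

```javascript
// Added example (not part of the Pack, Cribl, or AlphaSOC). It exercises the
// Data Route filter from the procedure above against constructed events.
// Assumption: __collectible.collectorId begins with the Pack ID; the suffix
// used here ("<packId>.AlphaSOC_Findings") is illustrative only.

const DEFAULT_PACK_ID = 'cc-stream-alphasoc-rest-io';

// The filter exactly as written in the route, parameterised by Pack ID so
// the "changed the Pack ID during import" case can be exercised.
function buildFilter(packId = DEFAULT_PACK_ID) {
  return `__collectible.collectorId.startsWith('${packId}')`;
}

// Approximation of Cribl's filter evaluation: identifiers in the expression
// resolve to event fields, a missing field reads as undefined, and a filter
// that throws (e.g. dereferencing a missing __collectible) counts as
// not matching rather than as an error.
function evalFilter(filter, event) {
  const scope = new Proxy(event, {
    has: () => true,
    get: (target, key) => (key === Symbol.unscopables ? undefined : target[key]),
  });
  try {
    const fn = new Function('__scope', `with (__scope) { return (${filter}); }`);
    return fn(scope) === true;
  } catch (err) {
    return false;
  }
}

// Apply a filter to a batch of events, as a Data Route would.
function routeEvents(events, filter) {
  return events.filter((event) => evalFilter(filter, event));
}

// Constructed sample events (not real AlphaSOC output). Only
// __collectible.collectorId matters to the filter; the other fields just
// sketch the shape of one split OCSF finding.
const SAMPLE_EVENTS = [
  {
    _time: 1700000000,
    _raw: '{"class_uid":2004,"severity_id":3}',
    __collectible: { collectorId: 'cc-stream-alphasoc-rest-io.AlphaSOC_Findings' },
  },
  {
    // Same collector, but the Pack was imported under a custom Pack ID.
    _time: 1700000300,
    _raw: '{"class_uid":2004,"severity_id":4}',
    __collectible: { collectorId: 'my-alphasoc-pack.AlphaSOC_Findings' },
  },
  {
    // An event from an ordinary Source: no __collectible field at all.
    _time: 1700000600,
    _raw: 'Jan 1 00:00:00 host sshd[1]: Accepted publickey for admin',
  },
];

// Helper for reading results: the collector ID of each routed event.
function collectorIds(events) {
  return events.map((e) => (e.__collectible ? e.__collectible.collectorId : null));
}

// Default filter: only the first event is routed. The renamed-Pack event and
// the Source event are both dropped.
console.log(collectorIds(routeEvents(SAMPLE_EVENTS, buildFilter())));
// -> ['cc-stream-alphasoc-rest-io.AlphaSOC_Findings']

// Filter updated for the custom Pack ID: now only the second event is routed.
console.log(collectorIds(routeEvents(SAMPLE_EVENTS, buildFilter('my-alphasoc-pack'))));
// -> ['my-alphasoc-pack.AlphaSOC_Findings']
```

The third event is the important negative case: an event with no __collectible makes the filter expression throw, and Cribl treats a throwing filter as a non-match, so events from other Sources are never misrouted to the findings destination. The second event shows the failure mode the note warns about: a Pack imported under a custom ID produces events that the default filter quietly ignores.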

Commit and deploy

After configuring the API key and Worker Group route, perform a Commit and Deploy so Worker Nodes receive the complete configuration and can run the collector in the correct Pack context.

Verify the integration

The collector fetches findings every 5 minutes. After deploying, wait for the next scheduled run and verify that findings arrive at your destination.

To validate the collector manually:

  1. Open the Pack.
  2. Go to Sources > Collectors > REST.
  3. Open AlphaSOC_Findings.
  4. Run the collector in Preview mode to confirm that findings are collected and split into individual events.
  5. Run the collector in Full Run mode to confirm that your Worker Group route receives events.

note

The collector saves its position after each successful run and retrieves only new findings. Follow-up runs may return no events if there are no new findings available. To refetch older findings during testing, delete the saved state for the AlphaSOC_Findings collector and run it again.

Troubleshooting

  • 401 or 403 responses usually indicate an invalid, missing, or unauthorized AlphaSOC API key. Confirm the alphasoc-api-key variable value.
  • Collection succeeds but returns no events — your AlphaSOC workspace may not currently have findings. Check the AlphaSOC console to verify that findings exist.
  • No events reach your destination — recheck the Worker Group route filter and destination configuration.
  • Collector fails on Worker Nodes after import — perform a Commit and Deploy so the Pack context and encrypted variable are available to the workers.