Aura Integration Spotlight: Cribl

Aura Asset Intelligence has been built with the goal of enabling Security and IT teams to have actionable, accurate and up-to-date asset and identity information through our process of continuous asset discovery for Splunk. This means organizations leveraging Splunk can now have a complete understanding of all of the assets on their network and speed up Security investigations by having actionable and accurate asset and identity information instantly available. This post shines a spotlight on the new integration functionality between Aura AI and Cribl.

Why Cribl?

Enter Cribl. Cribl’s LogStream platform has become a go-to solution for Splunk customers looking to implement an observability pipeline that lets them parse, restructure, and enrich data in flight. LogStream gives customers the control they need, and indeed want, over their data, so they can get the right data, where they want it, in the formats they need.

That is why with the most recent release of Aura Asset Intelligence 2.2 we are excited to announce an out-of-the-box integration providing the ability to push Asset and Identity information directly to Cribl LogStream!

Assets and Identities in your Observability Pipeline!

Using the power of Aura, customers now have the ability to integrate and enrich data flowing through any LogStream observability pipeline with accurate, up-to-date asset and identity information. Some of the immediate value-adds you will get out of this integration are:

  • Speed up security investigations: Enrich any event, in any pipeline, with accurate and up-to-date asset and identity data.
  • Enrich any data, being routed anywhere: No matter where Cribl is routing data, that data can benefit from Aura’s continuous asset discovery functionality.
  • Control and flexibility: Customize the fields and scope of data being pushed to LogStream so that you only work with what you need.

Use Case: Firewall Data Enrichment

Let’s take a look at how the new Aura Cribl Sync integration works with a use case for enriching one of the most commonly accessed data sources, firewall data, with important context not traditionally found within this type of data: complete asset and identity information.

First, let’s start off with the configuration of the Aura Cribl Sync integration within Aura Asset Intelligence. The first step is to choose which Asset or Identity data you wish to push to Cribl; in this case we will look at all of the network assets stored in the Aura Network Asset Inventory. The search to gather this asset data is then written in the form of a Splunk Alert. In the screenshot below, the Splunk search is built to return Network Asset Inventory records and runs every 5 minutes to ensure the most up-to-date Asset information is available.

Next, we scroll down in the Edit Alert screen to the Trigger Actions section. From here we select the Aura Cribl Sync alert action. Within the alert action setup screen, we will need to provide a Filename; this will be the lookup filename that is created within Cribl LogStream. Additionally, we have the option to compress the lookup, which is extremely beneficial when dealing with a large number of network assets. We can also enable debugging of the push integration, or simply execute in Dry Run mode, where no changes are made in Cribl.

Cribl Alert Action

Now that we have our integration configured, let’s log in and validate that our Network Asset Inventory is being pushed to Cribl by navigating to the Knowledge tab and selecting Lookups from the left side pane to see the list of available lookup files.

Cribl Lookup Page

Voila! As you can see our lookup has been successfully pushed to Cribl.

Now that the Network Asset Inventory is available as a lookup within Cribl, the fun begins! As seen in the screenshot below, we have loaded in some sample data from a Check Point Firewall. A Pipeline has been created for enriching the Check Point Firewall data, but currently the data is in its original form. Next, we add a Regex Extract function to the Pipeline to extract the src field (the Source IP) from the Check Point Firewall data, as this is the field that we will apply the Lookup function against.

Checkpoint Firewall Observability Pipeline

Now that we have our Lookup pushed and available in Cribl, Check Point Firewall data in a pipeline ready to be enriched, and a Regex Extract function defined to extract the Source IP (src) field from the data, it’s time to add a Lookup function to our Pipeline and make the magic happen!

In the screenshot below, you will see a Lookup function has been added to the Check Point enrichment pipeline. Within the definition of this Lookup function, we have specified the field in the event (src) and the corresponding field name in the Lookup to match against (ip). For any match, we then specify the Output field(s) to enrich the Check Point Firewall events with. In this example we will be enriching the Check Point Firewall data with the NT Hostname, Operating System, MAC Address, Asset Type and last known User ID associated with the Network Asset. On the right-hand side of the screen you can now see a preview of the enriched Check Point Firewall events with the fields we have chosen.

Adding Lookup Enrichment to Cribl Pipeline
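As an added example (not code from Aura or Cribl), here are the same two pipeline steps in Python: a Regex Extract that pulls src from constructed Check Point events, followed by a Lookup against a constructed copy of the pushed asset inventory. The lookup column names and the simplified key=value log format are assumptions; an event with no inventory match passes through unenriched, as it would in the pipeline.

```python
import csv
import io
import re

# Constructed sample of the pushed Network Asset Inventory lookup. The column
# names are assumptions for this example, not Aura's real field names.
ASSET_LOOKUP_CSV = """ip,nt_host,os,mac,asset_type,user
10.1.1.25,WS-FINANCE-07,Windows 10,00:1a:2b:3c:4d:5e,workstation,jsmith
10.1.2.40,SRV-DB-01,Windows Server 2019,00:1a:2b:3c:4d:60,server,svc_sql
"""

# Constructed, simplified Check Point firewall events in key=value form.
SAMPLE_EVENTS = [
    "time=1601234567 action=accept src=10.1.1.25 dst=8.8.8.8 proto=udp service=53",
    "time=1601234570 action=drop src=10.1.2.40 dst=203.0.113.9 proto=tcp service=445",
    "time=1601234571 action=accept src=192.168.99.5 dst=10.1.2.40 proto=tcp service=443",
]

# Stand-in for the pipeline's Regex Extract function: the named group
# becomes the new event field "src".
SRC_REGEX = re.compile(r"\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b")

# Output fields chosen in the Lookup function (hostname, OS, MAC, type, user).
OUTPUT_FIELDS = ["nt_host", "os", "mac", "asset_type", "user"]


def load_lookup(csv_text, key_field="ip"):
    """Index the lookup by its match column, as the Lookup function does."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(csv_text))}


def regex_extract(event, pattern):
    """Add every named capture group in pattern to the event as a field."""
    match = pattern.search(event["_raw"])
    if match:
        event.update(match.groupdict())
    return event


def lookup_enrich(event, table, in_field="src", output_fields=OUTPUT_FIELDS):
    """Copy output_fields from the matching row; unmatched events pass through."""
    row = table.get(event.get(in_field))
    if row:
        for field in output_fields:
            event[field] = row[field]
    return event


def run_pipeline(raw_events, csv_text):
    """Regex Extract followed by Lookup, the order used in the enrichment pipeline."""
    table = load_lookup(csv_text)
    return [lookup_enrich(regex_extract({"_raw": raw}, SRC_REGEX), table) for raw in raw_events]
```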

Amazing, our Check Point Firewall data is now enriched with accurate and insightful Asset information! That is how easy it is to leverage the new Aura Cribl Sync integration within Aura Asset Intelligence.

In a matter of minutes, we went from regular, boring, Check Point Firewall data which provides no Asset or Identity information alongside the firewall activity, to having rich, meaningful and, most importantly, actionable firewall data that will save security analysts and investigators endless hours of previously manual asset correlation effort.

Contact us today to learn how Aura Asset Intelligence with Cribl integration can help your Security and IT teams work faster and work smarter!

© Discovered Intelligence Inc., 2020. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.