On (Cribl) Guard!

Cribl Guard part Deux: Background Detection

Part Deux, Part Deux. Background Detection in Cribl Guard is an AI-driven capability that scans data flowing through Pipelines and analyzes it in the background to uncover previously unknown sensitive data patterns. Instead of relying solely on predefined rules, Background Detection uses a family of purpose-built transformer models to proactively surface new findings (such as PII, secrets, or regulated data) so customers can review, ignore, or immediately mitigate them with additional Guard rules before they reach downstream Destinations. Let's go check it out!

Is what I would say if this were a cooking show and we had a fully prepped meal already in the oven. But since this is a software demo and we don't have a pre-cooked meal to show you, let's go through the steps to enable Background Detection in Cribl Guard so you can see how it works in action. Like any good story, we'll start at the beginning: making a Destination.

Start at the End?
  1. Click Products at the top left
  2. Under Stream click Worker Groups
  3. Click into the default Worker Group
  4. Click Data > Destinations up top
  5. Find and click on Webhook (you can just start typing webhook in the search bar to live filter the list)
  6. Click Add Destination at the top right
  7. Fill out sbx_webhook for the ID
  8. Turn off Load balancing (we don't do that here)
  9. Fill out the URL with http://webhook.cribl.io/genericsiem
  10. Click Save
  11. Take a breather
  12. Click Commit (or Commit and Deploy if you don't have a separate Commit button)
  13. On the resulting modal, click Commit & Deploy

Now let's check out Guard and how to enable its new Background Detection feature.

On Guard!
  1. On the left menu, click Guard
  2. If you're not familiar with Guard, read the tabs here before continuing (if you want, I'm not your parent)
  3. Click Get Started

So... Since Guard Background Detection is AI-driven, we do need to accept some supplemental terms in order to enable Copilot, which will allow us to enable Background Detection.

Accept the terms!
  1. Click the link to Global Settings > AI Settings at the top middle
  2. Check the box to indicate you have read the terms and agree to them (you definitely read them by clicking the link in the text, right?)
  3. Click Turn On Cribl Copilot
  4. Click to enable Background Detection so we can get back to our regularly scheduled programming
  5. Click Guard in the left-hand menu
  6. Click to enable Guard on the left-most column coincidentally labeled Guard
  7. Click Enable in the Background Detection tile at the top of the list
  8. Read the resulting pop-up and click Enable

Et voilà! On Guard! Oui oui! Et une quatrième chose française! You get the idea. Now, if we had real data flowing in a real environment, Cribl Guard would be analyzing it in the background and surfacing any new sensitive data patterns it finds for you to review, ignore, or mitigate with additional rules. But since this is a demo environment and we don't have real data flowing, you'll have to use your ✨🌈imagination🌈✨.

Pack-to-Pack champions!

Ok, enough imagining. Let's get Pack to it (ehh?). You can now route data between Packs and globally defined objects instead of forcing everything to stay trapped inside a single Pack. Teams can send data from a Pack into global Routes or point global Sources and Routes into specific Packs, enabling Pack‑to‑Pack, Pack‑to‑global, and global‑to‑Pack paths. Let's add two Packs and try it ourselves.

Two Packs a day
  1. Click Worker Groups on the left-hand menu
  2. Click into the default Worker Group
  3. Up top, click Processing > Packs
  4. At the top right, click Add Pack > Add from Dispensary
  5. Find the cribl-palo-alto-networks Pack, click into it, and click Add Pack at the top right
  6. Repeat the previous step for the cribl-cisco-meraki Pack

Quick tip: All this global routing magic happens when Packs have internal Sources and Destinations configured. So let's set that up real quick to enable all this fancy routing logic introduced in 4.17.

Just a little further Sam
  1. Click into the cribl-cisco-meraki Pack
  2. Click Sources up top
  3. Click into the Syslog tile and click Add Source at the top right
  4. Fill out blue_triceratops for the ID
  5. Fill out 33239 for the UDP Port
  6. Click Save
  7. Click Destinations in the subnav up top
  8. Select Webhook for the Destination Type
  9. Click Add Destination at the top right
  10. Fill out black_mammoth for the ID
  11. Turn off Load balancing (we still don't do that here 👀)
  12. Fill out the URL with http://webhook.cribl.io/genericsiem
  13. Click Save
  14. Up in the top breadcrumbs, click Packs to get back to the list of Packs

I hope you played with a lot of Power Rangers toys as a kid, 'cause we're gonna be morphin' routing data between these two Packs like they're part of the (Dino) Megazord!

It's Morphin Routin' Time!
  1. Click Routing > Data Routes up top
  2. Click Add Route at the top right
  3. Fill out the Route information as follows:
    • ID: megazord
    • Filter: sourcetype=="ranger"
    • Pipeline: Pack cribl-palo-alto-networks
    • Destination: Pack cribl-cisco-meraki
  4. Click Save

And that's how you route data Pack-to-Pack! You can also do Pack-to-global though... I guess we can be like Daft Punk (RIP) and configure stuff One More Time!

One More Time!
  1. Click back into Processing > Packs up top
  2. Click into the cribl-cisco-meraki Pack
  3. Click Add Route at the top right
  4. Fill out morphin_time for the ID
  5. Fill out sourcetype=="blue_ranger" for the Filter
  6. Select passthru for the Pipeline
  7. Select Send to Worker Group Routes for the Destination
  8. Click Save

Now let's make like Daft Punk again and be done forever, leaving our fans devastated and heartbroken but also with an amazing legacy of music data routing capabilities to remember us by.