Cribl
App Vendor: Cribl
App Category: Data Lake & Analytics
Connector Version: 2.0.0
API Version: v1
About App
The Cribl app enables you to manage, search, and analyze your data for faster insights and smoother security operations.
The Cribl app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Clone Lookup File Object | This action clones a lookup file object based on the specified ID. |
Commit Pending Changes | This action commits all pending configuration or lookup file changes to the Cribl repository or context. |
Create Dataset in Lake | This action creates a new dataset in the specified lake. |
Create Lookup File Object | This action creates a new lookup file object. |
Delete Dataset from a Lake | This action deletes a dataset from the specified lake. |
Delete Lookup File Object | This action deletes a lookup file object based on the specified ID. |
Deploy Modified Lookup File | This action deploys the modified lookup file selectively without restarting any workers. |
Download Lookup File Object | This action downloads a lookup file so you can access its contents locally. |
Execute Search Query | This action executes a search query to retrieve records from a Cribl dataset based on your specified parameters. |
Generic Action | This is a generic action used to make requests to any Cribl endpoint. |
Get a Dataset from a Lake | This action retrieves a dataset from the specified lake. |
Get Info of Latest Modified Lookup File | This action retrieves information about the latest modified lookup file, including the commit number, context, file name, and version number. |
Get Lookup File Object | This action retrieves a lookup file object based on the specified ID. |
Get Search Results | This action retrieves the results of a completed search query. |
Get Search Status | This action retrieves the current status of a search query. |
List Datasets from a Lake | This action retrieves all datasets from the specified lake. |
List Lookup File Objects | This action retrieves a list of all lookup file objects. |
Update a Dataset in a Lake | This action updates an existing dataset in the specified lake. |
Update Lookup File Object | This action updates a lookup file object based on the specified ID. |
Upload Lookup File Object | This action uploads a lookup file to Cribl. |
Configuration Parameters
The following configuration parameters are required for the Cribl app to communicate with the Cribl enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the base URL to access the Cribl API. | Text | Required | Allowed formats: https://${workspacename}-${organizationid}.cribl.cloud/api/v1 and https://${hostname}:${port}/api/v1. |
Client ID or Username | Enter the client ID for cloud-based authentication or the username for customer-deployed (on-prem) authentication. | Text | Required | |
Client Secret or Password | Enter the client secret for cloud-based authentication or the password for customer-deployed (on-prem) authentication. | Password | Required | |
Deployment Type | Choose true if your Cribl instance is customer-deployed (on-premises). In this case, use the username and password for authentication. Choose false if your instance is cloud-managed, which uses client ID and client secret for authentication. | Boolean | Required | |
Timeout | Enter the timeout value (in seconds) for the API request. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
Verify | Choose whether to verify the SSL/TLS certificate. Allowed values are true and false. | Boolean | Optional | By default, verification is enabled. |
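As an added example, not part of the Cribl app or of Cyware Orchestrate, the following Python check applies the constraints from the configuration table above before an instance is used: the Base URL must match one of the two allowed formats (so the Client Secret or Password is only ever sent over HTTPS to a documented host shape), the timeout must be in range with 15 as the default, and verification stays enabled unless explicitly turned off. The field names (`base_url`, `deployment_type`, and so on), the regex character classes and the sample URLs are assumptions constructed for this example.

```python
import re

# Allowed Base URL formats, from the connector's configuration table:
#   https://${workspacename}-${organizationid}.cribl.cloud/api/v1
#   https://${hostname}:${port}/api/v1
# The character classes below are an assumption of this example, not Cribl's spec.
_CLOUD_URL = re.compile(r"^https://[a-z0-9-]+-[a-z0-9]+\.cribl\.cloud/api/v1$")
_ONPREM_URL = re.compile(r"^https://[A-Za-z0-9.-]+:[0-9]{1,5}/api/v1$")

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15


def validate_instance(cfg: dict) -> dict:
    """Check an instance config against the documented constraints.

    Returns a normalised copy with defaults applied plus a 'warnings' list.
    Raises ValueError for settings that would send the Client Secret/Password
    to an undocumented host, over plain HTTP, or with an out-of-range timeout.
    """
    url = str(cfg.get("base_url", "")).strip()
    if not (_CLOUD_URL.match(url) or _ONPREM_URL.match(url)):
        raise ValueError(f"Base URL does not match an allowed format: {url!r}")
    is_cloud_url = url.endswith(".cribl.cloud/api/v1")

    on_prem = cfg.get("deployment_type")
    if on_prem not in (True, False):
        raise ValueError("Deployment Type must be true (on-prem) or false (cloud)")
    warnings = []
    if on_prem == is_cloud_url:
        # A .cribl.cloud URL with on-prem auth (or vice versa) is a likely mix-up.
        warnings.append("Deployment Type does not match the Base URL format")

    for field in ("client_id_or_username", "client_secret_or_password"):
        if not str(cfg.get(field, "")).strip():
            raise ValueError(f"{field} is required")

    timeout = cfg.get("timeout", TIMEOUT_DEFAULT)
    if not isinstance(timeout, int) or not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be an integer in {TIMEOUT_MIN}-{TIMEOUT_MAX}")

    verify = cfg.get("verify", True)  # verification is enabled by default
    if verify not in (True, False):
        raise ValueError("Verify must be true or false")
    if verify is False:
        warnings.append("TLS certificate verification disabled; an interposed host can read the client secret")

    return {**cfg, "base_url": url, "timeout": timeout, "verify": verify, "warnings": warnings}
```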
Action: Clone Lookup File Object
This action clones a lookup file object based on the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup File ID | Enter the unique ID of the lookup file object you want to clone. Example: test_lookup.csv | Text | Required | |
Context Type | Enter the type of the target context that defines where the lookup file will be cloned. Example: packs | Text | Required | |
Context ID | Enter the target context ID where the lookup file object will be cloned. Example: hellopacks | Text | Required | |
Updated Lookup File ID | Enter the new ID to assign to the cloned lookup file object. Example: cloned_lookup.csv | Text | Required | |
Worker Group Name | Enter the worker group name where you want to clone the lookup file object. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lookup_id": "model_relative_entropy_top_domains.csv",
"context_id": "hellopacks",
"context_type": "packs",
"new_lookup_id": "cloned_lookup.csv"
}
]
Action: Commit Pending Changes
This action commits all pending configuration or lookup file changes to the Cribl repository or context.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Commit Message | Enter the commit message describing the changes. Example: 'updated lookup configuration' | Text | Required | |
Effective | Choose true to make the commit effective immediately. | Boolean | Optional | By default, commits are saved but not deployed. |
File | Enter the file path to commit specific changes. You can leave this blank to commit all pending files. | Text | Optional | |
Worker Group Name | Enter the worker group name to commit the modified changes to. For more information, see Manage Worker Groups. | Text | Optional | |
Action: Create Dataset in Lake
This action creates a new dataset in the specified lake.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lake ID | Enter the ID of the lake where you want to create the dataset. | Text | Required | |
Dataset ID | Enter the ID of the dataset you want to create. Example: aws-vpc-flow-logs-dataset | Text | Required | |
Dataset Details | Enter the dataset details in JSON format to create the dataset. Example: $json[{"retentionPeriodInDays":30}] | Any | Optional | Allowed keys: acceleratedFields, bucketName, cacheConnection, backfillStatus, cacheRef, createdAt, lakehouseConnectionType, migrationQueryId, retentionInDays, deletionStartedAt, description, format, httpDAUsed, id, retentionPeriodInDays, searchConfig, datatypes, metadata, latestRunInfo, scanMode, storageLocationId, viewName |
Worker Group Name | Enter the worker group name to create the dataset within a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lake_id": "default",
"dataset_id": "aws-vpc-flow-logs-dataset",
"payload_json": {
"retentionPeriodInDays": 30
}
}
]
Action: Create Lookup File Object
This action creates a new lookup file object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup file ID | Enter the unique ID for the lookup file object to create. Example: test_lookup | Text | Required | |
Mode | Enter where the lookup file will be stored. Example: memory | Text | Required | |
File Name | Enter the filename associated with the lookup file object. Example: test_lookup.csv | Text | Required | |
Description | Enter a description for the lookup file object. Example: This is a test lookup file. | Text | Required | |
Size | Enter the size of the lookup file object in bytes. Example: 128 | Integer | Required | |
Tag | Enter the tag to associate with the lookup file object. Example: testtag | Text | Optional | |
Worker Group Name | Enter the worker group name to create the object within a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"mode": "memory",
"size": "250",
"tags": "important",
"file_name": "test_2.csv.pVA2gVu.tmp",
"lookup_id": "test_lookup_35",
"description": "Create Incident"
}
]
Action: Delete Dataset from a Lake
This action deletes a dataset from the specified lake.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lake ID | Enter the ID of the lake that contains the dataset. | Text | Required | |
Dataset ID | Enter the ID of the dataset to delete. | Text | Required | |
Worker Group Name | Enter the worker group name to delete the dataset within a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lake_id": "default",
"dataset_id": [
"csol_test_new_dataset"
]
}
]
Action: Delete Lookup File Object
This action deletes a lookup file object based on the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup File ID | Enter the unique ID of the lookup file object you want to delete. Example: test_lookup.csv | Text | Required | |
Worker Group Name | Enter the worker group name where you want to delete the lookup file object. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lookup_id": "model_relative_entropy_top_domains.csv"
}
]
Action: Deploy Modified Lookup File
This action deploys the modified lookup file selectively without restarting any workers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Worker Group Name | Enter the worker group name where you want to deploy the modified lookup. For more information, see Manage Worker Groups. | Text | Required | |
Version | Enter the commit version of the modified lookup file. This is the value of the commit attribute. Example: a1b2c3d4 | Text | Required | |
Context | Enter the context of the modified lookup file. This is the value of the lookupdeployments.context attribute. | Text | Optional | |
File | Enter the file name of the modified lookup file. This is the value of the lookupdeployments.lookups.file attribute. | Text | Optional | |
File Version | Enter the version of the modified lookup file. This is the value of the lookupdeployments.lookups.version attribute. | Text | Optional | |
Example Request
[
{
"version": "90ae982",
"group_name": "default"
}
]
Action: Download Lookup File Object
This action downloads a lookup file so you can access its contents locally.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup File ID | Enter the unique ID of the lookup file you want to download. Example: test_lookup.csv | Text | Required | |
Worker Group Name | Enter the worker group name where the lookup file exists. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lookup_id": "model_relative_entropy_top_domains.csv"
}
]
Action: Execute Search Query
This action executes a search query to retrieve records from a Cribl dataset based on your specified parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the search query string to retrieve records from a Cribl dataset. Example: {"query": "cribl dataset=\"goatherd_sample_dataset\""} | Text | Required | |
Earliest Time | Enter the start time for the search query to define the earliest data to include. Example: -24h | Text | Optional | |
Latest Time | Enter the end time for the search query to define the latest data to include. Example: now | Text | Optional | |
Sample Rate | Enter the sample rate to limit the number of results returned. Example: 0.1 | Text | Optional | |
Example Request
[
{
"query": "dataset=\"cribl_search_sample\" | limit 1"
}
]
Action: Generic Action
This is a generic action used to make requests to any Cribl endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: system/lookups | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. Example: {"bucketname": "cribl-data-archive"} | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: headers, payload_data, custom_output, download, filename, files, retry_wait, retry_count, and response_type |
Example Request
[
{
"method": "GET",
"endpoint": "m/default/system/outputs",
"extra_fields": {},
"query_params": {}
}
]
Action: Get a Dataset from a Lake
This action retrieves a dataset from the specified lake.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lake ID | Enter the ID of the lake that contains the dataset. | Text | Required | |
Dataset ID | Enter the ID of the dataset to retrieve. | Text | Required | |
Worker Group Name | Enter the worker group name to retrieve the dataset from a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lake_id": "default",
"dataset_id": "default_events"
}
]
Action: Get Info of Latest Modified Lookup File
This action retrieves information about the latest modified lookup file, including the commit number, context, file name, and version number.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Worker Group Name | Enter the worker group name to retrieve the latest modified lookup information. For more information, see Manage Worker Groups. | Text | Required | |
Fields | Enter the fields to include in the response. | Text | Optional | By default, git.log, git.commit, git.localchanges, and lookups are included. |
Example Request
[
{
"fields": "git.log",
"group_name": "default"
}
]
Action: Get Lookup File Object
This action retrieves a lookup file object based on the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup File ID | Enter the unique ID of the lookup file you want to retrieve. Example: test_lookup.csv | Text | Required | |
Worker Group Name | Enter the worker group name to retrieve the lookup file object from a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lookup_id": "model_relative_entropy_top_domains.csv"
}
]
Action: Get Search Results
This action retrieves the results of a completed search query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Job ID | Enter the ID of the search job whose results you want to retrieve. Example: 1349305736255.acp7er | Text | Required | |
Limit | Enter the maximum number of results to retrieve. | Integer | Optional | Default value: 100 |
Offset | Enter the starting position of the results to retrieve. For the first page, use 0. | Integer | Optional | |
Example Request
[
{
"job_id": "1761911037622.DWA2QD"
}
]
Action: Get Search Status
This action retrieves the current status of a search query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Job ID | Enter the ID of the search job whose status you want to check. Example: 1349305736255.acp7er | Text | Required | |
Example Request
[
{
"job_id": "1761911037622.DWA2QD"
}
]
Action: List Datasets from a Lake
This action retrieves all datasets from the specified lake.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lake ID | Enter the ID of the lake to retrieve its datasets. | Text | Required | |
Worker Group Name | Enter the worker group name to retrieve datasets from a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lake_id": "default"
}
]
Action: List Lookup File Objects
This action retrieves a list of all lookup file objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Worker Group Name | Enter the worker group name to retrieve lookup file objects from a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"group_name": "default"
}
]
Action: Update a Dataset in a Lake
This action updates an existing dataset in the specified lake.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lake ID | Enter the ID of the lake that contains the dataset. | Text | Required | |
Dataset ID | Enter the ID of the dataset to update. | Text | Required | |
Dataset Details | Enter the dataset details in JSON format to update the dataset. Example: $json[{"retentionPeriodInDays":30}] | Any | Required | Allowed keys: acceleratedFields, bucketName, cacheConnection, backfillStatus, cacheRef, createdAt, lakehouseConnectionType, migrationQueryId, retentionInDays, deletionStartedAt, description, format, httpDAUsed, id, retentionPeriodInDays, searchConfig, datatypes, metadata, latestRunInfo, scanMode, storageLocationId, viewName |
Worker Group Name | Enter the worker group name to update the dataset within a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
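The Dataset Details parameter of both Create Dataset in Lake and Update a Dataset in a Lake accepts only the allowed keys listed in those tables, and the keys are camelCase. As an added example, not part of the Cribl app or of Cyware Orchestrate, this Python helper accepts a dict, a JSON string or the `$json[...]` wrapper used in the examples on this page, maps keys that differ only in letter case (for example `retentionperiodindays`) to the documented spelling, and reports and drops anything else so a typo does not travel on to the API unnoticed. The sample payloads in the test are constructed.

```python
import json

# Allowed keys for Dataset Details, copied from the Create/Update Dataset tables
# on this page. Cribl's API keys are camelCase, so membership is case-sensitive.
ALLOWED_DATASET_KEYS = frozenset({
    "acceleratedFields", "bucketName", "cacheConnection", "backfillStatus",
    "cacheRef", "createdAt", "lakehouseConnectionType", "migrationQueryId",
    "retentionInDays", "deletionStartedAt", "description", "format", "httpDAUsed",
    "id", "retentionPeriodInDays", "searchConfig", "datatypes", "metadata",
    "latestRunInfo", "scanMode", "storageLocationId", "viewName",
})
# lower-case -> documented spelling, used to repair case-only mistakes
_CANONICAL = {key.lower(): key for key in ALLOWED_DATASET_KEYS}


def parse_dataset_details(raw):
    """Return the details as a dict from a dict, a JSON string, or the
    Orchestrate-style $json[...] wrapper shown in this page's examples."""
    if isinstance(raw, dict):
        return raw
    text = str(raw).strip()
    if text.startswith("$json[") and text.endswith("]"):
        text = text[len("$json["):-1]
    details = json.loads(text)
    if not isinstance(details, dict):
        raise ValueError("Dataset Details must be a JSON object")
    return details


def check_dataset_details(raw):
    """Return (cleaned_details, problems).

    Keys whose only defect is letter case are rewritten to the documented
    spelling; keys not in the allow-list are reported and dropped.
    """
    details = parse_dataset_details(raw)
    cleaned, problems = {}, []
    for key, value in details.items():
        if key in ALLOWED_DATASET_KEYS:
            cleaned[key] = value
        elif key.lower() in _CANONICAL:
            fixed = _CANONICAL[key.lower()]
            problems.append(f"{key!r} renamed to documented key {fixed!r}")
            cleaned[fixed] = value
        else:
            problems.append(f"{key!r} is not an allowed Dataset Details key; dropped")
    return cleaned, problems
```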
Example Request
[
{
"lake_id": "default",
"dataset_id": "test-dataset",
"payload_json": {
"description": "Indicator Enrichment Playbooks"
}
}
]
Action: Update Lookup File Object
This action updates a lookup file object based on the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup File ID | Enter the unique ID of the lookup file object you want to update. Example: test_lookup.csv | Text | Required | |
Updated Lookup File ID | Enter the updated ID for the lookup file object. Example: updated_lookup.csv | Text | Optional | |
Description | Enter the new description for the lookup file object. | Text | Optional | |
Tag | Enter tags to associate with the lookup file object. Example: testtag | List | Optional | |
Mode | Enter where the lookup file will be stored. Example: memory | Text | Optional | |
Size | Enter the size for the lookup file object in bytes to update. Example: 256 | Integer | Optional | |
Filename | Enter the existing file whose content will replace the current lookup file. Example: test_lookup.csv | Text | Optional | |
Worker Group Name | Enter the worker group name where you want to update the lookup file object. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"lookup_id": "model_relative_entropy_top_domains.csv"
}
]
Action: Upload Lookup File Object
This action uploads a lookup file to Cribl.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
File Content | Enter the raw CSV content of the lookup file you want to upload. Each line should represent a row in the CSV file. Example: id,name\n1,john doe\n2,jane smith | Text | Required | |
Filename | Enter a custom name for the file you are uploading. Example: test_lookup.csv | Text | Required | |
Worker Group Name | Enter the worker group name to upload the lookup file within a specific group. For more information, see Manage Worker Groups. | Text | Optional | |
Example Request
[
{
"content": "id,name\n1,john doe\n2,jane smith",
"filename": "test_2.csv"
}
]