Skip to content
/ phantom-cribl Public

The Splunk Phantom App for Cribl supports the ability to automatically replay or collect logs from defined LogStream collectors for analysis by your SIEM tools.

License

MIT license
11 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bdalpe/phantom-cribl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.github/workflows
.github/workflows
 
 
phcribl
phcribl
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 

Repository files navigation

Phantom App for Cribl

Introduction

The Splunk Phantom App for Cribl supports the ability to automatically replay or collect logs from defined LogStream collectors for analysis by your SIEM tools.

Save SIEM license and infrastructure costs by forwarding logs as needed using just-in-time delivery.

Supports: Cribl 2.3+, Phantom 4.10+

Installation

The app can be downloaded from the Github Releases page in this repo.

App Setup and Configuration

App configuration options:

Setting Description Required
URL The URL of the Cribl LogStream master node.
Worker Group The name of the LogStream worker group. Leave blank if using a standalone instance.
Username Your username. Must have permissions to run collector jobs.
⚠️ OIDC authentication is not supported.
Password The password of the user.
Verify SSL Server Cert? True/False - Verify the SSL certificate signer is valid and trusted by Phantom.

Supported Actions

run collector job

  1. Obtains collector configuration from the LogStream master node
  2. Submit job to LogStream master node with configuration settings below
  3. (If waitForJobCompletion == True) Checks the job status on a 5 second interval until status == finished is returned.

It is recommended that you use a format block for building the filter and/or earliest/latest filters in this action.

Job configuration options:

Parameter Description Accepted Value Required?
collector The id of the Cribl LogStream collector. Must exist in the system. string
filter The JavaScript expression to use for filtering logs. string
earliest The earliest time for event filtering. Absolute timeRangeType: Epoch timestamp
Relative timeRangeType: Time modifier
latest The earliest time for event filtering. Absolute timeRangeType: Epoch timestamp
Relative timeRangeType: Time modifier
timeRangeType Select the time mode for collector run. absolute or relative
waitForJobCompletion Should the playbook wait for the logs to finish collecting before continuing execution? True or False

Issues

If you encounter a bug, please raise an issue: https://github.com/bdalpe/phantom-cribl/issues

⚠️ Do not paste logs or configurations with sensitive data!

Developing and Releasing

To compile the app, you will need to run the following commands from a Phantom server:

su phantom
git clone https://github.com/bdalpe/phantom-cribl
cd phantom-cribl
phenv python /opt/phantom/bin/compile_app.pyc -i

The compiled app will be placed in the parent directory and named phantom-cribl.tgz.

About

The Splunk Phantom App for Cribl supports the ability to automatically replay or collect logs from defined LogStream collectors for analysis by your SIEM tools.

Topics

python phantom cribl

Resources

Readme

License

MIT license
Activity

Stars

11 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 1

Release v1.1.0 Latest
Feb 4, 2021

Languages