On This Page

Home / Edge/ Sending Data/Exabeam

Exabeam Security Operations Platform

Cribl Edge supports sending data to the Exabeam security operations platform or (as some people think of it) SIEM.

The Exabeam Destination supersedes and improves upon the “old way” to get data from Cribl Edge to Exabeam using the Cribl Webhook Destination.

Type: Non-Streaming | TLS Support: Yes | PQ Support: No

Understanding How Exabeam and Cribl Edge Work Together

Exabeam parsers expect to receive events in original, unmodified form. To make sure this happens, you’ll sometimes need to use a combination of Event Breakers and Pipelines. In general, knowing this can help you avoid problems or troubleshoot any that do crop up.

When you send data to Exabeam, Cribl Packs are your friends, because Cribl and Exabeam have partnered to create a set of Exabeam-specific Packs, each of which ensures that events from one common data source arrives at Exabeam in precisely the expected form. Cribl Packs also give you the option of dropping events on a per-data-source basis, so that Cribl Edge never sends irrelevant events to Exabeam. To view the Exabeam-specific Cribl Packs, navigate to the Manage Packs page’s New Pack submenu, select Add from Dispensary, then enter Exabeam in the filter field.

Cribl strongly recommends that you use only the Exabeam-specific, Cribl-authored Packs with this Destination. Other Packs can perform transformations – especially reduction – that prevent the Exabeam parsers from triggering.

When the original data source is Microsoft Active Directory (AD) or LDAP, you’ll need to set up an Exabeam Site Collector to perform the initial data capture.

Because Exabeam runs in the Google Cloud Storage (GCS) platform, some setting names include references to GCS.

Finally, Cribl recommends placing Cribl Edge Edge Nodes as close as possible to the sources of the events you want to send to Exabeam. This reduces the length of the path that data must traverse before Cribl Edge optimizes it with compression, reduction, dropping events, and/or redacting sensitive information.

Configuring Cloud Storage Permissions

For Cribl Edge to send data to Exabeam buckets, the following access permissions must be set on the Cloud Storage side:

  • Fine-grained access control must be enabled on the buckets.
  • The Google service account or user must have the Storage Admin or Owner role.

For details, see the Cloud Storage Overview of Access Control and Understanding Roles documentation.

Creating the Cribl Cloud Collector in Exabeam

Log into the Exabeam Security Operations Platform, and in the Home page, click Cloud Collectors. In the resulting page, click the Cribl tile to see a list of Cribl Collectors (the first time you do this, the list will be empty).

Click New Collector, and in the resulting Collector for Cribl drawer:

  1. Enter a name for your new Cribl Cloud Collector.
  2. Optionally, in Advanced Settings, configure the Metadata value TIMEZONE
  3. If your desired site already exists, select it from the SITE drop-down.
    • If your desired site does not exist yet, skip the drop-down and click the manage your sites link underneath. This will take you to a separate UI where you will enter a value for the Metadata value SITENAME, and Exabeam will generate the associated metadata value SITE ID. When you have done this, Exabeam will take you back to the previous UI, and you must then select your newly-created site from the SITE drop-down.
  4. Click Install.

A Hooray! confirmation modal will now replace the Collector for Cribl drawer. In this modal:

  1. Click the copy icon to the right of the encoded Connection String. Save this string in a secure and handy location – it is required when configuring the Cribl Edge Exabeam Destination.
  2. Click Go to Overview to exit the modal.

Although optional, configuring metadata is useful because it allows a single instance of the Exabeam SIEM to differentiate between data from multiple sources. This is relevant for large enterprises whose IT infrastructure comprises many sources whose IP addresses overlap.

Configuring Cribl Edge to Output to Cloud Storage Destinations

From the top nav, click Manage, then select a Fleet to configure. Next, you have two options:

To configure via the graphical QuickConnect UI, click Collect (Edge only). Next, click Add Destination at right. From the resulting drawer’s tiles or the Destinations left nav, select Exabeam. Next, click either Add Destination or (if displayed) Select Existing. The resulting drawer will provide the options below.

Or, to configure via the Routing UI, click Data > Destinations (Stream) or More > Destinations (Edge). From the resulting page’s tiles, select Exabeam. Next, click Add Destination to open a New Destination modal that provides the options below.

General Settings

Output ID: Enter a unique name to identify this Exabeam Destination definition.

Click Autofill with Exabeam Connection String to automatically enter the values for the following Exabeam Settings.

  • Google Cloud Storage bucket: Name of the destination bucket – in Exabeam’s Cribl Cloud Collector this is called GCS Bucket Name. This value can be a constant, or a JavaScript expression that can be evaluated only at init time. For example, you can reference a Global Variable like this: myBucket-${C.vars.myVar}.

  • Google Cloud Storage bucket region: In Exabeam’s Cribl Cloud Collector this is called GCS Bucket Region. It is the GCS region where the bucket is located.

  • Collector instance ID: In Exabeam’s Cribl Cloud Collector this is called Instance ID.

  • Access key: In Exabeam’s Cribl Cloud Collector this is called Access Key.

  • Secret: In Exabeam’s Cribl Cloud Collector this is called Secret Key.

  • Site name: In Exabeam’s Cribl Cloud Collector this is called SITENAME.

  • Site ID: In Exabeam’s Cribl Cloud Collector this is called SITE ID.

  • Timezone offset: In Exabeam’s Cribl Cloud Collector this is called TIMEZONE.

Processing Settings

Post‑Processing

Pipeline: Pipeline to process data before sending the data out using this output.

System fields: A list of fields to automatically add to events that use this output. By default, includes cribl_pipe (identifying the Cribl Edge Pipeline that processed the event). Supports c* wildcards. Other options include:

  • cribl_host – Cribl Edge Node that processed the event.
  • cribl_input – Cribl Edge Source that processed the event.
  • cribl_output – Cribl Edge Destination that processed the event.
  • cribl_route – Cribl Edge Route (or QuickConnect) that processed the event.
  • cribl_wp – Cribl Edge Worker Process that processed the event.

Advanced Settings

Backpressure behavior: Select whether to block or drop events when all receivers are exerting backpressure. (Causes might include an accumulation of too many files needing to be closed.) Defaults to Block.

Max file open time (sec): Maximum amount of time to write to a file. Files open for longer than this limit will be closed and moved to final output location. Defaults to 300 seconds (5 minutes).

Max file idle time (sec): Maximum amount of time to keep inactive files open. Files open for longer than this limit will be closed and moved to final output location. Defaults to 30.

Max open files: Maximum number of files to keep open concurrently. When exceeded, the oldest open files will be closed and moved to final output location. Defaults to 100.

Cribl Edge will also close any files larger than 10 MB.

Remove empty staging dirs: When toggled on (the default), deletes empty staging directories after moving files. This prevents the proliferation of orphaned empty directories. When enabled, exposes this additional option:

  • Staging cleanup period: How often (in seconds) to delete empty directories when Remove empty staging dirs is enabled. Defaults to 300 seconds (every 5 minutes). Minimum configurable interval is 10 seconds; maximum is 86400 seconds (every 24 hours).

Reuse connections: Whether to reuse connections between requests. The default setting (Yes) can improve performance.

Reject unauthorized certificates: Whether to accept certificates (such as self-signed certificates, for example) that cannot be verified against a valid Certificate Authority. Defaults to Yes.

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Tags: Optionally, add tags that you can use to filter and group Destinations in Cribl Edge’s Manage Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.

Internal Fields

Cribl Edge uses a set of internal fields to assist in forwarding data to a Destination.

Field for this Destination:

  • __partition

Troubleshooting

Verify that you are sending the original, unmodified events. Study the applicable Exabeam parsers to make sure you understand exactly what they’re doing. If you need to modify events, make sure that when you do, the relevant parsers still trigger.

Nonspecific messages from Google Cloud of the form Error: failed to close file can indicate problems with the permissions listed above.