Learn About Cribl Guard

Organizations frequently make headline news for leaking millions of customers' personal information in data breaches. With Cribl Guard, we can help protect you from the same fate.

With Cribl Guard configured in your Cribl Stream Workspace, you can scan incoming data streams in real time to identify sensitive data in your events, and apply mitigation to that data before it leaves Cribl and reaches your downstream destinations.

Sensitive data can include credit card numbers, API keys, authentication tokens, IP addresses, names, birth dates, phone numbers, and any other type of personal information.

Cribl Guard Intelligently Detects Sensitive Data

Cribl Guard can automatically protect your Destinations when you enable the Protect toggle found on the Guard homepage, or you can customize Cribl Guard using the Cribl Guard Function in your Pipelines.

Many data management tools require users to manually identify personal information, which is an error-prone and time-consuming process. Rigid pattern-matching approaches, such as regex, often either miss critical data or over-flag irrelevant content.

Regex alone can’t interpret the context of event data, making it nearly impossible to distinguish between similar-looking strings (for example, serial numbers vs. social security numbers).

Cribl Guard addresses this challenge with intelligent detection capabilities combined with anchor terms. This improves the match confidence of your data strings by adding context.

Common Cribl Guard Use Applications

Wondering if Cribl Guard is right for you? Check out these use applications:

Preventing Sensitive Data Exposure from Reaching Analytics

Organizations often route large volumes of data into analytic systems, where not all users should have access to sensitive information like social security numbers, credit card details, or internal system credentials. Cribl Guard enables proactive scanning so you can mask, redact, encrypt, or delete PII before data reaches the Destination, minimizing unauthorized exposure and reducing the risk of breaches.

Continuous Compliance Assurance

Cribl Guard helps you meet and maintain compliance with privacy regulations such as GDPR, HIPAA, PCI, and CCPA. By automatically identifying and remediating sensitive data in real time, you can avoid costly regulatory fines and maintain an auditable trail for regulators, improving governance and trust.

Incident Response and Risk Reduction

Automated detection and immediate remediation of sensitive data reduces manual effort and accelerates incident response. Organizations can prevent sensitive information from being stored at rest or sent to insecure environments, lowering the likelihood and impact of a security incident.

Custom Actions Based on Detection

With Cribl Guard, you can define custom actions—such as redacting, tagging for review, or smart routing (for example: sending events with detected PII to a quarantine Destination or to teams with security clearance). This flexibility is crucial for tailoring sensitive data handling to specific business or compliance needs.

Differentiating Cribl Guard from the mask Function

Wait, doesn’t Cribl already let you protect sensitive data with the mask Function? While the mask Function does obfuscate personal data, you have to manually find the data or know it exists before you can apply the Function. Cribl provides visibility into your data with Live Capture, but there can still be gaps in identifying all instances of PII. And, if you change Sources, you’re still going to want insurance that PII won’t leak to your Destinations.

Enter Cribl Guard, a sensitive data scanner that provides real-time PII identification, masking or other mitigation, and Destination protection.

Where to Find Cribl Guard

To access Cribl Guard, navigate to one of these places within Cribl Stream:

From the sidebar navigation, select Guard.

Cribl Guard sidebar navigation

From within a Pipeline:

  1. Open a Worker Group.
  2. Select Processing > Pipelines > [Select a Pipeline] > Add Function > Standard > Cribl Guard.
Cribl Guard Pipeline Function

From the Knowledge Library, select Processing > Knowledge > Guard Rules.

Cribl Guard knowledge object

Want to dive right in? Skip ahead to Configure Cribl Guard.

This feature accrues billing charges in addition to the ingest charges you incur with Cribl Stream.

How Cribl Guard Works

Cribl Guard sits inside your Pipelines as a Function, scanning for sensitive data in real time. The Cribl Guard Function is a combination of powerful out-of-the-box and custom rulesets that provide a high confidence of sensitive data detection.

Once Cribl Guard detects personal data, you can apply a range of actions, such as masking, redacting, or rerouting the data before it egresses the pipeline. This approach effectively minimizes data leakage, reduces false positives, accelerates response times, and ensures robust compliance without extensive manual intervention.

Glossary of Terms

These are the terms you’ll need to know to better understand the Cribl Guard documentation. We use these terms in a proprietary context, not a general context.

| Term | Definition |
| --- | --- |
| Protect | The toggle on the Cribl Guard homepage that adds a Post-Processing Pipeline to the target Destination with the Cribl Guard Function. Credit consumption begins as soon as data flows through the Cribl Guard Function. |
| Scanning Rulesets | In the Cribl Guard Function, scanning rulesets are combinations of rules and anchor terms that identify sensitive data in your event streams. |
| Pattern to match | The regular expression pattern that matches strictly on patterns in your event data. For example, a pattern to match on credit cards would look for strings of digits (0-9), including hyphens or periods, in a specific order. |
| Anchor terms | Optional terms or characters that you can add to Cribl Guard rules to provide additional context. Anchor terms help improve the accuracy of data matching and limit unnecessary data redaction. For example, adding the anchor terms cc, creditcard, and visa could help identify a 16-digit number string as a credit card instead of a similar, 16-digit UUID. Matches are highlighted in purple in the sample events panel. |
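
The glossary's credit card example, sketched as an added illustration (not Cribl Guard's own code or detection logic): a pattern to match finds 16-digit candidates, and the anchor terms cc, creditcard, and visa decide whether a candidate is masked. The function names, the 30-character context window, and the sample events are assumptions constructed for this example.

```javascript
// Added illustration of "pattern to match" + "anchor terms"; all names are hypothetical.
const CARD_PATTERN = /\b\d{4}([-. ]?)\d{4}\1\d{4}\1\d{4}\b/g; // 16 digits, optional consistent separator
const ANCHOR_TERMS = ['cc', 'creditcard', 'visa'];            // anchor terms from the glossary example
const WINDOW = 30; // assumed: characters before a match that are searched for anchor terms

// True when an anchor term appears as a whole word shortly before the match.
function hasAnchor(text, matchIndex) {
  const context = text.slice(Math.max(0, matchIndex - WINDOW), matchIndex).toLowerCase();
  return ANCHOR_TERMS.some((term) => new RegExp(`\\b${term}\\b`).test(context));
}

// Mask every digit except the last four, leaving separators in place.
function maskCard(value) {
  const total = value.replace(/\D/g, '').length;
  let seen = 0;
  return value.replace(/\d/g, (d) => (++seen <= total - 4 ? 'X' : d));
}

// Scan one event string. With requireAnchor=false this behaves like regex alone.
function scanEvent(raw, { requireAnchor = true } = {}) {
  const findings = [];
  const out = raw.replace(CARD_PATTERN, (match, _sep, index) => {
    const anchored = hasAnchor(raw, index);
    const masked = anchored || !requireAnchor;
    findings.push({ match, anchored, masked });
    return masked ? maskCard(match) : match;
  });
  return { out, findings };
}

// Constructed sample events (not real data).
const SAMPLE_EVENTS = [
  'user=alice action=purchase cc=4111-1111-1111-1111 amount=42.10',
  'device=router-7 serial=1234567812345678 status=ok',
];

for (const event of SAMPLE_EVENTS) {
  console.log('anchored :', scanEvent(event).out);
  console.log('regex only:', scanEvent(event, { requireAnchor: false }).out);
}
```

With anchor terms required, only the event carrying cc= is masked; with the pattern alone, the serial number is masked as well, which is the over-flagging the anchor terms are meant to limit.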

Customizing Cribl Guard Rules with or without AI

To help you create custom Cribl Guard rules within the Cribl Knowledge Library, you can use the Copilot AI Rule Builder, an optional AI feature. When creating rules with the AI Rule Builder, we recommend an iterative approach. For more details on creating Cribl Guard Rules, go to the Guard Rules Library docs.