Detect Sensitive Data with Cribl Background Detection
Background detection in Cribl Guard is an AI-driven feature that continuously samples data in your Pipelines, scans it for new sensitive data patterns, and surfaces findings. You can then review findings, ignore them, or mitigate them by adding Guard rules.
Background detection workflow at a glance:
- Enable background detection in AI Settings and on Destinations.
- Commit & Deploy. Background detection runs in the background, sampling data streams for new patterns.
- Review and act on findings from the Guard page (create rules, mark mitigated, or ignore).
- Optionally refine scope per Pipeline or disable when needed.
Before You Start
- Cribl Guard must be enabled for at least one Destination. See Configure Cribl Guard.
- Environment: Background detection is available only in Cribl Stream when the Cloud Worker Group is hosted on AWS, in:
  - Hybrid environments with Cribl-managed Cloud Workers, or
  - Cribl.Cloud-only environments.
Enable Background Detection
Use this path to turn on background detection for your Workspace and choose which Destinations use it. Default sampling size and interval apply.
In your Cribl Workspace, select Cribl Stream.
Go to Settings > AI Settings.
Find Background Detection and toggle it On. This enables the Background Detections tile on the Guard homepage.

Figure: AI Settings with background detection toggle

In the sidebar, select Guard.
In the Background Detection column, select Enable Detection for each Destination you want to monitor.

Figure: Guard homepage with background detection column and Enable Detection

After you enable a Destination, the Background Detections tile shows total findings and a Review All link.
Select Commit & Deploy to push AI Settings, Guard config, and background detection scope to your Workers.
Background detection is now running. Next: Review and act on findings.
Review and Act on Findings
This is the main workflow after background detection is on: see what was found, then create rules, mark as mitigated, or ignore.
Open the Guard homepage, then either:
- Select Review All in the Background Detections tile, or
- Select the yellow detections count in the Background Detection column for a specific Pipeline.
Review the type of data found. Select a detection type (for example, CREDIT_CARD_NUMBER) to view sampled events.

Figure: Events viewer with detection type and sampled events

Take action via the three dots in the Actions column (or from the events viewer):
- Create Guard Rule: Cribl creates a rule; you add it to a Scanning Ruleset in your Cribl Guard Pipeline and Commit & Deploy so it mitigates data going forward. Successful rules mask those sensitive entities in data.
- Mark as Mitigated: Labels the finding as mitigated for history; does not change rules or Pipelines. Use this after you create a Guard rule.
- Ignore Datatype: Cribl ignores future detections for this PII type.
Optional: Refine the Scope of Background Detection
Use these options if you want to limit where background detection runs or turn it off for specific Pipelines.
Enable Per Pipeline
You can turn background detection on for specific Pipelines in a Worker Group so only certain data streams use it.
- Open a Pipeline that contains the Cribl Guard Function.
- Expand the Function and scroll to the bottom.
- Toggle Background Detection on.

Turn Off in Specific Pipelines
To disable background detection for Pipelines with highly sensitive or constrained data:
- Open the Worker Group, then Processing > Pipelines and the Pipeline that contains the Guard Function.
- Toggle Background Detection off for that Pipeline.
Disable Background Detection
You can turn background detection off for a single Pipeline, for a Destination, or for the whole Workspace.
For One Pipeline
- Open the Worker Group, then Processing > Pipelines and the Pipeline with the Guard Function.
- Expand the Cribl Guard Function and toggle Background Detection off.
For One Destination
- Open each Pipeline that sends data to that Destination.
- Turn off Background Detection in every Cribl Guard Function in those Pipelines.
For the Whole Workspace
- In the Workspace, select Cribl Stream.
- Go to Settings > AI Settings.
- Set Background Detection to Off.
Then Commit & Deploy so changes apply to your Workers.
When it’s off: If background detection is disabled in a Pipeline, PII in that Pipeline won’t get a Guard mitigation rule and won’t appear as a detection on the Guard page. If it’s off in global AI Settings, PII detected across Pipelines without a Guard rule won’t be shown as a detection on the Guard page.
Why Use Background Detection?
| Benefit | Description |
|---|---|
| Find unknowns in your data | Catches sensitive data that existing Guard rulesets missed (new types, sources, formats) before it reaches Destinations. |
| Better compliance and reporting | One place to see new findings, open issues, and past remediations. |
| Faster path to protection | Findings are surfaced automatically; you choose whether to ignore or mitigate (e.g., by creating a Guard rule). |
Common Use Cases
| Use Case | Stream User Persona | Description |
|---|---|---|
| Prove and improve data risk posture | CISO & CIO | Continuously see where new PII, secrets, or regulated data enter telemetry; show that Guard catches previously unknown patterns and keep an evidence trail after remediation. |
| Continuous protection for high-risk Destinations | Compliance / Observability | Use background detection on high-value Destinations (SIEM, data lake, observability, ticketing) to ensure unintended PII doesn’t reach them as Pipelines change; adjust Guard rules or routing when detections appear. |
| Monitor schema and data drift | Operators | Use findings as a signal when upstream teams add fields, change formats, or onboard apps; tune Guard rulesets or Pipeline filters instead of manually checking after every change. |
| Internal reporting and audits (Auditors / Risk) | Auditor & Risk Management | Export or summarize detections to report where sensitive data was found, how fast it was remediated, and what guardrails were added, for risk reviews, third-party assessments, and due diligence. |