decrypt
The decrypt function decrypts data with a key managed by a Cribl Stream Worker Group.
For more information on how to set up encryption keys, see the Cribl Stream docs:
- Encryption of Data in Motion
- Create and Manage Encryption Keys
- C.Crypto - Data Encryption and Decryption
Search Admins, Organization Admins, and Organization Owners can view the results of all searches in the Organization for as long as they're kept in the history. Keep in mind that results from the decrypt function are stored as decrypted plaintext. To reduce their visibility, consider adjusting the Search history TTL limit.
Syntax
decrypt(value, workerGroup)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| value | string | Yes | A valid KQL expression, containing data encrypted with a key from the specified workerGroup. |
| workerGroup | string | Yes | The name of the Stream Worker Group that has the encryption key. |
Returns
Returns the input data, decrypted using the key from the specified Stream Worker Group.
Permissions
You need access to the Stream Worker Group that contains the encryption key.
Examples
Get the results of a past search (with ID 1704236905683.wgocax), and decrypt a specific field (dstport).
dataset="$vt_results" jobId='1704236905683.wgocax'
| extend dstport = decrypt(dstport, <workerGroup>)