Connect Cribl Search to Azure API
Configure Cribl Search to query an Azure API endpoint.
Microsoft Azure is a public cloud computing platform that offers a range of services that include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
In this guide, you’ll set up a Dataset Provider and a Dataset to search the disks, networkSecurityGroups, virtualMachines, and webapps endpoints in the Azure API.
Azure API Authorization
Set up an Azure service account with a client secret credential for Search. For details, see Create a Microsoft Entra application and service principal that can access resources. You will need the account credentials to Create a Dataset Provider.
You can assign the built-in Reader role to the application so that it has read access to all endpoints. To limit access to the current Cribl Search endpoints (listed below), create a custom role instead:
- Microsoft.Compute/disks
- Microsoft.Network/networkSecurityGroups
- Microsoft.Compute/virtualMachines
- Microsoft.Web/sites
You can modify permissions as the application adds more endpoints. For details, see Create an Azure custom role.
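One way to script the custom role described above, as an added example that is not part of the Cribl documentation. The role name, the placeholder subscription ID, and the choice of each resource type's read action as sufficient for the Dataset are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Cribl docs. Assumed: the role name, the
# placeholder subscription ID, and that each type's read action is sufficient.
ROLE_NAME="Cribl Search Azure API Reader"   # hypothetical name

# Resource types from the list above; each is granted only its read action.
RESOURCE_TYPES="Microsoft.Compute/disks Microsoft.Network/networkSecurityGroups
Microsoft.Compute/virtualMachines Microsoft.Web/sites"

# build_role_json SUB_ID...: print a role definition scoped to those subscriptions.
build_role_json() (
  actions="" scopes=""
  for t in $RESOURCE_TYPES; do actions="${actions:+$actions, }\"$t/read\""; done
  for s in "$@"; do scopes="${scopes:+$scopes, }\"/subscriptions/$s\""; done
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n' "$ROLE_NAME"
  printf '  "Description": "Read-only access to the Cribl Search endpoints",\n'
  printf '  "Actions": [%s],\n  "NotActions": [],\n' "$actions"
  printf '  "AssignableScopes": [%s]\n}\n' "$scopes"
)

# non_read_actions: read a definition in the layout above on stdin and print
# every action that contains a wildcard or is not a .../read action.
non_read_actions() {
  grep '"Actions"' | grep -o '"[^"]*"' | tr -d '"' | grep -v '^Actions$' |
    grep -Ev '^[^*]+/read$' || true
}

# create_and_assign CLIENT_ID SUB_ID...: requires a logged-in Azure CLI (az).
create_and_assign() (
  client_id="$1"; shift
  file="$(mktemp)" || exit 1
  build_role_json "$@" > "$file"
  if [ -n "$(non_read_actions < "$file")" ]; then
    echo "refusing: role grants more than read" >&2; exit 1
  fi
  az role definition create --role-definition "@$file" || exit 1
  for s in "$@"; do
    az role assignment create --assignee "$client_id" --role "$ROLE_NAME" \
      --scope "/subscriptions/$s" || exit 1
  done
  rm -f "$file"
)

# Preview the definition for a placeholder subscription; nothing is sent to Azure.
build_role_json 00000000-0000-0000-0000-000000000000
```

Call create_and_assign with the Client ID you enter in the Dataset Provider and the Subscription IDs you list in the Dataset.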
Add an Azure API Dataset Provider
A Dataset Provider tells Cribl Search where to query and contains access credentials. Here, you will add an Azure API Dataset Provider.
To add a new Dataset Provider, select Data, then Dataset Providers, then Add Provider.
Set the following configurations in the New Dataset Provider modal:
- ID is a unique identifier for the Dataset Provider. This is how you’ll reference it when assigning Datasets to it. Start the ID with a letter; the rest of the ID can use letters, numbers, and underscores (for example, my_dataset_provider_1).
- Description is optional.
- Set Dataset Provider Type to Azure API.
- Select Add Configuration to specify your Azure account(s).
  - Account Name is the Azure account name.
  - Tenant ID is the ID of the Microsoft Entra ID tenant to retrieve information from.
  - Client ID is the ID of the application that will connect to Microsoft Entra ID. For details, see Register an application.
  - Client Secret is the key that will be used as the secret in the connection to Microsoft Entra ID. For details, see Add a client secret.
- Select Save when finished.
Add an Azure API Dataset
Now you’ll add a Dataset that tells Cribl Search what data to search from the Dataset Provider.
To add a new Dataset, select Data, then Datasets, then Add Dataset.
Set the following configurations in the New Dataset modal:
- ID is an identifier unique for both Cribl Search and Cribl Lake. You’ll use this to specify the Dataset in a query’s scope, telling Cribl Search to search the Dataset. Start the ID with a letter; the rest of the ID can use letters, numbers, and underscores (for example, my_dataset_1).
- Description is optional.
- Set Dataset Provider to the ID of an Azure API Dataset Provider.
- Select Add endpoint to select the endpoints for your Dataset.
  - Enabled endpoints: Select an endpoint from the drop-down menu. Your options are:
  - Subscription IDs is a list of the Subscription IDs within the tenant to query with this Dataset.
- In Processing, you can apply rules for breaking data into discrete events. For more information, see Datatypes.
- In Snapshots, you can set up API Snapshots.
- Select Save when finished.
Search Azure API
Now that you have a Dataset Provider and Dataset, you’re ready to start searching.
Search results can start showing up within a second or two, but when the search completes depends on how much data there is in the account.