Generate HMAC Functions for REST Collector Requests

HMAC (Hash-based Message Authentication Code) Functions are keyed hashing functions that you use with REST Collectors in Cribl, enabling you to ensure the integrity and authenticity of messages.

Practical Uses for HMAC Functions

HMAC Functions are used in REST Collectors. They are configured to generate a signature for each request, which is then included in the request headers. The server receiving the request can then verify the signature to ensure the request’s integrity and authenticity.

  • Security: HMAC Functions provide a way to verify the integrity and authenticity of messages, ensuring that data has not been altered in transit.

  • Authentication: They help authenticate the source of the message, ensuring that it comes from a trusted entity.

  • Compliance: Using HMAC Functions can help meet security compliance requirements by adding an additional layer of security to your data collection processes.

    For a practical example of how to use HMAC functions, refer to the Cribl REST Collector Configuration for the Duo API in Cribl’s Collector Templates repository.

Create an HMAC Function

You can create an HMAC Function in the Knowledge library:

  1. In the sidebar, select Worker Groups and choose a Worker Group.

  2. On the Worker Groups submenu, select Processing, then Knowledge, then HMAC Functions.

  3. Select Add HMAC Function.

  4. Fill out the New HMAC Function form:

    Field: ID
    Description: A unique identifier for this HMAC Function.
    Notes: None

    Field: Description
    Description: A description.
    Notes: Optional

    Field: Tags
    Description: Used to filter and group HMAC Functions.
    Notes: Optional

    Field: HMAC signature strings
    Description: A list that Cribl evaluates and concatenates to form the HMAC signature string. This specifies the components on the request to include in the HMAC signature.
    Notes: You might include the HTTP method, URL, and certain headers to ensure that the signature is unique and secure. Expressions returned as undefined or null are ignored and not added to the final signature string. Each string can access the following variables:
    • method: Uppercase HTTP verb used for the request: GET, PUT, POST, DELETE, and so on.
    • urlObj: A standard JS URL object containing details of the URL and query string passed with the request, along with object properties.
    • headers: An alphabetically ordered list of headers (by name) and values to send with the request. You can access the header elements by name, as in a JS array.
    • body: The contents of the HTTP body (if present) passed with the request.

    Field: Signature string delimiter
    Description: A character to use when you join the HMAC signature strings for evaluation.
    Notes: For example, ':', '-', and '\n'. The value must be a JavaScript expression (which can evaluate to a constant value), enclosed in quotes or backticks. Leave blank to join without spaces.

    Field: Authorization header name
    Description: Contains the HMAC signature. Defaults to signature. This ensures the server knows where to find the signature in the request headers.
    Notes: None

    Field: Authorization header expression
    Description: Forms the HMAC signature.
    Notes: The expression should incorporate the following:
    • signatureString: This contains the concatenated result of the HMAC signature strings.
    • HMAC generation: Use the C.Crypto.createHmac function to calculate the HMAC signature based on the signatureString, a specified secret (either as a text secret or inline), the SHA256 algorithm, and hexadecimal encoding.
    For example: ${C.Crypto.createHmac(`${signatureString}`, C.Secret('myTextSecret', 'text').value, 'sha256', 'hex')}

  5. Select Save, then Commit and Deploy your changes.
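
The receiving side of the signature described in step 4, as an added Node.js example (not Cribl's code): it rebuilds the signature string from the request as received and checks the `signature` header in constant time. The component functions, sample URL, and secret are constructed for illustration, and it assumes `C.Crypto.createHmac` with `'sha256'` and `'hex'` yields a standard HMAC-SHA256 hex digest.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-ins for the "HMAC signature strings" list: each entry
// sees the variables the page names (method, urlObj, headers, body).
const components = [
  (r) => r.method,
  (r) => r.urlObj.host,
  (r) => r.urlObj.pathname,
  (r) => r.urlObj.search.slice(1),
  (r) => r.body, // undefined on a GET, so it is dropped from the string
];

// Evaluate each component, ignore undefined/null, join with the delimiter.
function buildSignatureString(req, delimiter) {
  return components
    .map((fn) => fn(req))
    .filter((v) => v !== undefined && v !== null)
    .join(delimiter);
}

// Standard HMAC-SHA256 with hex output (assumed equivalent of the page's
// C.Crypto.createHmac(signatureString, secret, 'sha256', 'hex')).
function sign(req, delimiter, secret) {
  return crypto.createHmac('sha256', secret)
    .update(buildSignatureString(req, delimiter))
    .digest('hex');
}

// Receiver-side check: recompute from the request as received and compare
// in constant time. Missing or malformed headers are rejected up front.
function verify(req, delimiter, secret, headerName = 'signature') {
  const presented = req.headers[headerName];
  if (typeof presented !== 'string' || !/^[0-9a-f]{64}$/i.test(presented)) return false;
  const expected = Buffer.from(sign(req, delimiter, secret), 'hex');
  return crypto.timingSafeEqual(Buffer.from(presented, 'hex'), expected);
}

// Constructed sample request and secret (not real values).
function sampleRequest(url = 'https://api.example.com/v1/logs?mintime=1700000000') {
  return { method: 'GET', urlObj: new URL(url), headers: {}, body: undefined };
}
const SECRET = 'constructed-demo-secret';
```

With a blank delimiter, a path of `/v1/logs` plus query `x` and a path of `/v1/logsx` with no query produce the same signature string, so a delimiter that cannot appear inside the components keeps the signed string unambiguous.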