From 553d047c972613d65b69ed67157090b547d1c5e7 Mon Sep 17 00:00:00 2001
From: Kamilo Amir
Date: Thu, 26 Jun 2025 14:38:25 -0400
Subject: [PATCH] Added CriblStream Plugin for Security CoPilot

---
 .../CriblStream/CriblStream_Manifest.yaml | 23 +++
 .../CriblStream/CriblStream_openapi.yaml | 173 ++++++++++++++++++
 .../Published Plugins/CriblStream/readme.md | 91 +++++++++
 3 files changed, 287 insertions(+)
 create mode 100644 Plugins/Published Plugins/CriblStream/CriblStream_Manifest.yaml
 create mode 100644 Plugins/Published Plugins/CriblStream/CriblStream_openapi.yaml
 create mode 100644 Plugins/Published Plugins/CriblStream/readme.md

diff --git a/Plugins/Published Plugins/CriblStream/CriblStream_Manifest.yaml b/Plugins/Published Plugins/CriblStream/CriblStream_Manifest.yaml
new file mode 100644
index 00000000..d372901c
--- /dev/null
+++ b/Plugins/Published Plugins/CriblStream/CriblStream_Manifest.yaml
@@ -0,0 +1,23 @@
+Descriptor:
+ Name: CriblStreamAPI
+ DisplayName: Cribl Stream API
+ DescriptionDisplay: Cribl Stream is an AI-powered data pipeline platform that enables security teams to collect, transform, and route telemetry data from any source to any destination, delivering clean, analytics-ready data for faster threat detection and investigationis an AI-powered data pipeline platform that enables security teams to collect, transform, and route telemetry data from any source to any destination, delivering clean, analytics-ready data for faster threat detection and investigation
+ Description: |-
+ Use this skill-set to call the Cribl Stream API to see what sources and destinations are configured. Additionally, it will determine if there are gaps in your telemetry data collection strategy.
+ - This skill only invokes the Cribl Stream API.
+ - Classifies the source as necessary or not required for the detections.
+ - Published by Microsoft and Cribl Stream
+ Category: Other
+ Icon:
+ SupportedAuthTypes:
+ - ApiKey
+ Authorization:
+ Type: APIKey
+ Key: Key
+ Location: Header
+ AuthScheme: ''
+
+SkillGroups:
+ - Format: API
+ Settings:
+ OpenApiSpecUrl: 'https://gist.githubusercontent.com/amiracle/9329c74a9986f8319e18fef99690cc04/raw/73cde5a488b45ff303be6bf5469724beb091f011/criblstreamapi.yaml'
\ No newline at end of file
diff --git a/Plugins/Published Plugins/CriblStream/CriblStream_openapi.yaml b/Plugins/Published Plugins/CriblStream/CriblStream_openapi.yaml
new file mode 100644
index 00000000..46ebc036
--- /dev/null
+++ b/Plugins/Published Plugins/CriblStream/CriblStream_openapi.yaml
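Review bot: The `Authorization` block does not match the security scheme the bundled OpenAPI spec declares: the manifest sends an API key in a header literally named `Key` with an empty `AuthScheme`, while the spec's `BearerAuth` scheme (`type: http`, `scheme: bearer`) expects an `Authorization: Bearer <token>` header, so requests made with this manifest are likely to fail authentication unless the spec is the one that is wrong. If the bearer scheme is the intended one, `Key: Authorization` and `AuthScheme: Bearer` align the two files. Separately, `DescriptionDisplay` is the same sentence pasted twice with a garbled join (`...investigationis an AI-powered...`) and should be cut back to a single copy. `OpenApiSpecUrl` also points to an external gist rather than the `CriblStream_openapi.yaml` added in this same commit, so the spec Security Copilot actually loads is not the one under review here and can silently diverge from it; reference the repository copy, or at minimum document why the pinned gist revision is the authoritative source.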
@@ -0,0 +1,173 @@
+openapi: 3.0.3
+info:
+ title: Cribl Stream API
+ description: OpenAPI definition for a subset of the Cribl Stream API on Cribl.Cloud.
+ version: "1.0.0"
+servers:
+ - url: https://{instance}.cribl.cloud/api/v1
+ variables:
+ instance:
+ default: main-instanceid
+ description: Your Cribl.Cloud instance ID
+
+components:
+ securitySchemes:
+ BearerAuth:
+ type: http
+ scheme: bearer
+ bearerFormat: JWT
+ parameters:
+ ProductParam:
+ name: product
+ in: query
+ description: Product name (e.g., "stream")
+ required: false
+ schema:
+ type: string
+
+security:
+ - BearerAuth: []
+
+paths:
+ /master/groups:
+ get:
+ summary: Get a list of Worker Groups
+ description: Returns a list of ConfigGroup objects (worker groups) for the specified product.
+ parameters:
+ - $ref: '#/components/parameters/ProductParam'
+ responses:
+ '200':
+ description: List of worker groups
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ items:
+ type: array
+ items:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ description:
+ type: string
+ '401':
+ description: Unauthorized
+
+ /master/workers:
+ get:
+ summary: List all Workers and their Status
+ description: Returns a list of all Cribl Workers and Edge Nodes connected to the Leader.
+ responses:
+ '200':
+ description: List of workers
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ items:
+ type: array
+ items:
+ type: object
+ properties:
+ info:
+ type: object
+ properties:
+ hostname:
+ type: string
+ cribl:
+ type: object
+ properties:
+ startTime:
+ type: integer
+ status:
+ type: string
+ '401':
+ description: Unauthorized
+
+ /m/{group}/system/inputs/{input}:
+ get:
+ summary: Get Input Configuration
+ description: Retrieves the configuration for a specific input in a worker group.
+ parameters:
+ - name: group
+ in: path
+ required: true
+ schema:
+ type: string
+ - name: input
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Input configuration
+ content:
+ application/json:
+ schema:
+ type: object
+ '401':
+ description: Unauthorized
+
+ patch:
+ summary: Update Input Configuration
+ description: Updates the configuration for a specific input in a worker group.
+ parameters:
+ - name: group
+ in: path
+ required: true
+ schema:
+ type: string
+ - name: input
+ in: path
+ required: true
+ schema:
+ type: string
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ responses:
+ '200':
+ description: Updated input configuration
+ content:
+ application/json:
+ schema:
+ type: object
+ '401':
+ description: Unauthorized
+
+ /auth/login:
+ post:
+ summary: Authenticate (Self-Hosted Only)
+ description: Obtain a bearer token by providing username and password (for self-managed deployments).
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ username:
+ type: string
+ password:
+ type: string
+ responses:
+ '200':
+ description: Bearer token
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ token:
+ type: string
+ '401':
+ description: Invalid credentials
\ No newline at end of file
diff --git a/Plugins/Published Plugins/CriblStream/readme.md b/Plugins/Published Plugins/CriblStream/readme.md
new file mode 100644
index 00000000..1bc5ba18
--- /dev/null
+++ b/Plugins/Published Plugins/CriblStream/readme.md
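Review bot: The `patch` operation on `/m/{group}/system/inputs/{input}` gives the assistant a write path into worker-group input configuration, while the manifest's `Description` and the readme's "Requirements" present a read-only skill set ("see what sources and destinations are configured", "read permissions on Cribl Stream"); an LLM-invoked plugin that can modify pipeline inputs is a real increase in blast radius, and the operation's `requestBody` schema is an unconstrained `type: object`, so nothing in the contract bounds what gets sent. If the write is not needed for the advertised inventory and gap-analysis use case, dropping the `patch` block keeps the plugin read-only; if it is needed, constrain the body schema to the fields that are actually updated and state the write capability in the manifest and readme. The `/auth/login` operation is likewise out of place: the plugin already authenticates through the manifest's API key and the spec's `BearerAuth`, so exposing a username/password exchange as a callable skill invites the assistant to collect and forward plaintext credentials, and its "Self-Hosted Only" summary contradicts the `servers` entry, which only models `*.cribl.cloud` hosts. Removing it from the Copilot-exposed spec is the safer default.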
@@ -0,0 +1,91 @@
+# Cribl Stream Plugin for Security Copilot
+**Author: Kam Amir**
+**Publisher: Microsoft + Cribl**
+
+The **Cribl Stream Plugin for Security Copilot** empowers security and IT teams to seamlessly query their Cribl Stream environments. This integration provides instant visibility into configured sources and destinations, their operational status, and enables comprehensive gap analysis for detection coverage within SIEM platforms.
+
+## Features
+
+- **Source \& Destination Inventory**
+ - [Instantly list all configured sources (e.g., Splunk, HTTP, Kafka) and destinations (e.g., SIEM, data lakes, cloud storage) within your Cribl Stream instance][^4].
+- **Operational Health Monitoring**
+ - [Check the health and operational status of all sources and destinations to ensure data is flowing as expected][^1].
+- **Detection Gap Analysis**
+ - [Identify coverage gaps in your SIEM by mapping available data sources against required detection use cases, helping you close blind spots in your security monitoring][^2].
+- **Natural Language Queries**
+ - Leverage Security Copilot’s natural language interface to ask questions about your Cribl Stream setup, such as:
+ - “What sources are configured and are they healthy?”
+ - “Which destinations are currently failing?”
+ - “Do I have coverage for endpoint logs in my SIEM?”.
+- **Actionable Recommendations**
+ - Receive best-practice guidance for optimizing data flows, improving detection coverage, and remediating issues—all powered by AI.
+
+
+## How It Works
+
+1. **Connect Security Copilot to Cribl Stream**
+ - Authenticate and connect your Security Copilot environment to one or more Cribl Stream instances.
+2. **Query Your Environment**
+ - Use natural language or pre-built prompts to request inventories, health checks, or gap analyses.
+3. **Review Results and Take Action**
+ - View real-time status dashboards and actionable insights, and receive recommendations for remediation or optimization.
+
+## Example Use Cases
+
+- **Onboarding New Data Sources**
+ - [Instantly verify that new log sources (e.g., firewall, endpoint, cloud) are properly configured and flowing to your SIEM][^10].
+- **Incident Response**
+ - Quickly determine if critical telemetry (e.g., authentication logs, network flows) is being ingested and available for investigation.
+- **Compliance \& Audit**
+ - Generate reports showing which data sources are covered and identify any compliance-relevant gaps.
+- **Continuous Improvement**
+ - Regularly assess your detection coverage and receive AI-driven recommendations for expanding or optimizing your data pipeline.
+
+
+## Getting Started
+
+1. **Install the Plugin**
+ - Deploy the Cribl Stream Plugin for Security Copilot via your Security Copilot marketplace or integration settings.
+2. **Configure Connection**
+ - Provide credentials and endpoint information for your Cribl Stream instances.
+3. **Enable Permissions**
+ - Ensure the plugin has read access to Cribl Stream configuration and health APIs.
+4. **Start Querying**
+ - Use Security Copilot’s chat interface or dashboards to begin querying your Cribl Stream environment.
+
+## Requirements
+
+- Cribl Stream v4.0 or higher
+- Security Copilot with plugin integration enabled
+- Appropriate API credentials with read permissions on Cribl Stream
+
+## Resources \& Documentation
+
+- [Cribl Stream Documentation][^5]
+- [Cribl Copilot Overview][^2]
+- [Cribl CoPilot Demo Video][^3]
+- [Security Copilot Integration Guide][^8]
+- [Cribl Sandbox Create a source][^6]
+- [Cribl Sandbox Query Assistance][^7]
+
+## Support
+
+For troubleshooting or feature requests, please contact your Cribl or Security Copilot support representative.
+
+*Empower your security operations with unified visibility and actionable insights—directly from your Cribl Stream environment.*
+
+[^1]: https://cribl.io/products/copilot/
+
+[^2]: https://docs.cribl.io/copilot/
+
+[^3]: https://www.youtube.com/watch?v=oB7uU8DRnSA
+
+[^4]: https://docs.cribl.io/stream/sources/
+
+[^5]: https://docs.cribl.io/stream/
+
+[^6]: https://sandbox.cribl.io/coursedocs/overview-copilot/docs/creating-a-source-dest
+
+[^7]: https://sandbox.cribl.io/coursedocs/overview-copilot/docs/query-assistance
+
+[^8]: https://learn.microsoft.com/en-us/copilot/security/
\ No newline at end of file