23 changes: 23 additions & 0 deletions Plugins/Published Plugins/CriblStream/CriblStream_Manifest.yaml
@@ -0,0 +1,23 @@
Descriptor:
Name: CriblStreamAPI
DisplayName: Cribl Stream API
DescriptionDisplay: Cribl Stream is an AI-powered data pipeline platform that enables security teams to collect, transform, and route telemetry data from any source to any destination, delivering clean, analytics-ready data for faster threat detection and investigationis an AI-powered data pipeline platform that enables security teams to collect, transform, and route telemetry data from any source to any destination, delivering clean, analytics-ready data for faster threat detection and investigation
Description: |-
Use this skill-set to call the Cribl Stream API to see what sources and destinations are configured. Additionally, it will determine if there are gaps in your telemetry data collection strategy.
- This skill only invokes the Cribl Stream API.
- Classifies the source as necessary or not required for the detections.
- Published by Microsoft and Cribl Stream
Category: Other
Icon:
SupportedAuthTypes:
- ApiKey
Authorization:
Type: APIKey
Key: Key
Location: Header
AuthScheme: ''

SkillGroups:
- Format: API
Settings:
OpenApiSpecUrl: 'https://gist.githubusercontent.com/amiracle/9329c74a9986f8319e18fef99690cc04/raw/73cde5a488b45ff303be6bf5469724beb091f011/criblstreamapi.yaml'
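Review bot: The `DescriptionDisplay:` value is duplicated and the two copies run together ("...threat detection and investigationis an AI-powered data pipeline platform..."); trim it to one sentence ending at "faster threat detection and investigation". Two further points in this hunk: the `Authorization` block declares `Type: APIKey` with `Key: Key` and an empty `AuthScheme`, which does not match the `BearerAuth` (http/bearer, JWT) security scheme in `CriblStream_openapi.yaml` in the same PR, so the plugin would send the token in a header literally named `Key` instead of `Authorization: Bearer <token>`; align the two (for a bearer token the manifest would need `Key: Authorization` with `AuthScheme: Bearer`, if that is the intended scheme, or the spec should be changed to an API-key scheme). Also `OpenApiSpecUrl` points at a pinned gist raw URL while the spec file is checked in under `Plugins/Published Plugins/CriblStream/`, so the published skill can drift from the file reviewed here; referencing the committed spec keeps them in sync. `Icon:` is left empty.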
173 changes: 173 additions & 0 deletions Plugins/Published Plugins/CriblStream/CriblStream_openapi.yaml
@@ -0,0 +1,173 @@
openapi: 3.0.3
info:
title: Cribl Stream API
description: OpenAPI definition for a subset of the Cribl Stream API on Cribl.Cloud.
version: "1.0.0"
servers:
- url: https://{instance}.cribl.cloud/api/v1
variables:
instance:
default: main-instanceid
description: Your Cribl.Cloud instance ID

components:
securitySchemes:
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
parameters:
ProductParam:
name: product
in: query
description: Product name (e.g., "stream")
required: false
schema:
type: string

security:
- BearerAuth: []

paths:
/master/groups:
get:
summary: Get a list of Worker Groups
description: Returns a list of ConfigGroup objects (worker groups) for the specified product.
parameters:
- $ref: '#/components/parameters/ProductParam'
responses:
'200':
description: List of worker groups
content:
application/json:
schema:
type: object
properties:
items:
type: array
items:
type: object
properties:
id:
type: string
name:
type: string
description:
type: string
'401':
description: Unauthorized

/master/workers:
get:
summary: List all Workers and their Status
description: Returns a list of all Cribl Workers and Edge Nodes connected to the Leader.
responses:
'200':
description: List of workers
content:
application/json:
schema:
type: object
properties:
items:
type: array
items:
type: object
properties:
info:
type: object
properties:
hostname:
type: string
cribl:
type: object
properties:
startTime:
type: integer
status:
type: string
'401':
description: Unauthorized

/m/{group}/system/inputs/{input}:
get:
summary: Get Input Configuration
description: Retrieves the configuration for a specific input in a worker group.
parameters:
- name: group
in: path
required: true
schema:
type: string
- name: input
in: path
required: true
schema:
type: string
responses:
'200':
description: Input configuration
content:
application/json:
schema:
type: object
'401':
description: Unauthorized

patch:
summary: Update Input Configuration
description: Updates the configuration for a specific input in a worker group.
parameters:
- name: group
in: path
required: true
schema:
type: string
- name: input
in: path
required: true
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
type: object
responses:
'200':
description: Updated input configuration
content:
application/json:
schema:
type: object
'401':
description: Unauthorized

/auth/login:
post:
summary: Authenticate (Self-Hosted Only)
description: Obtain a bearer token by providing username and password (for self-managed deployments).
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
username:
type: string
password:
type: string
responses:
'200':
description: Bearer token
content:
application/json:
schema:
type: object
properties:
token:
type: string
'401':
description: Invalid credentials
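Review bot: The `patch` operation on `/m/{group}/system/inputs/{input}` exposes a write that changes input configuration, while `readme.md` in this PR states the plugin only needs read access to configuration and health APIs; for a query/inventory skill, drop the `patch` operation (or move it to a separately gated skill) so the token granted to the plugin can stay read-only, and note its `requestBody` schema is an untyped `object` with no properties. The `/auth/login` operation accepts a username and password in the request body and is marked self-hosted only, yet `servers` targets `{instance}.cribl.cloud` and the spec already uses `BearerAuth`; a credential-accepting path reachable from prompts is not needed here and should be removed rather than left in. Also, `BearerAuth` (http bearer, JWT) does not match the `APIKey` type with header name `Key` in `CriblStream_Manifest.yaml`. Finally, no path lists inputs for a group (only a single `{input}` by id), and no path returns outputs/destinations or per-source health, so the "Source & Destination Inventory" and "Operational Health Monitoring" features described in the readme cannot be served by this spec as written; either add those endpoints or narrow the feature list.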
91 changes: 91 additions & 0 deletions Plugins/Published Plugins/CriblStream/readme.md
@@ -0,0 +1,91 @@
# Cribl Stream Plugin for Security Copilot
**Author: Kam Amir**
**Publisher: Microsoft + Cribl**

The **Cribl Stream Plugin for Security Copilot** empowers security and IT teams to seamlessly query their Cribl Stream environments. This integration provides instant visibility into configured sources and destinations, their operational status, and enables comprehensive gap analysis for detection coverage within SIEM platforms.

## Features

- **Source \& Destination Inventory**
- [Instantly list all configured sources (e.g., Splunk, HTTP, Kafka) and destinations (e.g., SIEM, data lakes, cloud storage) within your Cribl Stream instance][^4].
- **Operational Health Monitoring**
- [Check the health and operational status of all sources and destinations to ensure data is flowing as expected][^1].
- **Detection Gap Analysis**
- [Identify coverage gaps in your SIEM by mapping available data sources against required detection use cases, helping you close blind spots in your security monitoring][^2].
- **Natural Language Queries**
- Leverage Security Copilot’s natural language interface to ask questions about your Cribl Stream setup, such as:
- “What sources are configured and are they healthy?”
- “Which destinations are currently failing?”
- “Do I have coverage for endpoint logs in my SIEM?”.
- **Actionable Recommendations**
- Receive best-practice guidance for optimizing data flows, improving detection coverage, and remediating issues—all powered by AI.


## How It Works

1. **Connect Security Copilot to Cribl Stream**
- Authenticate and connect your Security Copilot environment to one or more Cribl Stream instances.
2. **Query Your Environment**
- Use natural language or pre-built prompts to request inventories, health checks, or gap analyses.
3. **Review Results and Take Action**
- View real-time status dashboards and actionable insights, and receive recommendations for remediation or optimization.

## Example Use Cases

- **Onboarding New Data Sources**
- [Instantly verify that new log sources (e.g., firewall, endpoint, cloud) are properly configured and flowing to your SIEM][^10].
- **Incident Response**
- Quickly determine if critical telemetry (e.g., authentication logs, network flows) is being ingested and available for investigation.
- **Compliance \& Audit**
- Generate reports showing which data sources are covered and identify any compliance-relevant gaps.
- **Continuous Improvement**
- Regularly assess your detection coverage and receive AI-driven recommendations for expanding or optimizing your data pipeline.


## Getting Started

1. **Install the Plugin**
- Deploy the Cribl Stream Plugin for Security Copilot via your Security Copilot marketplace or integration settings.
2. **Configure Connection**
- Provide credentials and endpoint information for your Cribl Stream instances.
3. **Enable Permissions**
- Ensure the plugin has read access to Cribl Stream configuration and health APIs.
4. **Start Querying**
- Use Security Copilot’s chat interface or dashboards to begin querying your Cribl Stream environment.

## Requirements

- Cribl Stream v4.0 or higher
- Security Copilot with plugin integration enabled
- Appropriate API credentials with read permissions on Cribl Stream

## Resources \& Documentation

- [Cribl Stream Documentation][^5]
- [Cribl Copilot Overview][^2]
- [Cribl CoPilot Demo Video][^3]
- [Security Copilot Integration Guide][^8]
- [Cribl Sandbox Create a source][^6]
- [Cribl Sandbox Query Assistance][^7]

## Support

For troubleshooting or feature requests, please contact your Cribl or Security Copilot support representative.

*Empower your security operations with unified visibility and actionable insights—directly from your Cribl Stream environment.*

[^1]: https://cribl.io/products/copilot/

[^2]: https://docs.cribl.io/copilot/

[^3]: https://www.youtube.com/watch?v=oB7uU8DRnSA

[^4]: https://docs.cribl.io/stream/sources/

[^5]: https://docs.cribl.io/stream/

[^6]: https://sandbox.cribl.io/coursedocs/overview-copilot/docs/creating-a-source-dest

[^7]: https://sandbox.cribl.io/coursedocs/overview-copilot/docs/query-assistance

[^8]: https://learn.microsoft.com/en-us/copilot/security/
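Review bot: The `[text][^n]` syntax used in the Features, Example Use Cases and Resources sections mixes reference-style links with footnote labels; the trailing `[^n]: url` lines define footnotes, not link reference definitions, so these will not render as links. Either use plain footnotes (`text[^4]`) or define link references (`[4]: https://...` with `[text][4]`). The `[^10]` reference on the "Onboarding New Data Sources" bullet has no definition at all (only `[^1]` to `[^8]` are defined). The Requirements and Getting Started sections say read permissions suffice, which conflicts with the `patch` operation on inputs in `CriblStream_openapi.yaml`; and the Features list promises listing destinations and checking source/destination health, which none of the endpoints in that spec provide, so the readme should be brought in line with the actual API surface before publishing.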