This guide covers how to set up Cribl Search with Workbench.
Prerequisites
- You must have admin access in Workbench to set up this integration.
- You must have Admin permissions in Cribl so that you can manage API credentials and invite Organization Members.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Create an Expel User for Console Access
- Generate API Credentials in Cribl
- Add Cribl as a Security Device in Workbench
Step 1: Create an Expel User for Console Access
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.
Note
Expel stores all login information our SOC analysts need for your devices in an MFA-protected password product. Access to this login information is protected using our internal MFA processes.
- Log in to Cribl.
- In the top navigation, select Products > Organization.
- In the left navigation (expand it if needed), select Members.
- Select Invite Member.
- Configure the new user as follows:
- First name - enter "Expel".
- Last name - enter "SOC".
- Email - enter "soc+<Your_Organization_Name>@expel.io".
- For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
- Organization Role - select Admin.
- Select Send Invite.
- Notify your Customer Success Manager (CSM) or Expel Support that the new Cribl account is created and the invitation email was sent. Expel will create an account and complete console access configuration in Workbench on your behalf.
Step 2: Generate API Credentials in Cribl
Next you will create API credentials to connect Cribl to Workbench.
Note
The Cribl Member who creates these API credentials appears in the audit logs as the creator of any searches executed through Workbench. If you'd prefer the audit logs indicate Expel as the creator of those searches, Expel can create those API credentials after you've sent the invitation to create our console access Member. Notify your CSM if that is the case, and we will complete the integration on your behalf.
- Navigate to the API Credentials section in the side navigation.
- Select Add Credential.
- Configure the credentials as follows:
- Name - enter "Expel key".
- Description (optional) - enter "API credentials to provide Expel access via Workbench".
- Enabled - ensure this is toggled on.
- Organization Permissions - select User.
- Select Save.
- On the next screen, find your newly created credentials in the list. Copy and save the Client ID and Secret values in a safe place for use in the next step.
- Next, use the upper-left menu to select Products > Search.
- To obtain the Server address, select everything in the URL to the left of "/search". The resulting URL should have a format similar to:
https://main-xxxxx-xxx-xxxxx.cribl.cloud
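As an added example (not code from the Expel or Cribl documentation), the helper below derives the two values this guide has you construct by hand: the console-access email from Step 1 and the Server address from the Search URL in Step 2. The ".cribl.cloud" host-suffix check and the name normalization (lower-case, whitespace to "_") are assumptions generalized from the guide's single examples.

```python
import re
from urllib.parse import urlsplit

# Hostname shape taken from the guide's example (main-xxxxx-xxx-xxxxx.cribl.cloud);
# requiring the ".cribl.cloud" suffix is an assumption, not a documented rule.
CRIBL_CLOUD_HOST = re.compile(r"^[a-z0-9][a-z0-9.-]*\.cribl\.cloud$")


def cribl_server_address(search_url: str) -> str:
    """Derive the Workbench 'Server address' from a Cribl Search URL.

    Applies the guide's rule: keep everything to the left of "/search",
    then sanity-check the result before it is pasted into Workbench.
    Raises ValueError when the URL cannot be a Cribl Search URL.
    """
    base, sep, _ = search_url.strip().partition("/search")
    if not sep:
        raise ValueError("URL does not contain '/search'; open Products > Search first")
    parts = urlsplit(base)
    if parts.scheme != "https":
        raise ValueError("Server address must use https")
    host = parts.netloc.lower()
    if not CRIBL_CLOUD_HOST.match(host):
        raise ValueError(f"unexpected host {host!r}; expected *.cribl.cloud")
    if parts.path not in ("", "/"):
        raise ValueError(f"unexpected path before /search: {parts.path!r}")
    return f"https://{host}"


def expel_soc_email(organization_name: str) -> str:
    """Build the console-access user's email: soc+<Your_Organization_Name>@expel.io.

    Lower-casing and replacing whitespace runs with "_" reproduces the guide's
    "Acme Corp" -> "soc+acme_corp@expel.io" example; how other punctuation
    should be handled is an assumption (it is left unchanged here).
    """
    slug = re.sub(r"\s+", "_", organization_name.strip().lower())
    if not slug:
        raise ValueError("organization name is empty")
    return f"soc+{slug}@expel.io"
```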
Step 3: Add Cribl as a Security Device in Workbench
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “Cribl” and then select the Cribl integration.
- A configuration pane displays. Complete the fields as follows:
- Name - enter a name that helps you identify this integration, such as “CompanyName Cribl”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Server address - enter the server address you saved in Step 2.
- Client ID - enter the client ID you saved in Step 2.
- Password - enter the client secret you saved in Step 2.
- Select Save.
- On the console access screen, select Set up later, as Expel will complete this on your behalf.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
- After your connection is healthy, it will take some time for your device to begin polling.
- To check on the status, select the downward arrow for your device in the first column and choose View details.
- If your device does not begin polling within 15 minutes, contact our support team for help. You must refresh the page to see updates.