Cribl User CCOE Flashcards
Data without a particular format can be processed by Stream
True
Cribl Stream is limited to ONLY processing JSON, CSV, Key-Value formats
False
What are numeric representations of data measured over intervals of time?
Metrics
Cribl Stream can process a wide variety of data and export it to RAW or JSON format.
True
Metrics are the smallest unit of data.
False
____ are a type of data that provides Cribl Stream with inputs for learning about an IT environment.
Logs
The observability lake does not replace existing observability and security solutions - it augments them.
True
Cribl Stream can work with a wide variety of agents.
True
(Select all that apply) What are some common data tools?
Data Lakes and Object Storage, Agents, SIEM
The three V’s of data are Volume, Value, and Variety
True
In a distributed environment, the Leader Node is used to configure each Worker Node.
True
It is best practice to install the Cribl application in the /opt directory
True
Cribl Stream must be installed as a privileged user
False
It is best practice to create a Cribl user to install Cribl
True
Cribl Stream is a free download from the Cribl website
True
Port 9001 must be open in order to deploy Cribl Stream
False, Port 9000 is the correct port
What default port is used to deploy a distributed Cribl Stream environment?
Port 4200
Cribl Stream uses a different binary to install the Workers.
False
Cribl Stream supports the ability to use systemd or initd to start on boot
True
Git is optional when installing Cribl Stream when in Distributed Mode.
False
Cribl Leader Node
Manages both Worker Nodes and Edge Nodes by sending configuration information
Cribl Stream
Uses Worker Nodes to process data. A Worker Group is a group of nodes with the same configuration.
Cribl Edge
Uses Edge Nodes to gather data. A Fleet or Sub-Fleet is a group of Edge Nodes that are of the same type or collecting the same kind of data.
Cribl Stream: Sources
Stream supports both push and pull
Push-based: Sources that send data to Stream
Pull-based: Sources that Stream fetches data from
Collectors: Ability to fetch data from local or remote sources on a schedule
Cribl Stream: Destinations
Cribl Stream supports Streaming and non-streaming destinations
Streaming: accepts events in real time/mini batches
Non-Streaming: accepts events in (large) groups or batches
Routing Traffic:
QuickConnect
Allows you to visually connect Stream Sources to output Destinations through simple drag-and-drop
Routing Traffic:
Routes
Allows you to completely configure the data path through Stream by defining a series of filter expressions to determine how to process the event.
Routes
Direct data to Pipelines
Evaluate incoming events against filters
Each Route can be associated with only one Pipeline and one output
Evaluated in order
Routes default with “Final flag” set to Yes
Route strategies
Most-specific first or the most general first
General goal is to minimize the number of filters/Routes an event get evaluated against
Pipeline
a list of Functions that process events.
Events always move in the direction that points outside of the system
Functions are evaluated in order: Top > Down
Different Pipeline “types” or position in the system
Functions
Building blocks of Pipelines
Discrete processing on an event
JavaScript
Work only on events that match their Filter condition
Final toggle:
No - Pass resulting events down
Yes - Short-circuit Functions below
Comments allow for added documentation
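The Route, Pipeline and Function cards above describe an evaluation order. The JavaScript below is an added example, not Cribl's code or configuration: it models those rules (Routes evaluated top-down with the Final flag, Functions evaluated top-down and scoped by a Filter with a Final toggle, internal `__` fields dropped before a Destination, `devnull` discarding) on constructed events. Filters are plain arrow functions here; in Cribl Stream they are JavaScript expression strings. The field names, route names, pipeline contents and outputs are made up for illustration.

```javascript
"use strict";

// Added example, not Cribl's code: a minimal model of Cribl Stream's
// Routes -> Pipelines -> Functions evaluation order, so the Final flag
// semantics can be seen on sample events. Config below is constructed.

// A Function is {filter, final, process}. process returns the new event,
// or null to drop it. A missing filter means "matches every event".
function runPipeline(pipeline, event) {
  let e = { ...event };
  for (const fn of pipeline) {
    const matches = fn.filter ? fn.filter(e) : true;
    if (!matches) continue;        // Functions only act on matching events
    e = fn.process(e);
    if (e === null) return null;   // event dropped by this Function
    if (fn.final) break;           // Final = Yes short-circuits the Functions below
  }
  return e;
}

// Internal fields (names starting with "__") are used inside Stream only
// and are never passed to Destinations.
function toDestination(e) {
  return Object.fromEntries(Object.entries(e).filter(([k]) => !k.startsWith("__")));
}

// A Route is {name, filter, pipeline, output, final}. Routes are evaluated
// top-down; a matching Route sends the event through its one Pipeline to its
// one output. Final = Yes (the default) consumes the event; Final = No lets
// a copy of the original event continue down to later Routes.
function routeEvent(routes, pipelines, event) {
  const delivered = [];
  for (const r of routes) {
    if (!r.filter(event)) continue;
    const out = runPipeline(pipelines[r.pipeline], event);
    if (out !== null) delivered.push({ output: r.output, event: toDestination(out) });
    if (r.final) break;
  }
  return delivered;
}

// Deliver a batch, grouped by output. devnull (the only preconfigured
// output) discards whatever reaches it.
function processBatch(routes, pipelines, events) {
  const byOutput = {};
  for (const ev of events) {
    for (const { output, event } of routeEvent(routes, pipelines, ev)) {
      if (output === "devnull") continue;
      (byOutput[output] = byOutput[output] || []).push(event);
    }
  }
  return byOutput;
}

// Constructed sample configuration (hypothetical names).
const pipelines = {
  security: [
    { filter: e => e.level === "debug", process: () => null },           // drop debug noise
    { filter: e => typeof e._raw === "string",                            // mask a secret
      process: e => ({ ...e, _raw: e._raw.replace(/password=\S+/g, "password=***") }) },
    { filter: e => e.__severity === "high", final: true,                  // short-circuit
      process: e => ({ ...e, priority: 1 }) },
    { process: e => ({ ...e, priority: 5 }) },                            // skipped for high severity
  ],
  passthru: [],
};

// Most-specific Route first, catch-all last; the catch-all is Final so the
// devnull default is never reached.
const routes = [
  { name: "auth-to-siem", filter: e => e.sourcetype === "auth",
    pipeline: "security", output: "siem", final: false },               // tee: also falls through
  { name: "everything-to-lake", filter: () => true,
    pipeline: "passthru", output: "lake", final: true },
  { name: "default", filter: () => true,
    pipeline: "passthru", output: "devnull", final: true },
];

// Constructed sample events.
const sampleEvents = [
  { sourcetype: "auth", level: "info", __severity: "high",
    _raw: "login user=alice password=hunter2 result=fail" },
  { sourcetype: "auth", level: "debug", _raw: "heartbeat" },
  { sourcetype: "web", level: "info", _raw: "GET /index.html 200" },
];

const result = processBatch(routes, pipelines, sampleEvents);
```

Running it shows the two things the cards state: the SIEM receives one masked, priority-1 auth event with `__severity` stripped, while the lake receives all three events as originally received, because the non-final first Route forwards a copy of the unmodified event rather than the Pipeline's output.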
Cribl Stream Packs
Pre-built configurations designed to simplify the deployment and use of Cribl’s Stream product
Includes Almost Everything - Configurations include everything between Sources and Destinations
Packs enable plug and play deployments for specific use cases
Cribl Packs Dispensary - Packs repository to quickly locate and download Packs
a collection of pipelines and knowledge objects that are bundled together for easy deployment and redeployment
Event
a collection of key-value pairs (fields)
What is the benefit of using Cribl Members?
It simplifies the process of managing user permissions within the system
What do you call sources that send data to Cribl Stream?
Push-based
What function do you use to extract timestamps?
Auto Timestamp
What is another type of source that enables administrators to fetch data from local or remote sources both on-demand or scheduled?
Collectors
Where can you view Cribl Stream current throughput?
Monitoring Tab
You can find a regex library within Cribl Stream
True
What collector types are currently supported in Cribl Stream?
All of the above:
Filesystem/NFS
S3 Stores
Custom Scripts
Cribl Stream does not prescribe a particular schema, and can work with events in any shape, this is called schema-agnostic
True
Cribl Stream allows you to write your own custom JavaScript code.
True
What is the name of the instance that distributes configuration to a worker group?
Leader Node
What are used in Routes to select a stream of the data flow, and in Functions to scope or narrow down the applicability of the Function?
Filters
What do you call sources that Cribl Stream fetches data from?
Pull-based
What is a collection of worker nodes that share the same configuration?
Worker Group
As with any incoming data stream on a compatible Source, Cribl Stream can use:
Default or custom event breaker definitions
What function do you use to find and replace text?
Mask
What function does the Final flag serve?
By setting the Final Flag to yes, the route will consume the event and it will NOT proceed further
A Route can
be associated with multiple sources and a single destination
Users can only be assigned one access level in Cribl Members
False
For non-streaming destinations, when any condition is met, staged files are moved to their destination
True
What do live Datagens do?
Enable users to generate sample data to troubleshoot Routes, Pipelines, Functions, and general connectivity
Cribl Projects allow for assigning granular access to specific data sources and destinations
True
Cribl Members will eventually replace the need for local users and roles within Cribl products
Cribl Projects are used to group users with similar roles
False
Index-based searching
Data that needs to be collected, structured, and formatted in such a way that allows these tools to quickly find answers
Search in Place
Does not require data to be pre-indexed; you do not need to know in advance how to map the right terms and data
Federated Search
Identify and correlate data from different sources, determine its value and then perform a deeper analysis
Cribl Search requires data to be indexed before searching
False
Cribl Search can only search cloud-based storage
False
Which of the following statements is NOT true about Cribl Search?
It requires pre-indexing of data before searching
These statements are TRUE:
It allows searching data at rest
It provides customizable dashboards for data visualization
It uses a familiar and easy-to-understand query language named Kusto
Cribl Search is only available as a cloud-based service
True
What query language is Cribl Search based on?
KQL
Cribl Stream Packs
Pre-built configurations of Routes, Pipelines, Functions, Sample data files, Knowledge objects, etc. everything between Sources and Destinations
Packs enable plug & play simplicity
Access to a collection of Cribl and 3rd party created packs covering numerous use cases
Cribl Packs Dispensary - packs repository to quickly locate and download Packs
Packs target users in
Medium/Large deployments sharing configurations and content across multiple worker groups
In a distributed deployment, Packs are distributed to the worker group level
True
Packs can…
Enable plug & play deployments for specific use cases
Improve time to value by reducing hurdles and providing Cribl Stream users with out of the box pipelines
Target users in medium/large deployments sharing configurations and content across multiple worker groups
Packs can be imported using which of the following ways?
Import from a file
Import from a URL
Import from Git
Import from https://packs.cribl.io
Users are allowed to create Packs and can share them with the community, if applicable
True
What are pre-built configuration blocks designed to simplify the deployment and use of Cribl Stream?
Packs
Cribl Stream only supports S3 as a long term storage object
False
Once Replay is configured, how can a collector be controlled?
Scheduled, manual runs, or API calls
When setting up and using Replay in Cribl Stream, where should you create a new destination?
Worker group config
Cribl Stream Replay is compatible with “deep-freeze” storage that has long retrieval times
False
Cribl recommends using JSON as the write out format
True
Cribl Stream Replay allows you to write data out in either of two formats:
JSON or raw
Please select all the reasons you could use Cribl Stream Replay
All of the below:
Ingest data into a new analytics platform
Ingest data to review a security issue
Ingest data from a company merger or acquisition
Cribl Stream Replay allows you to store data in long term storage and then “replay” it for re-delivery to another tool
True
Cribl Stream Replay can only be used to ingest data that has already been ingested
False
Cribl recommends using Raw as the write out format
False
What are Event Breaker Rules?
Rulesets used to break incoming streams from specific sources into individual events
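What an Event Breaker ruleset actually does to a raw stream, as an added JavaScript example (not Cribl's code; the breaker regexes, timestamp handling and log chunk are constructed here for illustration). A newline-only breaker turns a multi-line stack trace into separate, context-free events; a regex breaker that only breaks at a newline followed by the next timestamp keeps continuation lines with the line that started them.

```javascript
"use strict";

// Added example, not Cribl's code: event breaking on a raw chunk with two
// different breaker rules, followed by a simple timestamp extraction of the
// kind the Auto Timestamp Function performs. All inputs are constructed.

// Break `chunk` into events wherever `breaker` matches; the separator itself
// is discarded, trailing newlines are stripped and empty events are dropped.
function breakEvents(chunk, breaker) {
  return chunk
    .split(breaker)
    .map(s => s.replace(/[\r\n]+$/, ""))
    .filter(s => s.length > 0);
}

// Newline-only breaking, fine for well-behaved single-line syslog.
const NEWLINE_BREAKER = /[\n\r]+/;
// Break only at a newline that is followed by an ISO-8601 timestamp, so
// indented "at ..." continuation lines stay in the event they belong to.
const TIMESTAMP_BREAKER = /[\n\r]+(?=\d{4}-\d{2}-\d{2}T)/;

// Pull a leading ISO timestamp into _time (epoch seconds) and keep the text
// in _raw. An event without a parseable timestamp keeps _time undefined
// rather than being dropped, so nothing is silently lost.
function toEvent(raw) {
  const m = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)/.exec(raw);
  return { _raw: raw, _time: m ? Date.parse(m[1]) / 1000 : undefined };
}

function breakAndParse(chunk, breaker) {
  return breakEvents(chunk, breaker).map(toEvent);
}

// Constructed sample chunk: two single-line events around one multi-line
// Java exception. Not taken from any real system.
const SAMPLE_CHUNK = [
  "2024-05-01T10:00:00Z INFO  app started",
  "2024-05-01T10:00:05Z ERROR request failed",
  "java.lang.NullPointerException: user was null",
  "\tat com.example.Auth.check(Auth.java:42)",
  "\tat com.example.Handler.run(Handler.java:17)",
  "2024-05-01T10:00:07Z INFO  request retried",
].join("\n") + "\n";

const contextual = breakAndParse(SAMPLE_CHUNK, TIMESTAMP_BREAKER); // 3 events
const flattened = breakAndParse(SAMPLE_CHUNK, NEWLINE_BREAKER);    // 6 events
```

With the timestamp-aware breaker the exception and its stack frames are one event carrying the 10:00:05Z timestamp; with the newline breaker the same frames become four events, three of them with no timestamp of their own, which is exactly the kind of data that later gets mis-timed or dropped downstream.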
The Knowledge Tab allows you to see the current data throughput
False
Global Variables are useful JavaScript expressions that can be leveraged by pipelines/functions to provide a service
True
What are Parsers used to accomplish?
Common formats used to extract or re-format data
Reusable JavaScript expressions are called?
Global Variables
Cribl Stream allows you to create lookups in order to enrich incoming data
True
Where would you look if you were trying to find common regex patterns for let’s say credit card formats?
Knowledge Tab
The Cribl Stream Regex Knowledge Object provides the following Regexs by default
Social Security
Credit Card
MAC Address
Cribl Stream provides some default Grok Patterns
True
What is the Regexes Knowledge Object used for?
A set of common regex patterns (SSN, CC formats, etc)
Select all regex shorthand character classes
\w or \W
\d or \D
\s or \S
In regex, using a hyphen inside a character class
specifies a range of characters
What function does the dollar sign $ serve in regex?
End of a string
Correctly identify all regex quantifiers
a* a+ a?
a{1,3}
ab|cd (strictly, | is alternation rather than a quantifier)
All of the above
Non-capturing groups take fewer CPU cycles and memory
True
How can you group a specific part of a regular expression
By placing part of a regular expression inside round brackets or parentheses
You can use regex to
Identify patterns in logs
Extract patterns in logs
replace patterns in logs
mask patterns in logs
all of the above
You can use special character sequences to put non-printable characters in your regular expression
True
In regex, “cat” does not match “Cat”
Always true, unless you tell the regex engine to ignore differences in case
Regex is short for
Regular expression
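The regex cards above list the building blocks (shorthand classes, a hyphen range inside a character class, the $ anchor, quantifiers, capturing and non-capturing groups, case-insensitive matching) and the four uses: identify, extract, replace and mask patterns in logs. The JavaScript below is an added example, not from the Cribl course or product, showing those pieces applied to constructed log lines the way a Mask, Parser or Regex Extract Function would use them. The patterns, field names and sample lines are assumptions made for illustration.

```javascript
"use strict";

// Added example, not Cribl's code: regex building blocks applied to log
// lines for the identify / extract / mask use cases. Inputs are constructed.

// Mask patterns. (?:...) groups without capturing, so a quantifier can apply
// to the whole group without paying for a capture.
const SSN = /\b\d{3}-\d{2}-(\d{4})\b/g;                     // \d class, exact quantifiers; last 4 captured
const CARD = /\b\d(?:[ -]?\d){12,15}\b/g;                   // 13-16 digits, optional space/dash, ends on a digit
const MAC = /\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b/g;    // [0-9A-Fa-f] uses hyphen ranges
const ERROR = /\b(?:error|fatal)\b/i;                       // i flag: "Error" and "ERROR" both match

// Mask: replace each sensitive pattern in place. SSN keeps its last four
// digits via the $1 back-reference, card numbers keep their last four digits,
// MAC addresses are replaced entirely.
function maskLine(line) {
  return line
    .replace(SSN, "***-**-$1")
    .replace(CARD, m => {
      const digits = m.replace(/\D/g, "");                  // \D: anything that is not a digit
      return "*".repeat(digits.length - 4) + digits.slice(-4);
    })
    .replace(MAC, "[MAC]");
}

// Extract: capturing groups pull fields out. The non-capturing
// (?:fail|success) does not shift the group numbers, and $ anchors the
// status code to the end of the line.
const KV = /user=(\w+)\s+result=(?:fail|success)\s+code=(\d+)$/;
function extractFields(line) {
  const m = KV.exec(line);
  return m ? { user: m[1], code: Number(m[2]) } : null;
}

// Identify: case-insensitive detection of an error-level line.
function isError(line) {
  return ERROR.test(line);
}

// Constructed sample log lines (not from any real system).
const SAMPLE_LOGS = [
  "2024-05-01T10:00:01Z ssn=123-45-6789 user=alice result=fail code=401",
  "2024-05-01T10:00:02Z card=4111 1111 1111 1111 user=bob result=success code=200",
  "2024-05-01T10:00:03Z Error mac=00:1A:2b:3C:4d:5E user=carol result=fail code=403",
];

const MASKED = SAMPLE_LOGS.map(maskLine);
```

Two details worth noticing: the card pattern is written to start and end on a digit so a trailing separator is never swallowed into the mask (which would glue the next field onto the masked value), and the timestamps and status codes are not touched by any of the masks even though they are also runs of digits, because the quantifiers and word boundaries bound what can match.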
What are the ways you can contact Cribl Support?
Email, Community Slack, Support Portal
Cribl Support is available to everyone
False
You can get support from the Cribl community through Slack using https://cribl-community.slack.com
True
How does a Standard user become the Administrator for a customer account in the support portal?
Assigned by Cribl support
What is required to access the Cribl Support Portal?
Cloud Account and email invitation
What additional rights does the support portal account administrator have?
View all customer cases
Edit case information
Invite other users to the support portal
All of the above
How many users can be assigned to a customers support account?
4
Metrics are the smallest unit of observability
False, Events is the right answer
In a distributed environment, it is recommended to log into each Worker Node to configure it.
False
How long does a typical Cribl Stream install take?
Wrong answers: 60 minutes
What is the only preconfigured output in Cribl Stream?
DevNull
What does the final toggle do when set to NO?
Passing resulting event down
The basic interface concepts the user works with in Cribl Edge are:
Routes, Sources, Pipelines, Functions
Which deployment instance is ideal for test, dev, QA, and evaluation purposes?
Single instance deployment
What are sources that fetch data from Cribl Stream called?
Wrong answer: Fetch based
What function does the user use to extract fields?
Parser
An event is defined as a collection of key-value pairs?
True
If a destination is unreachable, what provides durability by writing data to disk for the duration of the outage in Cribl?
Persistent Queuing
The user must be using Cribl Stream to use Cribl Edge
False
What can a route be associated with?
Multiple sources and a single destination
What is processing that is based on discrete data entities commonly known as?
Events
What are meta-destinations that allow for rule-based (real) destinations selection in Cribl?
Output Routers
What is a destination type that accepts events in (large) groups or batches?
Non-streaming destinations
Internal fields are used outside of Cribl Stream and can be passed to destinations.
False
All Packs that are created in Cribl will automatically be shared with the community.
False
In a single instance deployment, packs are at the Worker Group level?
False
Without Packs, an administrator must do all Pipeline configuration manually?
True
What are typical examples of use cases for using lookups in Cribl?
Wrong answers: defining…