Cribl User CCOE

Question 1

Data without a particular format can be processed by Stream

Answer 1

True

Question 2

Cribl Stream is limited to ONLY processing JSON, CSV, Key-Value formats

Answer 2

False

Question 3

What are numeric respresentations of data measured over intervals of time?

Answer 3

Metrics

Question 4

Cribl Stream can process a wide variety of data and export it to RAW or JSON format.

Answer 4

True

Question 5

Metrics are the smallest unit of data.

Answer 5

False

Question 6

____ are a type of data that provides Cribl Stream with inputs for learning about an IT environment.

Answer 6

Logs

Question 7

The observability lake does not replace existing observability and security solutions - it augments them.

Answer 7

True

Question 8

Cribl Stream can work with a wide variety of agents.

Answer 8

True

Question 9

(Select all that apply) What are some common data tools?

Answer 9

Data Lakes and Object Storage, Agents, SIEM

Question 10

The three V’s of data are Volume, Value, and Variety

Answer 10

True

Question 11

In a distributed environment, the Leader Node is used to configure each Worker Node.

Answer 11

True

Question 12

It is best practice to install the Cribl application in the /opt directory

Answer 12

True

Question 13

Cribl Stream must be installed as a privileged user

Answer 13

False

Question 14

It is best practice to create a Cribl user to install Cribl

Answer 14

True

Question 15

Cribl Stream is a Free download from the Crible website

Answer 15

True

Question 16

Port 9001 must be open in order to deploy Cribl Stream

Answer 16

False, Port 9000 is the correct port

Question 17

What default port is used to deploy a distributed Cribl Stream environment?

Answer 17

Port 4200

Question 18

Crible Stream uses a different binary to install the workers?

Answer 18

False

Question 19

Cribl Stream supports the ability to use systemd or initd to start on boot

Answer 19

True

Question 20

Git is optional when installing Cribl Stream when in Distributed Mode.

Answer 20

False

Question 21

Cribl Leader Node

Answer 21

Manages both Worker Nodes and Edge Nodes by sending configuration information

Question 22

Cribl Stream

Answer 22

Uses Worker Nodes to process data. A Worker Group is a group of nodes with the same configuration.

Question 23

Cribl Edge

Answer 23

Uses Edge Nodes to gather data. A fleet or sub fleet is a group Edge Nodes that are of the same type or collecting the same kind of data.

Question 24

Cribl Stream: Sources

Answer 24

Stream supports both push and pull
Push-based: sources that send sata to Stream
Pull-based: Sources that fetches data from
Collectors: Ability to fetch data from local or remote sources on a schedule

Question 25

Crible Stream: Destinations

Answer 25

Cribl Stream supports Streaming and non-streaming destinations
Streaming: accepts events in real time/mini batches
Non-Streaming: accepts events in (large) groups or batches

Question 26

Routing Traffic:
QuickConnect

Answer 26

Allows you to visually connect Stream Sources to output Destinations through simple drag-and-drop

Question 27

Routing Traffic:
Routes

Answer 27

Allows you to completely configure the data path through Stream by defining a series of filter expressions to determine how to process the event.

Question 28

Routes

Answer 28

Direct data to Pipelines
Evaluate incoming events against filters
Each Route can be associated with only one Pipeline and one output
Evaluated in order
Routes default with “Final flag” set to Yes

Question 29

Route strategies

Answer 29

Most-specific first or the most general first
General goal is to minimize the number of filters/Routes an event get evaluated against

Question 30

Pipeline

Answer 30

a list of Functions that process events.
Events always move in the direction that points outside of the system
Functions are evaluated in order: Top > Down
Different Pipeline “types” or position in the system

Question 31

Functions

Answer 31

Building blocks of Pipelines
Discrete processing on an event
Javascript
Work only on events that match their Filter condition
Final toggle:
No - Pass resulting events down
Yes - Short-circuit Functions below
Comments allow for added documentation

Question 32

Cribl Stream Packs

Answer 32

Pre-built configurations designed to simplify the deployment and use of Cribl’s Stream product
Includes Almost Everything - Configurations include everything between Sources and Destinations
Packs enable plug and play deployments for specific use cases
Cribl Packs Dispensary - packs respository to quickly locate and download Packs

a collection of pipelines and knowledge objects that are bundled together for easy deployment and redeployment

Question 33

Event

Answer 33

a collection of key-value pairs (fields)

Question 34

What is the benfit of using Cribl Members?

Answer 34

It simplifies the process of managing user permissions within the system

Question 35

What do you call sources that send data to Cribl Stream?

Answer 35

Push-based

Question 36

What function do you use to extract timestamps?

Answer 36

Auto Timestamp

Question 37

What is another type of source that enables administrators to fetch data from local or remote sources both on-demand or scheduled?

Answer 37

Collectors

Question 38

Where can you view Cribl Stream current throughput?

Answer 38

Monitoring Tab

Question 39

You can find a regex library within Cribl Stream

Answer 39

true

Question 40

What collector types are currently supported in Cribl Stream?

Answer 40

All of the above:
FilesystemNFS
S3 Stores
Custom Scripts

Question 41

Cribl Stream does not prescribe a particular schema, and can work with events in any shape, this is called schema-agnostic

Answer 41

True

Question 42

Cribl Stream allows you to write your own custom JavaScript code.

Answer 42

True

Question 43

What is the name of the instance that distributes configuration to a worker group?

Answer 43

Leader Node

Question 44

What are used in Routes to select a stream of the data flow, and in Functions to scope or narrow down the applicability of the Function?

Answer 44

Filters

Question 45

What do you call sources that Cribl Stream fetches data from?

Answer 45

Pull-based

Question 46

What is a collection of worker nodes that share the same configuration?

Answer 46

Worker Group

Question 47

As with any incoming data stream on a compatible Source, Cribl Stream can use:

Answer 47

Default or custom event breaker definitions

Question 48

What function do you use to find and replace text?

Answer 48

Mask

Question 49

What function does the Final flag serve?

Answer 49

By setting the Final Flag to yes, the route will consume the event and it will NOT proceed further

Question 50

A Route can

Answer 50

be associated with multiple sources and a single destination

Question 51

Users can only be assigned one acces level in Cribl Members

Answer 51

False

Question 52

For non-streaming destinations, when any condition is met, staged files are moved to their destination

Answer 52

True

Question 53

What do live Datagens do?

Answer 53

Enable users to generate sample data to troubleshoot Routes, Pipelines, Functions, and general connectivity

Question 54

Cribl Projects allow for assigning granular access to specific data sources and destinations

Answer 54

True

Question 55

Cribl Members will eventually replace the need for local users and roles within Cribl products

Question 56

Cribl Projects are used to group users with similar roles

Answer 56

False

Question 57

Index-based searching

Answer 57

Data that needs to be collected, structured, and formatted in such a way that allows these tools to quickly find answers

Question 58

Search in Place

Answer 58

Does not require data to be pre-indexed; do not need to know in advanced about mapping the right terms and data

Question 59

Federated Search

Answer 59

Identify and correlate data from different sources, determine its value and then perform a deeper analysis

Question 60

Cribl Search required data to be indexed before searching

Answer 60

False

Question 61

Cribl Searh can only search cloud-based storage

Answer 61

False

Question 62

Which of the following statements is NOT true about Cribl Search?

Answer 62

It required pre-indexing of data before searching

These statements are TRUE:
It allows searching data at rest
It provides customizable dashboards for data visualization
It uses a familiar and easy-to-understand query language named Kusto

Question 63

Cribl Search is only available as a cloud-based service

Answer 63

True

Question 64

What query language is Cribl Search based on?

Answer 64

KQL

Question 65

Cribl Stream Packs

Answer 65

Pre-built configurations of Routes, Pipelines, Functions, Sample data files, Knowledge objects, etc. everything between Sources and Destinations
Packs enable plug & play simplicity
Access to a collection of Cribl and 3rd party created packs covering numerous use cases
Cribl Packs Dispensary - packs repository to quickly locate and download Packs

Question 66

Packs target users in

Answer 66

Medium/Large deployments sharing configurations and content across multiple worker groups

Question 67

In a distributed deployment, Packs are distributed to the worker group level

Answer 67

True

Question 68

Packs can…

Answer 68

Enable plug & play deployments for specific use cases
Improve time to value by reducing hurdles and providing Cribl Stream users with out of the box pipelines
Target users in medium/large deployments sharing configurations and contennt across multiple worker groups

Question 69

Packs can be imported using which of the following ways?

Answer 69

Import from a file
Import from a URL
Import from Git
Import from https://packs.cribl.io

Question 70

Users are allowed to create Packs and can share them with the community, if applicable

Answer 70

True

Question 71

What are pre-built configuration blocks designed to simplify the deployment and use of Cribl Stream?

Answer 71

Packs

Question 72

Cribl Stream only supports S3 as a long term storage object

Answer 72

False

Question 73

Once Replay is configured, how can a collector be controlled?

Answer 73

Scheduled, manual runs, or API calls

Question 74

When setting up and using Replay in Cribl Stream, where should you create a new destination?

Answer 74

Worker group config

Question 75

Cribl Stream Replay is compatible with “deep-freeze” storage that has long retrieval times

Answer 75

False

Question 76

Cribl recommends using JSON as the write out format

Answer 76

True

Question 77

Cribl Stream Replay allows you to write data out in either of two formats:

Answer 77

JSON or raw

Question 78

Please select all the reasons you could use Cribl Stream Replay

Answer 78

All of the below:
Ingest data into a new analytics platform
Ingest data to review a security issue
Ingest data from a company merger or acquisition

Question 79

Cribl Stream Replay allows you to store data in long term storage and then “replay” it for re-delivery to another tool

Answer 79

True

Question 80

Cribl Stream Replay can only be used to ingest data that has already been ingested

Answer 80

False

Question 81

Cribl recommends using Raw as the write out format

Answer 81

False

Question 82

What are Event Breaker Rules?

Answer 82

Rulesets used to break incoming streams from specific sources into individual events

Question 83

the Knowledge Tab allows you to see the current data throughput

Answer 83

False

Question 84

Global Variables are useful JavaScript expressions that can be leveraged by pipelines/functions to provide a service

Answer 84

True

Question 85

What are Parsers used to accomplish?

Answer 85

Common formats used to extract or re-format data

Question 86

Reusable JavaScript expressions are called?

Answer 86

Global Variables

Question 87

Cribl Stream allows you to create lookups in order to enrich incoming data

Answer 87

True

Question 88

Where would you look if you were trying to find common regex patterns for let’s say credit card formats?

Answer 88

Knowledge Tab

Question 89

The Cribl Stream Regex Knowledge Object provides the following Regexs by default

Answer 89

Social Security
Credit Card
MAC Address

Question 90

Cribl Stream provides some default Grok Patterns

Answer 90

True

Question 91

What is the Regexes Knowledge Object used for?

Answer 91

A set of common regex patterns (SSN, CC formats, etc)

Question 92

Select all regex shorthand character classes

Answer 92

\w or \W
\d or \D
\s or \S

Question 93

In regex, using a hyphen inside a character class

Answer 93

specifies a range of characters

Question 94

What function does the dollar sign $ serve in regex?

Answer 94

End of a string

Question 95

Correctly identify all regex quantifiers

Answer 95

a a+ a?
a{1,3}
ab|cd
All of the above

Question 96

Non-capturing groups take fewer CPU cycles and memory

Answer 96

True

Question 97

How can you group a specific part of a regular expression

Answer 97

By placing part of a regular expression inside round brackets or parentheses

Question 98

You can use regex to

Answer 98

Identify patterns in logs
Extract patterns in logs
replace patterns in logs
mask patterns in logs
all of the above

Question 99

You can use special character sequences to put non-printable characters in your regular expression

Answer 99

True

Question 100

In regex, “cat” does not match “Cat”

Answer 100

Always true unless you tell regex engine to ignore the differences in case

Question 101

Regex is short for

Answer 101

Regular expression

Question 102

What are the ways you can contact Cribl Support?

Answer 102

Email, Community Slack, Support Portal

Question 103

Cribl Support is available to everyone

Answer 103

False

Question 104

You can get support from the Cribl community through Slack using https://cribl-community.slack.com

Answer 104

True

Question 105

How does a Standard user become the Administrator for a customer account in the support portal?

Answer 105

Assigned by Cribl support

Question 106

What is required to access the Cribl Support Portal?

Answer 106

Cloud Account and email invitation

Question 107

What additional rights does the support portal account administrator have?

Answer 107

View all customer cases
Edit case information
Invite other users to the support portal
All of the above

Question 108

How many users can be assigned to a customers support account?

Answer 108

4

Question 109

What are some of the ways you can contact Cribl Support?

Answer 109

Email, Cribl community Slack, Support Portal

Question 110

what are numeric representations of data measured over intervals of time?

Question 111

Cribl Stream is limited to ONLY processing JSON, CSV, and Key-Value formats

Answer 111

False

Question 112

Metrics are the smallest unit of observability

Answer 112

False, Events is the right answer

Question 113

In a distributed environment, it is recommended to log into each Worker Node to configure it.

Answer 113

False

Question 114

How long does a typical Cribl Stream install take?

Answer 114

Wrong answers: 60 minutes

Question 115

What is the only preconfigured output in Cribl Stream?

Answer 115

DevNull

Question 116

What does the final toggle do when set to NO?

Answer 116

Passing resulting event down

Question 117

The basic interface concepts the users works with in Cribl Edge are:

Answer 117

Routes, Sources, Pipelines, Functions

Question 118

Which deployment instance is ideal for test, dev, QA, and evaluation purposes?

Answer 118

Single instance deployment

Question 119

What are sources that fetch data from Cribl Stream called?

Answer 119

Wrong answer: Fetch based

Question 120

What function does the user use to extract fields?

Answer 120

Parser

Question 121

An event is defined as a collection of key-value pairs?

Answer 121

True

Question 122

If a destination is unreachable, what provides durability by writing data to disk for the duration of the outage in Cribl?

Answer 122

Persistent Queuing

Question 123

as with any incoming data stream on a compatible Source, Cribl Stream can use:

Answer 123

Default of custom event breaker definitions

Question 124

The user must be using Cribl Stream to use Cribl Edge

Answer 124

False

Question 125

What can a route be associated with?

Answer 125

Multiple sources and a single destination

Question 126

What is processing that is based on discrete data entities commonly known as ?

Answer 126

Events

Question 127

What are meta-destinations that allow for rule-based (real) destinations selection in Cribl?

Answer 127

Output Routers

Question 128

What is a destination type that accepts events in (large) groups or batches?

Answer 128

Non-streaming destinations

Question 129

Internal fields are used outside of Cribl Stream and can be passed to destinations.

Answer 129

False

Question 130

what function does the user use to find and replace text?

Answer 130

Mask

Question 131

In regex, what does using a hyphen inside a character class do?

Answer 131

Specifies a range of characters

Question 132

All Packs that are created in Cribl will automatically be shared with the community.

Answer 132

False

Question 133

In a single instance deployment, packs are at the Worker Group level?

Answer 133

False

Question 134

Without Packs, an administrator must do all Pipeline configuration manually?

Answer 134

True

Question 135

Once Cribl Replay is configured, how can a collector be controlled?

Answer 135

Scheduling, manual runs, or API calls

Question 136

What are typical examples of use cases for using lookups in Cribl?

Answer 136

Wrong answrs: defining…

Question 137

Cribl Stream provides some default Grok Patterns

Answer 137

True

Question 138

What are Parsers used to accomplish?

Answer 138

Common formats used to extract or re-format data