Cribl User CCOE Flashcards

1
Q

Data without a particular format can be processed by Stream

A

True

2
Q

Cribl Stream is limited to ONLY processing JSON, CSV, Key-Value formats

A

False

3
Q

What are numeric representations of data measured over intervals of time?

A

Metrics

4
Q

Cribl Stream can process a wide variety of data and export it to RAW or JSON format.

A

True

5
Q

Metrics are the smallest unit of data.

A

False

6
Q

____ are a type of data that provides Cribl Stream with inputs for learning about an IT environment.

A

Logs

7
Q

The observability lake does not replace existing observability and security solutions - it augments them.

A

True

8
Q

Cribl Stream can work with a wide variety of agents.

A

True

9
Q

(Select all that apply) What are some common data tools?

A

Data Lakes and Object Storage, Agents, SIEM

10
Q

The three V’s of data are Volume, Value, and Variety

A

True

11
Q

In a distributed environment, the Leader Node is used to configure each Worker Node.

A

True

12
Q

It is best practice to install the Cribl application in the /opt directory

A

True

13
Q

Cribl Stream must be installed as a privileged user

A

False

14
Q

It is best practice to create a Cribl user to install Cribl

A

True

15
Q

Cribl Stream is a free download from the Cribl website

A

True

16
Q

Port 9001 must be open in order to deploy Cribl Stream

A

False, Port 9000 is the correct port

17
Q

What default port is used to deploy a distributed Cribl Stream environment?

A

Port 4200

18
Q

Cribl Stream uses a different binary to install the Workers.

A

False

19
Q

Cribl Stream supports the ability to use systemd or initd to start on boot

A

True

20
Q

Git is optional when installing Cribl Stream when in Distributed Mode.

A

False

21
Q

Cribl Leader Node

A

Manages both Worker Nodes and Edge Nodes by sending configuration information

22
Q

Cribl Stream

A

Uses Worker Nodes to process data. A Worker Group is a group of nodes with the same configuration.

23
Q

Cribl Edge

A

Uses Edge Nodes to gather data. A Fleet or Sub-Fleet is a group of Edge Nodes that are of the same type or collecting the same kind of data.

24
Q

Cribl Stream: Sources

A

Stream supports both push and pull
Push-based: Sources that send data to Stream
Pull-based: Sources that Stream fetches data from
Collectors: Ability to fetch data from local or remote sources on a schedule

25
Cribl Stream: Destinations
Cribl Stream supports Streaming and Non-Streaming Destinations
Streaming: accepts events in real time/mini batches
Non-Streaming: accepts events in (large) groups or batches
26
Routing Traffic: QuickConnect
Allows you to visually connect Stream Sources to output Destinations through simple drag-and-drop
27
Routing Traffic: Routes
Allows you to completely configure the data path through Stream by defining a series of filter expressions to determine how to process the event.
28
Routes
Direct data to Pipelines
Evaluate incoming events against filters
Each Route can be associated with only one Pipeline and one output
Evaluated in order
Routes default with "Final flag" set to Yes
29
Route strategies
Most-specific first or most-general first
General goal is to minimize the number of filters/Routes an event gets evaluated against
30
Pipeline
A list of Functions that process events
Events always move in the direction that points outside of the system
Functions are evaluated in order: Top > Down
Different Pipeline "types" or positions in the system
31
Functions
Building blocks of Pipelines
Discrete processing on an event (JavaScript)
Work only on events that match their Filter condition
Final toggle: No - pass resulting events down; Yes - short-circuit Functions below
Comments allow for added documentation
32
Cribl Stream Packs
Pre-built configurations designed to simplify the deployment and use of Cribl's Stream product
Includes almost everything - configurations include everything between Sources and Destinations
Packs enable plug-and-play deployments for specific use cases
Cribl Packs Dispensary - Packs repository to quickly locate and download Packs
A collection of Pipelines and Knowledge Objects that are bundled together for easy deployment and redeployment
33
Event
A collection of key-value pairs (fields)
34
What is the benefit of using Cribl Members?
It simplifies the process of managing user permissions within the system
35
What do you call sources that send data to Cribl Stream?
Push-based
36
What function do you use to extract timestamps?
Auto Timestamp
37
What is another type of source that enables administrators to fetch data from local or remote sources both on-demand or scheduled?
Collectors
38
Where can you view Cribl Stream current throughput?
Monitoring Tab
39
You can find a regex library within Cribl Stream
True
40
What collector types are currently supported in Cribl Stream?
All of the above: Filesystem/NFS, S3 Stores, Custom Scripts
41
Cribl Stream does not prescribe a particular schema and can work with events in any shape; this is called being schema-agnostic
True
42
Cribl Stream allows you to write your own custom JavaScript code.
True
43
What is the name of the instance that distributes configuration to a worker group?
Leader Node
44
What are used in Routes to select a stream of the data flow, and in Functions to scope or narrow down the applicability of the Function?
Filters
45
What do you call sources that Cribl Stream fetches data from?
Pull-based
46
What is a collection of worker nodes that share the same configuration?
Worker Group
47
As with any incoming data stream on a compatible Source, Cribl Stream can use:
Default or custom event breaker definitions
48
What function do you use to find and replace text?
Mask
49
What function does the Final flag serve?
By setting the Final Flag to yes, the route will consume the event and it will NOT proceed further
50
A Route can
be associated with multiple sources and a single destination
51
Users can only be assigned one access level in Cribl Members
False
52
For non-streaming destinations, when any condition is met, staged files are moved to their destination
True
53
What do live Datagens do?
Enable users to generate sample data to troubleshoot Routes, Pipelines, Functions, and general connectivity
54
Cribl Projects allow for assigning granular access to specific data sources and destinations
True
55
Cribl Members will eventually replace the need for local users and roles within Cribl products
56
Cribl Projects are used to group users with similar roles
False
57
Index-based searching
Data that needs to be collected, structured, and formatted in such a way that allows these tools to quickly find answers
58
Search in Place
Does not require data to be pre-indexed; you do not need to know in advance about mapping the right terms and data
59
Federated Search
Identify and correlate data from different sources, determine its value and then perform a deeper analysis
60
Cribl Search required data to be indexed before searching
False
61
Cribl Search can only search cloud-based storage
False
62
Which of the following statements is NOT true about Cribl Search?
It requires pre-indexing of data before searching
These statements are TRUE:
It allows searching data at rest
It provides customizable dashboards for data visualization
It uses a familiar and easy-to-understand query language named Kusto
63
Cribl Search is only available as a cloud-based service
True
64
What query language is Cribl Search based on?
KQL
65
Cribl Stream Packs
Pre-built configurations of Routes, Pipelines, Functions, sample data files, Knowledge Objects, etc. - everything between Sources and Destinations
Packs enable plug & play simplicity
Access to a collection of Cribl- and 3rd-party-created Packs covering numerous use cases
Cribl Packs Dispensary - Packs repository to quickly locate and download Packs
66
Packs target users in
Medium/Large deployments sharing configurations and content across multiple worker groups
67
In a distributed deployment, Packs are distributed to the worker group level
True
68
Packs can...
Enable plug & play deployments for specific use cases
Improve time to value by reducing hurdles and providing Cribl Stream users with out-of-the-box Pipelines
Target users in medium/large deployments sharing configurations and content across multiple Worker Groups
69
Packs can be imported using which of the following ways?
Import from a file
Import from a URL
Import from Git
Import from https://packs.cribl.io
70
Users are allowed to create Packs and can share them with the community, if applicable
True
71
What are pre-built configuration blocks designed to simplify the deployment and use of Cribl Stream?
Packs
72
Cribl Stream only supports S3 as a long term storage object
False
73
Once Replay is configured, how can a collector be controlled?
Scheduled, manual runs, or API calls
74
When setting up and using Replay in Cribl Stream, where should you create a new destination?
Worker group config
75
Cribl Stream Replay is compatible with "deep-freeze" storage that has long retrieval times
False
76
Cribl recommends using JSON as the write out format
True
77
Cribl Stream Replay allows you to write data out in either of two formats:
JSON or raw
78
Please select all the reasons you could use Cribl Stream Replay
All of the below:
Ingest data into a new analytics platform
Ingest data to review a security issue
Ingest data from a company merger or acquisition
79
Cribl Stream Replay allows you to store data in long term storage and then "replay" it for re-delivery to another tool
True
80
Cribl Stream Replay can only be used to ingest data that has already been ingested
False
81
Cribl recommends using Raw as the write out format
False
82
What are Event Breaker Rules?
Rulesets used to break incoming streams from specific sources into individual events
83
the Knowledge Tab allows you to see the current data throughput
False
84
Global Variables are useful JavaScript expressions that can be leveraged by pipelines/functions to provide a service
True
85
What are Parsers used to accomplish?
Common formats used to extract or re-format data
86
Reusable JavaScript expressions are called?
Global Variables
87
Cribl Stream allows you to create lookups in order to enrich incoming data
True
88
Where would you look if you were trying to find common regex patterns for let's say credit card formats?
Knowledge Tab
89
The Cribl Stream Regex Knowledge Object provides the following Regexes by default
Social Security, Credit Card, MAC Address
90
Cribl Stream provides some default Grok Patterns
True
91
What is the Regexes Knowledge Object used for?
A set of common regex patterns (SSN, CC formats, etc)
92
Select all regex shorthand character classes
\w or \W, \d or \D, \s or \S
93
In regex, using a hyphen inside a character class
specifies a range of characters
94
What function does the dollar sign $ serve in regex?
End of a string
95
Correctly identify all regex quantifiers
a, a+, a?, a{1,3}, ab|cd - All of the above
96
Non-capturing groups take fewer CPU cycles and memory
True
97
How can you group a specific part of a regular expression
By placing part of a regular expression inside round brackets or parentheses
98
You can use regex to
Identify patterns in logs, extract patterns in logs, replace patterns in logs, mask patterns in logs - all of the above
99
You can use special character sequences to put non-printable characters in your regular expression
True
100
In regex, "cat" does not match "Cat"
Always true unless you tell the regex engine to ignore differences in case
101
Regex is short for
Regular expression
102
What are the ways you can contact Cribl Support?
Email, Community Slack, Support Portal
103
Cribl Support is available to everyone
False
104
You can get support from the Cribl community through Slack using https://cribl-community.slack.com
True
105
How does a Standard user become the Administrator for a customer account in the support portal?
Assigned by Cribl support
106
What is required to access the Cribl Support Portal?
Cloud Account and email invitation
107
What additional rights does the support portal account administrator have?
View all customer cases
Edit case information
Invite other users to the support portal
All of the above
108
How many users can be assigned to a customer's support account?
4
109
What are some of the ways you can contact Cribl Support?
Email, Cribl community Slack, Support Portal
110
What are numeric representations of data measured over intervals of time?
111
Cribl Stream is limited to ONLY processing JSON, CSV, and Key-Value formats
False
112
Metrics are the smallest unit of observability
False; Events is the right answer
113
In a distributed environment, it is recommended to log into each Worker Node to configure it.
False
114
How long does a typical Cribl Stream install take?
Wrong answers: 60 minutes
115
What is the only preconfigured output in Cribl Stream?
DevNull
116
What does the final toggle do when set to NO?
Passing resulting event down
117
The basic interface concepts the user works with in Cribl Edge are:
Routes, Sources, Pipelines, Functions
118
Which deployment instance is ideal for test, dev, QA, and evaluation purposes?
Single instance deployment
119
What are sources that fetch data from Cribl Stream called?
Wrong answer: Fetch based
120
What function does the user use to extract fields?
Parser
121
An event is defined as a collection of key-value pairs?
True
122
If a destination is unreachable, what provides durability by writing data to disk for the duration of the outage in Cribl?
Persistent Queuing
123
As with any incoming data stream on a compatible Source, Cribl Stream can use:
Default or custom event breaker definitions
124
The user must be using Cribl Stream to use Cribl Edge
False
125
What can a route be associated with?
Multiple sources and a single destination
126
What is processing that is based on discrete data entities commonly known as?
Events
127
What are meta-destinations that allow for rule-based (real) destinations selection in Cribl?
Output Routers
128
What is a destination type that accepts events in (large) groups or batches?
Non-streaming destinations
129
Internal fields are used outside of Cribl Stream and can be passed to destinations.
False
130
What function does the user use to find and replace text?
Mask
131
In regex, what does using a hyphen inside a character class do?
Specifies a range of characters
132
All Packs that are created in Cribl will automatically be shared with the community.
False
133
In a single instance deployment, packs are at the Worker Group level?
False
134
Without Packs, an administrator must do all Pipeline configuration manually?
True
135
Once Cribl Replay is configured, how can a collector be controlled?
Scheduling, manual runs, or API calls
136
What are typical examples of use cases for using lookups in Cribl?
Wrong answers: defining...
137
Cribl Stream provides some default Grok Patterns
True
138
What are Parsers used to accomplish?
Common formats used to extract or re-format data