AI-Generated Reference — No Warranty. This tool is for informational purposes only. Content is sourced from publicly available resources including docs.cribl.io, CrowdStrike, and Microsoft documentation. It may be incomplete, inaccurate, or out of date. This is not official guidance. Always verify against current official documentation before implementation. No liability is accepted for decisions made based on this content.

Choose a Microsoft data source to see the end-to-end configuration flow: log origin → Azure transport → Cribl Stream → CrowdStrike NG SIEM via Cribl Connector.

Pipeline Matrix columns: Data Source, Log Collection Method, Cribl Ingest / Collect Method, NG SIEM Connector, NG SIEM Parser Name, Supported Parser. Parser IDs are taken from CrowdStrike NG SIEM; ingestion methods from docs.cribl.io/stream.

Build Your Collection Run Sheet

Select the sources you want to onboard. A numbered step-by-step run sheet will be generated below with reference links for each source.


Resources & Best Practices

Curated reference links and architectural best practice guidance for the Microsoft → Cribl → CrowdStrike NG SIEM pipeline. Information sourced from publicly available documentation.

Architectural Best Practices
Azure Event Hub Design
Microsoft Transport Layer
  • One Event Hub per log source type. Mixing log types in a single hub causes Kafka consumer group rebalancing in Cribl, which interrupts all sources sharing that Group ID.
  • Standard+ tier only. The Basic tier does not support the SASL PLAIN authentication method required by Cribl Stream.
  • Size your namespace throughput units (TUs) before go-live. Each TU supports 1 MB/s or 1,000 events/s ingress — whichever is hit first. A Premium namespace supports up to 100 partitions per hub.
  • Enable 7-day retention on Event Hubs during initial setup to allow replay if Cribl is misconfigured or offline at launch.
  • Use dedicated Shared Access Policies per hub rather than reusing the root RootManageSharedAccessKey in production.
  • Firewall rules may be required. Cribl's Event Hubs Source speaks the Kafka protocol over TLS (binary TCP, not HTTP) — ensure TCP port 9093 is open from Cribl workers to the Event Hub namespace endpoint.
Cribl Stream Configuration
Pipeline & Routing
  • Unique Group ID per Event Hub source. Sharing a Group ID across sources means a state change (Worker crash, config deploy) will trigger rebalancing across all sources in that group, causing data loss windows.
  • Never use $Default as a Group ID in production — this is a shared group that other consumers may also subscribe to.
  • Always add an Event Breaker Function in-pipeline for Event Hub sources. Azure Event Hubs does not natively support Event Breakers — batched records[] arrays will not be split without it.
  • Fix per-event timestamps with Eval. Event Hub batches carry a group-level timestamp; individual events need their own timestamp extracted from the raw payload.
  • Enable Persistent Queues (PQ) on the CrowdStrike NG SIEM destination to buffer events during backpressure or downstream outages without data loss.
  • Clone to object storage (Azure Blob / S3) for compliance archive and replay capability. Cribl Search can query the archive using KQL.
  • Set Ingestion lag > 0 on O365 Activity Sources. Microsoft's delivery delay is 60–90 minutes — leaving this at default 0 causes missed events.
  • Manage O365 subscriptions externally. Cribl cannot start or stop Office 365 Management Activity API subscriptions — use curl or a dedicated script before enabling the source in Cribl.
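The two pipeline steps described above for Event Hub batches (splitting the `records[]` array into one event per record, then giving each event its own `_time`) can be simulated outside Cribl. The block below is an added example written for this page, not Cribl's own Event Breaker or Eval code; the function names, the `__timeFallback` / `__breakerError` marker fields, and the sample batch are all constructed assumptions. It follows Cribl's convention of epoch seconds for `_time` and handles the edge cases a breaker has to survive: a record with no `time` field (falls back to the batch-level time and is marked), an unbatched single-object payload, and a payload that is not JSON at all.

```javascript
// Added example: simulates, outside Cribl, the two pipeline steps the text
// describes for Azure Event Hub batches: (1) split the batched records[]
// array into one event per record and (2) give each event its own _time
// from the record's `time` field instead of the batch-level timestamp.
// Function and marker-field names are illustrative assumptions, not Cribl's
// API. Cribl uses epoch seconds for _time, which this follows.

// Constructed sample: what one Event Hub message looks like after Azure
// diagnostic settings batch several log records together. The third record
// deliberately has no `time` field.
const SAMPLE_BATCH = JSON.stringify({
  records: [
    { time: "2024-05-01T10:00:01.1234567Z", category: "SignInLogs", resultType: "0", operationName: "Sign-in activity" },
    { time: "2024-05-01T10:00:07.0000000Z", category: "AuditLogs", resultType: "0", operationName: "Update user" },
    { category: "SignInLogs", resultType: "50126", operationName: "Sign-in activity" }
  ]
});

// Parse an ISO-8601 timestamp into epoch seconds (Cribl's _time convention).
// Azure emits 7 fractional digits, which Date.parse does not accept in every
// engine, so trim to milliseconds first. Returns null on unparseable input.
function isoToEpochSeconds(ts) {
  if (typeof ts !== "string") return null;
  const trimmed = ts.replace(/(\.\d{3})\d+(Z|[+-]\d\d:\d\d)$/, "$1$2");
  const ms = Date.parse(trimmed);
  return Number.isNaN(ms) ? null : ms / 1000;
}

// Break one Event Hub message into per-record events.
// batchTime: the group-level timestamp Cribl stamps on the whole batch,
// used only as a fallback when a record carries no usable `time`.
function breakEventHubBatch(raw, batchTime) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    // Not JSON at all: pass it through as a single event so nothing is dropped.
    return [{ _raw: raw, _time: batchTime, __breakerError: "invalid_json" }];
  }
  // Unbatched payloads (a single object with no records[]) become one event.
  const records = Array.isArray(parsed.records) ? parsed.records : [parsed];
  return records.map(rec => {
    const t = isoToEpochSeconds(rec.time);
    const ev = {
      _raw: JSON.stringify(rec),         // keep the vendor's original shape for the NG SIEM parser
      _time: t === null ? batchTime : t  // per-event time; batch time only as a fallback
    };
    if (t === null) ev.__timeFallback = true; // makes fallback events easy to find in Cribl Search
    return ev;
  });
}

// Usage: run against the constructed batch with a batch-level time one minute later.
const events = breakEventHubBatch(SAMPLE_BATCH, 1714557660);
console.log(events.map(e => [e._time, e.__timeFallback === true]));
```

The marker fields are internal (double-underscore) so they never reach the destination; they exist so a pipeline or Cribl Search query can count how many events had to fall back to the batch time, which is the signal that a source is sending records without a parsable `time`.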
CrowdStrike NG SIEM
Connector & Parser
  • Always use the Cribl Data Connector — not a generic HEC connector. The Cribl-specific connector unlocks future enhancements and allows filtering by Cribl Data Connector in NG SIEM.
  • One connector per vendor/product pair. Each connector generates its own HEC endpoint and API key. Do not reuse a connector for multiple log sources.
  • Preserve _raw. Default NG SIEM parsers expect data in the vendor's original format. Do not restructure or re-key events before sending — only filter, redact, or sample.
  • Clone default parsers before editing. NG SIEM will not allow editing of built-in parsers in-place — clone first, then modify the copy.
  • Test parsers with real _raw samples. Copy _raw from Cribl's sample data output → paste into the NG SIEM Parser editor → Add test → Test Parser to validate field extraction before go-live.
  • Enable round-robin DNS on the Cribl NG SIEM destination for load balancing across LogScale nodes.
  • Validate post-deployment via NG SIEM Event Search → Source: Third Party. Destination status in Cribl: blue = pending, green = active.
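The "preserve `_raw`" rule above allows redaction but forbids restructuring. The block below is an added example, not CrowdStrike or Cribl code, showing one way to redact string values inside `_raw` by editing the JSON text in place rather than parsing and re-serialising it, so key order, nesting and whitespace stay exactly as the vendor produced them and the default NG SIEM parser still matches. The helper names and the sample Entra ID sign-in record are constructed assumptions; only string-valued fields are handled.

```javascript
// Added example: redacting sensitive values in _raw without changing its shape,
// so the default NG SIEM parser still sees the vendor's original key layout.
// The regex edits the JSON text in place instead of parse/re-serialise, so key
// order and whitespace survive exactly. Illustrative helper names, not a Cribl
// or CrowdStrike API; only string-valued fields are redacted.

// Constructed sample _raw, in the shape of an Entra ID sign-in record.
const SAMPLE_RAW = '{"time":"2024-05-01T10:00:01Z","category":"SignInLogs",' +
  '"properties":{"ipAddress":"203.0.113.7","userPrincipalName":"alice@example.com","status":{"errorCode":0}}}';

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace the string value of every occurrence of each named key with a marker.
// The value pattern tolerates escaped quotes inside the string.
function redactRawInPlace(raw, keys, marker = "[REDACTED]") {
  let out = raw;
  for (const key of keys) {
    const re = new RegExp(`("${escapeRegex(key)}"\\s*:\\s*")((?:[^"\\\\]|\\\\.)*)(")`, "g");
    out = out.replace(re, `$1${marker}$3`);
  }
  return out;
}

// Ordered list of dotted key paths; used to prove the layout is untouched.
function keyPaths(obj, prefix = "") {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return [];
  return Object.keys(obj).flatMap(k => [prefix + k, ...keyPaths(obj[k], prefix + k + ".")]);
}

// True when redaction changed values only: same keys, same order, same nesting.
function redactionPreservesShape(before, after) {
  return keyPaths(JSON.parse(before)).join("\n") === keyPaths(JSON.parse(after)).join("\n");
}

// Usage: redact the two identifying fields and confirm the shape check passes.
const redacted = redactRawInPlace(SAMPLE_RAW, ["ipAddress", "userPrincipalName"]);
console.log(redacted, redactionPreservesShape(SAMPLE_RAW, redacted));
```

Run the shape check in a test stage before go-live alongside the parser test the text describes: if it fails for some sample, the redaction touched structure, not just values, and the default parser is likely to drop fields.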
API Pull Sources (O365)
Activity, Message Trace, Services
  • Application permissions only. All O365 API sources (Activity, Services, Message Trace) require Application-type permissions in Azure AD. Delegated permissions are not sufficient and will fail silently.
  • Message Trace date offsets. Always configure Date range start: -3h@h and Date range end: -2h@h to compensate for delivery delay. Without this, recent events will be missed on every poll cycle.
  • Polling intervals must divide 60 evenly. O365 Services Source uses a cron-based schedule — intervals like 23 or 45 minutes will be rejected. Use: 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, or 60.
  • Monitor the Job Inspector for stuck jobs. Scheduled collector jobs can enter a zombie state — set a Job Timeout to auto-terminate long-running stuck jobs. Navigate to Monitoring › System › Job Inspector.
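Two of the O365 settings above are easier to reason about when you can see what they resolve to. The block below is an added example written for this page, not Cribl's own scheduler or time-expression code: it resolves relative-time expressions in the `-3h@h` style used for the Message Trace date range (shift, then snap down to the unit after `@`, in UTC) so you can print the exact window a poll will request, and it expands a `*/N` cron minute step into the minutes it fires on, which shows why an interval that does not divide 60 produces an uneven gap at the top of each hour. The function names and the sample clock value are constructed assumptions.

```javascript
// Added example: stand-alone helpers that mirror two O365 API source settings
// discussed above. Function names are illustrative assumptions, not Cribl's API.
// 1. Resolve relative-time expressions such as "-3h@h" (3 hours ago, snapped
//    down to the hour) to see the exact Message Trace window a poll requests.
// 2. Expand a cron step (*/N minutes) into the minutes it fires on, to show
//    why intervals that do not divide 60 give uneven polling gaps.

const UNIT_MS = { s: 1000, m: 60000, h: 3600000, d: 86400000 };

// Snap a Date down to the start of the given unit, in UTC.
function snapDown(date, unit) {
  const d = new Date(date.getTime());
  if (unit === "d") d.setUTCHours(0, 0, 0, 0);
  else if (unit === "h") d.setUTCMinutes(0, 0, 0);
  else if (unit === "m") d.setUTCSeconds(0, 0);
  else if (unit === "s") d.setUTCMilliseconds(0);
  else throw new Error(`unknown snap unit: ${unit}`);
  return d;
}

// Resolve "-3h@h", "-15m", "now", or "" (treated as now) relative to `now`.
// Returns a Date; throws on syntax it does not understand.
function resolveRelativeTime(expr, now) {
  const e = (expr || "").trim();
  if (e === "" || e === "now") return new Date(now.getTime());
  const m = /^(?:now)?([+-]\d+)([smhd])(?:@([smhd]))?$/.exec(e);
  if (!m) throw new Error(`unsupported relative time: ${expr}`);
  const shifted = new Date(now.getTime() + Number(m[1]) * UNIT_MS[m[2]]);
  return m[3] ? snapDown(shifted, m[3]) : shifted;
}

// The Message Trace window the text recommends: start -3h@h, end -2h@h.
function messageTraceWindow(now, start = "-3h@h", end = "-2h@h") {
  const s = resolveRelativeTime(start, now);
  const e = resolveRelativeTime(end, now);
  if (e.getTime() <= s.getTime()) throw new Error("end must be after start");
  return { start: s.toISOString(), end: e.toISOString(), minutes: (e.getTime() - s.getTime()) / UNIT_MS.m };
}

// Minutes within the hour on which a "*/N" minute step fires (60 = once an hour).
// Cron steps restart at each hour, so only divisors of 60 give even spacing.
function cronStepMinutes(n) {
  if (!Number.isInteger(n) || n < 1 || n > 60) throw new Error("interval must be 1..60 minutes");
  const mins = [];
  for (let m = 0; m < 60; m += n) mins.push(m);
  return mins;
}

// Gaps in minutes between consecutive firings, including the wrap to the next hour.
function cronStepGaps(n) {
  const mins = cronStepMinutes(n);
  return mins.map((m, i) => (i + 1 < mins.length ? mins[i + 1] : 60 + mins[0]) - m);
}

// True only when every gap is equal, i.e. when N divides 60 evenly.
function isEvenPollingInterval(n) {
  const gaps = cronStepGaps(n);
  return gaps.every(g => g === gaps[0]);
}

// Usage with a constructed clock value so the output is reproducible.
const now = new Date("2024-05-01T10:17:45Z");
console.log(messageTraceWindow(now));                 // 07:00 to 08:00 UTC, 60 minutes
console.log(cronStepGaps(23), isEvenPollingInterval(23)); // [23, 23, 14] false
console.log(cronStepGaps(45), isEvenPollingInterval(45)); // [45, 15] false
```

The `minutes` value in the window result is worth checking in any automation: with both offsets snapped to the hour it is always 60, so consecutive hourly polls tile the timeline with no gap and no overlap, which is the property the offsets are there to guarantee.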
Documentation & Reference Links