Rubrik Threat Monitoring

Back


Id	0083cbc4-776e-42ca-8694-6950fd605df9
Rulename	Rubrik Threat Monitoring
Description	Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Severity	Medium
Tactics	Persistence
Techniques	T1546
Required data connectors	RubrikSecurityCloudAzureFunctions
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version	1.0.0
Arm template	0083cbc4-776e-42ca-8694-6950fd605df9.json

KQL

Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

YAML

tactics:
- Persistence
relevantTechniques:
- T1546
triggerOperator: gt
name: Rubrik Threat Monitoring
id: 0083cbc4-776e-42ca-8694-6950fd605df9
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    enabled: true
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByCustomDetails:
    - ObjectName
    - ObjectId
  createIncident: true
queryFrequency: 10m
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
queryPeriod: 10m
triggerThreshold: 0
customDetails:
  ObjectId: custom_details_objectId_g
  Url: custom_details_url_s
  Summary: summary_s
  ObjectType: custom_details_objectType_s
  ObjectName: custom_details_objectName_s
  ClusterIdentifier: custom_details_clusterId_g
  EventName: custom_details_eventName_s
kind: Scheduled
version: 1.0.0
requiredDataConnectors:
- dataTypes:
  - RubrikEventsData
  connectorId: RubrikSecurityCloudAzureFunctions

ARM