Rubrik Threat Monitoring

Back


Id	0083cbc4-776e-42ca-8694-6950fd605df9
Rulename	Rubrik Threat Monitoring
Description	Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Severity	Medium
Tactics	Persistence
Techniques	T1546
Required data connectors	RubrikSecurityCloudAzureFunctions
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version	1.0.0
Arm template	0083cbc4-776e-42ca-8694-6950fd605df9.json

KQL

Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

YAML

customDetails:
  ObjectId: custom_details_objectId_g
  ObjectType: custom_details_objectType_s
  EventName: custom_details_eventName_s
  Url: custom_details_url_s
  Summary: summary_s
  ClusterIdentifier: custom_details_clusterId_g
  ObjectName: custom_details_objectName_s
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
requiredDataConnectors:
- dataTypes:
  - RubrikEventsData
  connectorId: RubrikSecurityCloudAzureFunctions
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    enabled: true
    matchingMethod: Selected
    lookbackDuration: P7D
    reopenClosedIncident: false
  createIncident: true
relevantTechniques:
- T1546
kind: Scheduled
name: Rubrik Threat Monitoring
tactics:
- Persistence
severity: Medium
queryFrequency: 10m
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
queryPeriod: 10m
version: 1.0.0
id: 0083cbc4-776e-42ca-8694-6950fd605df9

ARM