Rubrik Threat Monitoring

Back


Id	0083cbc4-776e-42ca-8694-6950fd605df9
Rulename	Rubrik Threat Monitoring
Description	Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Severity	Medium
Tactics	Persistence
Techniques	T1546
Required data connectors	RubrikSecurityCloudAzureFunctions
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version	1.0.0
Arm template	0083cbc4-776e-42ca-8694-6950fd605df9.json

KQL

Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

YAML

name: Rubrik Threat Monitoring
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
version: 1.0.0
triggerThreshold: 0
id: 0083cbc4-776e-42ca-8694-6950fd605df9
triggerOperator: gt
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
kind: Scheduled
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    enabled: true
    reopenClosedIncident: false
    matchingMethod: Selected
    lookbackDuration: P7D
queryPeriod: 10m
requiredDataConnectors:
- dataTypes:
  - RubrikEventsData
  connectorId: RubrikSecurityCloudAzureFunctions
status: Available
customDetails:
  EventName: custom_details_eventName_s
  ObjectId: custom_details_objectId_g
  ClusterIdentifier: custom_details_clusterId_g
  ObjectName: custom_details_objectName_s
  Url: custom_details_url_s
  Summary: summary_s
  ObjectType: custom_details_objectType_s
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1546
tactics:
- Persistence

ARM