Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Rubrik Threat Monitoring

Rubrik Threat Monitoring

Back
Id0083cbc4-776e-42ca-8694-6950fd605df9
RulenameRubrik Threat Monitoring
DescriptionRubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsRubrikSecurityCloudAzureFunctions
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version1.0.0
Arm template0083cbc4-776e-42ca-8694-6950fd605df9.json
Deploy To Azure
Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

tactics:
- Persistence
name: Rubrik Threat Monitoring
id: 0083cbc4-776e-42ca-8694-6950fd605df9
requiredDataConnectors:
- connectorId: RubrikSecurityCloudAzureFunctions
  dataTypes:
  - RubrikEventsData
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1546
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    matchingMethod: Selected
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    reopenClosedIncident: false
    lookbackDuration: P7D
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
triggerOperator: gt
queryPeriod: 10m
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
triggerThreshold: 0
queryFrequency: 10m
kind: Scheduled
status: Available
customDetails:
  Url: custom_details_url_s
  ObjectType: custom_details_objectType_s
  EventName: custom_details_eventName_s
  ClusterIdentifier: custom_details_clusterId_g
  ObjectName: custom_details_objectName_s
  ObjectId: custom_details_objectId_g
  Summary: summary_s

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}"
        },
        "alertRuleTemplateName": "0083cbc4-776e-42ca-8694-6950fd605df9",
        "customDetails": {
          "ClusterIdentifier": "custom_details_clusterId_g",
          "EventName": "custom_details_eventName_s",
          "ObjectId": "custom_details_objectId_g",
          "ObjectName": "custom_details_objectName_s",
          "ObjectType": "custom_details_objectType_s",
          "Summary": "summary_s",
          "Url": "custom_details_url_s"
        },
        "description": "'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'\n",
        "displayName": "Rubrik Threat Monitoring",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByCustomDetails": [
              "ObjectName",
              "ObjectId"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml",
        "query": "Rubrik_Events_Data_CL\n| where custom_details_eventName_s endswith \"AnalysisMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringHashCatalogAnalysisFailed\" or custom_details_eventName_s contains \"ThreatMonitoringHashMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringYaraMatchesFound\"\n| extend hashMatchCount = toint(extract(\"Found ([0-9]+) hash matches\",1, summary_s)),    yaraMatchCount = toint(extract(\"Found ([0-9]+) YARA rule matches\", 1, summary_s)),    fileHashMatchCount = toint(extract(\"Found file hash matches for ([0-9]+) files\", 1, summary_s))\n| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)\n| where count_ > 0\n| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}