Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Rubrik Threat Monitoring

Rubrik Threat Monitoring

Back
Id0083cbc4-776e-42ca-8694-6950fd605df9
RulenameRubrik Threat Monitoring
DescriptionRubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsRubrikSecurityCloudAzureFunctions
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version1.0.0
Arm template0083cbc4-776e-42ca-8694-6950fd605df9.json
Deploy To Azure
Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
requiredDataConnectors:
- connectorId: RubrikSecurityCloudAzureFunctions
  dataTypes:
  - RubrikEventsData
tactics:
- Persistence
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
id: 0083cbc4-776e-42ca-8694-6950fd605df9
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  Summary: summary_s
  Url: custom_details_url_s
  ClusterIdentifier: custom_details_clusterId_g
  ObjectName: custom_details_objectName_s
  ObjectId: custom_details_objectId_g
  EventName: custom_details_eventName_s
  ObjectType: custom_details_objectType_s
queryFrequency: 10m
severity: Medium
name: Rubrik Threat Monitoring
queryPeriod: 10m
relevantTechniques:
- T1546
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: P7D
    enabled: true
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    matchingMethod: Selected

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}"
        },
        "alertRuleTemplateName": "0083cbc4-776e-42ca-8694-6950fd605df9",
        "customDetails": {
          "ClusterIdentifier": "custom_details_clusterId_g",
          "EventName": "custom_details_eventName_s",
          "ObjectId": "custom_details_objectId_g",
          "ObjectName": "custom_details_objectName_s",
          "ObjectType": "custom_details_objectType_s",
          "Summary": "summary_s",
          "Url": "custom_details_url_s"
        },
        "description": "'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'\n",
        "displayName": "Rubrik Threat Monitoring",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByCustomDetails": [
              "ObjectName",
              "ObjectId"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml",
        "query": "Rubrik_Events_Data_CL\n| where custom_details_eventName_s endswith \"AnalysisMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringHashCatalogAnalysisFailed\" or custom_details_eventName_s contains \"ThreatMonitoringHashMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringYaraMatchesFound\"\n| extend hashMatchCount = toint(extract(\"Found ([0-9]+) hash matches\",1, summary_s)),    yaraMatchCount = toint(extract(\"Found ([0-9]+) YARA rule matches\", 1, summary_s)),    fileHashMatchCount = toint(extract(\"Found file hash matches for ([0-9]+) files\", 1, summary_s))\n| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)\n| where count_ > 0\n| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}