Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Rubrik Threat Monitoring

Rubrik Threat Monitoring

Back
Id0083cbc4-776e-42ca-8694-6950fd605df9
RulenameRubrik Threat Monitoring
DescriptionRubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsRubrikSecurityCloudAzureFunctions
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version1.0.0
Arm template0083cbc4-776e-42ca-8694-6950fd605df9.json
Deploy To Azure
Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

version: 1.0.0
severity: Medium
relevantTechniques:
- T1546
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
requiredDataConnectors:
- dataTypes:
  - RubrikEventsData
  connectorId: RubrikSecurityCloudAzureFunctions
queryFrequency: 10m
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P7D
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    matchingMethod: Selected
  createIncident: true
id: 0083cbc4-776e-42ca-8694-6950fd605df9
status: Available
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
name: Rubrik Threat Monitoring
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
queryPeriod: 10m
tactics:
- Persistence
kind: Scheduled
customDetails:
  ClusterIdentifier: custom_details_clusterId_g
  ObjectId: custom_details_objectId_g
  EventName: custom_details_eventName_s
  ObjectName: custom_details_objectName_s
  Summary: summary_s
  ObjectType: custom_details_objectType_s
  Url: custom_details_url_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml