Microsoft Sentinel Analytic Rules

Rubrik Threat Monitoring

Id: 0083cbc4-776e-42ca-8694-6950fd605df9
Rulename: Rubrik Threat Monitoring
Description: Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Severity: Medium
Tactics: Persistence
Techniques: T1546
Required data connectors: RubrikSecurityCloudAzureFunctions
Kind: Scheduled
Query frequency: 10m
Query period: 10m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version: 1.0.0
Arm template: 0083cbc4-776e-42ca-8694-6950fd605df9.json
// Rubrik Threat Monitoring: select hash / YARA match events from the Rubrik custom log table
// and keep the latest record per (eventname, object id, match count).
Rubrik_Events_Data_CL
// Keep only threat-monitoring result events. `contains` is a substring match, so any event
// name that embeds one of these strings passes this filter.
// NOTE(review): confirm the exact event names the connector emits before tightening to `==`.
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
// Parse the numeric match count out of the free-text summary; a pattern that does not match
// leaves its column null after toint().
// NOTE(review): the count depends on the summary wording; if that wording changes, every
// count becomes null and the rule stops alerting without any error.
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
// count_ is the first non-null of the three counts. eventname is cut from offset 16 with
// length strlen - 28, which fits a name shaped "ThreatMonitoring" (16 chars) + <kind> +
// "MatchesFound" (12 chars); presumably any other prefix or suffix yields a truncated label.
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
// Rows with a null or zero count_ are dropped here.
// NOTE(review): this presumably also drops ThreatMonitoringHashCatalogAnalysisFailed events
// unless their summary carries a match count, so a failed analysis would not alert - confirm
// whether failures need their own rule.
| where count_ > 0
// One row per event kind, object id and count, carrying every column of the latest record
// so the alert title and custom details can reference them.
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_
# Scheduled Microsoft Sentinel analytic rule template: raises an alert for each Rubrik
# threat-monitoring match row returned by the query below.
status: Available
# NOTE(review): the query only selects hash / YARA match events; confirm that T1546 and the
# Persistence tactic are the intended ATT&CK mapping for those matches.
relevantTechniques:
- T1546
# Literal block scalar: the surrounding single quotes are part of the description text.
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
# queryPeriod equals queryFrequency (both 10m), so each run covers only the most recent
# 10 minutes and consecutive runs do not overlap.
# NOTE(review): records that reach the workspace late may never be evaluated - confirm the
# connector's ingestion latency fits inside this window.
queryPeriod: 10m
kind: Scheduled
# Alert title template. The {{...}} placeholders name columns of the query output; count_ and
# eventname are created by the query's extend step.
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
# Detection query. It parses a match count from summary_s and keeps only rows with count_ > 0.
# NOTE(review): the first filter also selects ThreatMonitoringHashCatalogAnalysisFailed, but
# such rows presumably carry no match count and are then dropped - confirm that is intended.
# NOTE(review): eventname is cut with fixed offsets (16, strlen - 28) that fit names shaped
# "ThreatMonitoring<kind>MatchesFound"; verify against the event names the connector emits.
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
version: 1.0.0
id: 0083cbc4-776e-42ca-8694-6950fd605df9
# Every alert creates an incident. Alerts whose ObjectName and ObjectId custom details match
# are grouped into the same incident within a 7-day lookback (P7D); a closed incident is not
# reopened by a later match.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P7D
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
tactics:
- Persistence
# One alert per query result row rather than one alert per rule run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
# The rule reads the RubrikEventsData data type of the RubrikSecurityCloudAzureFunctions connector.
requiredDataConnectors:
- dataTypes:
  - RubrikEventsData
  connectorId: RubrikSecurityCloudAzureFunctions
name: Rubrik Threat Monitoring
severity: Medium
# Query columns surfaced as alert custom details. ObjectName and ObjectId are the keys used by
# groupByCustomDetails above. This template defines no entityMappings, so analysts get these
# custom details but no mapped entities on the alert.
customDetails:
  ObjectName: custom_details_objectName_s
  ObjectType: custom_details_objectType_s
  ClusterIdentifier: custom_details_clusterId_g
  Url: custom_details_url_s
  EventName: custom_details_eventName_s
  ObjectId: custom_details_objectId_g
  Summary: summary_s
# The rule fires when the query returns more than 0 rows.
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}"
        },
        "alertRuleTemplateName": "0083cbc4-776e-42ca-8694-6950fd605df9",
        "customDetails": {
          "ClusterIdentifier": "custom_details_clusterId_g",
          "EventName": "custom_details_eventName_s",
          "ObjectId": "custom_details_objectId_g",
          "ObjectName": "custom_details_objectName_s",
          "ObjectType": "custom_details_objectType_s",
          "Summary": "summary_s",
          "Url": "custom_details_url_s"
        },
        "description": "'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'\n",
        "displayName": "Rubrik Threat Monitoring",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByCustomDetails": [
              "ObjectName",
              "ObjectId"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml",
        "query": "Rubrik_Events_Data_CL\n| where custom_details_eventName_s endswith \"AnalysisMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringHashCatalogAnalysisFailed\" or custom_details_eventName_s contains \"ThreatMonitoringHashMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringYaraMatchesFound\"\n| extend hashMatchCount = toint(extract(\"Found ([0-9]+) hash matches\",1, summary_s)),    yaraMatchCount = toint(extract(\"Found ([0-9]+) YARA rule matches\", 1, summary_s)),    fileHashMatchCount = toint(extract(\"Found file hash matches for ([0-9]+) files\", 1, summary_s))\n| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)\n| where count_ > 0\n| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}