Rubrik Threat Monitoring

Back


Id	0083cbc4-776e-42ca-8694-6950fd605df9
Rulename	Rubrik Threat Monitoring
Description	Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Severity	Medium
Tactics	Persistence
Techniques	T1546
Required data connectors	RubrikSecurityCloudAzureFunctions
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version	1.0.0
Arm template	0083cbc4-776e-42ca-8694-6950fd605df9.json

KQL

Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

YAML

alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
relevantTechniques:
- T1546
name: Rubrik Threat Monitoring
queryFrequency: 10m
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- connectorId: RubrikSecurityCloudAzureFunctions
  dataTypes:
  - RubrikEventsData
tactics:
- Persistence
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
kind: Scheduled
queryPeriod: 10m
triggerOperator: gt
customDetails:
  ObjectName: custom_details_objectName_s
  ClusterIdentifier: custom_details_clusterId_g
  ObjectId: custom_details_objectId_g
  EventName: custom_details_eventName_s
  ObjectType: custom_details_objectType_s
  Url: custom_details_url_s
  Summary: summary_s
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: Selected
    enabled: true
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    lookbackDuration: P7D
    reopenClosedIncident: false
  createIncident: true
id: 0083cbc4-776e-42ca-8694-6950fd605df9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
status: Available
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'

ARM