Rubrik Threat Monitoring

Back


Id	0083cbc4-776e-42ca-8694-6950fd605df9
Rulename	Rubrik Threat Monitoring
Description	Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Severity	Medium
Tactics	Persistence
Techniques	T1546
Required data connectors	RubrikSecurityCloudAzureFunctions
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version	1.0.0
Arm template	0083cbc4-776e-42ca-8694-6950fd605df9.json

KQL

Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

YAML

queryPeriod: 10m
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
name: Rubrik Threat Monitoring
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: RubrikSecurityCloudAzureFunctions
  dataTypes:
  - RubrikEventsData
triggerOperator: gt
triggerThreshold: 0
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    lookbackDuration: P7D
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    enabled: true
  createIncident: true
customDetails:
  Summary: summary_s
  Url: custom_details_url_s
  EventName: custom_details_eventName_s
  ObjectId: custom_details_objectId_g
  ObjectName: custom_details_objectName_s
  ClusterIdentifier: custom_details_clusterId_g
  ObjectType: custom_details_objectType_s
tactics:
- Persistence
id: 0083cbc4-776e-42ca-8694-6950fd605df9
relevantTechniques:
- T1546

ARM