Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Rubrik Threat Monitoring

Rubrik Threat Monitoring

Back
Id0083cbc4-776e-42ca-8694-6950fd605df9
RulenameRubrik Threat Monitoring
DescriptionRubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsRubrikSecurityCloudAzureFunctions
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
Version1.0.0
Arm template0083cbc4-776e-42ca-8694-6950fd605df9.json
Deploy To Azure
Rubrik_Events_Data_CL
| where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
| extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
| where count_ > 0
| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_

kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}
description: |
    'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'
severity: Medium
queryFrequency: 10m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: P7D
    matchingMethod: Selected
    groupByCustomDetails:
    - ObjectName
    - ObjectId
    enabled: true
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1546
status: Available
customDetails:
  Summary: summary_s
  ObjectId: custom_details_objectId_g
  ObjectName: custom_details_objectName_s
  Url: custom_details_url_s
  EventName: custom_details_eventName_s
  ObjectType: custom_details_objectType_s
  ClusterIdentifier: custom_details_clusterId_g
version: 1.0.0
name: Rubrik Threat Monitoring
id: 0083cbc4-776e-42ca-8694-6950fd605df9
query: |
  Rubrik_Events_Data_CL
  | where custom_details_eventName_s endswith "AnalysisMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringHashCatalogAnalysisFailed" or custom_details_eventName_s contains "ThreatMonitoringHashMatchesFound" or custom_details_eventName_s contains "ThreatMonitoringYaraMatchesFound"
  | extend hashMatchCount = toint(extract("Found ([0-9]+) hash matches",1, summary_s)),    yaraMatchCount = toint(extract("Found ([0-9]+) YARA rule matches", 1, summary_s)),    fileHashMatchCount = toint(extract("Found file hash matches for ([0-9]+) files", 1, summary_s))
  | extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)
  | where count_ > 0
  | summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_  
requiredDataConnectors:
- dataTypes:
  - RubrikEventsData
  connectorId: RubrikSecurityCloudAzureFunctions
tactics:
- Persistence
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml
queryPeriod: 10m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0083cbc4-776e-42ca-8694-6950fd605df9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}"
        },
        "alertRuleTemplateName": "0083cbc4-776e-42ca-8694-6950fd605df9",
        "customDetails": {
          "ClusterIdentifier": "custom_details_clusterId_g",
          "EventName": "custom_details_eventName_s",
          "ObjectId": "custom_details_objectId_g",
          "ObjectName": "custom_details_objectName_s",
          "ObjectType": "custom_details_objectType_s",
          "Summary": "summary_s",
          "Url": "custom_details_url_s"
        },
        "description": "'Rubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.'\n",
        "displayName": "Rubrik Threat Monitoring",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByCustomDetails": [
              "ObjectName",
              "ObjectId"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikThreatMonitoring.yaml",
        "query": "Rubrik_Events_Data_CL\n| where custom_details_eventName_s endswith \"AnalysisMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringHashCatalogAnalysisFailed\" or custom_details_eventName_s contains \"ThreatMonitoringHashMatchesFound\" or custom_details_eventName_s contains \"ThreatMonitoringYaraMatchesFound\"\n| extend hashMatchCount = toint(extract(\"Found ([0-9]+) hash matches\",1, summary_s)),    yaraMatchCount = toint(extract(\"Found ([0-9]+) YARA rule matches\", 1, summary_s)),    fileHashMatchCount = toint(extract(\"Found file hash matches for ([0-9]+) files\", 1, summary_s))\n| extend count_ = coalesce(hashMatchCount,yaraMatchCount, fileHashMatchCount), eventname = substring(custom_details_eventName_s,16, strlen(custom_details_eventName_s) - 28)\n| where count_ > 0\n| summarize arg_max(TimeGenerated,*) by eventname, custom_details_objectId_g, count_\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}