Rubrik Critical Anomaly

Back


Id	54c70d21-696f-4f03-9238-9d7118d079fe
Rulename	Rubrik Critical Anomaly
Description	Rubrik Critical Anomaly rule matches Severity and if Critical severity found then generate the incident for each object.
Severity	Medium
Tactics	Persistence
Techniques	T1546
Required data connectors	RubrikSecurityCloudAzureFunctions
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikCriticalAnomaly.yaml
Version	1.0.0
Arm template	54c70d21-696f-4f03-9238-9d7118d079fe.json

KQL

Rubrik_Anomaly_Data_CL
| where severity_s == "critical"

YAML

kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Rubrik Critical Anomaly rule matches Severity and if Critical severity found then generate the incident for each object.'
severity: Medium
queryFrequency: 10m
customDetails:
  ObjectId: custom_details_objectId_g
  ObjectName: custom_details_objectName_s
  ObjectType: custom_details_objectType_s
  ClusterName: custom_details_clusterName_s
  ClusterIdentifier: custom_details_clusterId_g
triggerThreshold: 0
relevantTechniques:
- T1546
status: Available
version: 1.0.0
name: Rubrik Critical Anomaly
id: 54c70d21-696f-4f03-9238-9d7118d079fe
query: |
  Rubrik_Anomaly_Data_CL
  | where severity_s == "critical"  
requiredDataConnectors:
- dataTypes:
  - RubrikAnomalyData
  connectorId: RubrikSecurityCloudAzureFunctions
tactics:
- Persistence
incidentConfiguration:
  createIncident: true
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikCriticalAnomaly.yaml
queryPeriod: 10m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54c70d21-696f-4f03-9238-9d7118d079fe')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54c70d21-696f-4f03-9238-9d7118d079fe')]",
      "properties": {
        "alertRuleTemplateName": "54c70d21-696f-4f03-9238-9d7118d079fe",
        "customDetails": {
          "ClusterIdentifier": "custom_details_clusterId_g",
          "ClusterName": "custom_details_clusterName_s",
          "ObjectId": "custom_details_objectId_g",
          "ObjectName": "custom_details_objectName_s",
          "ObjectType": "custom_details_objectType_s"
        },
        "description": "'Rubrik Critical Anomaly rule matches Severity and if Critical severity found then generate the incident for each object.'\n",
        "displayName": "Rubrik Critical Anomaly",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikCriticalAnomaly.yaml",
        "query": "Rubrik_Anomaly_Data_CL\n| where severity_s == \"critical\"\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}