
Rubrik Critical Anomaly

Id54c70d21-696f-4f03-9238-9d7118d079fe
RulenameRubrik Critical Anomaly
DescriptionThe Rubrik Critical Anomaly rule matches on severity and, when a critical severity is found, generates an incident for each object.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsRubrikSecurityCloudAzureFunctions
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikCriticalAnomaly.yaml
Version1.0.0
Arm template54c70d21-696f-4f03-9238-9d7118d079fe.json
// Rubrik anomaly records at "critical" severity; with AlertPerResult grouping each
// returned row becomes its own alert.
// `==` is case-sensitive in KQL: a value such as "Critical" would not match.
Rubrik_Anomaly_Data_CL | where severity_s == 'critical'
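# Microsoft Sentinel scheduled analytic rule template (Azure-Sentinel repo layout).
# Keys are written in the conventional template order; mapping order carries no
# semantics, so the parsed rule is unchanged. Trailing whitespace inside the `query`
# block scalar has been removed — inside `|` it would otherwise become part of the
# KQL text that is deployed.
id: 54c70d21-696f-4f03-9238-9d7118d079fe
name: Rubrik Critical Anomaly
# The surrounding single quotes are part of the value (they show up in the rendered
# ARM template's description); kept exactly as upstream wrote it.
description: |
    'Rubrik Critical Anomaly rule matches Severity and if Critical severity found then generate the incident for each object.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: RubrikSecurityCloudAzureFunctions
  dataTypes:
  - RubrikAnomalyData
# Look-back window equals the run interval, so consecutive runs do not overlap;
# a record ingested more than 10m after it was generated may not be evaluated.
queryFrequency: 10m
queryPeriod: 10m
# Any non-empty result fires; with AlertPerResult each row becomes its own alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1546
# `==` is case-sensitive in KQL: only rows whose severity_s is exactly "critical"
# match. NOTE(review): confirm the connector emits lowercase severity values.
query: |
  Rubrik_Anomaly_Data_CL
  | where severity_s == "critical"
# No entityMappings are defined, so incidents carry no entities for the
# investigation graph; object and cluster context is surfaced only through
# customDetails below.
customDetails:
  ObjectName: custom_details_objectName_s
  ObjectType: custom_details_objectType_s
  ObjectId: custom_details_objectId_g
  ClusterName: custom_details_clusterName_s
  ClusterIdentifier: custom_details_clusterId_g
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikCriticalAnomaly.yaml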
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54c70d21-696f-4f03-9238-9d7118d079fe')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54c70d21-696f-4f03-9238-9d7118d079fe')]",
      "properties": {
        "alertRuleTemplateName": "54c70d21-696f-4f03-9238-9d7118d079fe",
        "customDetails": {
          "ClusterIdentifier": "custom_details_clusterId_g",
          "ClusterName": "custom_details_clusterName_s",
          "ObjectId": "custom_details_objectId_g",
          "ObjectName": "custom_details_objectName_s",
          "ObjectType": "custom_details_objectType_s"
        },
        "description": "'Rubrik Critical Anomaly rule matches Severity and if Critical severity found then generate the incident for each object.'\n",
        "displayName": "Rubrik Critical Anomaly",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Analytic Rules/RubrikCriticalAnomaly.yaml",
        "query": "Rubrik_Anomaly_Data_CL\n| where severity_s == \"critical\"\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}