Rubrik Security Cloud Protection Status (using Codeless Connector Framework)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Connectors Index

Attribute Value
Connector ID RubrikProtectionStatus
Publisher Rubrik, Inc
Used in Solutions RubrikSecurityCloud
Collection Method CCF
Connector Definition Files RubrikSecurityCloud_ConnectorDefinition.json
CCF Configuration RubrikSecurityCloud_PollerConfig.json
CCF Capabilities OAuth2, POST

The Rubrik Security Cloud Protection Status data connector allows you to ingest protection and compliance status information from RSC into Microsoft Sentinel.

Tables Ingested

This connector ingests data into the following tables:

Table Transformations Ingestion API Lake-Only
RubrikProtectionStatus_CL ? ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions: - Workspace (Workspace): read and write permissions on the workspace are required.

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

1. Enter Rubrik Security Cloud Credentials

Provide your RSC API credentials to enable data collection. Configuration Steps:

  1. RSC URL - Your organization's RSC URL (e.g., https://your-org.my.rubrik.com)
  2. Client ID - Service account client ID from RSC (format: client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
  3. Client Secret - Service account client secret from RSC

To create a service account in RSC: - Go to RSC → Settings → Access Management → Service Accounts - Create new service account with appropriate API permissions - Note the Client ID and Client Secret - RSC URL: https://your-org.my.rubrik.com - Client ID: client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - Client Secret: (password field)

2. Connect to Rubrik Security Cloud

Click Connect to start data ingestion. - Click 'Connect' to establish connection

Additional Documentation

📄 Source: RubrikSecurityCloud\Data Connectors\RubrikSecurityCloud_CCF\README.md

Rubrik Security Cloud Backup Status Connector for Microsoft Sentinel

A production-ready Microsoft Sentinel data connector that integrates Rubrik Security Cloud (RSC) backup and compliance data with security events, enabling security teams to correlate backup health with security incidents and detect ransomware indicators through backup anomalies.

🎯 Overview

The Rubrik Security Cloud Backup Status connector is built using Microsoft's Codeless Connector Framework (CCF) and collects comprehensive backup and compliance data for Azure VMs from RSC's GraphQL API, ingesting 49 attributes per VM including compliance status, snapshot counts, storage metrics, SLA assignments, and data reduction statistics into the RubrikProtectionStatus_CL table in Microsoft Sentinel. This enables security teams to correlate backup health with Sentinel security alerts and incidents through correlation queries that join security events with backup status based on asset identifiers, allowing them to identify potential ransomware indicators through backup anomalies such as sudden compliance failures, missing snapshots, unusual storage consumption patterns, or failed backup jobs that coincide with suspicious security events. By automatically correlating backup telemetry with security data, analysts can quickly determine if a compromised asset has recent, clean backups available for recovery, assess the blast radius of an attack, and detect sophisticated attack patterns that specifically target backup infrastructure to prevent recovery.

✨ Key Features

Data Collection

Security Correlation

Built on Microsoft CCF

📋 Prerequisites

Rubrik Security Cloud

Microsoft Azure

🚀 Quick Start

1. Create RSC Service Account

  1. Navigate to RSC Console: https://your-org.my.rubrik.com
  2. Go to Settings → Users & Roles → Service Accounts
  3. Click Add Service Account
  4. Configure: - Name: Sentinel-Backup-Monitor - Role: Read-Only Admin or Viewer
  5. Download the JSON credentials file
  6. Note the client_id and client_secret values

2. Deploy the Connector

Option A: Azure Portal (Recommended for Production)

  1. Navigate to Microsoft Sentinel → Data connectors
  2. Search for "Rubrik Security Cloud Backup Status"
  3. Click Open connector page
  4. Fill in the configuration: - RSC URL: https://your-org.my.rubrik.com - Client ID: From service account credentials - Client Secret: From service account credentials
  5. Click Connect

Option B: PowerShell Deployment (For Testing/POC)

# Clean up any existing deployment
pwsh -File cleanup-rsc-connector.ps1

# Deploy the connector
New-AzResourceGroupDeployment `
    -ResourceGroupName 'your-resource-group' `
    -TemplateFile 'rsc-complete-arm-template.json' `
    -workspace 'your-workspace-name' `
    -workspace-location 'West US 2' `
    -RSCUrl 'https://your-org.my.rubrik.com' `
    -ClientId 'client|your-client-id' `
    -ClientSecret 'your-client-secret' `
    -Verbose

3. Verify Data Ingestion

Wait 5-10 minutes for initial data collection, then run:

RubrikProtectionStatus_CL
| where TimeGenerated > ago(1h)
| take 10

📊 Data Schema

The connector creates the RubrikProtectionStatus_CL custom table with 52 columns:

Category Fields
Identity AssetId, AssetName, ObjectType, ObjectState, Fid, OrgId, OrgName
Protection ProtectionStatus, ComplianceStatus, ArchivalComplianceStatus, ReplicationComplianceStatus
Snapshots LastSnapshot, LatestArchivalSnapshot, LatestReplicationSnapshot, TotalSnapshots, LocalSnapshots, ArchiveSnapshots, ReplicaSnapshots, MissedSnapshots
Storage LocalStorage, ArchiveStorage, ReplicaStorage, LogicalBytes, PhysicalBytes, UsedBytes, TransferredBytes
Efficiency DataReduction, LogicalDataReduction, LocalEffectiveStorage
SLA/Cluster SlaDomainName, ClusterName, Location, WorkloadOrgName
Timestamps TimeGenerated, ProtectedOn, PullTime, LastSnapshot

See RSC-README.md for complete schema documentation.

🔍 Sample Queries

Basic Compliance Monitoring

RubrikProtectionStatus_CL
| where ComplianceStatus != "IN_COMPLIANCE"
| summarize count() by SlaDomainName, ComplianceStatus
| order by count_ desc

Security Alert Correlation

SecurityAlert
| where TimeGenerated > ago(7d)
| extend HostEntities = parse_json(Entities)
| mv-expand Entity = HostEntities
| where Entity.Type == "host"
| extend HostName = tostring(Entity.HostName)
| join kind=leftouter (
    RubrikProtectionStatus_CL
    | where TimeGenerated > ago(1d)
    | summarize arg_max(TimeGenerated, *) by AssetName
) on $left.HostName == $right.AssetName
| where isnotempty(ComplianceStatus)
| project 
    AlertTime = TimeGenerated,
    AlertName,
    AlertSeverity,
    HostName,
    ComplianceStatus,
    LastSnapshot,
    MissedSnapshots

Ransomware Risk Assessment

SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity in ("High", "Medium")
| extend HostName = tostring(parse_json(Entities)[0].HostName)
| join kind=inner (
    RubrikProtectionStatus_CL
    | where ComplianceStatus != "IN_COMPLIANCE" or MissedSnapshots > 3
) on $left.HostName == $right.AssetName
| project 
    AlertTime = TimeGenerated,
    AlertName,
    HostName,
    ComplianceStatus,
    MissedSnapshots,
    LastSnapshot,
    RiskLevel = "CRITICAL - Compromised asset with backup issues"

📁 Repository Structure

├── rsc-complete-arm-template.json          # Complete POC ARM template (recommended for testing)
├── rsc-ccf-solution-proper.json            # Production Solution template (for Sentinel UI)
├── cleanup-rsc-connector.ps1               # Cleanup script for redeployment
├── RSC-README.md                           # Detailed RSC connector documentation
├── RSC-TESTING-GUIDE.md                    # Testing and validation guide
├── DEPLOYMENT-GUIDE.md                     # Step-by-step deployment instructions
│
├── KQL Queries
│   ├── security-alerts-with-rubrik-correlation.kql    # Security alert correlation
│   ├── incident-backup-correlation-queries.kql        # Incident correlation queries
│   ├── hunting-queries-security-backup.kql            # Threat hunting queries
│   ├── analytics-rules-security-backup.kql            # Detection rules
│   ├── workbook-security-backup-dashboard.kql         # Workbook visualizations
│   └── rsc-sample-queries.kql                         # Basic RSC queries
│
├── PowerShell Scripts
│   ├── deploy-rsc-ccf-solution.ps1        # Deploy Solution template
│   ├── test-rsc-api.ps1                   # Test RSC API connectivity
│   ├── verify-deployment.ps1              # Verify deployment status
│   └── get-workspace-info.ps1             # Get workspace configuration
│
└── Additional Templates
    ├── rsc-data-collection-rule.json      # Standalone DCR template
    ├── rsc-table-schema.json              # Table schema definition
    └── sentinel-incidents-connector-template.json  # Incidents connector

🔧 Configuration

Polling Interval

The connector polls RSC every 5 minutes by default. To customize:

  1. Edit the ARM template
  2. Modify queryWindowInMin parameter in the connector configuration
  3. Recommended range: 5-60 minutes depending on environment size

Rate Limiting

Data Retention

🛠️ Troubleshooting

Common Issues

1. Connector Shows "Disconnected"

// Check last data ingestion
RubrikProtectionStatus_CL
| summarize LastData = max(TimeGenerated)
| extend MinutesAgo = datetime_diff('minute', now(), LastData)

Solution: Verify RSC credentials, check DCR health, review Azure Activity Log

2. OAuth Authentication Failures

Error: 401 Unauthorized Solution: - Verify client ID and secret are correct - Check service account is active in RSC - Ensure service account has read permissions

3. No Data After Deployment

Checklist: - ✅ Wait 5-10 minutes for initial poll - ✅ Verify RSC URL is correct (include https://) - ✅ Check Data Collection Rule is active - ✅ Review connector health in Sentinel UI - ✅ Check Azure Activity Log for errors

4. GraphQL Query Errors

Error: 400 Bad Request Solution: - Verify GraphQL query syntax in template - Check RSC API version compatibility - Test query directly in RSC GraphQL explorer

Validation Queries

// Check data freshness
RubrikProtectionStatus_CL
| summarize
    LastData = max(TimeGenerated),
    RecordCount = count(),
    UniqueAssets = dcount(AssetName)
| extend MinutesAgo = datetime_diff('minute', now(), LastData)

// Validate data quality
RubrikProtectionStatus_CL
| summarize
    ValidAssets = countif(isnotempty(AssetId)),
    ValidClusters = countif(isnotempty(ClusterName)),
    ValidSnapshots = countif(TotalSnapshots >= 0),
    TotalRecords = count()
| extend QualityRate = round((ValidAssets * 100.0) / TotalRecords, 2)

📈 Use Cases

1. Ransomware Detection

Identify security alerts on assets with backup anomalies: - Sudden compliance failures - Missing snapshots during attack timeframe - Unusual storage consumption patterns - Failed backup jobs coinciding with security events

2. Recovery Readiness Assessment

For any security incident, quickly determine: - Does the compromised asset have recent backups? - Are the backups compliant with SLA policies? - When was the last clean backup taken? - Are backups available in multiple locations?

3. Attack Blast Radius Analysis

Correlate security incidents with backup infrastructure: - Identify all affected assets and their backup status - Determine which assets can be recovered - Prioritize incident response based on backup availability - Detect attacks specifically targeting backup systems

4. Compliance Reporting

Generate audit reports combining security and backup data: - Assets with security alerts and backup non-compliance - Protection coverage across security zones - Backup SLA compliance for critical assets - Recovery time objectives (RTO) validation

📚 Documentation

🔗 Additional Resources

🤝 Contributing

Contributions are welcome! Please: 1. Fork the repository 2. Create a feature branch 3. Test your changes thoroughly 4. Submit a pull request with detailed description

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

💡 Support

This is a community-supported connector. For assistance:

Built with Microsoft's Codeless Connector Framework (CCF) for seamless Sentinel integration

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Connectors Index