Rubrik Advanced Threat Hunt
This playbook fetches the object mapped to the incident and starts an Advanced Threat Hunt on it.
Additional Documentation
📄 Source: RubrikAdvanceThreatHunt/readme.md
Rubrik Advance Threat Hunt
Summary
This playbook fetches the object mapped to the incident and starts an Advance Threat Hunt on it.
Prerequisites
- The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
- The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
- Rubrik custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
- Store the Service Account credentials in Key Vault and note the Key Vault name and tenantId:
a. Create a Key Vault with a unique name.
b. Go to Key Vault -> Secrets -> Generate/Import and create the secrets 'Rubrik-AS-Int-ClientId' and 'Rubrik-AS-Int-ClientSecret' to store the client_id and client_secret respectively.
- Obtain the Teams groupId and channelId:
a. Create a Team with a public channel.
b. Click the three dots (...) on the right side of your newly created channel and choose 'Get link to channel'.
c. Copy the text from the link between /channel/ and the next /, URL-decode it, and use the result as the channelId.
d. Copy the value of the groupId query parameter from the link and use it as the groupId.
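Steps c and d can be done locally instead of pasting the link into an online URL decoder. The following helper is an added example, not part of the Rubrik playbook; the link format it parses (`/l/channel/<encoded id>/<name>?groupId=...`) is the shape of a Teams channel link, and the sample link and GUIDs are constructed.

```python
"""Extract channelId and groupId from a Teams 'Get link to channel' URL."""
import re
import uuid
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample link (not a real team); the channel id is percent-encoded in the path.
CONSTRUCTED_LINK = (
    "https://teams.microsoft.com/l/channel/"
    "19%3Aabcdef1234567890%40thread.tacv2/General"
    "?groupId=11111111-2222-3333-4444-555555555555"
    "&tenantId=66666666-7777-8888-9999-000000000000"
)


def parse_teams_channel_link(link: str) -> dict:
    """Return {'channelId': ..., 'groupId': ...} for the playbook parameters.

    The channel id is the path segment after /channel/, URL-decoded (step c);
    the group id is the groupId query parameter, validated as a GUID (step d).
    """
    parsed = urlparse(link)
    if parsed.netloc.lower() != "teams.microsoft.com":
        raise ValueError("not a teams.microsoft.com link")

    # urlparse leaves the path percent-encoded, so decode only the id segment.
    match = re.search(r"/channel/([^/]+)/", parsed.path)
    if not match:
        raise ValueError("link has no /channel/<id>/ segment")
    channel_id = unquote(match.group(1))

    group_ids = parse_qs(parsed.query).get("groupId")
    if not group_ids:
        raise ValueError("link has no groupId query parameter")
    group_id = group_ids[0]
    # Reject anything that is not a GUID before it reaches the ARM parameters.
    if str(uuid.UUID(group_id)) != group_id.lower():
        raise ValueError("groupId is not a canonical GUID")

    return {"channelId": channel_id, "groupId": group_id}


if __name__ == "__main__":
    print(parse_teams_channel_link(CONSTRUCTED_LINK))
```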
Deployment instructions
- To deploy the playbook, click the Deploy to Azure button. This launches the ARM template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
- API Hostname: Hostname of the Rubrik API instance.
- Rubrik Connector name: Name of the Rubrik Custom Connector deployed previously.
- keyvaultname: Name of the Key Vault where the secrets are stored.
- tenantId: TenantId of the tenant where the Key Vault is located.
- Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
- Polling Interval: Time Interval in minutes for checking hunt status (Ex: 5)
- Polling Timeout: Time limit in minutes for checking hunt status (Ex: 720)

Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each API connection (for example, the Key Vault connection):
- Click the connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Assign a role to this playbook
1. Go to Log Analytics Workspace → your workspace → Access Control → Add
2. Add role assignment
3. Assignment type: Job function roles -> select 'Microsoft Sentinel Contributor' as the role
4. Members: under 'Assign access to', select Managed identity and add your logic app as a member
5. Click Review + assign
c. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, analytics rules should be configured to trigger an incident.
- To run the playbook manually on a particular incident, follow these steps:
a. Go to Microsoft Sentinel -> your workspace -> Incidents
b. Select an incident.
c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.
d. Click on the Run button beside this playbook.