Rubrik Update Anomaly Status Via Incident
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information and internally calls RubrikUpdateAnomalyStatus playbook with additional anomaly information to resolve the anomaly.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | RubrikSecurityCloud |
| Source | View on GitHub |
Additional Documentation
Summary
This playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information and internally calls RubrikUpdateAnomalyStatus playbook with additional anomaly information to resolve the anomaly.
Prerequisites
- The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
- The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
- Rubrik custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
- Store Service account credentials in Key Vault and obtain keyvault name and tenantId a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively
- Make sure that RubrikUpdateAnomalyStatus playbook is deployed before deploying RubrikUpdateAnomalyStatusViaIncident playbook.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- PlaybookName: Enter the playbook name here.
- API Hostname: Hostname of the RubrikApi instance
- Rubrik Connector name: Name of the Rubrik Custom Connector deployed previously
- keyvaultname: Name of keyvault where secrets are stored.
- tenantId: TenantId where keyvault is located.
- UpdateAnomalyStatusPlaybookName: Playbook name which is deployed as part of prerequisites
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection like keyvault.
- Click the connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Assign Role to close incident
Assign role to this playbook.
1. Go to Log Analytics Workspace →
c. Configurations in Microsoft Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.
- To manually run the playbook on a particular incident follow the below steps:
a. Go to Microsoft Sentinel ->
-> Incidents b. Select an incident. c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option. d. Click on the Run button beside this playbook.
d. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have the ClusterId - custom entity that contains clusterId of an event generated in rubrik, ObjectId - custom entity that contains objectId of an event generated in rubrik, ObjectType - custom entity that contains objectType of an event generated in rubrik, ObjectName -custom entity that contains objectName of an event generated in rubrik . It can be obtained from the corresponding field in Rubrik Anomaly Event logs. Check the documentation to learn more about adding custom entities to incidents.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊