Rubrik User Intelligence Analysis
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook queries Rubrik Security Cloud to get user sensitive data and update severity of incident accordingly. This playbook calls the RubrikRetrieveUserIntelligenceInformation playbook internally to get user risk details and policy hits details to enrich the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | RubrikSecurityCloud |
| Source | View on GitHub |
Additional Documentation
📄 Source: RubrikUserIntelligenceAnalysis/readme.md
Summary
This playbook queries Rubrik Security Cloud to get user sensitive data and update severity of incident accordingly. This playbook calls the RubrikRetrieveUserIntelligenceInformation playbook internally to get user risk details and policy hits details to enrich the incident
Prerequisites
- The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
- Store Service account credentials in Key Vault and obtain keyvault name and tenantId
- Create a Key Vault with a unique name
- Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively NOTE: Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to 'Vault access policy'
- Make sure that RubrikRetrieveUserIntelligenceInformation playbook is deployed before deploying RubrikUserIntelligenceAnalysis playbook.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters: * PlaybookName: Enter the playbook name here. * KeyvaultName: Name of keyvault where secrets are stored. * TenantId: TenantId where keyvault is located. * BaseUrl: Baseurl of the RubrikApi instance. * RiskPolicyHitsPlaybookName: Playbook name which is deployed as part of prerequisites
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection like keyvault, azureloganalytics. 1. Go to your logic app -> API connections -> Select keyvault connection resource 2. Go to General -> edit API connection 3. Click the keyvault connection resource 4. Click edit API connection 5. Click Authorize 6. Sign in 7. Click Save 8. Repeat steps for other connections
b. Assign Role to add a comment in the incident
After authorizing each connection, assign a role to this playbook.
1. Go to Log Analytics Workspace →
c. Add Access policy in Keyvault
Add access policy for the playbook's managed identity to read, and write secrets of key vault.
1. Go to the logic app →
d. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, Configure the analytic rules to trigger an incident.
* Analytic Rule must contain at least one of the below fields mapped in Custom Details to successfully run this playbook.
- Username
- In Microsoft Sentinel, Configure the automation rules to trigger the playbook.
* Go to Microsoft Sentinel ->
-> Automation * Click on Create -> Automation rule * Provide a name for your rule * In the Analytic rule name condition, select the analytic rule that you have created. * In Actions dropdown select Run playbook * In the second dropdown select your deployed playbook * Click on Apply * Save the Automation rule. NOTE: If you want to manually run the playbook on a particular incident follow the below steps:
- Go to Microsoft Sentinel ->
-> Incidents - Select an incident.
- In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.
- click on the Run button beside this playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊