Rubrik Anomaly Analysis

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information regarding the Ransomware analysis, results from sensitive data scans, (to aid in incident prioritization), and additional information about the Rubrik cluster. Also it retrieves suspiciousFiles information associated with anomalous snapshot and internally calls RubrikAnomalyGenerateDownloadableLink playbook to get downloadable links and enrich the anomaly incident and RubrikUpdateAnomalyStatus pla

Attribute	Value
Type	Playbook
Solution	RubrikSecurityCloud
Source	View on GitHub

Logic App Connectors

This playbook uses 6 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`keyvault`	Managed	1	0
`keyvault_1`	Managed	0	2
`RubrikCustomConnector`	Custom	1	1
`http`	Built-in	0	9
`workflow`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Close_Incident_Due_To_Anomaly_Is_Already_Resolved	put	`/Incidents`	—
Close_incident_due_to_resolve_anomaly_or_report_false_positive	put	`/Incidents`	—

`keyvault_1` (Managed)

Action	Method	Endpoint	Other
Get_Client_Id_	get	`/secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientId')}/value`	—
Get_secret	get	`/secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientSecret')}/value`	—

`RubrikCustomConnector` (Custom)

Action	Method	Endpoint	Other
Authentication	post	`/api/client_token`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Determine_the_status_of_the_Rubrik_Radar_analysis_process	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
sonar_sensitive_hits(Object_Details)	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
Get_Suspicious_files_for_a_latest_snpshot_of_given_object	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
Get_cdm_snapshotid_for_latest_snapshotfid	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
Gather_the_final_Radar_Analysis_results	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
GenericPolling	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
rubrik-cdm-cluster-connection-state	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
rubrik-cdm-cluster-location	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
rubrik-sonar-sensitive-hits(Object_List)	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
RubrikGenerateDownloadableLink	—	—	workflowId=`[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('DownloadableLinkGeneratePlaybookName'))]` triggerName=`manual`
RubrikUpdateAnomalyStatus	—	—	workflowId=`[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('UpdateAnomalyStatusPlaybookName'))]` triggerName=`manual`

Additional Documentation

📄 Source: RubrikAnomalyAnalysis/readme.md

Summary

Prerequisites

The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
Rubrik custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
Store Service account credentials in Key Vault and obtain keyvault name and tenantId a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively
Make sure that RubrikAnomalyGenerateDownloadableLink and RubrikUpdateAnomalyStatus playbook are deployed before deploying RubrikAnomalyAnalysis playbook.

Deployment instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Rubrik Connector name: Name of the Rubrik Custom Connector deployed previously
- keyvaultname: Name of keyvault where secrets are stored.
- tenantId: TenantId where keyvault is located.
- DownloadableLinkGeneratePlaybookName: Playbook name which is deployed as part of prerequisites
- UpdateAnomalyStatusPlaybookName: Playbook name which is deployed as part of prerequisites

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection like keyvault.

Click the connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for other connections

b. Assign Role to close incident

Assign role to this playbook.

Go to Log Analytics Workspace → → Access Control → Add
Add role assignment
Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
Members: select managed identity for assigned access to and add your logic app as member
Click on review+assign