Rubrik Anomaly Incident Response
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook provides an end to end example of the collection of Ransomware Anomaly information from Rubrik, its enrichment with Data Classification insights (to aid in incident prioritization), and the options to optionally perform various recovery operations. It uses several other playbooks defined in this solution to perform these tasks.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | RubrikSecurityCloud |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 0 |
teams |
Managed | 1 | 0 |
workflow |
Built-in | 0 | 6 |
Action parameters (URLs, paths, function IDs)
workflow (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| RubrikFilesetRansomwareDiscovery | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikFilesetRansomwareDiscovery')]triggerName= manual |
| RubrikRansomwareDiscoveryAndFileRecovery | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikRansomwareDiscoveryAndFileRecovery')]triggerName= manual |
| RubrikRansomwareDiscoveryAndVMRecovery | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikRansomwareDiscoveryAndVMRecovery')]triggerName= manual |
| RubrikAnomalyAnalysis | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikAnomalyAnalysis')]triggerName= manual |
| RubrikDataObjectDiscovery | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikDataObjectDiscovery')]triggerName= manual |
| RubrikFileObjectContextAnalysis | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikFileObjectContextAnalysis')]triggerName= manual |
Additional Documentation
📄 Source: RubrikAnomalyIncidentResponse/readme.md
RubrikAnomalyIncidentResponse
Summary
This playbook provides an end to end example of the collection of Ransomware Anomaly information from Rubrik, its enrichment with Data Classification insights (to aid in incident prioritization), and the options to optionally perform various recovery operations. It uses several other playbooks defined in this solution to perform these tasks.
Prerequisites
- The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
- The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
- Obtain Teams group id and channel id.
- Make sure that below mentioned playbooks are deployed before deploying RubrikAnomalyIncidentResponse playbook:
- RubrikDataObjectDiscovery
- RubrikAnomalyAnalysis
- RubrikFilesetRansomwareDiscovery
- RubrikRansomwareDiscoveryAndFileRecovery
- RubrikRansomwareDiscoveryAndVMRecovery
- RubrikFileObjectContextAnalysis
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
- API Hostname: Hostname of the RubrikApi instance
- Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection like teams, microsoft sentinel.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have the ClusterId - custom entity that contains clusterId of an event generated in rubrik, ObjectId - custom entity that contains objectId of an event generated in rubrik, ObjectType - custom entity that contains objectType of an event generated in rubrik, ObjectName -custom entity that contains objectName of an event generated in rubrik . It can be obtained from the corresponding field in Rubrik Anomaly Event logs. Check the documentation to learn more about adding custom entities to incidents.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊