Rubrik Ransomware Discovery and File Recovery

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) supporting file level recovery.

Attribute	Value
Type	Playbook
Solution	RubrikSecurityCloud
Source	View on GitHub

Logic App Connectors

This playbook uses 6 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`keyvault`	Managed	1	0
`keyvault_1`	Managed	0	2
`teams`	Managed	1	0
`RubrikCustomConnector`	Custom	1	1
`http`	Built-in	0	4
`workflow`	Built-in	0	3

Action parameters (URLs, paths, function IDs)

`keyvault_1` (Managed)

Action	Method	Endpoint	Other
Get_ClientId	get	`/secrets/@{encodeURIComponent('Rubrik-AS-Int-clientId')}/value`	—
Get_ClientSecret	get	`/secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientSecret')}/value`	—

`RubrikCustomConnector` (Custom)

Action	Method	Endpoint	Other
Authentication	post	`/api/client_token`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Create_Snapshot_for_evidence	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
Recover_snapshot_files	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
List_all_Snapshots	POST	`@{triggerBody()?['BaseUrl']}/api/graphql`	—
Fetch_Yara_rule(s)_from_file_URLs	GET	`@body('Collect_IOC_Scan_Data')?['data']?['ioc Yara rule file URL ']`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
RubrikPollAsyncResult	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikPollAsyncResult')]` triggerName=`manual`
RubrikPollAsyncResult_2	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikPollAsyncResult')]` triggerName=`manual`
RubrikIOCScan	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikIOCScan')]` triggerName=`manual`

Additional Documentation

📄 Source: RubrikRansomwareDiscoveryAndFileRecovery/readme.md

Summary

Prerequisites

The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
To perform an IOC scan the IOC YARA rule should be available as a URL.
Obtain Teams group id and channel id.
Store Service account credentials in Key Vault and obtain keyvault name and tenantId a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively
Make sure that RubrikIOCScan and RubrikPollAsyncResult playbook is deployed before deploying RubrikRansomwareDiscoveryAndFileRecovery playbook.

Deployment instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
- keyvaultname: Name of keyvault where secrets are stored.
- tenantId: TenantId where keyvault is located.