Rubrik Ransomware Discovery and File Recovery

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) supporting file level recovery.

Attribute Value
Type Playbook
Solution RubrikSecurityCloud
Source View on GitHub

Additional Documentation

📄 Source: RubrikRansomwareDiscoveryAndFileRecovery/readme.md

Summary

This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) supporting file level recovery.

Prerequisites

  1. The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
  2. The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
  3. To perform an IOC scan the IOC YARA rule should be available as a URL.
  4. Obtain Teams group id and channel id.
  5. Store Service account credentials in Key Vault and obtain keyvault name and tenantId a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively
  6. Make sure that RubrikIOCScan and RubrikPollAsyncResult playbook is deployed before deploying RubrikRansomwareDiscoveryAndFileRecovery playbook.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here
    • Teams Group Id: Id of the Teams Group where the adaptive card will be posted
    • Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
    • keyvaultname: Name of keyvault where secrets are stored.
    • tenantId: TenantId where keyvault is located.

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Click the Custom connector connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to RubrikSecurityCloud