Rubrik Ransomware Discovery and VM Recovery
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) supporting VM image level recovery.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | RubrikSecurityCloud |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 6 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
keyvault |
Managed | 1 | 0 |
keyvault_1 |
Managed | 0 | 2 |
teams |
Managed | 1 | 0 |
RubrikCustomConnector |
Custom | 1 | 1 |
http |
Built-in | 0 | 9 |
workflow |
Built-in | 0 | 3 |
Action parameters (URLs, paths, function IDs)
keyvault_1 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| ClientId | get | /secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientId')}/value |
— |
| ClientSecret | get | /secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientSecret')}/value |
— |
RubrikCustomConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Authentication | post | /api/client_token |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Fetch_yara_rule_from_URLs | GET | @body('Collect_IOC_scan_and_general_recovery_data')?['data']?['ioc Yara rule file URL'] |
— |
| Create_Snapshot_for_evidence | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Get_VM_metadata | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Get_HostID | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Get_Vsphere_Host_ID | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Live-Mount_recovered_snapshot | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Export_recovered_snapshot | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Get_Vsphere_Datastore_ID | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
| Get_Vsphere_Host_ID_-_2 | POST | @{triggerBody()?['BaseUrl']}/api/graphql |
— |
workflow (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| RubrikPollAsyncResult_3 | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikPollAsyncResult')]triggerName= manual |
| RubrikPollAsyncResult_2 | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikPollAsyncResult')]triggerName= manual |
| RubrikIOCScan | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/RubrikIOCScan')]triggerName= manual |
Additional Documentation
Summary
TThis playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) supporting VM image level recovery.
Prerequisites
- The Rubrik Security Cloud data connector should be configured to send appropriate events to Microsoft Sentinel.
- The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
- To perform an IOC scan the IOC YARA rule should be available as a URL.
- Obtain Teams group id and channel id.
- Store Service account credentials in Key Vault and obtain keyvault name and tenantId a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively
- Make sure that RubrikIOCScan and RubrikPollAsyncResult playbook is deployed before deploying RubrikRansomwareDiscoveryAndVMRecovery playbook.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
- keyvaultname: Name of keyvault where secrets are stored.
- tenantId: TenantId where keyvault is located.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection like teams, keyvault.
- Click the connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊