Rubrik Retrieve User Intelligence Information

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook queries Rubrik Security Cloud to get risk detail and policy hits details for a username or email address, and enriches the incident by adding incident comment

Attribute	Value
Type	Playbook
Solution	RubrikSecurityCloud
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azureloganalyticsdatacollector`	Managed	1	2
`azuresentinel`	Managed	1	8
`http`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`azureloganalyticsdatacollector` (Managed)

Action	Method	Endpoint	Other
Send_User_Details_to_Workspace	post	`/api/logs`	—
Send_Policy_hits_details_to_Workspace	post	`/api/logs`	—

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_with_userDetails	post	`/Incidents/Comment`	—
Add_comment_to_incident_with_user_access_details_only	post	`/Incidents/Comment`	—
Add_comment_to_incident_with_user_and_risk_details	post	`/Incidents/Comment`	—
Add_comment_to_incident_with_user_data	post	`/Incidents/Comment`	—
Add_comment_to_incident_with_user_policy_data	post	`/Incidents/Comment`	—
Add_comment_to_incident_for_no_policy_hits_data	post	`/Incidents/Comment`	—
Add_comment_to_incident_with_user_and_risk_details_only	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Get_Policy_hits_details_for_user	POST	`@{variables('BaseUrl')}/api/graphql`	—
Get_User_Details	POST	`@{variables('BaseUrl')}/api/graphql`	—

Additional Documentation

📄 Source: RubrikRetrieveUserIntelligenceInformation/readme.md

Summary

This playbook queries Rubrik Security Cloud to get risk detail and policy hits details for a username or email address, and enriches the incident by adding incident comment

Prerequisites

The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).

Deployment instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:

PlaybookName: Enter the playbook name here.
LogAnalyticsWorkspaceId: Id of the log analytics workspace where you want to ingest data in Microsoft Sentinel.
LogAnalyticsWorkspaceKey: PrimaryKey of log analytics workspace where you want to ingest data in Microsoft Sentinel.
UserDetailsTableName: Table name to store userdetails in Log Analytics Workspace.
UserPolicyHitsTableName: Table name to store user policy hits data into Log Analytics Workspace.

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection like keyvault, azureloganalytics.

Go to your logic app -> API connections -> Select keyvault connection resource
Go to General -> edit API connection
Click the keyvault connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for other connections

b. Assign Role to add a comment in the incident

After authorizing each connection, assign a role to this playbook.

Go to Log Analytics Workspace → → Access Control → Add
Add role assignment
Assignment type: Job function roles
Role: Microsoft Sentinel Contributor
Members: select managed identity for "assigned access to" and add your logic app as a member.
Click on review+assign