Rubrik User Intelligence Analysis

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This playbook queries Rubrik Security Cloud to get user sensitive data and update severity of incident accordingly. This playbook calls the RubrikRetrieveUserIntelligenceInformation playbook internally to get user risk details and policy hits details to enrich the incident.

Attribute Value
Type Playbook
Solution RubrikSecurityCloud
Source View on GitHub

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 10
keyvault Managed 1 2
http Built-in 0 3
workflow Built-in 0 2
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_that_more_users_details_can_be_found_in_table post /Incidents/Comment
Update_incident_Severity_to_High_based_on_user_risk put /Incidents
Update_incident_severity_to_low put /Incidents
Update_incident_severity_to_medium put /Incidents
Add_comment_that_no_information_is_available_related_to_username post /Incidents/Comment
Add_comment_to_incident_(V3) post /Incidents/Comment
Update_incident_Severity_to_High put /Incidents
Update_incident_severity_to_low_based_on_user_email put /Incidents
Update_incident_severity_to_medium_based_risk_of_email_user put /Incidents
Add_comment_to_incident_that_no_users_are_available post /Incidents/Comment

keyvault (Managed)

Action Method Endpoint Other
Get_Rubrik_ClientId get /secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientId')}/value
Get_Rubrik_ClientSecret get /secrets/@{encodeURIComponent('Rubrik-AS-Int-ClientSecret')}/value

http (Built-in)

Action Method Endpoint Other
Get_User_risk_information_for_username POST @{variables('BaseUrl')}/api/graphql
Get_user_risk_information POST @{variables('BaseUrl')}/api/graphql
Get_Access_Token POST @{variables('BaseUrl')}/api/client_token

workflow (Built-in)

Action Method Endpoint Other
RubrikUserRiskPolicyDetails_3 workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('RiskPolicyHitsPlaybookName'))]
triggerName=manual
RubrikUserRiskPolicyDetails workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('RiskPolicyHitsPlaybookName'))]
triggerName=manual

Additional Documentation

📄 Source: RubrikUserIntelligenceAnalysis/readme.md

Summary

This playbook queries Rubrik Security Cloud to get user sensitive data and update severity of incident accordingly. This playbook calls the RubrikRetrieveUserIntelligenceInformation playbook internally to get user risk details and policy hits details to enrich the incident

Prerequisites

  1. The Rubrik Security Cloud solution should be configured to connect to Rubrik Security Cloud API end points using a Service Account, the service account should be assigned a role that includes the relevant privileges necessary to perform the desired operations (see Roles and Permissions in the Rubrik Security Cloud user guide).
  2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId
    • Create a Key Vault with a unique name
    • Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik-AS-Int-ClientId' & 'Rubrik-AS-Int-ClientSecret' for storing client_id and client_secret respectively NOTE: Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to 'Vault access policy'
  3. Make sure that RubrikRetrieveUserIntelligenceInformation playbook is deployed before deploying RubrikUserIntelligenceAnalysis playbook.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection like keyvault, azureloganalytics.

  1. Go to your logic app -> API connections -> Select keyvault connection resource
  2. Go to General -> edit API connection
  3. Click the keyvault connection resource
  4. Click edit API connection
  5. Click Authorize
  6. Sign in
  7. Click Save
  8. Repeat steps for other connections

b. Assign Role to add a comment in the incident

After authorizing each connection, assign a role to this playbook.

  1. Go to Log Analytics Workspace → → Access Control → Add
  2. Add role assignment
  3. Assignment type: Job function roles
  4. Role: Microsoft Sentinel Contributor
  5. Members: select managed identity for "assigned access to" and add your logic app as a member.
  6. Click on review+assign

c. Add Access policy in Keyvault

Add access policy for the playbook's managed identity to read, and write secrets of key vault.

  1. Go to the logic app → → identity → System assigned Managed identity and copy Object (principal) ID.
  2. Go to keyvaults → → Access policies → create.
  3. Select all keys & secrets permissions. Click next.
  4. In the principal section, search by copied object ID. Click next.
  5. Click review + create.

d. Configurations in Microsoft Sentinel

  1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.
  1. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to RubrikSecurityCloud