RubrikWorkloadAnalysis

This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.

Attribute   Value
Type        Playbook
Solution    RubrikSecurityCloud
Source      View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action   Type       Connections   Actions
azuresentinel        Managed    1             5
keyvault             Managed    1             2
http                 Built-in   0             2
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action                                            Method   Endpoint             Other
Update_Incident_(2)                               put      /Incidents
Add_Failed_IP_-_Host_List_Into_Incident_Comment   post     /Incidents/Comment
Update_Incident                                   put      /Incidents
Add_Detail_Response_Of_IP_To_Incident_Comment     post     /Incidents/Comment
Add_Comment_For_30000_Characters_Limit            post     /Incidents/Comment

keyvault (Managed)

Action                     Method   Endpoint                                                      Other
Get_Rubrik_Client_ID       get      /secrets/@{encodeURIComponent('Rubrik-Client-Id')}/value
Get_Rubrik_Client_Secret   get      /secrets/@{encodeURIComponent('Rubrik-Client-Secret')}/value

http (Built-in)

Action             Method   Endpoint                                                  Other
Get_Information    GET      @{variables('Base_URL')}/api/thirdparty/workload_summary
Get_Access_Token   POST     @{variables('Base_URL')}/api/client_token

Additional Documentation

📄 Source: RubrikWorkloadAnalysis/readme.md

Summary

This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.

Prerequisites

  1. User must have a valid Rubrik Client ID and Client Secret.
  2. Store the service account credentials in Key Vault and note the Key Vault name and tenantId:
    • Create a Key Vault with a unique name.
    • Go to Key Vault -> Secrets, click Generate/import and create the secrets 'Rubrik-Client-Id' and 'Rubrik-Client-Secret' to hold the client_id and client_secret respectively.
    • NOTE: Make sure the Permission model under the Key Vault's Access configuration is set to 'Vault access policy'. If it is not, change it to 'Vault access policy'.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each API connection (for example keyvault and azureloganalytics).

  1. Go to your logic app -> API connections -> Select keyvault connection resource
  2. Go to General -> edit API connection
  3. Click the keyvault connection resource
  4. Click edit API connection
  5. Click Authorize
  6. Sign in
  7. Click Save
  8. Repeat the steps for the other connections.

b. Assign Role to add a comment in the incident

After authorizing each connection, assign a role to this playbook.

  1. Go to Log Analytics Workspace → → Access Control → Add
  2. Add role assignment
  3. Assignment type: Job function roles
  4. Role: Microsoft Sentinel Contributor
  5. Members: select managed identity for "assigned access to" and add your logic app as a member.
  6. Click Review + assign.

c. Add Access policy in Keyvault

Add an access policy so the playbook's managed identity can read and write secrets in the Key Vault.

  1. Go to the logic app → → identity → System assigned Managed identity and copy Object (principal) ID.
  2. Go to keyvaults → → Access policies → create.
  3. Select all keys & secrets permissions. Click next.
  4. In the principal section, search by copied object ID. Click next.
  5. Click review + create.
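Steps b and c above, plus the secret-name prerequisite, as an Azure CLI script added here for this page (it is not part of the playbook's readme or the solution's own code). It assumes the resource group, logic app, workspace and Key Vault names are passed as arguments and that `az login` has been done; because the keyvault action table shows the playbook only performs `get` on the two secrets, it grants `get` on secrets rather than all key and secret permissions, and it scopes the Sentinel Contributor role to the workspace resource.

```shell
#!/bin/sh
# Added example: wires the RubrikWorkloadAnalysis playbook's managed identity with the Azure CLI.
# Assumed arguments: resource group, logic app name, Log Analytics workspace name, Key Vault name.
set -eu
# Secret names the playbook's keyvault actions read; they must match exactly.
RUBRIK_SECRETS="Rubrik-Client-Id Rubrik-Client-Secret"
SENTINEL_ROLE="Microsoft Sentinel Contributor"

# run: execute an az command, or only print it when DRY_RUN=1 so the changes can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step c.1: Object (principal) ID of the logic app's system-assigned managed identity.
playbook_principal_id() {            # $1=resource group  $2=logic app name
  az resource show --resource-group "$1" --name "$2" \
    --resource-type Microsoft.Logic/workflows --query identity.principalId -o tsv
}

# Step b: Microsoft Sentinel Contributor, scoped to the workspace resource only.
assign_sentinel_role() {             # $1=principal ID  $2=workspace resource ID
  run az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role "$SENTINEL_ROLE" --scope "$2"
}

# Step c: access policy for the identity. The action table shows the playbook only
# GETs the two secrets by name, so 'get' on secrets is enough (no key permissions).
grant_secret_read() {                # $1=vault name  $2=principal ID
  run az keyvault set-policy --name "$1" --object-id "$2" --secret-permissions get
}

# Prerequisite check: both secrets must exist under the names the playbook references.
check_rubrik_secrets() {             # $1=vault name
  for s in $RUBRIK_SECRETS; do
    run az keyvault secret show --vault-name "$1" --name "$s" --query id -o tsv >/dev/null \
      || { echo "missing secret '$s' in vault $1 (check the exact spelling)" >&2; return 1; }
  done
}

configure_playbook() {               # $1=rg  $2=logic app  $3=workspace  $4=vault
  pid=$(playbook_principal_id "$1" "$2")
  ws=$(az monitor log-analytics workspace show -g "$1" -n "$3" --query id -o tsv)
  check_rubrik_secrets "$4"
  assign_sentinel_role "$pid" "$ws"
  grant_secret_read "$4" "$pid"
}

# Usage: sh configure-playbook.sh <resource-group> <logic-app> <workspace> <key-vault>
if [ "$#" -eq 4 ]; then configure_playbook "$@"; fi
```

Run it with DRY_RUN=1 first to see the exact role assignment and access policy commands before anything is changed.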

d. Configurations in Microsoft Sentinel

  1. In Microsoft Sentinel, configure the analytic rules to trigger an incident.
  2. In Microsoft Sentinel, configure the automation rules to trigger the playbook.
