Rubrik Integration with Sentinel for Ransomware Protection

Solution: RubrikSecurityCloud




Attribute        | Value
Publisher        | Rubrik
Support Tier     | Partner
Support Link     | https://support.rubrik.com
Categories       | domains
Version          | 3.5.2
Author           | Ben Meadowcroft - ben.meadowcroft@rubrik.com
First Published  | 2022-07-19
Last Updated     | 2026-02-19
Solution Folder  | RubrikSecurityCloud
Marketplace      | Azure Marketplace · Rating: ★★★★★ 5.0/5 (1 rating) · Popularity: 🟢 High (85%)

The Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.

Underlying Microsoft Technologies used:

This solution depends on the following technologies. Some of these dependencies may be in Preview, and some may incur additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

b. Azure Functions

Contents

Data Connectors

This solution provides 2 data connector(s):

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 5 table(s):

Table                     | Used By Connectors                                                          | Used By Content
RubrikProtectionStatus_CL | Rubrik Security Cloud Protection Status (using Codeless Connector Framework) | -
Rubrik_Anomaly_Data_CL    | 🔶 Rubrik Security Cloud data connector                                     | Analytics
Rubrik_Events_Data_CL     | 🔶 Rubrik Security Cloud data connector                                     | Analytics
Rubrik_Ransomware_Data_CL | 🔶 Rubrik Security Cloud data connector                                     | -
Rubrik_ThreatHunt_Data_CL | 🔶 Rubrik Security Cloud data connector                                     | -

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 19 content item(s):

Content Type   | Count
Playbooks      | 17
Analytic Rules | 2

Analytic Rules

Name                     | Severity | Tactics     | Tables Used
Rubrik Critical Anomaly  | Medium   | Persistence | Rubrik_Anomaly_Data_CL
Rubrik Threat Monitoring | Medium   | Persistence | Rubrik_Events_Data_CL

Playbooks

Name | Description | Tables Used
Rubrik Advanced Threat Hunt | This playbook fetches the object mapped to the incident and starts an advanced threat hunt. | -
Rubrik Anomaly Analysis | This playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information ... | -
Rubrik Anomaly Generate Downloadable Link | This playbook will generate downloadable links according to objectType (VMware, Fileset or VolumeGro... | -
Rubrik Anomaly Incident Response | This playbook provides an end-to-end example of the collection of Ransomware Anomaly information fro... | -
Rubrik Data Object Discovery | This playbook queries Rubrik Security Cloud to enrich the incoming event with additional information... | -
Rubrik File Object Context Analysis | This playbook will retrieve policy hits from Rubrik Security Cloud for a given object, for a particu... | -
Rubrik Fileset Ransomware Discovery | This playbook queries Rubrik Security Cloud to enrich the incoming event with additional information... | -
Rubrik IOC Scan | This playbook interacts with Rubrik Security Cloud to scan backups for specified IOCs. This playbook... | -
Rubrik Poll Async Result | This playbook is used by other playbooks to poll for results from some of the asynchronous API calls... | -
Rubrik Ransomware Discovery and File Recovery | This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating a... | -
Rubrik Ransomware Discovery and VM Recovery | This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating a... | -
Rubrik Retrieve User Intelligence Information | This playbook queries Rubrik Security Cloud to get risk detail and policy hits details for a usernam... | -
Rubrik Turbo Threat Hunt | This playbook fetches the object mapped to the incident and starts a turbo threat hunt. | -
Rubrik Update Anomaly Status | This playbook will resolve or report false positive to unresolved anomaly and update status as resol... | -
Rubrik Update Anomaly Status Via Incident | This playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information ... | -
Rubrik User Intelligence Analysis | This playbook queries Rubrik Security Cloud to get user sensitive data and update severity of incide... | -
RubrikWorkloadAnalysis | This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the i... | -

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.5.2 | 19-02-2026 | Added RubrikSecurityCloud CCF (Codeless Connector Framework) Data Connector for ingesting Rubrik Protection Status data into Microsoft Sentinel. Enables backup compliance monitoring, ransomware recovery assessment, and incident correlation with protection status for Azure VMs.
3.5.1 | 05-11-2025 | Updated the API Host Name default value in playbooks and the custom connector.
3.5.0 | 25-07-2025 | Added RubrikTurboThreatHunt and RubrikAdvanceThreatHunt playbooks. Also added the RubrikThreatMonitoring and RubrikCriticalAnomaly Analytic Rules.
3.4.0 | 07-04-2025 | Added RubrikUpdateAnomalyStatusViaIncident and RubrikUpdateAnomalyStatus playbooks. Enhanced the RubrikAnomalyAnalysis playbook. Added a User-Agent header to every API call in each playbook. Removed policy creation resources from the data connector ARM template.
3.3.0 | 19-11-2024 | Added one new Playbook (RubrikWorkloadAnalysis) and updated the RubrikWebhookEvents Data Connector to add a new Orchestrator for Rubrik Events.
3.2.1 | 11-11-2024 | Fixed the Custom Connector id parameter issue in the RubrikRansomwareDiscoveryAndVmRecovery playbook.
3.2.0 | 24-02-2024 | Added 3 new Playbooks (RubrikFileObjectContextAnalysis, RubrikUserIntelligenceAnalysis, RubrikRetrieveUserIntelligenceInformation) for FileObject and User, fixed the clusterLocation issue of the Collect_IOC_Scan_Data adaptive card in the RubrikRansomwareDiscoveryAndVmRecovery playbook, and updated Python packages to fix vulnerability CVE-2023-50782 in the cryptography module. Enhanced the Anomaly Analysis playbook and added the RubrikAnomalyGenerateDownloadableLink playbook.
3.1.0 | 20-10-2023 | Updated the DataConnector code by implementing a Durable Function App.
3.0.0 | 14-07-2023 | Updated the title so that users can identify the adaptive card based on the incident.
