diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json
new file mode 100644
index 00000000000..8a08e349fce
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json
@@ -0,0 +1,113 @@ +{ + "Name":"Rubrik_Events_Data_CL", + "Properties":[ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "custom_details_objectId_g", + "Type": "string" + }, + { + "Name": "custom_details_seriesId_g", + "Type": "string" + }, + { + "Name": "custom_details_id_g", + "Type": "string" + }, + { + "Name": "custom_details_clusterId_g", + "Type": "string" + }, + { + "Name": "summary_s", + "Type": "string" + }, + { + "Name": "source_s", + "Type": "string" + }, + { + "Name": "severity_s", + "Type": "string" + }, + { + "Name": "timestamp_s", + "Type": "datetime" + }, + { + "Name": "class_s", + "Type": "string" + }, + { + "Name": "custom_details_type_s", + "Type": "string" + }, + { + "Name": "custom_details_objectId_s", + "Type": "string" + }, + { + "Name": "custom_details_objectName_s", + "Type": "string" + }, + { + "Name": "custom_details_objectType_s", + "Type": "string" + }, + { + "Name": "custom_details_status_s", + "Type": "string" + }, + { + "Name": "custom_details_clusterName_s", + "Type": "string" + }, + { + "Name": "custom_details_eventName_s", + "Type": "string" + }, + { + "Name": "custom_details_auditUserName_s", + "Type": "string" + }, + { + "Name": "custom_details_auditUserId_s", + "Type": "string" + }, + { + "Name": "custom_details_location_s", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] + } \ No newline at end of file diff --git a/Sample Data/Custom/Rubrik_Events_Data_CL.csv b/Sample Data/Custom/Rubrik_Events_Data_CL.csv new file mode 100644 index 00000000000..4f5db86db9f --- /dev/null +++ b/Sample Data/Custom/Rubrik_Events_Data_CL.csv 
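Review bot: `timestamp_s` is declared with `"Type": "datetime"` while its `_s` suffix is the string marker in the column naming the HTTP Data Collector API produces (datetime columns get `_t`), so this validation schema may accept datetime operators on a column the live table stores as text. The sample CSV added in this commit carries ISO-8601 text in that field, which is consistent with either reading, so I cannot tell from the diff which one the ingested table actually has. Either change the entry to `"Type": "string"` or rename the column to its datetime-typed form, whichever matches the real `Rubrik_Events_Data_CL` table, and record the decision in the commit message since strict JSON leaves no room for a comment.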
@@ -0,0 +1,10 @@
+TimeGenerated [UTC],custom_details_objectId_g,custom_details_seriesId_g,custom_details_id_g,custom_details_clusterId_g,summary_s,source_s,severity_s,timestamp_s,class_s,custom_details_type_s,custom_details_objectId_s,custom_details_objectName_s,custom_details_objectType_s,custom_details_status_s,custom_details_clusterName_s,custom_details_eventName_s,custom_details_auditUserName_s,custom_details_auditUserId_s,custom_details_location_s
+"11/8/2024, 5:30:42.136 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,6617cef8-c37c-41db-988e-d8372bbe90f3,00000000-0000-0000-0000-000000000000,Waiting for 1 snapshot(s) to be available for file recovery.,Rubrik Security Cloud,info,2024-11-08T05:30:40.64979627Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotsWaitForSnappableIndexTaskStarted,,,
+"11/8/2024, 5:30:50.314 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3f-f5ce-7900-8443-8a368f5baa2b,688bc4b0-f17d-4784-a96f-9a8cd387e43d,00000000-0000-0000-0000-000000000000,Successfully replicated snapshot taken at 08 Nov 24 5:00 AM UTC for the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription to the region westus of TM-Lab-EA Azure subscription.,Rubrik Security Cloud,info,2024-11-08T05:29:57.30752593Z,Replication,Event,,use-test,AzureNativeVm,Success,Polaris,CloudNativeReplicateSnapshotsReplicateTaskSucceeded,,,
+"11/8/2024, 5:25:31.234 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,9cb57a51-4064-4c45-a10b-4693f8b5aaa7,00000000-0000-0000-0000-000000000000,Started indexing of the snapshots of the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription.,Rubrik Security Cloud,info,2024-11-08T05:25:17.200115471Z,Index,Event,,use-test,AzureNativeVm,TaskSuccess,Polaris,CloudNativeIndexSnapshotsJobStarted,,,
+"11/8/2024, 5:17:19.245 
AM",,3787cdc1-a7ba-41ed-9c6e-cc5d8d4a2a27,88ece1ed-1a95-43b9-ae38-302cf05c19d8,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-other-events.,Rubrik Security Cloud,info,2024-11-08T05:17:18.370059549Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
+"11/8/2024, 5:18:40.088 AM",,496f42ec-e684-4a04-b191-e6a3a122d49f,efb7669b-8891-4a76-a613-d104f661b856,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-AnomalyOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:18:39.20837609Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
+"11/8/2024, 5:16:28.396 AM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-08T05:16:14.067423864Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
+"11/7/2024, 1:25:23.986 PM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-07T13:25:01.215428023Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
+"11/8/2024, 5:29:22.352 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,e17bfee9-bed2-4691-b58d-0885322600c0,00000000-0000-0000-0000-000000000000,Started indexing of snapshot taken at 08 Nov 24 5:00 AM UTC.,Rubrik Security Cloud,info,2024-11-08T05:29:20.550468555Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotBegin,,,
+"11/8/2024, 5:21:33.309 AM",,28b3ccfd-6679-4f88-b416-5658d859dc6c,f690f13a-12f9-4b80-a268-48ba26a6e917,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-ThreathuntOrchestrator.,Rubrik Security 
Cloud,info,2024-11-08T05:21:31.535526647Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0, diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py index 225c85297c9..26de6b4f7db 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py @@ -13,12 +13,12 @@ def orchestrator_function(context: df.DurableOrchestrationContext): Returns: str: result of Activity function """ - applogger.debug("{} AnomalyOrchestrator function called!".format(LOGS_STARTS_WITH)) + applogger.info("{} AnomalyOrchestrator function called!".format(LOGS_STARTS_WITH)) json_data = context.get_input() result1 = yield context.call_activity( "RubrikActivity", {"data": json_data, "log_type": ANOMALY_LOG_TYPE} ) - applogger.debug( + applogger.info( "{} AnomalyOrchestrator function completed!".format(LOGS_STARTS_WITH) ) return result1 diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/__init__.py new file mode 100644 index 00000000000..07ac317f781 --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/__init__.py 
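Review bot: The sample rows carry what look like real environment artefacts rather than synthetic ones — the recurring Auth0 subject `auth0|65b91cdc85d3150aa4a1b3d0` in `custom_details_objectId_s` and `custom_details_auditUserId_s`, the `TM-Lab-EA` subscription and the `use-test_group` resource group in `summary_s` — in a file published as sample data. The `xyz@gmail.com` address is already an obvious placeholder; the identifiers deserve the same treatment (a zeroed subject such as `auth0|000000000000000000000000` and generic subscription/resource-group names keep the schema intact). The header's `TimeGenerated [UTC]` column holds locale-formatted timestamps while `timestamp_s` is ISO-8601, which is how the workspace export renders them and is fine for a sample, but worth knowing if anything downstream parses this file.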
@@ -0,0 +1,28 @@ +"""This __init__ file will be called by Http Starter function to pass the Other Events data to activity function.""" +import azure.durable_functions as df +from shared_code.consts import EVENTS_LOG_TYPE, LOGS_STARTS_WITH +from shared_code.logger import applogger + + +def orchestrator_function(context: df.DurableOrchestrationContext): + """Get General data from durable orchestration context and schedule an activity for execution. + + Args: + context (df.DurableOrchestrationContext): Context of the durable orchestration execution. + + Returns: + str: result of Activity function + """ + applogger.info("{} RubrikEventOrchestrator function called!".format(LOGS_STARTS_WITH)) + json_data = context.get_input() + + result1 = yield context.call_activity( + "RubrikActivity", {"data": json_data, "log_type": EVENTS_LOG_TYPE} + ) + applogger.info( + "{} RubrikEventOrchestrator function completed!".format(LOGS_STARTS_WITH) + ) + return result1 + + +main = df.Orchestrator.create(orchestrator_function) diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/function.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/function.json new file mode 100644 index 00000000000..82fabb9a853 --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/function.json @@ -0,0 +1,10 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "context", + "type": "orchestrationTrigger", + "direction": "in" + } + ] +} \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py index 18e3f5265d9..d6f9694c338 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py 
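Review bot: Both log messages in `orchestrator_function` name the function `RubrikEventOrchestrator`, while the function folder, the `main` binding and the connector instructions elsewhere in this commit call it `RubrikEventsOrchestrator`; operators correlating Function App logs with the `{functionname}` they pasted into the webhook URL will search for the latter. Change the two strings to `"{} RubrikEventsOrchestrator function called!".format(LOGS_STARTS_WITH)` and `"{} RubrikEventsOrchestrator function completed!".format(LOGS_STARTS_WITH)`. The module docstring could also say what "Other Events" means here — every event class the webhook delivers that is not Anomaly, Ransomware or Threat Hunt — matching the wording of the `EventsTableName` parameter added to the ARM template in the same commit.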
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py @@ -23,9 +23,7 @@ def get_data_from_request_body(request): json_data = json.dumps(data) return json_data except ValueError as value_error: - applogger.error( - "{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, value_error) - ) + applogger.error("{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, value_error)) raise RubrikException(value_error) except Exception as err: applogger.error("{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, err)) @@ -63,11 +61,7 @@ async def main(req: func.HttpRequest, starter: str) -> func.HttpResponse: headers={"Content-Length": str(len(body))}, ) else: - applogger.info( - "{}(method={})No required data found.".format( - LOGS_STARTS_WITH, __method_name - ) - ) + applogger.info("{}(method={})No required data found.".format(LOGS_STARTS_WITH, __method_name)) body = "No required data found." return func.HttpResponse( body=body, diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py index 3dcd02232a5..95c502770b7 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py @@ -13,14 +13,14 @@ def orchestrator_function(context: df.DurableOrchestrationContext): Returns: str: result of Activity function """ - applogger.debug( + applogger.info( "{} RansomwareOrchestrator function called!".format(LOGS_STARTS_WITH) ) json_data = context.get_input() result1 = yield context.call_activity( "RubrikActivity", {"data": json_data, "log_type": RANSOMWARE_LOG_TYPE} ) - applogger.debug( + applogger.info( "{} RansomwareOrchestrator function completed!".format(LOGS_STARTS_WITH) ) return result1 
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py index b8f31d04aec..df9387c8c25 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py @@ -13,14 +13,14 @@ def orchestrator_function(context: df.DurableOrchestrationContext): Returns: str: result of Activity function """ - applogger.debug( + applogger.info( "{} ThreatHuntOrchestrator function called!".format(LOGS_STARTS_WITH) ) json_data = context.get_input() result1 = yield context.call_activity( "RubrikActivity", {"data": json_data, "log_type": THREATHUNT_LOG_TYPE} ) - applogger.debug( + applogger.info( "{} ThreatHuntOrchestrator function completed!".format(LOGS_STARTS_WITH) ) return result1 diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip index b709ab446e3..4743ed0c7b8 100644 Binary files a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip and b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip differ diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json index c79b8167326..834727ab189 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json 
@@ -18,6 +18,11 @@ "metricName": "Total ThreatHunt Event data received", "legend": "Rubrik_ThreatHunt_Data_CL", "baseQuery": "Rubrik_ThreatHunt_Data_CL" + }, + { + "metricName": "Total Other Events data received", + "legend": "Rubrik_Events_Data_CL", + "baseQuery": "Rubrik_Events_Data_CL" } ], "sampleQueries": [ @@ -32,6 +37,10 @@ { "description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.", "query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Rubrik Other Events - Other Events for all severity types.", + "query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc" } ], "dataTypes": [ @@ -46,6 +55,10 @@ { "name": "Rubrik_ThreatHunt_Data_CL", "lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Rubrik_Events_Data_CL", + "lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -66,6 +79,12 @@ "value": [ "Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "availability": { 
@@ -137,7 +156,7 @@ }, { "title": "Option 1 - Azure Resource Manager (ARM) Template", - "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." }, { "title": "Option 2 - Manual Deployment of Azure Functions", 
@@ -149,7 +168,7 @@ }, { "title": "", - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." }, { "title": "", 
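Review bot: Step 3 of the manual "Configure the Function App" instructions now lists `AnomaliesTableName`, `RansomwareAnalysisTableName`, `ThreatHuntsTableName` and `EventsTableName` as the case-sensitive application settings, but those are the ARM template's parameter names; the function code reads the settings `Anomalies_table_name`, `RansomwareAnalysis_table_name`, `ThreatHunts_table_name` and `Events_table_name` (see the app-settings block of the ARM template and `shared_code/consts.py` in this same commit). Because `consts.py` now falls back to default table names when a setting is absent, a user who follows these steps and sets a custom table name under the wrong key gets no error — the data silently lands in the default tables. Restore the setting names in this step: `\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tEvents_table_name`. The Option 1 (ARM) step in the previous hunk is correct as written, since it prompts for template parameters.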
@@ -161,11 +180,11 @@ }, { "title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel.", - "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url." + "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. 
Select the following severity levels: Critical, Warning, Informational \n 6. Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url." }, { "title": "", - "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n" + "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n" } ] -} +} \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json index 1c96a7af47b..d4d44e415b7 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json 
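Review bot: The rewritten webhook steps drop the three removed steps that explained how the Function access key reaches the Function App (the `x-functions-key` header carrying the `code` value from the copied function URL), and the new text does not say whether the "Microsoft Sentinel" provider supplies it or whether the user must keep the `code` query parameter in the URL; "Enter the URL part from copied Function-url" was defined relative to those removed steps and is now ambiguous. If the HTTP starter requires function-level authorization (not visible in this diff) a URL without the key is rejected, and if it does not, the endpoint accepts events from anyone who learns the URL — either way the step should state the expected authorization explicitly, e.g. `3. Enter the full copied Function-url (including the code parameter) as the webhook URL endpoint and replace **{functionname}** with **"RubrikAnomalyOrchestrator"**`. Separately, the closing paragraph now lists "Anomaly" and "Anomaly Detection Analysis" side by side for the `Rubrik_Anomaly_Data_CL` and `Rubrik_Ransomware_Data_CL` tables, which no longer distinguishes them; keeping "Ransomware Investigation Analysis" for the `RubrikRansomwareOrchestrator` path would avoid that.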
@@ -24,25 +24,33 @@ }, "AnomaliesTableName": { "type": "string", - "defaultValue": "Rubrik_Anomaly_Data_CL", + "defaultValue": "Rubrik_Anomaly_Data", "metadata": { "description": "Enter name of the table used to store Rubrik Anamaly logs. Default is 'Rubrik_Anomaly_Data_CL'" } }, "RansomwareAnalysisTableName": { "type": "string", - "defaultValue": "Rubrik_Ransomware_Data_CL", - "metadata": { + "defaultValue": "Rubrik_Ransomware_Data", + "metadata": { "description": "Enter name of the table used to store Rubrik Ransomware logs. Default is 'Rubrik_Ransomware_Data_CL'" } }, "ThreatHuntsTableName": { "type": "string", - "defaultValue": "Rubrik_ThreatHunt_Data_CL", - "metadata": { + "defaultValue": "Rubrik_ThreatHunt_Data", + "metadata": { "description": "Enter name of the table used to store Rubrik ThreatHunt logs. Default is 'Rubrik_ThreatHunt_Data_CL'" } }, + "EventsTableName": { + "type": "string", + "defaultValue": "Rubrik_Events_Data", + "metadata": { + "description": "Enter the table name for types other than Anomaly, Ransomware, and Threat Hunt" + } + }, + "LogLevel": { "type": "string", "metadata": { @@ -117,7 +125,6 @@ "keySource": "Microsoft.Storage" }, "minimumTlsVersion": "TLS1_2" - } }, { @@ -217,7 +224,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.9" + "linuxFxVersion": "python|3.11" } }, "resources": [ 
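Review bot: The three `defaultValue` entries change from `Rubrik_*_Data_CL` to `Rubrik_*_Data`, but each `metadata.description` still says "Default is 'Rubrik_Anomaly_Data_CL'" (likewise for Ransomware and ThreatHunt), so the portal hint now contradicts the value it describes, and the new `EventsTableName` description states no default at all. Presumably `_CL` was dropped because the HTTP Data Collector API appends it to the Log-Type to form the table name; if so the descriptions should say that, e.g. `"description": "Enter name of the table used to store Rubrik Anomaly logs. Default is 'Rubrik_Anomaly_Data' (Log Analytics appends '_CL')"`, otherwise a user who re-adds `_CL` to match the old hint ends up with a `_CL_CL` table. The same wording fix applies to the `RansomwareAnalysisTableName`, `ThreatHuntsTableName` and `EventsTableName` descriptions.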
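Review bot: The hunk at `@@ -117,7 +125,6 @@` removes a lone `}` after `"minimumTlsVersion": "TLS1_2"` while no hunk in this file removes a matching `{`, so unless the old file already had an unbalanced brace (which this diff does not show) the storage-account resource now closes one level early and the template will not parse. Please confirm the template validates (`az deployment group validate` or the ARM-TTK) before merge; if the removal is intentional, widening the hunk context to show the `properties` nesting would make the reason reviewable.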
@@ -231,6 +238,7 @@ "properties": { "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", + "AzureWebJobsDisableHomepage": "True", "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]", "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", @@ -240,6 +248,7 @@ "RansomwareAnalysis_table_name": "[parameters('RansomwareAnalysisTableName')]", "ThreatHunts_table_name": "[parameters('ThreatHuntsTableName')]", "Anomalies_table_name": "[parameters('AnomaliesTableName')]", + "Events_table_name": "[parameters('EventsTableName')]", "LogLevel": "[parameters('LogLevel')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-RubrikWebhookEvents-functionapp" } @@ -283,4 +292,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py index c3bf5967b4a..7ba95d1b91e 100644 --- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py 
@@ -6,6 +6,7 @@ LOG_LEVEL = os.environ.get("LogLevel", "") WORKSPACE_ID = os.environ.get("WorkspaceID") WORKSPACE_KEY = os.environ.get("WorkspaceKey") -ANOMALY_LOG_TYPE = os.environ.get("Anomalies_table_name") -RANSOMWARE_LOG_TYPE = os.environ.get("RansomwareAnalysis_table_name") -THREATHUNT_LOG_TYPE = os.environ.get("ThreatHunts_table_name") +ANOMALY_LOG_TYPE = os.environ.get("Anomalies_table_name", "Rubrik_Anomaly_Data") +RANSOMWARE_LOG_TYPE = os.environ.get("RansomwareAnalysis_table_name", "Rubrik_Ransomware_Data") +THREATHUNT_LOG_TYPE = os.environ.get("ThreatHunts_table_name", "Rubrik_ThreatHunt_Data") +EVENTS_LOG_TYPE = os.environ.get("Events_table_name", "Rubrik_Events_Data") diff --git a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json index dbc33554635..349db6b0b7c 100644 --- a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json +++ b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json @@ -16,13 +16,14 @@ "Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json", "Playbooks/RubrikUserIntelligenceAnalysis/azuredeploy.json", "Playbooks/RubrikRetrieveUserIntelligenceInformation/azuredeploy.json", - "Playbooks/RubrikAnomalyGenerateDownloadableLink/azuredeploy.json" + "Playbooks/RubrikAnomalyGenerateDownloadableLink/azuredeploy.json", + "Playbooks/RubrikWorkloadAnalysis/azuredeploy.json" ], "Data Connectors": [ "Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json" ], "BasePath": "C:\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud", - "Version": "3.2.1", + "Version": "3.3.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/RubrikSecurityCloud/Package/3.3.0.zip b/Solutions/RubrikSecurityCloud/Package/3.3.0.zip new file mode 100644 index 00000000000..d489320b41e Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Package/3.3.0.zip differ 
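Review bot: The new fallback values turn a missing application setting from a failure into a silent default, and nothing in `consts.py` explains why the defaults lack the `_CL` that every table name in the connector UI and sample data carries, so the next maintainer is likely to "fix" them to `Rubrik_Anomaly_Data_CL`. Add a comment above the four `*_LOG_TYPE` lines, e.g. `# Log-Type values sent to the Data Collector API; Log Analytics appends "_CL" to form the table name, so do not include it here` — that is my understanding of why the defaults were chosen, please confirm against the activity function. It would also help to name, in the same comment, that these keys (`Anomalies_table_name`, `RansomwareAnalysis_table_name`, `ThreatHunts_table_name`, `Events_table_name`) are the ones the ARM template provisions, since the manual-deployment instructions changed in this commit list different names.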
diff --git a/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json b/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json
index 74b90ec80d9..2a8055f478f 100644
--- a/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json
+++ b/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel. 
\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json index 43459c8a6e0..198e9753d96 100644 --- a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json +++ b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "ben.meadowcroft@rubrik.com", "_email": "[variables('email')]", "_solutionName": "RubrikSecurityCloud", - "_solutionVersion": "3.2.1", + "_solutionVersion": "3.3.0", "solutionId": "rubrik_inc.rubrik_sentinel", "_solutionId": "[variables('solutionId')]", "RubrikCustomConnector": "RubrikCustomConnector", 
@@ -44,48 +44,40 @@ "playbookContentId1": "RubrikCustomConnector", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]", - "playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "_playbookcontentProductId1": "[variables('playbookcontentProductId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "RubrikAnomalyAnalysis": "RubrikAnomalyAnalysis", "_RubrikAnomalyAnalysis": "[variables('RubrikAnomalyAnalysis')]", "playbookVersion2": "1.0", "playbookContentId2": "RubrikAnomalyAnalysis", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "_playbookId2": "[variables('playbookId2')]", "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", - "playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "_playbookcontentProductId2": "[variables('playbookcontentProductId2')]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", "RubrikAnomalyIncidentResponse": "RubrikAnomalyIncidentResponse", "_RubrikAnomalyIncidentResponse": "[variables('RubrikAnomalyIncidentResponse')]", "playbookVersion3": "1.0", "playbookContentId3": "RubrikAnomalyIncidentResponse", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "_playbookId3": "[variables('playbookId3')]", "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", - "playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", - "_playbookcontentProductId3": "[variables('playbookcontentProductId3')]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", "RubrikDataObjectDiscovery": "RubrikDataObjectDiscovery", "_RubrikDataObjectDiscovery": "[variables('RubrikDataObjectDiscovery')]", "playbookVersion4": "1.0", "playbookContentId4": "RubrikDataObjectDiscovery", "_playbookContentId4": "[variables('playbookContentId4')]", "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "_playbookId4": "[variables('playbookId4')]", "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", - "playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", - "_playbookcontentProductId4": "[variables('playbookcontentProductId4')]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", "RubrikFilesetRansomwareDiscovery": "RubrikFilesetRansomwareDiscovery", "_RubrikFilesetRansomwareDiscovery": "[variables('RubrikFilesetRansomwareDiscovery')]", "playbookVersion5": "1.0", "playbookContentId5": "RubrikFilesetRansomwareDiscovery", "_playbookContentId5": "[variables('playbookContentId5')]", "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", - "_playbookId5": "[variables('playbookId5')]", "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", - "playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", - "_playbookcontentProductId5": "[variables('playbookcontentProductId5')]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", "RubrikIOCScan": "RubrikIOCScan", "_RubrikIOCScan": "[variables('RubrikIOCScan')]", "TemplateEmptyObject": "[json('{}')]", 
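Review bot: The `_playbookId2`…`_playbookId5` and `playbookcontentProductId1`…`playbookcontentProductId5` variables are deleted here while `playbookIdN` and the inlined `_playbookcontentProductIdN` remain, so every `variables('_playbookIdN')` and `variables('playbookcontentProductIdN')` reference in this template has to be rewritten in the same commit or deployment fails at ARM template validation rather than at review. The metadata hunks further down do switch `name` and `parentId` to `playbookIdN` for playbooks 2–13, but any reference outside the shown hunks would not be caught here; the same inlining is applied at the `@@ -93` and `@@ -175` hunks. The newly added `workspaceResourceId` variable has no visible consumer in this chunk, which is harmless if unused but worth confirming. Running the solution through the packaging validator before merge would settle both points.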
@@ -93,80 +85,72 @@ "playbookContentId6": "RubrikIOCScan", "_playbookContentId6": "[variables('playbookContentId6')]", "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", - "_playbookId6": "[variables('playbookId6')]", "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", - "playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", - "_playbookcontentProductId6": "[variables('playbookcontentProductId6')]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", "RubrikPollAsyncResult": "RubrikPollAsyncResult", "_RubrikPollAsyncResult": "[variables('RubrikPollAsyncResult')]", "playbookVersion7": "1.0", "playbookContentId7": "RubrikPollAsyncResult", "_playbookContentId7": "[variables('playbookContentId7')]", "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", - "_playbookId7": "[variables('playbookId7')]", "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", - "playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", - "_playbookcontentProductId7": "[variables('playbookcontentProductId7')]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", "RubrikRansomwareDiscoveryAndFileRecovery": "RubrikRansomwareDiscoveryAndFileRecovery", "_RubrikRansomwareDiscoveryAndFileRecovery": "[variables('RubrikRansomwareDiscoveryAndFileRecovery')]", "playbookVersion8": "1.0", "playbookContentId8": "RubrikRansomwareDiscoveryAndFileRecovery", "_playbookContentId8": "[variables('playbookContentId8')]", "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", - "_playbookId8": "[variables('playbookId8')]", "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", - "playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", - "_playbookcontentProductId8": "[variables('playbookcontentProductId8')]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", "RubrikRansomwareDiscoveryAndVMRecovery": "RubrikRansomwareDiscoveryAndVMRecovery", "_RubrikRansomwareDiscoveryAndVMRecovery": "[variables('RubrikRansomwareDiscoveryAndVMRecovery')]", "playbookVersion9": "1.0", "playbookContentId9": "RubrikRansomwareDiscoveryAndVMRecovery", "_playbookContentId9": "[variables('playbookContentId9')]", "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", - "_playbookId9": "[variables('playbookId9')]", "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", - 
"playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", - "_playbookcontentProductId9": "[variables('playbookcontentProductId9')]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", "RubrikFileObjectContextAnalysis": "RubrikFileObjectContextAnalysis", "_RubrikFileObjectContextAnalysis": "[variables('RubrikFileObjectContextAnalysis')]", "playbookVersion10": "1.0", "playbookContentId10": "RubrikFileObjectContextAnalysis", "_playbookContentId10": "[variables('playbookContentId10')]", "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]", - "_playbookId10": "[variables('playbookId10')]", "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]", - "playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", - "_playbookcontentProductId10": "[variables('playbookcontentProductId10')]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", "RubrikUserIntelligenceAnalysis": "RubrikUserIntelligenceAnalysis", "_RubrikUserIntelligenceAnalysis": "[variables('RubrikUserIntelligenceAnalysis')]", "playbookVersion11": "1.0", "playbookContentId11": "RubrikUserIntelligenceAnalysis", "_playbookContentId11": "[variables('playbookContentId11')]", 
"playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", - "_playbookId11": "[variables('playbookId11')]", "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", - "playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", - "_playbookcontentProductId11": "[variables('playbookcontentProductId11')]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", "RubrikRetrieveUserIntelligenceInformation": "RubrikRetrieveUserIntelligenceInformation", "_RubrikRetrieveUserIntelligenceInformation": "[variables('RubrikRetrieveUserIntelligenceInformation')]", "playbookVersion12": "1.0", "playbookContentId12": "RubrikRetrieveUserIntelligenceInformation", "_playbookContentId12": "[variables('playbookContentId12')]", "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", - "_playbookId12": "[variables('playbookId12')]", "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", - "playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", - "_playbookcontentProductId12": "[variables('playbookcontentProductId12')]", + "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", "RubrikAnomalyGenerateDownloadableLink": "RubrikAnomalyGenerateDownloadableLink", "_RubrikAnomalyGenerateDownloadableLink": "[variables('RubrikAnomalyGenerateDownloadableLink')]", "playbookVersion13": "1.0", "playbookContentId13": "RubrikAnomalyGenerateDownloadableLink", "_playbookContentId13": "[variables('playbookContentId13')]", "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", - "_playbookId13": "[variables('playbookId13')]", "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", - "playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", - "_playbookcontentProductId13": "[variables('playbookcontentProductId13')]", + "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", + "RubrikWorkloadAnalysis": "RubrikWorkloadAnalysis", + "_RubrikWorkloadAnalysis": "[variables('RubrikWorkloadAnalysis')]", + "playbookVersion14": "1.0", + "playbookContentId14": "RubrikWorkloadAnalysis", + "_playbookContentId14": "[variables('playbookContentId14')]", + "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", + "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", + "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", "uiConfigId1": "RubrikSecurityCloudAzureFunctions", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "RubrikSecurityCloudAzureFunctions", @@ -175,10 +159,8 @@ "_dataConnectorId1": "[variables('dataConnectorId1')]", "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", - "dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "_dataConnectorcontentProductId1": "[variables('dataConnectorcontentProductId1')]", - "solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", - "_solutioncontentProductId": "[variables('solutioncontentProductId')]" + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { 
@@ -190,7 +172,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikCustomConnector Playbook with template version 3.2.1",
+ "description": "RubrikCustomConnector Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -356,7 +338,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikAnomalyAnalysis Playbook with template version 3.2.1",
+ "description": "RubrikAnomalyAnalysis Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -382,7 +364,7 @@
 "DownloadableLinkGeneratePlaybookName": {
 "type": "string",
 "metadata": {
- "description": "Playbook name that you have given while deployment of playbook RubrikAnomalyGenerateDownloadableLink(e.g.RubrikAnomalyGenerateDownloadableLink)"
+ "description": "Playbook name that you have given while deployment of playbook RubrikGenerateDownloadableLink(e.g.RubrikGenerateDownloadableLink)"
 }
 }
 },
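Review bot: The updated description for the `DownloadableLinkGeneratePlaybookName` parameter now tells the operator to enter the name of playbook `RubrikGenerateDownloadableLink`, but this package still ships that playbook as `RubrikAnomalyGenerateDownloadableLink` (`playbookContentId13` in the variables hunk and the content template description at `@@ -23657`). An operator who follows the prompt literally would presumably reference a Logic App that does not exist under that name, and the RubrikAnomalyAnalysis playbook's call to it would fail at run time rather than at deployment. Either keep the previous wording, `"description": "Playbook name that you have given while deployment of playbook RubrikAnomalyGenerateDownloadableLink(e.g.RubrikAnomalyGenerateDownloadableLink)"`, or rename the playbook consistently across the template.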
@@ -3317,9 +3299,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId2')]",
+ "parentId": "[variables('playbookId2')]",
 "contentId": "[variables('_playbookContentId2')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion2')]",
@@ -3413,7 +3395,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.2.1",
+ "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -4018,9 +4000,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId3')]",
+ "parentId": "[variables('playbookId3')]",
 "contentId": "[variables('_playbookContentId3')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion3')]",
@@ -4067,10 +4049,10 @@
 "5. Click Save",
 "6. Repeat steps for other connections",
 "**b. Configurations in Microsoft Sentinel**",
- "1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have the *ClusterId* - custom entity that contains clusterId of an event generated in rubrik, *ObjectId* - custom entity that contains objectId of an event generated in rubrik, *ObjectType* - custom entity that contains objectType of an event generated in rubrik, *ObjectName* -custom entity that contains objectName of an event generated in rubrik . It can be obtained from the corresponding field in Rubrik Anomaly Event logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.",
+ "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. An incident should have the *ClusterId* - custom entity that contains clusterId of an event generated in rubrik, *ObjectId* - custom entity that contains objectId of an event generated in rubrik, *ObjectType* - custom entity that contains objectType of an event generated in rubrik, *ObjectName* -custom entity that contains objectName of an event generated in rubrik . It can be obtained from the corresponding field in Rubrik Anomaly Event logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.",
 "2. Configure the automation rules to trigger the playbook."
 ],
- "lastUpdateTime": "2024-02-21T10:23:09.173Z",
+ "lastUpdateTime": "2022-01-20T00:00:00Z",
 "entities": [
 "account",
 "url"
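Review bot: The only textual change in the `"1. In Microsoft sentinel, …"` line is the product name losing its capital S, which is a regression in customer-facing text; the line should stay `"1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident. …"`. In the same hunk `lastUpdateTime` moves backwards from `2024-02-21T10:23:09.173Z` to `2022-01-20T00:00:00Z`, so the content hub would show this playbook as older than the version it replaces even though its template version is bumped to 3.3.0; the same regression appears at the `@@ -16692` hunk. If this file is generated from the playbook's own metadata, the source `lastUpdateTime` should be corrected rather than the package.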
@@ -4111,7 +4093,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikDataObjectDiscovery Playbook with template version 3.2.1",
+ "description": "RubrikDataObjectDiscovery Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -6626,9 +6608,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId4')]",
+ "parentId": "[variables('playbookId4')]",
 "contentId": "[variables('_playbookContentId4')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion4')]",
@@ -6722,7 +6704,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.2.1",
+ "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -7282,9 +7264,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId5')]",
+ "parentId": "[variables('playbookId5')]",
 "contentId": "[variables('_playbookContentId5')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion5')]",
@@ -7368,7 +7350,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikIOCScan Playbook with template version 3.2.1",
+ "description": "RubrikIOCScan Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -9725,9 +9707,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId6')]",
+ "parentId": "[variables('playbookId6')]",
 "contentId": "[variables('_playbookContentId6')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion6')]",
@@ -9821,7 +9803,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikPollAsyncResult Playbook with template version 3.2.1",
+ "description": "RubrikPollAsyncResult Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion7')]",
@@ -10590,9 +10572,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId7')]",
+ "parentId": "[variables('playbookId7')]",
 "contentId": "[variables('_playbookContentId7')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion7')]",
@@ -10685,7 +10667,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.2.1",
+ "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion8')]",
@@ -12514,9 +12496,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId8')]",
+ "parentId": "[variables('playbookId8')]",
 "contentId": "[variables('_playbookContentId8')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion8')]",
@@ -12613,7 +12595,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.2.1",
+ "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion9')]",
@@ -16635,9 +16617,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId9')]",
+ "parentId": "[variables('playbookId9')]",
 "contentId": "[variables('_playbookContentId9')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion9')]",
@@ -16692,7 +16674,7 @@
 "5. Click Save",
 "6. Repeat steps for other connections"
 ],
- "lastUpdateTime": "2024-02-21T10:23:09.173Z",
+ "lastUpdateTime": "2022-01-20T00:00:00Z",
 "entities": [
 "account",
 "url"
@@ -16734,7 +16716,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.2.1",
+ "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion10')]",
@@ -19891,9 +19873,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId10')]",
+ "parentId": "[variables('playbookId10')]",
 "contentId": "[variables('_playbookContentId10')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion10')]",
@@ -19949,6 +19931,7 @@
 "4. In principal section, search by copied object ID. Click next.",
 "5. Click review + create."
 ],
+ "lastUpdateTime": "2024-04-22T00:14:08.736Z",
 "entities": [
 "account",
 "url"
@@ -19959,7 +19942,6 @@
 "Security",
 "Rubrik"
 ],
- "lastUpdateTime": "2024-04-22T00:14:08.736Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[variables('blanks')]",
@@ -19991,7 +19973,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.2.1",
+ "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion11')]",
@@ -21836,9 +21818,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId11'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId11')]",
+ "parentId": "[variables('playbookId11')]",
 "contentId": "[variables('_playbookContentId11')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion11')]",
@@ -21957,7 +21939,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.2.1",
+ "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion12')]",
@@ -23568,9 +23550,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId12'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId12')]",
+ "parentId": "[variables('playbookId12')]",
 "contentId": "[variables('_playbookContentId12')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion12')]",
@@ -23657,7 +23639,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.2.1",
+ "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion13')]",
@@ -24912,9 +24894,9 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId13'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]",
 "properties": {
- "parentId": "[variables('_playbookId13')]",
+ "parentId": "[variables('playbookId13')]",
 "contentId": "[variables('_playbookContentId13')]",
 "kind": "Playbook",
 "version": "[variables('playbookVersion13')]",
@@ -25003,173 +24985,2101 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[variables('playbookTemplateSpecName14')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikSecurityCloud data connector with template version 3.2.1", + "description": "RubrikWorkloadAnalysis Playbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion14')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RubrikWorkloadAnalysis", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Keyvault Name": { + "type": "string", + "metadata": { + "description": "Enter name of keyvault where service account credentials are stored(Example: RubrikSentinelKeyVault)" + } + }, + "Tenant Id": { + "type": "string", + "metadata": { + "description": "Enter Tenant ID of your Microsoft EntraID where keyvault is available" + } + }, + "Rubrik Base URL": { + "type": "string", + "minLength": 1, + "defaultValue": "https://rubrik-tme.my.rubrik.com", + "metadata": { + "description": "Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com)" + } + }, + "IncreaseSeverityLevel": { + "defaultValue": 1, + "allowedValues": [ + 1, + 2, + 3 + ], + "type": "Int", + "metadata": { + "description": "Enter a value to increase the severity level of the 
incident.(Example: for value 1 incident severity will change from Low to Medium)" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Rubrik Security Cloud data connector (using Azure Functions)", - "publisher": "Rubrik, Inc", - "descriptionMarkdown": "The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. 
The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assess the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents.", - "graphQueries": [ - { - "metricName": "Total Anomaly Event data received", - "legend": "Rubrik_Anomaly_Data_CL", - "baseQuery": "Rubrik_Anomaly_Data_CL" - }, - { - "metricName": "Total Ransomware Event data received", - "legend": "Rubrik_Ransomware_Data_CL", - "baseQuery": "Rubrik_Ransomware_Data_CL" - }, - { - "metricName": "Total ThreatHunt Event data received", - "legend": "Rubrik_ThreatHunt_Data_CL", - "baseQuery": "Rubrik_ThreatHunt_Data_CL" - } - ], - "sampleQueries": [ - { - "description": "Rubrik Anomaly Events - Anomaly Events for all severity types.", - "query": "Rubrik_Anomaly_Data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Rubrik Ransomware Analysis Events - Ransomware Analysis Events for all severity types.", - "query": "Rubrik_Ransomware_Data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.", - "query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Rubrik_Anomaly_Data_CL", - "lastDataReceivedQuery": "Rubrik_Anomaly_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" }, - { - "name": "Rubrik_Ransomware_Data_CL", - "lastDataReceivedQuery": "Rubrik_Ransomware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "Increase_Severity_Level": { + "defaultValue": "[[parameters('IncreaseSeverityLevel')]", + "type": "Int" }, 
- { - "name": "Rubrik_ThreatHunt_Data_CL", - "lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "Rubrik_Base_URL": { + "defaultValue": "[[trim(parameters('Rubrik Base URL'))]", + "type": "String" } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Rubrik_Anomaly_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "Rubrik_Ransomware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } } - ], - "availability": { - "status": 1, - "isPreview": false }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true + "actions": { + "Check_For_Status_Code_Of_Generating_Access_Token": { + "actions": { + "Set_Access_Token": { + "type": "SetVariable", + "inputs": { + "name": "Access_Token", + "value": "@{body('Get_Access_Token')?['access_token']}" + } } }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true + "runAfter": { + "Get_Access_Token": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_Due_To_Authentication_Failure": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('Get_Access_Token')['statusCode']}", + "message": "@{body('Get_Access_Token')?['message']}" + }, + "runStatus": "Failed" + } + } } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Rubrik webhook which push its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Access_Token')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" }, - { - "description": "**STEP 1 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Rubrik Microsoft Sentinel data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available..", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" + "Condition_To_Verify_Empty_List_Of_IP_-_Host": { + "actions": { + "Terminate_Due_Empty_IP_-_Host_List": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "404", + "message": "IP or Host are not Mapped with Incident" + }, + "runStatus": "Failed" + } } - ] - }, - { - "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + "runAfter": { + "For_Hosts_In_Entity_Mapping": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@length(variables('IP_Host_List'))", + 0 + ] + } + ] + }, + "type": "If" }, - { - "description": "Use the following step-by-step instructions to deploy the Rubrik Microsoft Sentinel data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" + "Condition_To_Verify_Length_Of_Failed_IP_-_Host_List": { + "actions": { + "Condition_To_Check_All_Failure": { + "else": { + "actions": { + "Update_Incident_(2)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "@variables('Incident_Severity')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@length(variables('Failed_IP_Host_List'))", + "@length(variables('IP_Host_List'))" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit_(2)": { + "actions": { + "Add_Failed_IP_-_Host_List_Into_Incident_Comment": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Update_Incident_(2)')?['id']", + "message": "

Failed IP/Host List: @{replace(replace(replace(replace(string(variables('Failed_IP_Host_List')), '\"', ''), '[', ''), ']', ''), ',', ', ')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Condition_To_Check_All_Failure": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Comment_Count')", + 100 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "For_Each_IP_Or_Host": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Update_Incident": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "@variables('Incident_Severity')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(variables('Failed_IP_Host_List'))", + 0 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Alert_Details": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Condition_To_Verify_Custom_Details_Is_Not_Empty": { + "actions": { + "Condition_To_Verify_Host_Is_Mapped_In_Custom_Details": { + "actions": { + "Condition_To_Verify_List_Of_Hosts": { + "actions": { + "For_Each_Host_In_Custom_Details": { + "foreach": "@json(body('Parse_Custom_Details')?['Host'][0])", + "actions": { + "Append_Host_Into_List": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@items('For_Each_Host_In_Custom_Details')" + } + } + }, + "type": "Foreach" + } + }, + "else": { + "actions": { + "Append_Host_Into_List_(2)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@body('Parse_Custom_Details')?['Host'][0]" + } + } + } + }, + "expression": { + "and": [ + { + "contains": [ + "@body('Parse_Custom_Details')?['Host'][0]", + "]" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Set_IP_List_Size_(2)": [ + 
"Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_Custom_Details')?['Host'])", + "@false" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": { + "actions": { + "Condition_To_Verify_List_Of_IPs_(2)": { + "actions": { + "For_Each_IP_In_Custom_Details": { + "foreach": "@json(body('Parse_Custom_Details')?['IP'][0])", + "actions": { + "Condition_To_Verify_IP_Already_Not_Exist_In_List": { + "actions": { + "Append_IP_Into_List_(3)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@items('For_Each_IP_In_Custom_Details')" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(variables('IP_Host_List'), items('For_Each_IP_In_Custom_Details'))", + "@false" + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + }, + "else": { + "actions": { + "Condition_To_Verify_IP_Already_Not_Exist_In_List_(2)": { + "actions": { + "Append_IP_Into_List_(4)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@body('Parse_Custom_Details')?['IP'][0]" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(variables('IP_Host_List'), body('Parse_Custom_Details')?['IP'][0])", + "@false" + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "contains": [ + "@body('Parse_Custom_Details')?['IP'][0]", + "]" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_Custom_Details": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_Custom_Details')?['IP'])", + "@false" + ] + } + ] + }, + "type": "If" + }, + "Parse_Custom_Details": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details']", + "schema": { + "properties": { + "Host": { + "items": { + "type": "string" + }, + "type": "array" + }, + "IP": { + "items": { + "type": "string" + }, + 
"type": "array" + } + }, + "type": "object" + } + } + }, + "Set_IP_List_Size_(2)": { + "runAfter": { + "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "IP_List_Size", + "value": "@length(variables('IP_Host_List'))" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details'])", + "@false" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Set_IP_List_Size": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_Each_IP_Or_Host": { + "foreach": "@variables('IP_Host_List')", + "actions": { + "Check_For_HTTP_Request_Status_Code": { + "actions": { + "Condition_To_Check_IP_-_Host_Invalid_Or_Data_Not_Found": { + "actions": { + "Append_IP_Address_Or_Host_Name_Into_Failed_List_(2)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Failed_IP_Host_List", + "value": "@items('For_Each_IP_Or_Host')" + } + } + }, + "runAfter": { + "Parse_Response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Incident_Severity_Is_High": { + "runAfter": { + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Check_Incident_Updated_By_Increase_Level": { + "actions": { + "Condition_To_Check_Response_And_Update_Incident_Severity": { + "actions": { + "Condition_To_Verify_Increase_Level_Is_1": { + "actions": { + "Switch_Case_For_Update_Incident_Severity": { + "cases": { + "Case_When_Severity_Is_Informational": { + "case": "Informational", + "actions": { + "Set_Incident_Severity_Updated_To_True": { + "runAfter": { + "Set_Severity_For_Increase_Level_To_Low": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity_Updated", + "value": "@true" + } + }, + "Set_Severity_For_Increase_Level_To_Low": { + "type": "SetVariable", + "inputs": { + "name": 
"Severity_For_Increase_Level", + "value": "Low" + } + } + } + }, + "Case_When_Severity_Is_Low": { + "case": "Low", + "actions": { + "Set_Incident_Severity_Updated_To_True_(2)": { + "runAfter": { + "Set_Severity_For_Increase_Level_To_Medium": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity_Updated", + "value": "@true" + } + }, + "Set_Severity_For_Increase_Level_To_Medium": { + "type": "SetVariable", + "inputs": { + "name": "Severity_For_Increase_Level", + "value": "Medium" + } + } + } + }, + "Case_When_Severity_Is_Medium": { + "case": "Medium", + "actions": { + "Set_Incident_Severity_Updated_To_True_(3)": { + "runAfter": { + "Set_Severity_For_Increase_Level_To_High": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity_Updated", + "value": "@true" + } + }, + "Set_Severity_For_Increase_Level_To_High": { + "type": "SetVariable", + "inputs": { + "name": "Severity_For_Increase_Level", + "value": "High" + } + } + } + } + }, + "expression": "@variables('Severity_For_Increase_Level')", + "type": "Switch" + } + }, + "else": { + "actions": { + "Condition_To_Verify_Increase_Level_Is_2_And_Incident_Severity_Is_Informational": { + "actions": { + "Set_Incident_Severity_Updated_To_True_(4)": { + "runAfter": { + "Set_Severity_For_Increase_Level_To_Medium_(2)": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity_Updated", + "value": "@true" + } + }, + "Set_Severity_For_Increase_Level_To_Medium_(2)": { + "type": "SetVariable", + "inputs": { + "name": "Severity_For_Increase_Level", + "value": "Medium" + } + } + }, + "else": { + "actions": { + "Set_Incident_Severity_Updated_To_True_(5)": { + "runAfter": { + "Set_Severity_For_Increase_Level_To_High_(2)": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity_Updated", + "value": "@true" + } + }, + "Set_Severity_For_Increase_Level_To_High_(2)": { + "type": "SetVariable", + 
"inputs": { + "name": "Severity_For_Increase_Level", + "value": "High" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('Increase_Severity_Level')", + 2 + ] + }, + { + "equals": [ + "@variables('Severity_For_Increase_Level')", + "Informational" + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('Increase_Severity_Level')", + 1 + ] + } + ] + }, + "type": "If" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@or(\r\nif(equals(body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious'], 'Matches Found'), true, false),\r\nif(equals(body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious'], 'Matches Found'), true, false))", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('Incident_Severity_Updated')", + "@false" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Check_Risk_Level": { + "actions": { + "Set_Severity_For_Risk_Level": { + "type": "SetVariable", + "inputs": { + "name": "Severity_For_RiskLevel", + "value": "@{variables('Severity_Mapping')?[toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel'])]}" + } + } + }, + "runAfter": { + "Condition_To_Check_Incident_Updated_By_Increase_Level": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(string(variables('Severity_Mapping')), toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel']))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_High_Severity": { + "actions": { + "Set_Incident_Severity_To_High": { + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity", + "value": "High" + } + } + }, + "runAfter": { + "Switch_Case_For_Anomaly_Severity": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Medium_Severity": { + "actions": { + "Set_Incident_Severity_To_Medium": { + "type": 
"SetVariable", + "inputs": { + "name": "Incident_Severity", + "value": "Medium" + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_Low_Severity": { + "actions": { + "Set_Incident_Severity_To_Low": { + "type": "SetVariable", + "inputs": { + "name": "Incident_Severity", + "value": "Low" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@or(if(equals(variables('Severity_For_Increase_Level'), 'Low'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Low'), true, false), if(equals(variables('Anomaly_Severity'), 'Low'), true, false), if(equals(variables('Incident_Severity'), 'Low'), true, false))", + "@true" + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@or(if(equals(variables('Severity_For_Increase_Level'), 'Medium'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Medium'), true, false), if(equals(variables('Anomaly_Severity'), 'Medium'), true, false), if(equals(variables('Incident_Severity'), 'Medium'), true, false))", + "@true" + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@or(if(equals(variables('Severity_For_Increase_Level'), 'High'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'High'), true, false), if(equals(variables('Anomaly_Severity'), 'High'), true, false), if(equals(variables('Incident_Severity'), 'High'), true, false))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Switch_Case_For_Anomaly_Severity": { + "runAfter": { + "Condition_To_Check_Risk_Level": [ + "Succeeded" + ] + }, + "cases": { + "Case_When_Anomaly_Severity_Is_Critical": { + "case": "critical", + "actions": { + "Set_Anomaly_Severity_To_High": { + "type": "SetVariable", + "inputs": { + "name": "Anomaly_Severity", + "value": "High" + } + } + } + }, + "Case_When_Anomaly_Severity_Is_Informational": { + "case": "informational", + "actions": { + "Set_Anomaly_Severity_To_Informational": { + "type": "SetVariable", + "inputs": { + 
"name": "Anomaly_Severity", + "value": "Informational" + } + } + } + }, + "Case_When_Anomaly_Severity_Is_Warning": { + "case": "warning", + "actions": { + "Set_Anomaly_Severity_To_Medium": { + "type": "SetVariable", + "inputs": { + "name": "Anomaly_Severity", + "value": "Medium" + } + } + } + } + }, + "expression": "@toLower(body('Parse_Response')?['anomalyInfo']?['severity'])", + "type": "Switch" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('Incident_Severity')", + "High" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": { + "actions": { + "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": { + "actions": { + "Add_Detail_Response_Of_IP_To_Incident_Comment": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('Detailed_Response')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "else": { + "actions": { + "Add_Comment_For_30000_Characters_Limit": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Length of response is exceeded to 30,000 characters for @{items('For_Each_IP_Or_Host')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(variables('Detailed_Response'))", + 30000 + ] + } + ] + }, + "type": "If" + }, + "Increment_Comment_Count": { + "runAfter": { + "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "Comment_Count", + "value": 1 + } + } + }, + "runAfter": { + "Set_Detailed_Response": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Comment_Count')", + 100 + ] + } + ] + }, + "type": "If" + }, + "Set_Detailed_Response": { + "type": "SetVariable", + "inputs": { + "name": "Detailed_Response", + "value": "\n

General Information for the given @{body('Parse_Response')?['sensitiveInfo']?['riskLevel']} risk : @{items('For_Each_IP_Or_Host')}

\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
FID@{body('Parse_Response')?['generalInfo']?['fid']}
Name@{body('Parse_Response')?['generalInfo']?['name']}
Object Type@{body('Parse_Response')?['generalInfo']?['objectType']}
Protection Status@{body('Parse_Response')?['generalInfo']?['protectionStatus']}
Last Snapshot@{body('Parse_Response')?['generalInfo']?['lastSnapshot']}
Redirect Link@{body('Parse_Response')?['generalInfo']?['redirectLink']}
\n\n\n

Sensitive Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
Risk Level@{body('Parse_Response')?['sensitiveInfo']?['riskLevel']}
Sensitive Files\n

mediumCount: @{body('Parse_Response')?['sensitiveInfo']?['sensitiveFiles']?['mediumCount']}

\n
Sensitive Hits@{body('Parse_Response')?['sensitiveInfo']?['sensitiveHits']}
Open Access Files@{body('Parse_Response')?['sensitiveInfo']?['openAccessFiles']}
Stale Files@{body('Parse_Response')?['sensitiveInfo']?['staleFiles']}
Policy Names@{replace(replace(replace(replace(string(body('Parse_Response')?['sensitiveInfo']?['policyNames']), '\"', ''), '[', ''), ']', ''), ',', ', ')}
Redirect Link@{body('Parse_Response')?['sensitiveInfo']?['redirectLink']}
\n\n\n

Anomaly Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
Severity@{body('Parse_Response')?['anomalyInfo']?['severity']}
Detection Time@{body('Parse_Response')?['anomalyInfo']?['detectionTime']}
Created File Count@{body('Parse_Response')?['anomalyInfo']?['createdFileCount']}
Deleted File Count@{body('Parse_Response')?['anomalyInfo']?['deletedFileCount']}
Modified File Count@{body('Parse_Response')?['anomalyInfo']?['modifiedFileCount']}
Suspicious File Count@{body('Parse_Response')?['anomalyInfo']?['suspiciousFileCount']}
Redirect Link@{body('Parse_Response')?['anomalyInfo']?['redirectLink']}
\n\n\n

Threat Hunt Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
Latest Threat Hunt\n

huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntId']}

\n

huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntStartTime']}

\n

isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['isMalicious']}

\n
Latest Malicious Threat Hunt\n

huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntId']}

\n

huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntStartTime']}

\n

isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious']}

\n
Redirect Link@{body('Parse_Response')?['threatHuntInfo']?['redirectLink']}
\n\n\n

Threat Monitoring Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
Latest Threat Monitoring\n

snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['snapshotFid']}

\n

monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['monitoringScanTime']}

\n

isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['isMalicious']}

\n
Latest Malicious Threat Monitoring\n

snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['snapshotFid']}

\n

monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['monitoringScanTime']}

\n

isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious']}

\n
Redirect Link@{body('Parse_Response')?['threatMonitoringInfo']?['redirectLink']}
" + } + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@contains(body('Parse_Response')?['generalInfo']?['fid'], 'No Objects Found')", + "@true" + ] + }, + { + "equals": [ + "@contains(body('Parse_Response')?['generalInfo']?['name'], 'No Objects Found')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_Response": { + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Information')", + "schema": { + "properties": { + "anomalyInfo": { + "properties": { + "createdFileCount": { + "type": "string" + }, + "deletedFileCount": { + "type": "string" + }, + "detectionTime": { + "type": "string" + }, + "modifiedFileCount": { + "type": "string" + }, + "redirectLink": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "suspiciousFileCount": { + "type": "string" + } + }, + "type": "object" + }, + "generalInfo": { + "properties": { + "fid": { + "type": "string" + }, + "lastSnapshot": { + "type": "string" + }, + "name": { + "type": "string" + }, + "objectType": { + "type": "string" + }, + "protectionStatus": { + "type": "string" + }, + "redirectLink": { + "type": "string" + } + }, + "type": "object" + }, + "sensitiveInfo": { + "properties": { + "openAccessFiles": { + "type": "integer" + }, + "policyNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "redirectLink": { + "type": "string" + }, + "riskLevel": { + "type": "string" + }, + "sensitiveFiles": { + "properties": { + "mediumCount": { + "type": "string" + } + }, + "type": "object" + }, + "sensitiveHits": { + "type": "integer" + }, + "staleFiles": { + "type": "integer" + } + }, + "type": "object" + }, + "threatHuntInfo": { + "properties": { + "latestMaliciousThreatHunt": { + "properties": { + "huntId": { + "type": "string" + }, + "huntStartTime": { + "type": "string" + }, + "isMalicious": { + "type": "string" + } + }, + "type": "object" + }, + "latestThreatHunt": { + "properties": { + "huntId": { + "type": "string" + }, + "huntStartTime": { + "type": "string" + 
}, + "isMalicious": { + "type": "string" + } + }, + "type": "object" + }, + "redirectLink": { + "type": "string" + } + }, + "type": "object" + }, + "threatMonitoringInfo": { + "properties": { + "latestMaliciousThreatMonitoring": { + "properties": { + "isMalicious": { + "type": "string" + }, + "monitoringScanTime": { + "type": "string" + }, + "snapshotFid": { + "type": "string" + } + }, + "type": "object" + }, + "latestThreatMonitoring": { + "properties": { + "isMalicious": { + "type": "string" + }, + "monitoringScanTime": { + "type": "string" + }, + "snapshotFid": { + "type": "string" + } + }, + "type": "object" + }, + "redirectLink": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Get_Information": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_IP_Address_Or_Host_Name_Into_Failed_List": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Failed_IP_Host_List", + "value": "@items('For_Each_IP_Or_Host')" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Information')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Set_Search_Type": { + "actions": { + "Set_Search_Type_To_name": { + "type": "SetVariable", + "inputs": { + "name": "Search_Type", + "value": "name" + } + } + }, + "else": { + "actions": { + "Decrement_IP_List_Size_By_1": { + "type": "DecrementVariable", + "inputs": { + "name": "IP_List_Size", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('IP_List_Size')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Information": { + "runAfter": { + "Condition_To_Set_Search_Type": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{variables('Access_Token')}" + }, + "method": "GET", + "queries": { + "search_string": "@{items('For_Each_IP_Or_Host')}", + "search_type": "@variables('Search_Type')" + }, + "uri": 
"@{variables('Base_URL')}/api/thirdparty/workload_summary" + } + } + }, + "runAfter": { + "Check_For_Status_Code_Of_Generating_Access_Token": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Hosts_In_Entity_Mapping": { + "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "actions": { + "Condition_To_Verify_Host": { + "actions": { + "Condition_To_Verify_List_Of_Hosts_(2)": { + "actions": { + "For_Each_Host_In_Entity_Mapping": { + "foreach": "@json(items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])", + "actions": { + "Condition_To_Verify_Host_Already_Not_Exist_In_List": { + "actions": { + "Append_Host_Into_List_(3)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@items('For_Each_Host_In_Entity_Mapping')" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(variables('IP_Host_List'), items('For_Each_Host_In_Entity_Mapping'))", + "@false" + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + }, + "else": { + "actions": { + "Condition_To_Verify_Host_Already_Not_Exist_In_List_(2)": { + "actions": { + "Append_Host_Into_List_(4)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(variables('IP_Host_List'), items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])", + "@false" + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "contains": [ + "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']", + "]" + ] + } + ] + }, + "type": "If" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@items('For_Hosts_In_Entity_Mapping')?['kind']", + "Host" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "For_Each_Alert_Details": [ + "Succeeded" + ] 
+ }, + "type": "Foreach" + }, + "For_IPs_In_Entity_Mapping": { + "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "actions": { + "Condition_To_Verify_IP": { + "actions": { + "Condition_To_Verify_List_Of_IPs": { + "actions": { + "For_Each_IP_In_Entity_Mapping": { + "foreach": "@json(items('For_IPs_In_Entity_Mapping')?['properties']?['address'])", + "actions": { + "Append_IP_Into_List": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@items('For_Each_IP_In_Entity_Mapping')" + } + } + }, + "type": "Foreach" + } + }, + "else": { + "actions": { + "Append_IP_Into_List_(2)": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Host_List", + "value": "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']" + } + } + } + }, + "expression": { + "and": [ + { + "contains": [ + "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']", + "]" + ] + } + ] + }, + "type": "If" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@items('For_IPs_In_Entity_Mapping')?['kind']", + "Ip" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Initialize_Severity_Mapping": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Access_Token": { + "runAfter": { + "Condition_To_Verify_Empty_List_Of_IP_-_Host": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "client_id": "@body('Get_Rubrik_Client_ID')?['value']", + "client_secret": "@body('Get_Rubrik_Client_Secret')?['value']" + }, + "method": "POST", + "uri": "@{variables('Base_URL')}/api/client_token" + } + }, + "Get_Rubrik_Client_ID": { + "runAfter": { + "Initialize_Count_Of_Comments_In_Incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Id')}/value" + } + }, + "Get_Rubrik_Client_Secret": { + "runAfter": { + 
"Get_Rubrik_Client_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Secret')}/value" + } + }, + "Initialize_AccessToken": { + "runAfter": { + "Initialize_Incident_Severity_Updated": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Access_Token", + "type": "string" + } + ] + } + }, + "Initialize_Anomaly_Severity": { + "runAfter": { + "Initialize_Severity_For_Risk_Level": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Anomaly_Severity", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + ] + } + }, + "Initialize_Base_URL": { + "runAfter": { + "Initialize_Search_Type": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Base_URL", + "type": "string", + "value": "@parameters('Rubrik_Base_URL')" + } + ] + } + }, + "Initialize_Count_Of_Comments_In_Incident": { + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment_Count", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + }, + "Initialize_Detailed_Response": { + "runAfter": { + "Initialize_AccessToken": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Detailed_Response", + "type": "string" + } + ] + } + }, + "Initialize_Failed_IP_Address_And_Host_Name_List": { + "runAfter": { + "Initialize_IP_Address_And_Host_Name_List": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Failed_IP_Host_List", + "type": "array" + } + ] + } + }, + 
"Initialize_IP_Address_And_Host_Name_List": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IP_Host_List", + "type": "array" + } + ] + } + }, + "Initialize_IP_List_Size": { + "runAfter": { + "Initialize_Failed_IP_Address_And_Host_Name_List": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IP_List_Size", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Incident_Severity": { + "runAfter": { + "Get_Rubrik_Client_Secret": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Incident_Severity", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + ] + } + }, + "Initialize_Incident_Severity_Increase_Level": { + "runAfter": { + "Initialize_Anomaly_Severity": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Increase_Severity_Level", + "type": "integer", + "value": "@parameters('Increase_Severity_Level')" + } + ] + } + }, + "Initialize_Incident_Severity_Updated": { + "runAfter": { + "Initialize_Incident_Severity_Increase_Level": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Incident_Severity_Updated", + "type": "boolean", + "value": "@false" + } + ] + } + }, + "Initialize_Search_Type": { + "runAfter": { + "Initialize_IP_List_Size": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Search_Type", + "type": "string", + "value": "ipv4" + } + ] + } + }, + "Initialize_Severity_For_Increase_Level": { + "runAfter": { + "Initialize_Incident_Severity": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Severity_For_Increase_Level", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + ] + } + }, + "Initialize_Severity_For_Risk_Level": { + 
"runAfter": { + "Initialize_Severity_For_Increase_Level": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Severity_For_RiskLevel", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + ] + } + }, + "Initialize_Severity_Mapping": { + "runAfter": { + "Initialize_Detailed_Response": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Severity_Mapping", + "type": "object", + "value": { + "high": "High", + "low": "Low", + "medium": "Medium" + } + } + ] + } + }, + "Set_IP_List_Size": { + "runAfter": { + "For_IPs_In_Entity_Mapping": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "IP_List_Size", + "value": "@length(variables('IP_Host_List'))" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "RubrikWorkloadAnalysis", + 
"hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('KeyvaultConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + }, + "parameterValues": { + "token:TenantId": "[[trim(parameters('Tenant Id'))]", + "token:grantType": "code", + "vaultName": "[[trim(parameters('Keyvault Name'))]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId14')]", + "contentId": "[variables('_playbookContentId14')]", + "kind": "Playbook", + "version": "[variables('playbookVersion14')]", + "source": { + "kind": "Solution", + "name": "RubrikSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Ben Meadowcroft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Rubrik", + "email": "support@rubrik.com", + "tier": "Partner", + "link": 
"https://support.rubrik.com" + } + } + } + ], + "metadata": { + "title": "RubrikWorkloadAnalysis", + "description": "This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.", + "prerequisites": [ + "1. User must have a valid Rubrik Client Id and Client Secret.", + "2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId", + "a. Create a Key Vault with a unique name", + "b. Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik-Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively", + "NOTE: Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to 'Vault access policy'" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select keyvault connection resource", + "2. Go to General -> edit API connection", + "3. Click the keyvault connection resource", + "4. Click edit API connection", + "5. Click Authorize", + "6. Sign in", + "7. Click Save", + "8. Repeat steps for other connections", + "**b. Assign Role to add comment in incident**", + "After authorizing each connection, assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**c. Add Access policy in Keyvault**", + "Add access policy for the playbook's managed identity and authorized user to read, and write secrets of key vault.", + "1. Go to logic app → → identity → System assigned Managed identity and copy Object (principal) ID.", + "2. 
Go to keyvaults → → Access policies → create.", + "3. Select all keys & secrets permissions. Click next.", + "4. In the principal section, search by copied object ID. Click next.", + "5. Click review + create.", + "**d. Configurations in Microsoft Sentinel**", + "1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.", + "a. Analytic Rule must contain at least one of the below fields mapped in Entity Mapping or Custom Details to successfully fetch data.", + "IP", + "Host", + "2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.", + "a. Go to Microsoft Sentinel -> -> Automation", + "b. Click on Create -> Automation rule", + "c. Provide name for your rule", + "d. In Analytic rule name condition, select analytic rule which you have created.", + "e. In Actions dropdown select Run playbook", + "f. In second dropdown select your deployed playbook", + "g. Click on Apply", + "h. Save the Automation rule.", + "NOTE: If you want to manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. click on the Run button beside this playbook." 
+ ], + "lastUpdateTime": "2024-11-08T18:00:00Z", + "entities": [ + "ip", + "Host" + ], + "tags": [ + "ip", + "Host", + "Rubrik" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "RubrikWorkloadAnalysis", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": "[variables('playbookVersion14')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RubrikSecurityCloud data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Rubrik Security Cloud data connector (using 
Azure Functions)", + "publisher": "Rubrik, Inc", + "descriptionMarkdown": "The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assess the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents.", + "graphQueries": [ + { + "metricName": "Total Anomaly Event data received", + "legend": "Rubrik_Anomaly_Data_CL", + "baseQuery": "Rubrik_Anomaly_Data_CL" + }, + { + "metricName": "Total Ransomware Event data received", + "legend": "Rubrik_Ransomware_Data_CL", + "baseQuery": "Rubrik_Ransomware_Data_CL" + }, + { + "metricName": "Total ThreatHunt Event data received", + "legend": "Rubrik_ThreatHunt_Data_CL", + "baseQuery": "Rubrik_ThreatHunt_Data_CL" + }, + { + "metricName": "Total Other Events data received", + "legend": "Rubrik_Events_Data_CL", + "baseQuery": "Rubrik_Events_Data_CL" + } + ], + "sampleQueries": [ + { + "description": "Rubrik Anomaly Events - Anomaly Events for all severity types.", + "query": "Rubrik_Anomaly_Data_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Rubrik Ransomware Analysis Events - Ransomware Analysis Events for all severity types.", + "query": "Rubrik_Ransomware_Data_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.", + "query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Rubrik Other Events - Other Events for all severity types.", + "query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Rubrik_Anomaly_Data_CL", + "lastDataReceivedQuery": "Rubrik_Anomaly_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": 
"Rubrik_Ransomware_Data_CL", + "lastDataReceivedQuery": "Rubrik_Ransomware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Rubrik_ThreatHunt_Data_CL", + "lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Rubrik_Events_Data_CL", + "lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Rubrik_Anomaly_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Rubrik_Ransomware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Rubrik webhook which push its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Rubrik Microsoft Sentinel data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available..", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. 
Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Rubrik Microsoft Sentinel data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" }, { "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-RubrikWebhookEvents-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. 
Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. RubrikXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." }, { "description": "**Post Deployment steps**\n\n" 
@@ -25179,11 +27089,11 @@ "title": "1) Get the Function app endpoint" }, { - "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url.", + "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. Select the following severity levels: Critical, Warning, Informational \n 6. 
Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url.", "title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel." }, { - "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n" + "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n" } ] } @@ -25286,6 +27196,11 @@ "metricName": "Total ThreatHunt Event data received", "legend": "Rubrik_ThreatHunt_Data_CL", "baseQuery": "Rubrik_ThreatHunt_Data_CL" + }, + { + "metricName": "Total Other Events data received", + "legend": "Rubrik_Events_Data_CL", + "baseQuery": "Rubrik_Events_Data_CL" } ], "dataTypes": [ 
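Review bot: The rewritten webhook steps drop the authentication steps of the old text (Advanced/Custom Authentication, the `x-functions-key` header and the function access key) while still telling the reader to enter only the "URL part" of the copied Function-url, so the description no longer says how the webhook authenticates to the function endpoint. If the Microsoft Sentinel webhook provider in Rubrik prompts for the key, add a step such as `4. Enter the Function access key (value of the code parameter from the copied function-url) when prompted`; if the functions were instead switched to anonymous access, that is a change the connector text should state explicitly, since the endpoint then accepts unauthenticated posts. The same description is repeated in the hunk at `@@ -25422,11 +27351,11 @@` and needs the same fix.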
@@ -25300,6 +27215,10 @@ { "name": "Rubrik_ThreatHunt_Data_CL", "lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Rubrik_Events_Data_CL", + "lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -25320,6 +27239,12 @@ "value": [ "Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "sampleQueries": [ @@ -25334,6 +27259,10 @@ { "description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.", "query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Rubrik Other Events - Other Events for all severity types.", + "query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc" } ], "availability": { 
@@ -25401,7 +27330,7 @@ ] }, { - "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { 
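Review bot: Renaming the application settings from `Anomalies_table_name`, `RansomwareAnalysis_table_name` and `ThreatHunts_table_name` to `AnomaliesTableName`, `RansomwareAnalysisTableName` and `ThreatHuntsTableName` changes names that existing 3.2.1 deployments already have configured, and nothing in the description tells upgrading users to recreate them. If the function code now reads only the new names (not visible in this hunk), an upgraded function app would presumably ingest into default table names or stop ingesting until the settings are re-added, which is easy to miss. Add an upgrade line to this description or the release notes, e.g. `Upgrading from 3.2.1: recreate the table-name settings under their new names and add EventsTableName`. The same renamed list appears in the Function App configuration hunk at `@@ -25412,7 +27341,7 @@`.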
@@ -25412,7 +27341,7 @@ "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-RubrikWebhookEvents-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. RubrikXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." }, { "description": "**Post Deployment steps**\n\n" 
@@ -25422,11 +27351,11 @@ "title": "1) Get the Function app endpoint" }, { - "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url.", + "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. Select the following severity levels: Critical, Warning, Informational \n 6. 
Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url.", "title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel." }, { - "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n" + "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n" } ], "id": "[variables('_uiConfigId1')]" @@ -25438,12 +27367,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.2.1", + "version": "3.3.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "RubrikSecurityCloud", "publisherDisplayName": "Rubrik", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 12

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -25533,6 +27462,11 @@ "contentId": "[variables('_RubrikAnomalyGenerateDownloadableLink')]", "version": "[variables('playbookVersion13')]" }, + { + "kind": "Playbook", + "contentId": "[variables('_RubrikWorkloadAnalysis')]", + "version": "[variables('playbookVersion14')]" + }, { "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentId1')]", @@ -25541,7 +27475,7 @@ ] }, "firstPublishDate": "2022-07-19", - "lastPublishDate": "2024-03-17", + "lastPublishDate": "2024-11-19", "providers": [ "Rubrik" ], diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/Images/RubrikWorkloadAnalysis.png b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/Images/RubrikWorkloadAnalysis.png new file mode 100644 index 00000000000..b8d5b616e27 Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/Images/RubrikWorkloadAnalysis.png differ diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/README.md b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/README.md new file mode 100644 index 00000000000..1df37cf45e6 --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/README.md 
@@ -0,0 +1,66 @@ +# RubrikWorkloadAnalysis +## Summary +This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information. +### Prerequisites +1. User must have a valid Rubrik Client ID and Client Secret. +2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId + * Create a Key Vault with a unique name + * Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik--Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively + **NOTE:** Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to **'Vault access policy'** +### Deployment instructions +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: +* Playbook Name: Enter the playbook name here. +* Keyvault Name: Enter name of keyvault where service account credentials are stored(e.g. RubrikSentinelKeyVault). +* Tenant ID: Enter Tenant ID of your Microsoft EntraID where keyvault is available. +* Rubrik Base URL: Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com). 
+* Increase Severity Level: Enter a value to increase the severity level of the incident.(Example: for value 1 incident severity will change from Low to Medium) + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRubrikSecurityCloud%2FPlaybooks%2FRubrikWorkloadAnalysis%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRubrikSecurityCloud%2FPlaybooks%2FRubrikWorkloadAnalysis%2Fazuredeploy.json) + +### Post-Deployment instructions +#### a. Authorize connections +Once deployment is complete, authorize each connection like keyvault, azureloganalytics. +1. Go to your logic app -> API connections -> Select keyvault connection resource +2. Go to General -> edit API connection +3. Click the keyvault connection resource +4. Click edit API connection +5. Click Authorize +6. Sign in +7. Click Save +8. Repeat steps for other connections +#### b. Assign Role to add a comment in the incident +After authorizing each connection, assign a role to this playbook. +1. Go to Log Analytics Workspace → → Access Control → Add +2. Add role assignment +3. Assignment type: Job function roles +4. Role: Microsoft Sentinel Contributor +5. Members: select managed identity for "assigned access to" and add your logic app as a member. +6. Click on review+assign +#### c. Add Access policy in Keyvault +Add access policy for the playbook's managed identity to read, and write secrets of key vault. +1. Go to the logic app → → identity → System assigned Managed identity and copy Object (principal) ID. +2. Go to keyvaults → → Access policies → create. +3. Select all keys & secrets permissions. Click next. +4. In the principal section, search by copied object ID. Click next. +5. 
Click review + create. +#### d. Configurations in Microsoft Sentinel +1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident. + * Analytic Rule must contain at least one of the below fields mapped in Custom Details to successfully run this playbook. + * IP + * Host +2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook. + * Go to Microsoft Sentinel -> -> Automation + * Click on **Create** -> **Automation rule** + * Provide a name for your rule + * In the Analytic rule name condition, select the analytic rule that you have created. + * In Actions dropdown select **Run playbook** + * In the second dropdown select your deployed playbook + * Click on **Apply** + * Save the Automation rule. +**NOTE:** If you want to manually run the playbook on a particular incident follow the below steps: + +- Go to Microsoft Sentinel -> -> Incidents +- Select an incident. +- In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option. +- click on the Run button beside this playbook. \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/azuredeploy.json b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/azuredeploy.json new file mode 100644 index 00000000000..3abb0c2338f --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/azuredeploy.json 
@@ -0,0 +1,1923 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RubrikWorkloadAnalysis", + "description": "This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.", + "prerequisites": [ + "1. User must have a valid Rubrik Client Id and Client Secret.", + "2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId", + "a. Create a Key Vault with a unique name", + "b. Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik-Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively", + "NOTE: Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to 'Vault access policy'" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select keyvault connection resource", + "2. Go to General -> edit API connection", + "3. Click the keyvault connection resource", + "4. Click edit API connection", + "5. Click Authorize", + "6. Sign in", + "7. Click Save", + "8. Repeat steps for other connections", + "**b. Assign Role to add comment in incident**", + "After authorizing each connection, assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**c. Add Access policy in Keyvault**", + "Add access policy for the playbook's managed identity and authorized user to read, and write secrets of key vault.", + "1. 
Go to logic app → → identity → System assigned Managed identity and copy Object (principal) ID.", + "2. Go to keyvaults → → Access policies → create.", + "3. Select all keys & secrets permissions. Click next.", + "4. In the principal section, search by copied object ID. Click next.", + "5. Click review + create.", + "**d. Configurations in Microsoft Sentinel**", + "1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.", + "a. Analytic Rule must contain at least one of the below fields mapped in Entity Mapping or Custom Details to successfully fetch data.", + "IP", + "Host", + "2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.", + "a. Go to Microsoft Sentinel -> -> Automation", + "b. Click on Create -> Automation rule", + "c. Provide name for your rule", + "d. In Analytic rule name condition, select analytic rule which you have created.", + "e. In Actions dropdown select Run playbook", + "f. In second dropdown select your deployed playbook", + "g. Click on Apply", + "h. Save the Automation rule.", + "NOTE: If you want to manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. click on the Run button beside this playbook." 
+ ], + "lastUpdateTime": "2024-11-08T18:00:00.000Z", + "entities": [ + "ip", + "Host" + ], + "tags": [ + "ip", + "Host", + "Rubrik" + ], + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Rubrik" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RubrikWorkloadAnalysis", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Keyvault Name": { + "type": "string", + "metadata": { + "description": "Enter name of keyvault where service account credentials are stored(Example: RubrikSentinelKeyVault)" + } + }, + "Tenant Id": { + "type": "string", + "metadata": { + "description": "Enter Tenant ID of your Microsoft EntraID where keyvault is available" + } + }, + "Rubrik Base URL": { + "type": "string", + "minLength": 1, + "defaultValue": "https://rubrik-tme.my.rubrik.com", + "metadata": { + "description": "Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com)" + } + }, + "IncreaseSeverityLevel": { + "defaultValue": 1, + "allowedValues": [ + 1, + 2, + 3 + ], + "type": "Int", + "metadata": { + "description": "Enter a value to increase the severity level of the incident.(Example: for value 1 incident severity will change from Low to Medium)" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": { 
+ }, + "type": "Object" + }, + "Increase_Severity_Level": { + "defaultValue": "[parameters('IncreaseSeverityLevel')]", + "type": "Int" + }, + "Rubrik_Base_URL": { + "defaultValue": "[trim(parameters('Rubrik Base URL'))]", + "type": "String" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Check_For_Status_Code_Of_Generating_Access_Token": { + "actions": { + "Set_Access_Token": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Access_Token", + "value": "@{body('Get_Access_Token')?['access_token']}" + } + } + }, + "runAfter": { + "Get_Access_Token": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_Due_To_Authentication_Failure": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('Get_Access_Token')['statusCode']}", + "message": "@{body('Get_Access_Token')?['message']}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Access_Token')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_Empty_List_Of_IP_-_Host": { + "actions": { + "Terminate_Due_Empty_IP_-_Host_List": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "404", + "message": "IP or Host are not Mapped with Incident" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "For_Hosts_In_Entity_Mapping": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@length(variables('IP_Host_List'))", + 0 + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_Length_Of_Failed_IP_-_Host_List": { + "actions": { + "Condition_To_Check_All_Failure": { + "actions": {}, + "runAfter": {}, + "else": { + "actions": 
{ + "Update_Incident_(2)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "@variables('Incident_Severity')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@length(variables('Failed_IP_Host_List'))", + "@length(variables('IP_Host_List'))" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit_(2)": { + "actions": { + "Add_Failed_IP_-_Host_List_Into_Incident_Comment": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Update_Incident_(2)')?['id']", + "message": "

Failed IP/Host List: @{replace(replace(replace(replace(string(variables('Failed_IP_Host_List')), '\"', ''), '[', ''), ']', ''), ',', ', ')}

"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Condition_To_Check_All_Failure": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@variables('Comment_Count')",
+ 100
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_Each_IP_Or_Host": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Update_Incident": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "@variables('Incident_Severity')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('Failed_IP_Host_List'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_Each_Alert_Details": {
+ "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
+ "actions": {
+ "Condition_To_Verify_Custom_Details_Is_Not_Empty": {
+ "actions": {
+ "Condition_To_Verify_Host_Is_Mapped_In_Custom_Details": {
+ "actions": {
+ "Condition_To_Verify_List_Of_Hosts": {
+ "actions": {
+ "For_Each_Host_In_Custom_Details": {
+ "foreach": "@json(body('Parse_Custom_Details')?['Host'][0])",
+ "actions": {
+ "Append_Host_Into_List": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_Host_In_Custom_Details')"
+ }
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Append_Host_Into_List_(2)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@body('Parse_Custom_Details')?['Host'][0]"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@body('Parse_Custom_Details')?['Host'][0]",
+ 
"]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Set_IP_List_Size_(2)": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(body('Parse_Custom_Details')?['Host'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": {
+ "actions": {
+ "Condition_To_Verify_List_Of_IPs_(2)": {
+ "actions": {
+ "For_Each_IP_In_Custom_Details": {
+ "foreach": "@json(body('Parse_Custom_Details')?['IP'][0])",
+ "actions": {
+ "Condition_To_Verify_IP_Already_Not_Exist_In_List": {
+ "actions": {
+ "Append_IP_Into_List_(3)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_IP_In_Custom_Details')"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Each_IP_In_Custom_Details'))",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_IP_Already_Not_Exist_In_List_(2)": {
+ "actions": {
+ "Append_IP_Into_List_(4)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@body('Parse_Custom_Details')?['IP'][0]"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), body('Parse_Custom_Details')?['IP'][0])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@body('Parse_Custom_Details')?['IP'][0]",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_Custom_Details": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(body('Parse_Custom_Details')?['IP'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_Custom_Details": {
+ "runAfter": {},
+ "type": "ParseJson",
+ "inputs": {
+ "content": 
"@items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details']",
+ "schema": {
+ "properties": {
+ "Host": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "IP": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "Set_IP_List_Size_(2)": {
+ "runAfter": {
+ "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": "@length(variables('IP_Host_List'))"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Set_IP_List_Size": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_Each_IP_Or_Host": {
+ "foreach": "@variables('IP_Host_List')",
+ "actions": {
+ "Check_For_HTTP_Request_Status_Code": {
+ "actions": {
+ "Condition_To_Check_IP_-_Host_Invalid_Or_Data_Not_Found": {
+ "actions": {
+ "Append_IP_Address_Or_Host_Name_Into_Failed_List_(2)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Failed_IP_Host_List",
+ "value": "@items('For_Each_IP_Or_Host')"
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_Response": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Incident_Severity_Is_High": {
+ "actions": {},
+ "runAfter": {
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Check_Incident_Updated_By_Increase_Level": {
+ "actions": {
+ "Condition_To_Check_Response_And_Update_Incident_Severity": {
+ "actions": {
+ "Condition_To_Verify_Increase_Level_Is_1": {
+ "actions": {
+ "Switch_Case_For_Update_Incident_Severity": {
+ "runAfter": {},
+ "cases": {
+ "Case_When_Severity_Is_Informational": {
+ "case": "Informational",
+ "actions": {
+ 
"Set_Incident_Severity_Updated_To_True": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Low": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Low": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Low"
+ }
+ }
+ }
+ },
+ "Case_When_Severity_Is_Low": {
+ "case": "Low",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(2)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Medium": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Medium": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Medium"
+ }
+ }
+ }
+ },
+ "Case_When_Severity_Is_Medium": {
+ "case": "Medium",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(3)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_High": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_High": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "High"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@variables('Severity_For_Increase_Level')",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Increase_Level_Is_2_And_Incident_Severity_Is_Informational": {
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(4)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Medium_(2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Medium_(2)": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ 
"name": "Severity_For_Increase_Level",
+ "value": "Medium"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(5)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_High_(2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_High_(2)": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "High"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Increase_Severity_Level')",
+ 2
+ ]
+ },
+ {
+ "equals": [
+ "@variables('Severity_For_Increase_Level')",
+ "Informational"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Increase_Severity_Level')",
+ 1
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(\r\nif(equals(body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious'], 'Matches Found'), true, false),\r\nif(equals(body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious'], 'Matches Found'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Incident_Severity_Updated')",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Check_Risk_Level": {
+ "actions": {
+ "Set_Severity_For_Risk_Level": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_RiskLevel",
+ "value": "@{variables('Severity_Mapping')?[toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel'])]}"
+ }
+ }
+ },
+ "runAfter": {
+ "Condition_To_Check_Incident_Updated_By_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(string(variables('Severity_Mapping')), 
toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel']))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_High_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_High": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "High"
+ }
+ }
+ },
+ "runAfter": {
+ "Switch_Case_For_Anomaly_Severity": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Medium_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_Medium": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "Medium"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Low_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_Low": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "Low"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'Low'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Low'), true, false), if(equals(variables('Anomaly_Severity'), 'Low'), true, false), if(equals(variables('Incident_Severity'), 'Low'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'Medium'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Medium'), true, false), if(equals(variables('Anomaly_Severity'), 'Medium'), true, false), if(equals(variables('Incident_Severity'), 'Medium'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'High'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'High'), true, false), if(equals(variables('Anomaly_Severity'), 'High'), true, false), 
if(equals(variables('Incident_Severity'), 'High'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Switch_Case_For_Anomaly_Severity": {
+ "runAfter": {
+ "Condition_To_Check_Risk_Level": [
+ "Succeeded"
+ ]
+ },
+ "cases": {
+ "Case_When_Anomaly_Severity_Is_Critical": {
+ "case": "critical",
+ "actions": {
+ "Set_Anomaly_Severity_To_High": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "High"
+ }
+ }
+ }
+ },
+ "Case_When_Anomaly_Severity_Is_Informational": {
+ "case": "informational",
+ "actions": {
+ "Set_Anomaly_Severity_To_Informational": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "Informational"
+ }
+ }
+ }
+ },
+ "Case_When_Anomaly_Severity_Is_Warning": {
+ "case": "warning",
+ "actions": {
+ "Set_Anomaly_Severity_To_Medium": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "Medium"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@toLower(body('Parse_Response')?['anomalyInfo']?['severity'])",
+ "type": "Switch"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Incident_Severity')",
+ "High"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": {
+ "actions": {
+ "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": {
+ "actions": {
+ "Add_Detail_Response_Of_IP_To_Incident_Comment": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "

@{variables('Detailed_Response')}

"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Add_Comment_For_30000_Characters_Limit": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "

Length of response is exceeded to 30,000 characters for @{items('For_Each_IP_Or_Host')}

"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@length(variables('Detailed_Response'))",
+ 30000
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Increment_Comment_Count": {
+ "runAfter": {
+ "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": [
+ "Succeeded"
+ ]
+ },
+ "type": "IncrementVariable",
+ "inputs": {
+ "name": "Comment_Count",
+ "value": 1
+ }
+ }
+ },
+ "runAfter": {
+ "Set_Detailed_Response": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@variables('Comment_Count')",
+ 100
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Set_Detailed_Response": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Detailed_Response",
+ "value": "\n

General Information for the given @{body('Parse_Response')?['sensitiveInfo']?['riskLevel']} risk : @{items('For_Each_IP_Or_Host')}

\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
FID@{body('Parse_Response')?['generalInfo']?['fid']}
Name@{body('Parse_Response')?['generalInfo']?['name']}
Object Type@{body('Parse_Response')?['generalInfo']?['objectType']}
Protection Status@{body('Parse_Response')?['generalInfo']?['protectionStatus']}
Last Snapshot@{body('Parse_Response')?['generalInfo']?['lastSnapshot']}
Redirect Link@{body('Parse_Response')?['generalInfo']?['redirectLink']}
\n\n\n

Sensitive Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
Risk Level@{body('Parse_Response')?['sensitiveInfo']?['riskLevel']}
Sensitive Files\n

mediumCount: @{body('Parse_Response')?['sensitiveInfo']?['sensitiveFiles']?['mediumCount']}

\n
Sensitive Hits@{body('Parse_Response')?['sensitiveInfo']?['sensitiveHits']}
Open Access Files@{body('Parse_Response')?['sensitiveInfo']?['openAccessFiles']}
Stale Files@{body('Parse_Response')?['sensitiveInfo']?['staleFiles']}
Policy Names@{replace(replace(replace(replace(string(body('Parse_Response')?['sensitiveInfo']?['policyNames']), '\"', ''), '[', ''), ']', ''), ',', ', ')}
Redirect Link@{body('Parse_Response')?['sensitiveInfo']?['redirectLink']}
\n\n\n

Anomaly Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
Severity@{body('Parse_Response')?['anomalyInfo']?['severity']}
Detection Time@{body('Parse_Response')?['anomalyInfo']?['detectionTime']}
Created File Count@{body('Parse_Response')?['anomalyInfo']?['createdFileCount']}
Deleted File Count@{body('Parse_Response')?['anomalyInfo']?['deletedFileCount']}
Modified File Count@{body('Parse_Response')?['anomalyInfo']?['modifiedFileCount']}
Suspicious File Count@{body('Parse_Response')?['anomalyInfo']?['suspiciousFileCount']}
Redirect Link@{body('Parse_Response')?['anomalyInfo']?['redirectLink']}
\n\n\n

Threat Hunt Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
Latest Threat Hunt\n

huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntId']}

\n

huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntStartTime']}

\n

isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['isMalicious']}

\n
Latest Malicious Threat Hunt\n

huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntId']}

\n

huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntStartTime']}

\n

isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious']}

\n
Redirect Link@{body('Parse_Response')?['threatHuntInfo']?['redirectLink']}
\n\n\n

Threat Monitoring Information

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
Latest Threat Monitoring\n

snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['snapshotFid']}

\n

monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['monitoringScanTime']}

\n

isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['isMalicious']}

\n
Latest Malicious Threat Monitoring\n

snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['snapshotFid']}

\n

monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['monitoringScanTime']}

\n

isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious']}

\n
Redirect Link@{body('Parse_Response')?['threatMonitoringInfo']?['redirectLink']}
"
+ }
+ }
+ }
+ },
+ "expression": {
+ "or": [
+ {
+ "equals": [
+ "@contains(body('Parse_Response')?['generalInfo']?['fid'], 'No Objects Found')",
+ "@true"
+ ]
+ },
+ {
+ "equals": [
+ "@contains(body('Parse_Response')?['generalInfo']?['name'], 'No Objects Found')",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_Response": {
+ "runAfter": {},
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_Information')",
+ "schema": {
+ "properties": {
+ "anomalyInfo": {
+ "properties": {
+ "createdFileCount": {
+ "type": "string"
+ },
+ "deletedFileCount": {
+ "type": "string"
+ },
+ "detectionTime": {
+ "type": "string"
+ },
+ "modifiedFileCount": {
+ "type": "string"
+ },
+ "redirectLink": {
+ "type": "string"
+ },
+ "severity": {
+ "type": "string"
+ },
+ "suspiciousFileCount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "generalInfo": {
+ "properties": {
+ "fid": {
+ "type": "string"
+ },
+ "lastSnapshot": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "objectType": {
+ "type": "string"
+ },
+ "protectionStatus": {
+ "type": "string"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sensitiveInfo": {
+ "properties": {
+ "openAccessFiles": {
+ "type": "integer"
+ },
+ "policyNames": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "redirectLink": {
+ "type": "string"
+ },
+ "riskLevel": {
+ "type": "string"
+ },
+ "sensitiveFiles": {
+ "properties": {
+ "mediumCount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sensitiveHits": {
+ "type": "integer"
+ },
+ "staleFiles": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "threatHuntInfo": {
+ "properties": {
+ "latestMaliciousThreatHunt": {
+ "properties": {
+ "huntId": {
+ "type": "string"
+ },
+ "huntStartTime": {
+ "type": "string"
+ },
+ "isMalicious": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "latestThreatHunt": {
+ "properties": {
+ "huntId": {
+ "type": "string"
+ },
+ "huntStartTime": {
+ 
"type": "string"
+ },
+ "isMalicious": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "threatMonitoringInfo": {
+ "properties": {
+ "latestMaliciousThreatMonitoring": {
+ "properties": {
+ "isMalicious": {
+ "type": "string"
+ },
+ "monitoringScanTime": {
+ "type": "string"
+ },
+ "snapshotFid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "latestThreatMonitoring": {
+ "properties": {
+ "isMalicious": {
+ "type": "string"
+ },
+ "monitoring ScanTime": {
+ "type": "string"
+ },
+ "snapshotFid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Get_Information": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_IP_Address_Or_Host_Name_Into_Failed_List": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Failed_IP_Host_List",
+ "value": "@items('For_Each_IP_Or_Host')"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@outputs('Get_Information')['statusCode']",
+ 200
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Set_Search_Type": {
+ "actions": {
+ "Set_Search_Type_To_name": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Search_Type",
+ "value": "name"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Decrement_IP_List_Size_By_1": {
+ "runAfter": {},
+ "type": "DecrementVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": 1
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('IP_List_Size')",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Get_Information": {
+ "runAfter": {
+ "Condition_To_Set_Search_Type": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Bearer @{variables('Access_Token')}"
+ },
+ "method": "GET",
+ "queries": {
+ "search_string": 
"@{items('For_Each_IP_Or_Host')}",
+ "search_type": "@variables('Search_Type')"
+ },
+ "uri": "@{variables('Base_URL')}/api/thirdparty/workload_summary"
+ }
+ }
+ },
+ "runAfter": {
+ "Check_For_Status_Code_Of_Generating_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_Hosts_In_Entity_Mapping": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Condition_To_Verify_Host": {
+ "actions": {
+ "Condition_To_Verify_List_Of_Hosts_(2)": {
+ "actions": {
+ "For_Each_Host_In_Entity_Mapping": {
+ "foreach": "@json(items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])",
+ "actions": {
+ "Condition_To_Verify_Host_Already_Not_Exist_In_List": {
+ "actions": {
+ "Append_Host_Into_List_(3)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_Host_In_Entity_Mapping')"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Each_Host_In_Entity_Mapping'))",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Host_Already_Not_Exist_In_List_(2)": {
+ "actions": {
+ "Append_Host_Into_List_(4)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ 
"runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_Hosts_In_Entity_Mapping')?['kind']",
+ "Host"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_Each_Alert_Details": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_IPs_In_Entity_Mapping": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Condition_To_Verify_IP": {
+ "actions": {
+ "Condition_To_Verify_List_Of_IPs": {
+ "actions": {
+ "For_Each_IP_In_Entity_Mapping": {
+ "foreach": "@json(items('For_IPs_In_Entity_Mapping')?['properties']?['address'])",
+ "actions": {
+ "Append_IP_Into_List": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_IP_In_Entity_Mapping')"
+ }
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Append_IP_Into_List_(2)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_IPs_In_Entity_Mapping')?['kind']",
+ "Ip"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Initialize_Severity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_Access_Token": {
+ "runAfter": {
+ "Condition_To_Verify_Empty_List_Of_IP_-_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "body": {
+ "client_id": "@body('Get_Rubrik_Client_ID')?['value']",
+ "client_secret": "@body('Get_Rubrik_Client_Secret')?['value']"
+ },
+ "method": "POST",
+ "uri": "@{variables('Base_URL')}/api/client_token"
+ }
+ },
+ "Get_Rubrik_Client_ID": {
+ "runAfter": {
+ "Initialize_Count_Of_Comments_In_Incident": 
[
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Id')}/value"
+ }
+ },
+ "Get_Rubrik_Client_Secret": {
+ "runAfter": {
+ "Get_Rubrik_Client_ID": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Secret')}/value"
+ }
+ },
+ "Initialize_AccessToken": {
+ "runAfter": {
+ "Initialize_Incident_Severity_Updated": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Access_Token",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_Anomaly_Severity": {
+ "runAfter": {
+ "Initialize_Severity_For_Risk_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Anomaly_Severity",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Base_URL": {
+ "runAfter": {
+ "Initialize_Search_Type": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Base_URL",
+ "type": "string",
+ "value": "@parameters('Rubrik_Base_URL')"
+ }
+ ]
+ }
+ },
+ "Initialize_Count_Of_Comments_In_Incident": {
+ "runAfter": {
+ "Initialize_Base_URL": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Comment_Count",
+ "type": "integer",
+ "value": "@length(triggerBody()?['object']?['properties']?['Comments'])"
+ }
+ ]
+ }
+ },
+ "Initialize_Detailed_Response": {
+ "runAfter": {
+ "Initialize_AccessToken": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Detailed_Response",
+ "type": "string"
+ }
+ ]
+ }
+ 
},
+ "Initialize_Failed_IP_Address_And_Host_Name_List": {
+ "runAfter": {
+ "Initialize_IP_Address_And_Host_Name_List": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Failed_IP_Host_List",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_IP_Address_And_Host_Name_List": {
+ "runAfter": {},
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IP_Host_List",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_IP_List_Size": {
+ "runAfter": {
+ "Initialize_Failed_IP_Address_And_Host_Name_List": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IP_List_Size",
+ "type": "integer",
+ "value": 0
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity": {
+ "runAfter": {
+ "Get_Rubrik_Client_Secret": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Incident_Severity",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity_Increase_Level": {
+ "runAfter": {
+ "Initialize_Anomaly_Severity": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Increase_Severity_Level",
+ "type": "integer",
+ "value": "@parameters('Increase_Severity_Level')"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity_Updated": {
+ "runAfter": {
+ "Initialize_Incident_Severity_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Incident_Severity_Updated",
+ "type": "boolean",
+ "value": "@false"
+ }
+ ]
+ }
+ },
+ "Initialize_Search_Type": {
+ "runAfter": {
+ "Initialize_IP_List_Size": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Search_Type",
+ "type": "string",
+ "value": "ipv4"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_For_Increase_Level": {
+ "runAfter": {
+ 
"Initialize_Incident_Severity": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_For_Increase_Level",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_For_Risk_Level": {
+ "runAfter": {
+ "Initialize_Severity_For_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_For_RiskLevel",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_Mapping": {
+ "runAfter": {
+ "Initialize_Detailed_Response": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_Mapping",
+ "type": "object",
+ "value": {
+ "high": "High",
+ "low": "Low",
+ "medium": "Medium"
+ }
+ }
+ ]
+ }
+ },
+ "Set_IP_List_Size": {
+ "runAfter": {
+ "For_IPs_In_Entity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": "@length(variables('IP_Host_List'))"
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[variables('KeyvaultConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, 
'/managedApis/Keyvault')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "RubrikWorkloadAnalysis",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {
+ },
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('KeyvaultConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('KeyvaultConnectionName')]",
+ "customParameterValues": {
+ },
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
+ },
+ "parameterValues": {
+ "token:TenantId": "[trim(parameters('Tenant Id'))]",
+ "token:grantType": "code",
+ "vaultName": "[trim(parameters('Keyvault Name'))]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/RubrikSecurityCloud/ReleaseNotes.md b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
index 6dc9ee7d3e2..25ea79e3dd3 100644
--- a/Solutions/RubrikSecurityCloud/ReleaseNotes.md
+++ b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.3.0 | 19-11-2024 | Added one new Playbook(RubrikWorkloadAnalysis) and updated the RubrikWebhookEvents Data Connector to add a new Orchestrator for Rubrik Events.
 | 3.2.1 | 11-11-2024 | Fixed the issue of Custom Connector id parameter in RubrikRansomwareDiscoveryAndVmRecovery playbook. |
 | 3.2.0 | 24-02-2024 | Added 3 new Playbooks(RubrikFileObjectContextAnalysis, RubrikUserIntelligenceAnalysis, RubrikRetrieveUserIntelligenceInformation) for FileObject and User, fixed clusterLocation issue of Collect_IOC_Scan_Data adaptive card in RubrikRansomwareDiscoveryAndVmRecovery playbook and updated python packages to fix vulnerability CVE-2023-50782 of cryptography module. Enhanced Anomaly Analysis playbook and added RubrikAnomalyGenerateDownloadableLink playbook. |
 | 3.1.0 | 20-10-2023 | Updated the **DataConnector** code by implementing Durable Function App. |
diff --git a/Solutions/RubrikSecurityCloud/SolutionMetadata.json b/Solutions/RubrikSecurityCloud/SolutionMetadata.json
index 55e43e2cdfa..276b41e2b97 100644
--- a/Solutions/RubrikSecurityCloud/SolutionMetadata.json
+++ b/Solutions/RubrikSecurityCloud/SolutionMetadata.json
@@ -2,7 +2,7 @@
 "publisherId": "rubrik_inc",
 "offerId": "rubrik_sentinel",
 "firstPublishDate": "2022-07-19",
- "lastPublishDate": "2024-03-17",
+ "lastPublishDate": "2024-11-19",
 "providers": [
 "Rubrik"
 ],