diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/README.md b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/README.md new file mode 100644 index 00000000000..5dc45ea5fdb --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/README.md 
@@ -0,0 +1,354 @@ +# Rubrik Security Cloud Backup Status Connector for Microsoft Sentinel + +A production-ready Microsoft Sentinel data connector that integrates Rubrik Security Cloud (RSC) backup and compliance data with security events, enabling security teams to correlate backup health with security incidents and detect ransomware indicators through backup anomalies. + +## 🎯 Overview + +The **Rubrik Security Cloud Backup Status connector** is built using **Microsoft's Codeless Connector Framework (CCF)** and collects comprehensive backup and compliance data for Azure VMs from RSC's GraphQL API, ingesting 49 attributes per VM including compliance status, snapshot counts, storage metrics, SLA assignments, and data reduction statistics into the `RubrikProtectionStatus_CL` table in Microsoft Sentinel. This enables security teams to correlate backup health with Sentinel security alerts and incidents through correlation queries that join security events with backup status based on asset identifiers, allowing them to identify potential ransomware indicators through backup anomalies such as sudden compliance failures, missing snapshots, unusual storage consumption patterns, or failed backup jobs that coincide with suspicious security events. By automatically correlating backup telemetry with security data, analysts can quickly determine if a compromised asset has recent, clean backups available for recovery, assess the blast radius of an attack, and detect sophisticated attack patterns that specifically target backup infrastructure to prevent recovery. 
+ +## ✨ Key Features + +### Data Collection +- **Comprehensive VM Attributes**: 49+ backup and compliance fields per Azure VM +- **Real-time Compliance Monitoring**: Track SLA domain compliance status +- **Snapshot Analytics**: Counts, timestamps, and storage metrics +- **Storage Efficiency**: Data reduction ratios and storage consumption +- **Customizable Polling**: Configurable data collection intervals + +### Security Correlation +- **Security Alert Integration**: Join backup data with SecurityAlert events +- **Incident Correlation**: Identify compromised assets with backup issues +- **Ransomware Detection**: Detect backup anomalies coinciding with security events +- **Recovery Readiness**: Quickly assess if clean backups exist for compromised assets +- **Attack Pattern Detection**: Identify attacks targeting backup infrastructure + +### Built on Microsoft CCF +- **Native Sentinel Integration**: Appears as a standard data connector in Sentinel UI +- **OAuth2 Authentication**: Secure service account authentication with RSC +- **Automated Deployment**: ARM template-based infrastructure provisioning +- **UI-Driven Configuration**: Configure credentials through Sentinel portal +- **Health Monitoring**: Built-in connector health checks + +## πŸ“‹ Prerequisites + +### Rubrik Security Cloud +- Active RSC subscription +- Service account with read permissions for: + - Snappable objects (VMs, databases, filesets) + - SLA domains and policies + - Cluster information + - Snapshot and backup data +- RSC URL (e.g., `https://your-org.my.rubrik.com`) +- Client ID and Client Secret from service account + +### Microsoft Azure +- Microsoft Sentinel workspace +- Log Analytics workspace connected to Sentinel +- Contributor permissions on the resource group +- Azure subscription with sufficient quota + +## πŸš€ Quick Start + +### 1. Create RSC Service Account + +1. Navigate to RSC Console: `https://your-org.my.rubrik.com` +2. 
Go to **Settings β†’ Users & Roles β†’ Service Accounts** +3. Click **Add Service Account** +4. Configure: + - **Name**: `Sentinel-Backup-Monitor` + - **Role**: `Read-Only Admin` or `Viewer` +5. Download the JSON credentials file +6. Note the `client_id` and `client_secret` values + +### 2. Deploy the Connector + +#### Option A: Azure Portal (Recommended for Production) + +1. Navigate to **Microsoft Sentinel β†’ Data connectors** +2. Search for "Rubrik Security Cloud Backup Status" +3. Click **Open connector page** +4. Fill in the configuration: + - **RSC URL**: `https://your-org.my.rubrik.com` + - **Client ID**: From service account credentials + - **Client Secret**: From service account credentials +5. Click **Connect** + +#### Option B: PowerShell Deployment (For Testing/POC) + +```powershell +# Clean up any existing deployment +pwsh -File cleanup-rsc-connector.ps1 + +# Deploy the connector +New-AzResourceGroupDeployment ` + -ResourceGroupName 'your-resource-group' ` + -TemplateFile 'rsc-complete-arm-template.json' ` + -workspace 'your-workspace-name' ` + -workspace-location 'West US 2' ` + -RSCUrl 'https://your-org.my.rubrik.com' ` + -ClientId 'client|your-client-id' ` + -ClientSecret 'your-client-secret' ` + -Verbose +``` + +### 3. 
Verify Data Ingestion + +Wait 5-10 minutes for initial data collection, then run: + +```kql +RubrikProtectionStatus_CL +| where TimeGenerated > ago(1h) +| take 10 +``` + +## πŸ“Š Data Schema + +The connector creates the `RubrikProtectionStatus_CL` custom table with 52 columns: + +| Category | Fields | +|----------|--------| +| **Identity** | AssetId, AssetName, ObjectType, ObjectState, Fid, OrgId, OrgName | +| **Protection** | ProtectionStatus, ComplianceStatus, ArchivalComplianceStatus, ReplicationComplianceStatus | +| **Snapshots** | LastSnapshot, LatestArchivalSnapshot, LatestReplicationSnapshot, TotalSnapshots, LocalSnapshots, ArchiveSnapshots, ReplicaSnapshots, MissedSnapshots | +| **Storage** | LocalStorage, ArchiveStorage, ReplicaStorage, LogicalBytes, PhysicalBytes, UsedBytes, TransferredBytes | +| **Efficiency** | DataReduction, LogicalDataReduction, LocalEffectiveStorage | +| **SLA/Cluster** | SlaDomainName, ClusterName, Location, WorkloadOrgName | +| **Timestamps** | TimeGenerated, ProtectedOn, PullTime, LastSnapshot | + +See [RSC-README.md](RSC-README.md) for complete schema documentation. 
+ +## πŸ” Sample Queries + +### Basic Compliance Monitoring +```kql +RubrikProtectionStatus_CL +| where ComplianceStatus != "IN_COMPLIANCE" +| summarize count() by SlaDomainName, ComplianceStatus +| order by count_ desc +``` + +### Security Alert Correlation +```kql +SecurityAlert +| where TimeGenerated > ago(7d) +| extend HostEntities = parse_json(Entities) +| mv-expand Entity = HostEntities +| where Entity.Type == "host" +| extend HostName = tostring(Entity.HostName) +| join kind=leftouter ( + RubrikProtectionStatus_CL + | where TimeGenerated > ago(1d) + | summarize arg_max(TimeGenerated, *) by AssetName +) on $left.HostName == $right.AssetName +| where isnotempty(ComplianceStatus) +| project + AlertTime = TimeGenerated, + AlertName, + AlertSeverity, + HostName, + ComplianceStatus, + LastSnapshot, + MissedSnapshots +``` + +### Ransomware Risk Assessment +```kql +SecurityAlert +| where TimeGenerated > ago(24h) +| where AlertSeverity in ("High", "Medium") +| extend HostName = tostring(parse_json(Entities)[0].HostName) +| join kind=inner ( + RubrikProtectionStatus_CL + | where ComplianceStatus != "IN_COMPLIANCE" or MissedSnapshots > 3 +) on $left.HostName == $right.AssetName +| project + AlertTime = TimeGenerated, + AlertName, + HostName, + ComplianceStatus, + MissedSnapshots, + LastSnapshot, + RiskLevel = "CRITICAL - Compromised asset with backup issues" +``` + +## πŸ“ Repository Structure + +``` +β”œβ”€β”€ rsc-complete-arm-template.json # Complete POC ARM template (recommended for testing) +β”œβ”€β”€ rsc-ccf-solution-proper.json # Production Solution template (for Sentinel UI) +β”œβ”€β”€ cleanup-rsc-connector.ps1 # Cleanup script for redeployment +β”œβ”€β”€ RSC-README.md # Detailed RSC connector documentation +β”œβ”€β”€ RSC-TESTING-GUIDE.md # Testing and validation guide +β”œβ”€β”€ DEPLOYMENT-GUIDE.md # Step-by-step deployment instructions +β”‚ +β”œβ”€β”€ KQL Queries +β”‚ β”œβ”€β”€ security-alerts-with-rubrik-correlation.kql # Security alert correlation +β”‚ 
β”œβ”€β”€ incident-backup-correlation-queries.kql # Incident correlation queries +β”‚ β”œβ”€β”€ hunting-queries-security-backup.kql # Threat hunting queries +β”‚ β”œβ”€β”€ analytics-rules-security-backup.kql # Detection rules +β”‚ β”œβ”€β”€ workbook-security-backup-dashboard.kql # Workbook visualizations +β”‚ └── rsc-sample-queries.kql # Basic RSC queries +β”‚ +β”œβ”€β”€ PowerShell Scripts +β”‚ β”œβ”€β”€ deploy-rsc-ccf-solution.ps1 # Deploy Solution template +β”‚ β”œβ”€β”€ test-rsc-api.ps1 # Test RSC API connectivity +β”‚ β”œβ”€β”€ verify-deployment.ps1 # Verify deployment status +β”‚ └── get-workspace-info.ps1 # Get workspace configuration +β”‚ +└── Additional Templates + β”œβ”€β”€ rsc-data-collection-rule.json # Standalone DCR template + β”œβ”€β”€ rsc-table-schema.json # Table schema definition + └── sentinel-incidents-connector-template.json # Incidents connector +``` + +## πŸ”§ Configuration + +### Polling Interval +The connector polls RSC every 5 minutes by default. To customize: + +1. Edit the ARM template +2. Modify `queryWindowInMin` parameter in the connector configuration +3. Recommended range: 5-60 minutes depending on environment size + +### Rate Limiting +- **Default**: 5 queries per second +- **Modify**: Adjust `rateLimitQPS` in the template +- **Note**: RSC has built-in rate limiting + +### Data Retention +- **Analytics Tier**: 4 days (hot, interactive queries) +- **Data Lake Tier**: 26 days (warm/cold, cost-effective) +- **Total Retention**: 30 days +- **Modify**: Update table retention settings in Log Analytics + +## πŸ› οΈ Troubleshooting + +### Common Issues + +#### 1. Connector Shows "Disconnected" +```kql +// Check last data ingestion +RubrikProtectionStatus_CL +| summarize LastData = max(TimeGenerated) +| extend MinutesAgo = datetime_diff('minute', now(), LastData) +``` +**Solution**: Verify RSC credentials, check DCR health, review Azure Activity Log + +#### 2. 
OAuth Authentication Failures +**Error**: `401 Unauthorized` +**Solution**: +- Verify client ID and secret are correct +- Check service account is active in RSC +- Ensure service account has read permissions + +#### 3. No Data After Deployment +**Checklist**: +- βœ… Wait 5-10 minutes for initial poll +- βœ… Verify RSC URL is correct (include `https://`) +- βœ… Check Data Collection Rule is active +- βœ… Review connector health in Sentinel UI +- βœ… Check Azure Activity Log for errors + +#### 4. GraphQL Query Errors +**Error**: `400 Bad Request` +**Solution**: +- Verify GraphQL query syntax in template +- Check RSC API version compatibility +- Test query directly in RSC GraphQL explorer + +### Validation Queries + +```kql +// Check data freshness +RubrikProtectionStatus_CL +| summarize + LastData = max(TimeGenerated), + RecordCount = count(), + UniqueAssets = dcount(AssetName) +| extend MinutesAgo = datetime_diff('minute', now(), LastData) + +// Validate data quality +RubrikProtectionStatus_CL +| summarize + ValidAssets = countif(isnotempty(AssetId)), + ValidClusters = countif(isnotempty(ClusterName)), + ValidSnapshots = countif(TotalSnapshots >= 0), + TotalRecords = count() +| extend QualityRate = round((ValidAssets * 100.0) / TotalRecords, 2) +``` + +## πŸ“ˆ Use Cases + +### 1. Ransomware Detection +Identify security alerts on assets with backup anomalies: +- Sudden compliance failures +- Missing snapshots during attack timeframe +- Unusual storage consumption patterns +- Failed backup jobs coinciding with security events + +### 2. Recovery Readiness Assessment +For any security incident, quickly determine: +- Does the compromised asset have recent backups? +- Are the backups compliant with SLA policies? +- When was the last clean backup taken? +- Are backups available in multiple locations? + +### 3. 
Attack Blast Radius Analysis +Correlate security incidents with backup infrastructure: +- Identify all affected assets and their backup status +- Determine which assets can be recovered +- Prioritize incident response based on backup availability +- Detect attacks specifically targeting backup systems + +### 4. Compliance Reporting +Generate audit reports combining security and backup data: +- Assets with security alerts and backup non-compliance +- Protection coverage across security zones +- Backup SLA compliance for critical assets +- Recovery time objectives (RTO) validation + +## πŸ“š Documentation + +- **[RSC-README.md](RSC-README.md)** - Detailed connector documentation and API reference +- **[DEPLOYMENT-GUIDE.md](DEPLOYMENT-GUIDE.md)** - Step-by-step deployment instructions +- **[RSC-TESTING-GUIDE.md](RSC-TESTING-GUIDE.md)** - Testing and validation procedures +- **[workbook-visualization-guide.md](workbook-visualization-guide.md)** - Workbook creation guide + +## πŸ”— Additional Resources + +- **Rubrik Security Cloud**: [docs.rubrik.com](https://docs.rubrik.com/) +- **Microsoft Sentinel**: [Data Connectors Guide](https://docs.microsoft.com/azure/sentinel/connect-data-sources) +- **Codeless Connector Framework**: [CCF Documentation](https://docs.microsoft.com/azure/sentinel/create-codeless-connector) +- **KQL Reference**: [Kusto Query Language](https://docs.microsoft.com/azure/data-explorer/kusto/query/) + +## 🀝 Contributing + +Contributions are welcome! Please: +1. Fork the repository +2. Create a feature branch +3. Test your changes thoroughly +4. Submit a pull request with detailed description + +## πŸ“„ License + +This project is licensed under the MIT License - see the LICENSE file for details. + +## πŸ’‘ Support + +This is a community-supported connector. 
For assistance: + +- **RSC API Issues**: Check Rubrik documentation and support +- **Azure Deployment**: Review Azure Activity Log and deployment outputs +- **Data Ingestion**: Validate DCR configuration and table schema +- **Query Performance**: Optimize KQL queries for your dataset size + +## 🎯 Quick Links + +- [Deploy Now](#-quick-start) +- [Sample Queries](#-sample-queries) +- [Troubleshooting](#-troubleshooting) +- [Documentation](#-documentation) + +--- + +**Built with Microsoft's Codeless Connector Framework (CCF) for seamless Sentinel integration** diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json new file mode 100644 index 00000000000..76af9d84b0b --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json 
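Review bot: README.md links to and tells the reader to run files that are not part of this change (RSC-README.md, DEPLOYMENT-GUIDE.md, RSC-TESTING-GUIDE.md, workbook-visualization-guide.md, cleanup-rsc-connector.ps1, rsc-complete-arm-template.json and the entire "Repository Structure" tree), so every documentation link and the whole Option B deployment path is dead for anyone installing from the solution package; either add those files to the PR or cut the README down to the five files actually shipped under RubrikSecurityCloud_CCF. The numbers also disagree with the templates in the same PR: the overview says 49 attributes, the Data Schema section says 52 columns, and "Polling Interval" says 5 minutes by default, while RubrikSecurityCloud_Table.json declares 50 columns and RubrikSecurityCloud_PollerConfig.json sets `queryWindowInMin: 60`. In the Option B snippet, `-ClientSecret 'your-client-secret'` passes the RSC secret as a plain command-line string, which ends up in shell history and PowerShell transcripts; suggest a `SecureString` parameter or a Key Vault reference, consistent with the portal path treating it as a password field. Finally, the sample queries filter on `ComplianceStatus != "IN_COMPLIANCE"` while the connector definition's sample queries use `!= 'Compliant'`; only one of these strings can match what RSC returns, so align them.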
@@ -0,0 +1,127 @@ +{ + "properties": { + "connectorUiConfig": { + "id": "RubrikProtectionStatus", + "title": "Rubrik Security Cloud Protection Status (using Codeless Connector Framework)", + "publisher": "Rubrik, Inc", + "descriptionMarkdown": "The Rubrik Security Cloud Protection Status data connector allows you to ingest protection and compliance status information from RSC into Microsoft Sentinel.", + "logo": "rubrikLogo.svg", + "graphQueriesTableName": "RubrikProtectionStatus_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "RubrikProtectionStatus_CL", + "baseQuery": "RubrikProtectionStatus_CL" + } + ], + "sampleQueries": [ + { + "description": "All RSC protection status events with key metrics", + "query": "RubrikProtectionStatus_CL | take 10 | project AssetName, ComplianceStatus, TotalSnapshots, LocalStorage, DataReduction, ClusterName" + }, + { + "description": "Assets out of compliance with storage metrics", + "query": "RubrikProtectionStatus_CL | where ComplianceStatus != 'Compliant' | project AssetName, ComplianceStatus, ArchivalComplianceStatus, ReplicationComplianceStatus, LastSnapshot, LocalStorage, SlaDomainName" + }, + { + "description": "Storage efficiency analysis", + "query": "RubrikProtectionStatus_CL | where isnotnull(DataReduction) | project AssetName, LogicalBytes, PhysicalBytes, DataReduction, LogicalDataReduction, LocalStorage | order by DataReduction desc" + }, + { + "description": "Snapshot distribution summary", + "query": "RubrikProtectionStatus_CL | summarize TotalAssets = count(), AvgSnapshots = avg(TotalSnapshots), TotalStorage = sum(LocalStorage) by ClusterName, SlaDomainName" + }, + { + "description": "Protection status overview", + "query": "RubrikProtectionStatus_CL | summarize count() by ProtectionStatus, ComplianceStatus | render piechart" + } + ], + "dataTypes": [ + { + "name": "RubrikProtectionStatus_CL", + "lastDataReceivedQuery": "RubrikProtectionStatus_CL | summarize Time = max(TimeGenerated) 
| where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "1. Enter Rubrik Security Cloud Credentials", + "description": "Provide your RSC API credentials to enable data collection.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "**Configuration Steps:**\n\n1. **RSC URL** - Your organization's RSC URL (e.g., `https://your-org.my.rubrik.com`)\n2. **Client ID** - Service account client ID from RSC (format: `client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`)\n3. **Client Secret** - Service account client secret from RSC\n\n**To create a service account in RSC:**\n- Go to RSC β†’ Settings β†’ Access Management β†’ Service Accounts\n- Create new service account with appropriate API permissions\n- Note the Client ID and Client Secret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "RSC URL", + "placeholder": "https://your-org.my.rubrik.com", + "type": "text", + "name": "rscUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client ID", + "placeholder": "client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "type": "text", + "name": "clientId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "Enter Client Secret", + "type": "password", + "name": "clientSecret" + } + } + ] + }, + { + "title": "2. 
Connect to Rubrik Security Cloud", + "description": "Click Connect to start data ingestion.", + "instructions": [ + { + "type": "ConnectionToggleButton", + "parameters": {} + } + ] + } + ] + } + }, + "apiVersion": "2024-01-01-preview", + "name": "RubrikSecurityCloud", + "kind": "Customizable", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions" +} diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCE.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCE.json new file mode 100644 index 00000000000..8b294051b19 --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCE.json @@ -0,0 +1,11 @@ +{ + "location": "[parameters('workspace-location')]", + "apiVersion": "2022-06-01", + "name": "RubrikProtectionStatusDCE", + "properties": { + "networkAcls": { + "publicNetworkAccess": "Enabled" + } + }, + "type": "Microsoft.Insights/dataCollectionEndpoints" +} \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCR.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCR.json new file mode 100644 index 00000000000..987c02d45cb --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCR.json 
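Review bot: In RubrikSecurityCloud_ConnectorDefinition.json the `requiredPermissions` block requests `"delete": true` while `permissionsDisplayText` tells the user that only "read and write permissions on the workspace are required"; the connector never deletes anything, so drop `delete` (or, if packaging requires it, correct the display text) so the least-privilege statement shown in the portal is accurate. The markdown instructions send the user to "Settings > Access Management > Service Accounts" whereas the README says "Settings > Users & Roles > Service Accounts"; use the path that matches the current RSC console in both places. The second sample query filters `ComplianceStatus != 'Compliant'` while the README's queries use `IN_COMPLIANCE`; whichever value RSC actually returns, both files should use it, otherwise the "Assets out of compliance" sample will return every row or none.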
@@ -0,0 +1,227 @@ +{ + "location": "[parameters('workspace-location')]", + "apiVersion": "2022-06-01", + "name": "RubrikProtectionStatusDCR", + "properties": { + "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'RubrikProtectionStatusDCE')]", + "streamDeclarations": { + "Custom-RubrikBackupStatus_API": { + "columns": [ + { + "name": "id", + "type": "string" + }, + { + "name": "name", + "type": "string" + }, + { + "name": "objectType", + "type": "string" + }, + { + "name": "objectState", + "type": "string" + }, + { + "name": "protectionStatus", + "type": "string" + }, + { + "name": "complianceStatus", + "type": "string" + }, + { + "name": "archivalComplianceStatus", + "type": "string" + }, + { + "name": "replicationComplianceStatus", + "type": "string" + }, + { + "name": "lastSnapshot", + "type": "datetime" + }, + { + "name": "latestArchivalSnapshot", + "type": "datetime" + }, + { + "name": "latestReplicationSnapshot", + "type": "datetime" + }, + { + "name": "protectedOn", + "type": "datetime" + }, + { + "name": "pullTime", + "type": "datetime" + }, + { + "name": "location", + "type": "string" + }, + { + "name": "cluster", + "type": "dynamic" + }, + { + "name": "slaDomain", + "type": "dynamic" + }, + { + "name": "workloadOrg", + "type": "dynamic" + }, + { + "name": "orgName", + "type": "string" + }, + { + "name": "fid", + "type": "string" + }, + { + "name": "orgId", + "type": "string" + }, + { + "name": "awaitingFirstFull", + "type": "boolean" + }, + { + "name": "archivalSnapshotLag", + "type": "int" + }, + { + "name": "replicationSnapshotLag", + "type": "int" + }, + { + "name": "missedSnapshots", + "type": "int" + }, + { + "name": "totalSnapshots", + "type": "int" + }, + { + "name": "localSnapshots", + "type": "int" + }, + { + "name": "localSlaSnapshots", + "type": "int" + }, + { + "name": "localOnDemandSnapshots", + "type": "int" + }, + { + "name": "archiveSnapshots", + "type": "int" + }, + { + "name": "replicaSnapshots", + 
"type": "int" + }, + { + "name": "localStorage", + "type": "long" + }, + { + "name": "archiveStorage", + "type": "long" + }, + { + "name": "replicaStorage", + "type": "long" + }, + { + "name": "localEffectiveStorage", + "type": "long" + }, + { + "name": "logicalBytes", + "type": "long" + }, + { + "name": "physicalBytes", + "type": "long" + }, + { + "name": "usedBytes", + "type": "long" + }, + { + "name": "provisionedBytes", + "type": "long" + }, + { + "name": "transferredBytes", + "type": "long" + }, + { + "name": "localProtectedData", + "type": "long" + }, + { + "name": "localMeteredData", + "type": "long" + }, + { + "name": "lastSnapshotLogicalBytes", + "type": "long" + }, + { + "name": "dataReduction", + "type": "real" + }, + { + "name": "logicalDataReduction", + "type": "real" + }, + { + "name": "sourceProtocol", + "type": "string" + }, + { + "name": "ncdPolicyName", + "type": "string" + }, + { + "name": "ncdSnapshotType", + "type": "string" + }, + { + "name": "ncdLatestArchiveSnapshot", + "type": "datetime" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-RubrikBackupStatus_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = now(), AssetId = id, AssetName = name, ObjectType = objectType, ObjectState = objectState, ProtectionStatus = protectionStatus, ComplianceStatus = complianceStatus, ArchivalComplianceStatus = archivalComplianceStatus, ReplicationComplianceStatus = replicationComplianceStatus, LastSnapshot = todatetime(lastSnapshot), LatestArchivalSnapshot = todatetime(latestArchivalSnapshot), LatestReplicationSnapshot = todatetime(latestReplicationSnapshot), ProtectedOn = todatetime(protectedOn), PullTime = todatetime(pullTime), Location = location, ClusterName = tostring(cluster.name), SlaDomainName = 
tostring(slaDomain.name), WorkloadOrgName = tostring(workloadOrg.name), OrgName = orgName, Fid = fid, OrgId = orgId, AwaitingFirstFull = tobool(awaitingFirstFull), ArchivalSnapshotLag = toint(archivalSnapshotLag), ReplicationSnapshotLag = toint(replicationSnapshotLag), MissedSnapshots = toint(missedSnapshots), TotalSnapshots = toint(totalSnapshots), LocalSnapshots = toint(localSnapshots), LocalSlaSnapshots = toint(localSlaSnapshots), LocalOnDemandSnapshots = toint(localOnDemandSnapshots), ArchiveSnapshots = toint(archiveSnapshots), ReplicaSnapshots = toint(replicaSnapshots), LocalStorage = tolong(localStorage), ArchiveStorage = tolong(archiveStorage), ReplicaStorage = tolong(replicaStorage), LocalEffectiveStorage = tolong(localEffectiveStorage), LogicalBytes = tolong(logicalBytes), PhysicalBytes = tolong(physicalBytes), UsedBytes = tolong(usedBytes), ProvisionedBytes = tolong(provisionedBytes), TransferredBytes = tolong(transferredBytes), LocalProtectedData = tolong(localProtectedData), LocalMeteredData = tolong(localMeteredData), LastSnapshotLogicalBytes = tolong(lastSnapshotLogicalBytes), DataReduction = toreal(dataReduction), LogicalDataReduction = toreal(logicalDataReduction), SourceProtocol = sourceProtocol, NcdPolicyName = ncdPolicyName, NcdSnapshotType = ncdSnapshotType, NcdLatestArchiveSnapshot = todatetime(ncdLatestArchiveSnapshot), SourceSystem = 'Rubrik Security Cloud'", + "outputStream": "Custom-RubrikProtectionStatus_CL" + } + ] + }, + "type": "Microsoft.Insights/dataCollectionRules" +} \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_PollerConfig.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_PollerConfig.json new file mode 100644 index 00000000000..005d60ef2cc --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_PollerConfig.json 
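Review bot: `transformKql` in RubrikSecurityCloud_DCR.json sets `TimeGenerated = now()`, so every row carries the poller's ingestion time rather than RSC's own `pullTime`; that suits the `arg_max(TimeGenerated, *)` pattern in the README, but it means a poll that returns stale RSC data (for example after an RSC-side outage) will look freshly generated, and the README's freshness check `datetime_diff('minute', now(), LastData)` then measures the poller, not the backup data. Suggest `TimeGenerated = iff(isnull(todatetime(pullTime)), now(), todatetime(pullTime))` and keep `PullTime` as its own column either way, so analysts can tell "last observed" from "last ingested". Minor: the stream already declares `lastSnapshot`, `protectedOn`, the `*Snapshots` counters and the `*Bytes` fields with their target types, so the repeated `todatetime()`/`toint()`/`tolong()` casts are redundant, though harmless.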
@@ -0,0 +1,46 @@ +{ + "properties": { + "connectorDefinitionName": "RubrikProtectionStatus", + "dataType": "Rubrik Security Cloud Protection Status", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-RubrikBackupStatus_API" + }, + "auth": { + "type": "OAuth2", + "ClientId": "[[parameters('clientId')]", + "ClientSecret": "[[parameters('clientSecret')]", + "GrantType": "client_credentials", + "TokenEndpoint": "[[concat(parameters('rscUrl'), '/api/client_token')]", + "TokenEndpointHeaders": { + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "Microsoft-Azure-DataConnector/1.0" + }, + "TokenEndpointMethod": "POST" + }, + "request": { + "apiEndpoint": "[[concat(parameters('rscUrl'), '/api/graphql')]", + "httpMethod": "POST", + "rateLimitQPS": 5, + "queryWindowInMin": 60, + "retryCount": 3, + "timeoutInSeconds": 120, + "headers": { + "Content-Type": "application/json", + "User-Agent": "Scuba" + }, + "queryParametersTemplate": "{\"query\":\"{\n snappableConnection(\n filter: {objectType: [AzureNativeVm], isLocal: true, objectState: [ACTIVE]}\n first: 50\n ) {\n nodes {\n id\n name\n objectType\n objectState\n protectionStatus\n complianceStatus\n archivalComplianceStatus\n replicationComplianceStatus\n lastSnapshot\n latestArchivalSnapshot\n latestReplicationSnapshot\n protectedOn\n pullTime\n location\n cluster {\n name\n }\n slaDomain {\n name\n }\n workloadOrg {\n name\n }\n orgName\n fid\n orgId\n awaitingFirstFull\n archivalSnapshotLag\n replicationSnapshotLag\n missedSnapshots\n totalSnapshots\n localSnapshots\n localSlaSnapshots\n localOnDemandSnapshots\n archiveSnapshots\n replicaSnapshots\n localStorage\n archiveStorage\n replicaStorage\n localEffectiveStorage\n logicalBytes\n physicalBytes\n usedBytes\n provisionedBytes\n transferredBytes\n localProtectedData\n 
localMeteredData\n lastSnapshotLogicalBytes\n dataReduction\n logicalDataReduction\n sourceProtocol\n ncdPolicyName\n ncdSnapshotType\n ncdLatestArchiveSnapshot\n }\n pageInfo {\n hasNextPage\n endCursor\n }\n }\n}\"}", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ" + }, + "response": { + "eventsJsonPaths": [ + "$.data.snappableConnection.nodes" + ] + } + }, + "apiVersion": "2022-09-01-preview", + "name": "RubrikSecurityCloudProtectionStatusPoller", + "kind": "RestApiPoller", + "type": "Microsoft.SecurityInsights/dataConnectors" +} diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_Table.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_Table.json new file mode 100644 index 00000000000..d12d7a94bb6 --- /dev/null +++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_Table.json 
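Review bot: The GraphQL query in RubrikSecurityCloud_PollerConfig.json requests `first: 50` and selects `pageInfo { hasNextPage endCursor }`, but the poller has no paging configuration and `eventsJsonPaths` reads only `$.data.snappableConnection.nodes`, so any tenant with more than 50 active Azure VMs silently ingests the first 50 and never the rest; the README's compliance and ransomware-correlation queries would then miss assets with no error anywhere. Either add the CCF paging settings so `endCursor` is fed back as an `after:` argument to `snappableConnection`, or document the cap and the `first` value explicitly. Also worth fixing before merge: the request `User-Agent` is `"Scuba"` while the token request sends `"Microsoft-Azure-DataConnector/1.0"`; use one descriptive value so RSC-side access logs can attribute the calls. `queryTimeFormat` is set but the query template contains no time placeholders, so it is dead configuration, and `queryWindowInMin: 60` contradicts the README's "polls RSC every 5 minutes by default". Lastly, confirm that RSC's `/api/client_token` accepts a form-encoded `client_credentials` request as configured here; if it expects a JSON body, the connector will fail with exactly the `401 Unauthorized` the README's troubleshooting section describes.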
@@ -0,0 +1,215 @@ +{ + "apiVersion": "2021-12-01-preview", + "name": "RubrikProtectionStatus_CL", + "properties": { + "totalRetentionInDays": 30, + "plan": "Analytics", + "retentionInDays": 4, + "schema": { + "name": "RubrikProtectionStatus_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "dateTime" + }, + { + "name": "AssetId", + "type": "string" + }, + { + "name": "AssetName", + "type": "string" + }, + { + "name": "ObjectType", + "type": "string" + }, + { + "name": "ObjectState", + "type": "string" + }, + { + "name": "ProtectionStatus", + "type": "string" + }, + { + "name": "ComplianceStatus", + "type": "string" + }, + { + "name": "ArchivalComplianceStatus", + "type": "string" + }, + { + "name": "ReplicationComplianceStatus", + "type": "string" + }, + { + "name": "LastSnapshot", + "type": "dateTime" + }, + { + "name": "LatestArchivalSnapshot", + "type": "dateTime" + }, + { + "name": "LatestReplicationSnapshot", + "type": "dateTime" + }, + { + "name": "ProtectedOn", + "type": "dateTime" + }, + { + "name": "PullTime", + "type": "dateTime" + }, + { + "name": "Location", + "type": "string" + }, + { + "name": "ClusterName", + "type": "string" + }, + { + "name": "SlaDomainName", + "type": "string" + }, + { + "name": "WorkloadOrgName", + "type": "string" + }, + { + "name": "OrgName", + "type": "string" + }, + { + "name": "Fid", + "type": "string" + }, + { + "name": "OrgId", + "type": "string" + }, + { + "name": "AwaitingFirstFull", + "type": "bool" + }, + { + "name": "ArchivalSnapshotLag", + "type": "int" + }, + { + "name": "ReplicationSnapshotLag", + "type": "int" + }, + { + "name": "MissedSnapshots", + "type": "int" + }, + { + "name": "TotalSnapshots", + "type": "int" + }, + { + "name": "LocalSnapshots", + "type": "int" + }, + { + "name": "LocalSlaSnapshots", + "type": "int" + }, + { + "name": "LocalOnDemandSnapshots", + "type": "int" + }, + { + "name": "ArchiveSnapshots", + "type": "int" + }, + { + "name": "ReplicaSnapshots", + "type": "int" + }, + { + 
"name": "LocalStorage", + "type": "long" + }, + { + "name": "ArchiveStorage", + "type": "long" + }, + { + "name": "ReplicaStorage", + "type": "long" + }, + { + "name": "LocalEffectiveStorage", + "type": "long" + }, + { + "name": "LogicalBytes", + "type": "long" + }, + { + "name": "PhysicalBytes", + "type": "long" + }, + { + "name": "UsedBytes", + "type": "long" + }, + { + "name": "ProvisionedBytes", + "type": "long" + }, + { + "name": "TransferredBytes", + "type": "long" + }, + { + "name": "LocalProtectedData", + "type": "long" + }, + { + "name": "LocalMeteredData", + "type": "long" + }, + { + "name": "LastSnapshotLogicalBytes", + "type": "long" + }, + { + "name": "DataReduction", + "type": "real" + }, + { + "name": "LogicalDataReduction", + "type": "real" + }, + { + "name": "SourceProtocol", + "type": "string" + }, + { + "name": "NcdPolicyName", + "type": "string" + }, + { + "name": "NcdSnapshotType", + "type": "string" + }, + { + "name": "NcdLatestArchiveSnapshot", + "type": "dateTime" + }, + { + "name": "SourceSystem", + "type": "string" + } + ] + } + }, + "type": "Microsoft.OperationalInsights/workspaces/tables" +} \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json index 8098b401af0..acb556e89e4 100644 --- a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json +++ b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json 
@@ -24,14 +24,15 @@ "Playbooks/RubrikTurboThreatHunt/azuredeploy.json" ], "Data Connectors": [ - "Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json" + "Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json", + "Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json" ], "Analytic Rules": [ "Analytic Rules/RubrikCriticalAnomaly.yaml", "Analytic Rules/RubrikThreatMonitoring.yaml" ], - "BasePath": "C:\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud", - "Version": "3.5.1", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud", + "Version": "3.5.2", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/RubrikSecurityCloud/Package/3.5.2.zip b/Solutions/RubrikSecurityCloud/Package/3.5.2.zip new file mode 100644 index 00000000000..43e108b0161 Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Package/3.5.2.zip differ diff --git a/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json b/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json index 1b618d943fa..e10547f19a6 100644 --- a/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json +++ b/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json 
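Review bot: the `BasePath` change from `C:\\Azure-Sentinel\\...` to `C:\\GitHub\\Azure-Sentinel\\...` is only an artifact of where the packaging tool was run on the author's machine and carries no meaning for the solution; consider reverting that line so the diff is limited to the 3.5.2 version bump and the new `RubrikSecurityCloud_ConnectorDefinition.json` entry. The version bump should also be reflected in the solution's ReleaseNotes.md (linked from createUiDefinition.json but not touched in this diff) with an entry describing the added CCF connector and its new table.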
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\nβ€’ Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n β€’ There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 17\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\nβ€’ Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n β€’ There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel. 
\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 2, **Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 17\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -64,7 +64,14 @@ } }, { - "name": "dataconnectors-link1", + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Rubrik Security Cloud Protection Status (using Codeless Connector Framework). You can get Rubrik Security Cloud Protection Status (using Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", "options": { "link": { diff --git a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json index 2f1e00322f5..269f30d8573 100644 --- a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json +++ b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json 
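Review bot: the "Underlying Microsoft Technologies used" paragraph still lists only the Azure Monitor HTTP Data Collector API and Azure Functions, but the connector added here is CCF-based and ingests through a Data Collection Endpoint and the `RubrikProtectionStatusDCR` Data Collection Rule defined in mainTemplate.json; add the Logs Ingestion API / Data Collection Rules dependency to that list so the preview and cost disclaimer covers the new ingestion path. The count change to `**Data Connectors:** 2` is consistent with the added connector, and inserting `dataconnectors2-text` while renaming `dataconnectors-link1` to `dataconnectors-link2` matches the generated layout.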
@@ -27,15 +27,31 @@ "metadata": { "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } } }, "variables": { "email": "ben.meadowcroft@rubrik.com", "_email": "[variables('email')]", "_solutionName": "RubrikSecurityCloud", - "_solutionVersion": "3.5.1", + "_solutionVersion": "3.5.2", "solutionId": "rubrik_inc.rubrik_sentinel", "_solutionId": "[variables('solutionId')]", + "_resourceGroupName": "[parameters('resourceGroupName')]", + "_subscription": "[parameters('subscription')]", "RubrikCustomConnector": "RubrikCustomConnector", "_RubrikCustomConnector": "[variables('RubrikCustomConnector')]", "TemplateEmptyArray": "[json('[]')]", 
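Review bot: the new `resourceGroupName` and `subscription` parameters and their `_resourceGroupName` / `_subscription` variables are not read by anything in the hunks shown; if the connections template later in this PR uses them for the DCR and DCE resource ids that is fine, otherwise drop them to avoid dead parameters in the deployment UI. Conversely, the `RubrikProtectionStatusDCR` resource added further down references `variables('workspaceResourceId')` and `variables('blanks')`, neither of which is added in this variables hunk; confirm both already exist in the template, because a missing variable fails ARM validation before any resource is deployed.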
@@ -192,6 +208,11 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition2": "RubrikProtectionStatus", + "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", + "_dataConnectorContentIdConnections2": "RubrikProtectionStatusConnections", + "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", "analyticRuleObject1": { "analyticRuleVersion1": "1.0.0", "_analyticRulecontentId1": "54c70d21-696f-4f03-9238-9d7118d079fe", @@ -218,17 +239,17 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikCustomConnector Playbook with template version 3.5.1", + "description": "RubrikCustomConnector Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", "parameters": { "API Hostname": { - "type": "String", - "metadata": { + "type": "String", + "metadata": { "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" - } - }, + } + }, "Rubrik Connector name": { "defaultValue": "RubrikCustomConnector", "type": "String" 
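Review bot: the re-indentation of the `API Hostname` parameter block (`"type": "String"`, `"metadata": {` and its closing braces) is whitespace-only churn unrelated to the 3.5.2 bump and makes the generated template harder to diff; the same pattern shows up in the later `description` hunks that change no visible text (most likely trailing whitespace or line endings). Regenerate with the packaging tool's default formatting or revert those lines. The new `dataConnectorCCPVersion`, `_dataConnectorContentIdConnectorDefinition2` and `_dataConnectorContentIdConnections2` variables look consistent with the contentId values used in the connector definition and metadata resources below.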
@@ -392,7 +413,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAnomalyAnalysis Playbook with template version 3.5.1", + "description": "RubrikAnomalyAnalysis Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -3807,7 +3828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.5.1", + "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -3815,7 +3836,7 @@ "API Hostname": { "type": "String", "metadata": { - "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" + "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" } }, "PlaybookName": { @@ -4527,7 +4548,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikDataObjectDiscovery Playbook with template version 3.5.1", + "description": "RubrikDataObjectDiscovery Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", 
@@ -7145,7 +7166,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.5.1", + "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -7795,7 +7816,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikIOCScan Playbook with template version 3.5.1", + "description": "RubrikIOCScan Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", @@ -10256,7 +10277,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikPollAsyncResult Playbook with template version 3.5.1", + "description": "RubrikPollAsyncResult Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", 
@@ -11126,7 +11147,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.5.1", + "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -13064,7 +13085,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.5.1", + "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", @@ -17200,7 +17221,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.5.1", + "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", 
@@ -20467,7 +20488,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.5.1", + "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", @@ -22457,7 +22478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.5.1", + "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion12')]", @@ -24162,7 +24183,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.5.1", + "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion13')]", 
@@ -25520,7 +25541,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikWorkloadAnalysis Playbook with template version 3.5.1", + "description": "RubrikWorkloadAnalysis Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion14')]", @@ -27450,7 +27471,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikUpdateAnomalyStatus Playbook with template version 3.5.1", + "description": "RubrikUpdateAnomalyStatus Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion15')]", @@ -27926,7 +27947,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikUpdateAnomalyStatusViaIncident Playbook with template version 3.5.1", + "description": "RubrikUpdateAnomalyStatusViaIncident Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion16')]", @@ -27942,7 +27963,7 @@ "API Hostname": { "type": "String", "metadata": { - "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" + "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" } }, "Rubrik Connector name": { 
@@ -29111,7 +29132,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAdvancedThreatHunt Playbook with template version 3.5.1", + "description": "RubrikAdvancedThreatHunt Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion17')]", @@ -29123,7 +29144,7 @@ "API Hostname": { "type": "String", "metadata": { - "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" + "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" } }, "Rubrik Connector name": { @@ -31639,7 +31660,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikTurboThreatHunt Playbook with template version 3.5.1", + "description": "RubrikTurboThreatHunt Playbook with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion18')]", @@ -31651,7 +31672,7 @@ "API Hostname": { "type": "String", "metadata": { - "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" + "description": "Hostname of the RubrikApi instance (Ex: customer.my.rubrik.com)" } }, "Rubrik Connector name": { 
@@ -33575,7 +33596,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikSecurityCloud data connector with template version 3.5.1", + "description": "RubrikSecurityCloud data connector with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -34037,6 +34058,950 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "Rubrik Security Cloud Protection Status (using Codeless Connector Framework)", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "RubrikProtectionStatus", + "title": "Rubrik Security Cloud Protection Status (using Codeless Connector Framework)", + "publisher": "Rubrik, Inc", + "descriptionMarkdown": "The Rubrik Security Cloud Protection Status data connector allows you to ingest protection and compliance status information from RSC into Microsoft Sentinel.", + "logo": "data:image/svg+xml;base64,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", + "graphQueriesTableName": "RubrikProtectionStatus_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": 
"RubrikProtectionStatus_CL", + "baseQuery": "RubrikProtectionStatus_CL" + } + ], + "sampleQueries": [ + { + "description": "All RSC protection status events with key metrics", + "query": "RubrikProtectionStatus_CL | take 10 | project AssetName, ComplianceStatus, TotalSnapshots, LocalStorage, DataReduction, ClusterName" + }, + { + "description": "Assets out of compliance with storage metrics", + "query": "RubrikProtectionStatus_CL | where ComplianceStatus != 'Compliant' | project AssetName, ComplianceStatus, ArchivalComplianceStatus, ReplicationComplianceStatus, LastSnapshot, LocalStorage, SlaDomainName" + }, + { + "description": "Storage efficiency analysis", + "query": "RubrikProtectionStatus_CL | where isnotnull(DataReduction) | project AssetName, LogicalBytes, PhysicalBytes, DataReduction, LogicalDataReduction, LocalStorage | order by DataReduction desc" + }, + { + "description": "Snapshot distribution summary", + "query": "RubrikProtectionStatus_CL | summarize TotalAssets = count(), AvgSnapshots = avg(TotalSnapshots), TotalStorage = sum(LocalStorage) by ClusterName, SlaDomainName" + }, + { + "description": "Protection status overview", + "query": "RubrikProtectionStatus_CL | summarize count() by ProtectionStatus, ComplianceStatus | render piechart" + } + ], + "dataTypes": [ + { + "name": "RubrikProtectionStatus_CL", + "lastDataReceivedQuery": "RubrikProtectionStatus_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + 
"title": "1. Enter Rubrik Security Cloud Credentials", + "description": "Provide your RSC API credentials to enable data collection.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "**Configuration Steps:**\n\n1. **RSC URL** - Your organization's RSC URL (e.g., `https://your-org.my.rubrik.com`)\n2. **Client ID** - Service account client ID from RSC (format: `client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`)\n3. **Client Secret** - Service account client secret from RSC\n\n**To create a service account in RSC:**\n- Go to RSC β†’ Settings β†’ Access Management β†’ Service Accounts\n- Create new service account with appropriate API permissions\n- Note the Client ID and Client Secret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "RSC URL", + "placeholder": "https://your-org.my.rubrik.com", + "type": "text", + "name": "rscUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client ID", + "placeholder": "client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "type": "text", + "name": "clientId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "Enter Client Secret", + "type": "password", + "name": "clientSecret" + } + } + ] + }, + { + "title": "2. 
Connect to Rubrik Security Cloud", + "description": "Click Connect to start data ingestion.", + "instructions": [ + { + "type": "ConnectionToggleButton", + "parameters": {} + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Ben Meadowcroft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Rubrik", + "email": "support@rubrik.com", + "tier": "Partner", + "link": "https://support.rubrik.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "RubrikProtectionStatusDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'RubrikProtectionStatusDCE')]", + "streamDeclarations": { + "Custom-RubrikBackupStatus_API": { + "columns": [ + { + "name": "id", + "type": "string" + }, + { + "name": "name", + "type": "string" + }, + { + "name": "objectType", + 
"type": "string" + }, + { + "name": "objectState", + "type": "string" + }, + { + "name": "protectionStatus", + "type": "string" + }, + { + "name": "complianceStatus", + "type": "string" + }, + { + "name": "archivalComplianceStatus", + "type": "string" + }, + { + "name": "replicationComplianceStatus", + "type": "string" + }, + { + "name": "lastSnapshot", + "type": "datetime" + }, + { + "name": "latestArchivalSnapshot", + "type": "datetime" + }, + { + "name": "latestReplicationSnapshot", + "type": "datetime" + }, + { + "name": "protectedOn", + "type": "datetime" + }, + { + "name": "pullTime", + "type": "datetime" + }, + { + "name": "location", + "type": "string" + }, + { + "name": "cluster", + "type": "dynamic" + }, + { + "name": "slaDomain", + "type": "dynamic" + }, + { + "name": "workloadOrg", + "type": "dynamic" + }, + { + "name": "orgName", + "type": "string" + }, + { + "name": "fid", + "type": "string" + }, + { + "name": "orgId", + "type": "string" + }, + { + "name": "awaitingFirstFull", + "type": "boolean" + }, + { + "name": "archivalSnapshotLag", + "type": "int" + }, + { + "name": "replicationSnapshotLag", + "type": "int" + }, + { + "name": "missedSnapshots", + "type": "int" + }, + { + "name": "totalSnapshots", + "type": "int" + }, + { + "name": "localSnapshots", + "type": "int" + }, + { + "name": "localSlaSnapshots", + "type": "int" + }, + { + "name": "localOnDemandSnapshots", + "type": "int" + }, + { + "name": "archiveSnapshots", + "type": "int" + }, + { + "name": "replicaSnapshots", + "type": "int" + }, + { + "name": "localStorage", + "type": "long" + }, + { + "name": "archiveStorage", + "type": "long" + }, + { + "name": "replicaStorage", + "type": "long" + }, + { + "name": "localEffectiveStorage", + "type": "long" + }, + { + "name": "logicalBytes", + "type": "long" + }, + { + "name": "physicalBytes", + "type": "long" + }, + { + "name": "usedBytes", + "type": "long" + }, + { + "name": "provisionedBytes", + "type": "long" + }, + { + "name": 
"transferredBytes", + "type": "long" + }, + { + "name": "localProtectedData", + "type": "long" + }, + { + "name": "localMeteredData", + "type": "long" + }, + { + "name": "lastSnapshotLogicalBytes", + "type": "long" + }, + { + "name": "dataReduction", + "type": "real" + }, + { + "name": "logicalDataReduction", + "type": "real" + }, + { + "name": "sourceProtocol", + "type": "string" + }, + { + "name": "ncdPolicyName", + "type": "string" + }, + { + "name": "ncdSnapshotType", + "type": "string" + }, + { + "name": "ncdLatestArchiveSnapshot", + "type": "datetime" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-RubrikBackupStatus_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = now(), AssetId = id, AssetName = name, ObjectType = objectType, ObjectState = objectState, ProtectionStatus = protectionStatus, ComplianceStatus = complianceStatus, ArchivalComplianceStatus = archivalComplianceStatus, ReplicationComplianceStatus = replicationComplianceStatus, LastSnapshot = todatetime(lastSnapshot), LatestArchivalSnapshot = todatetime(latestArchivalSnapshot), LatestReplicationSnapshot = todatetime(latestReplicationSnapshot), ProtectedOn = todatetime(protectedOn), PullTime = todatetime(pullTime), Location = location, ClusterName = tostring(cluster.name), SlaDomainName = tostring(slaDomain.name), WorkloadOrgName = tostring(workloadOrg.name), OrgName = orgName, Fid = fid, OrgId = orgId, AwaitingFirstFull = tobool(awaitingFirstFull), ArchivalSnapshotLag = toint(archivalSnapshotLag), ReplicationSnapshotLag = toint(replicationSnapshotLag), MissedSnapshots = toint(missedSnapshots), TotalSnapshots = toint(totalSnapshots), LocalSnapshots = toint(localSnapshots), LocalSlaSnapshots = toint(localSlaSnapshots), LocalOnDemandSnapshots = toint(localOnDemandSnapshots), ArchiveSnapshots = 
toint(archiveSnapshots), ReplicaSnapshots = toint(replicaSnapshots), LocalStorage = tolong(localStorage), ArchiveStorage = tolong(archiveStorage), ReplicaStorage = tolong(replicaStorage), LocalEffectiveStorage = tolong(localEffectiveStorage), LogicalBytes = tolong(logicalBytes), PhysicalBytes = tolong(physicalBytes), UsedBytes = tolong(usedBytes), ProvisionedBytes = tolong(provisionedBytes), TransferredBytes = tolong(transferredBytes), LocalProtectedData = tolong(localProtectedData), LocalMeteredData = tolong(localMeteredData), LastSnapshotLogicalBytes = tolong(lastSnapshotLogicalBytes), DataReduction = toreal(dataReduction), LogicalDataReduction = toreal(logicalDataReduction), SourceProtocol = sourceProtocol, NcdPolicyName = ncdPolicyName, NcdSnapshotType = ncdSnapshotType, NcdLatestArchiveSnapshot = todatetime(ncdLatestArchiveSnapshot), SourceSystem = 'Rubrik Security Cloud'", + "outputStream": "Custom-RubrikProtectionStatus_CL" + } + ] + } + }, + { + "name": "RubrikProtectionStatus_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "totalRetentionInDays": 30, + "plan": "Analytics", + "retentionInDays": 4, + "schema": { + "name": "RubrikProtectionStatus_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "dateTime" + }, + { + "name": "AssetId", + "type": "string" + }, + { + "name": "AssetName", + "type": "string" + }, + { + "name": "ObjectType", + "type": "string" + }, + { + "name": "ObjectState", + "type": "string" + }, + { + "name": "ProtectionStatus", + "type": "string" + }, + { + "name": "ComplianceStatus", + "type": "string" + }, + { + "name": "ArchivalComplianceStatus", + "type": "string" + }, + { + "name": "ReplicationComplianceStatus", + "type": "string" + }, + { + "name": "LastSnapshot", + "type": "dateTime" + }, + { + "name": "LatestArchivalSnapshot", + "type": "dateTime" + }, + { + "name": 
"LatestReplicationSnapshot", + "type": "dateTime" + }, + { + "name": "ProtectedOn", + "type": "dateTime" + }, + { + "name": "PullTime", + "type": "dateTime" + }, + { + "name": "Location", + "type": "string" + }, + { + "name": "ClusterName", + "type": "string" + }, + { + "name": "SlaDomainName", + "type": "string" + }, + { + "name": "WorkloadOrgName", + "type": "string" + }, + { + "name": "OrgName", + "type": "string" + }, + { + "name": "Fid", + "type": "string" + }, + { + "name": "OrgId", + "type": "string" + }, + { + "name": "AwaitingFirstFull", + "type": "bool" + }, + { + "name": "ArchivalSnapshotLag", + "type": "int" + }, + { + "name": "ReplicationSnapshotLag", + "type": "int" + }, + { + "name": "MissedSnapshots", + "type": "int" + }, + { + "name": "TotalSnapshots", + "type": "int" + }, + { + "name": "LocalSnapshots", + "type": "int" + }, + { + "name": "LocalSlaSnapshots", + "type": "int" + }, + { + "name": "LocalOnDemandSnapshots", + "type": "int" + }, + { + "name": "ArchiveSnapshots", + "type": "int" + }, + { + "name": "ReplicaSnapshots", + "type": "int" + }, + { + "name": "LocalStorage", + "type": "long" + }, + { + "name": "ArchiveStorage", + "type": "long" + }, + { + "name": "ReplicaStorage", + "type": "long" + }, + { + "name": "LocalEffectiveStorage", + "type": "long" + }, + { + "name": "LogicalBytes", + "type": "long" + }, + { + "name": "PhysicalBytes", + "type": "long" + }, + { + "name": "UsedBytes", + "type": "long" + }, + { + "name": "ProvisionedBytes", + "type": "long" + }, + { + "name": "TransferredBytes", + "type": "long" + }, + { + "name": "LocalProtectedData", + "type": "long" + }, + { + "name": "LocalMeteredData", + "type": "long" + }, + { + "name": "LastSnapshotLogicalBytes", + "type": "long" + }, + { + "name": "DataReduction", + "type": "real" + }, + { + "name": "LogicalDataReduction", + "type": "real" + }, + { + "name": "SourceProtocol", + "type": "string" + }, + { + "name": "NcdPolicyName", + "type": "string" + }, + { + "name": 
"NcdSnapshotType", + "type": "string" + }, + { + "name": "NcdLatestArchiveSnapshot", + "type": "dateTime" + }, + { + "name": "SourceSystem", + "type": "string" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "RubrikProtectionStatus", + "title": "Rubrik Security Cloud Protection Status (using Codeless Connector Framework)", + "publisher": "Rubrik, Inc", + "descriptionMarkdown": "The Rubrik Security Cloud Protection Status data connector allows you to ingest protection and compliance status information from RSC into Microsoft Sentinel.", + "logo": "data:image/svg+xml;base64,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", + "graphQueriesTableName": "RubrikProtectionStatus_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "RubrikProtectionStatus_CL", + "baseQuery": "RubrikProtectionStatus_CL" + } + ], + "sampleQueries": [ + { + "description": "All RSC protection status events with key metrics", + "query": "RubrikProtectionStatus_CL | take 10 | project AssetName, ComplianceStatus, TotalSnapshots, LocalStorage, DataReduction, ClusterName" + }, + 
{ + "description": "Assets out of compliance with storage metrics", + "query": "RubrikProtectionStatus_CL | where ComplianceStatus != 'Compliant' | project AssetName, ComplianceStatus, ArchivalComplianceStatus, ReplicationComplianceStatus, LastSnapshot, LocalStorage, SlaDomainName" + }, + { + "description": "Storage efficiency analysis", + "query": "RubrikProtectionStatus_CL | where isnotnull(DataReduction) | project AssetName, LogicalBytes, PhysicalBytes, DataReduction, LogicalDataReduction, LocalStorage | order by DataReduction desc" + }, + { + "description": "Snapshot distribution summary", + "query": "RubrikProtectionStatus_CL | summarize TotalAssets = count(), AvgSnapshots = avg(TotalSnapshots), TotalStorage = sum(LocalStorage) by ClusterName, SlaDomainName" + }, + { + "description": "Protection status overview", + "query": "RubrikProtectionStatus_CL | summarize count() by ProtectionStatus, ComplianceStatus | render piechart" + } + ], + "dataTypes": [ + { + "name": "RubrikProtectionStatus_CL", + "lastDataReceivedQuery": "RubrikProtectionStatus_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "1. Enter Rubrik Security Cloud Credentials", + "description": "Provide your RSC API credentials to enable data collection.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "**Configuration Steps:**\n\n1. 
**RSC URL** - Your organization's RSC URL (e.g., `https://your-org.my.rubrik.com`)\n2. **Client ID** - Service account client ID from RSC (format: `client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`)\n3. **Client Secret** - Service account client secret from RSC\n\n**To create a service account in RSC:**\n- Go to RSC β†’ Settings β†’ Access Management β†’ Service Accounts\n- Create new service account with appropriate API permissions\n- Note the Client ID and Client Secret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "RSC URL", + "placeholder": "https://your-org.my.rubrik.com", + "type": "text", + "name": "rscUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client ID", + "placeholder": "client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "type": "text", + "name": "clientId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "Enter Client Secret", + "type": "password", + "name": "clientSecret" + } + } + ] + }, + { + "title": "2. 
Connect to Rubrik Security Cloud", + "description": "Click Connect to start data ingestion.", + "instructions": [ + { + "type": "ConnectionToggleButton", + "parameters": {} + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Ben Meadowcroft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Rubrik", + "email": "support@rubrik.com", + "tier": "Partner", + "link": "https://support.rubrik.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + 
"properties": { + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "displayName": "Rubrik Security Cloud Protection Status (using Codeless Connector Framework)", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "guidValue": { + "defaultValue": "[[newGuid()]", + "type": "securestring" + }, + "innerWorkspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "connectorDefinitionName": { + "defaultValue": "Rubrik Security Cloud Protection Status (using Codeless Connector Framework)", + "type": "securestring", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "rscUrl": { + "defaultValue": "rscUrl", + "type": "securestring", + "minLength": 1 + }, + "clientId": { + "defaultValue": "clientId", + "type": "securestring", + "minLength": 1 + }, + "clientSecret": { + "defaultValue": "clientSecret", + "type": "securestring", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", + 
"contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Ben Meadowcroft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Rubrik", + "email": "support@rubrik.com", + "tier": "Partner", + "link": "https://support.rubrik.com" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'RubrikSecurityCloudProtectionStatusPoller', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "RubrikProtectionStatus", + "dataType": "Rubrik Security Cloud Protection Status", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-RubrikBackupStatus_API" + }, + "auth": { + "type": "OAuth2", + "ClientId": "[[parameters('clientId')]", + "ClientSecret": "[[parameters('clientSecret')]", + "GrantType": "client_credentials", + "TokenEndpoint": "[[concat(parameters('rscUrl'), '/api/client_token')]", + "TokenEndpointHeaders": { + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "Microsoft-Azure-DataConnector/1.0" + }, + "TokenEndpointMethod": "POST" + }, + "request": { + "apiEndpoint": "[[concat(parameters('rscUrl'), '/api/graphql')]", + "httpMethod": "POST", + "rateLimitQPS": 5, + "queryWindowInMin": 60, + "retryCount": 3, + "timeoutInSeconds": 120, + "headers": { + "Content-Type": "application/json", + "User-Agent": "Scuba" + }, + "queryParametersTemplate": "{\"query\":\"{\n 
snappableConnection(\n filter: {objectType: [AzureNativeVm], isLocal: true, objectState: [ACTIVE]}\n first: 50\n ) {\n nodes {\n id\n name\n objectType\n objectState\n protectionStatus\n complianceStatus\n archivalComplianceStatus\n replicationComplianceStatus\n lastSnapshot\n latestArchivalSnapshot\n latestReplicationSnapshot\n protectedOn\n pullTime\n location\n cluster {\n name\n }\n slaDomain {\n name\n }\n workloadOrg {\n name\n }\n orgName\n fid\n orgId\n awaitingFirstFull\n archivalSnapshotLag\n replicationSnapshotLag\n missedSnapshots\n totalSnapshots\n localSnapshots\n localSlaSnapshots\n localOnDemandSnapshots\n archiveSnapshots\n replicaSnapshots\n localStorage\n archiveStorage\n replicaStorage\n localEffectiveStorage\n logicalBytes\n physicalBytes\n usedBytes\n provisionedBytes\n transferredBytes\n localProtectedData\n localMeteredData\n lastSnapshotLogicalBytes\n dataReduction\n logicalDataReduction\n sourceProtocol\n ncdPolicyName\n ncdSnapshotType\n ncdLatestArchiveSnapshot\n }\n pageInfo {\n hasNextPage\n endCursor\n }\n }\n}\"}", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ" + }, + "response": { + "eventsJsonPaths": [ + "$.data.snappableConnection.nodes" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
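Review bot: The RestApiPoller in this hunk requests `first: 50` and selects `pageInfo { hasNextPage endCursor }`, but the `request` object carries no `paging` configuration and `eventsJsonPaths` reads only `$.data.snappableConnection.nodes`, so a tenant with more than 50 matching Azure VMs will ingest the same first page on every poll and never see the rest; either add a `paging` block to the poller or state the limit in `descriptionMarkdown` and the release notes. Smaller points in the same hunk: the `transformKql` stamps every row with `TimeGenerated = now()` and the GraphQL query has no time filter, so each 60-minute poll re-emits the full inventory and the sample queries ("Assets out of compliance", "Snapshot distribution summary") will count one row per poll per asset unless they first reduce to the latest record, for example `summarize arg_max(TimeGenerated, *) by AssetId`; the `RubrikProtectionStatus_CL` table sets `"retentionInDays": 4` against `"totalRetentionInDays": 30`, which leaves 26 of the 30 days reachable only through search jobs rather than the correlation joins the connector is meant to support, so confirm the 4-day interactive window is intentional; the token request sends `User-Agent: Microsoft-Azure-DataConnector/1.0` while the GraphQL request sends `User-Agent: Scuba`, and one descriptive value for both keeps RSC-side audit logs attributable to this connector; and `TokenEndpoint` is built by concatenating the free-text `rscUrl` textbox with `/api/client_token`, so the client secret is posted to whatever host the operator types, which argues for constraining the RSC URL step to an `https://` URL rather than relying on the placeholder.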
@@ -34046,7 +35011,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikCriticalAnomaly_AnalyticalRules Analytics Rule with template version 3.5.1", + "description": "RubrikCriticalAnomaly_AnalyticalRules Analytics Rule with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -34074,10 +35039,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "RubrikSecurityCloudAzureFunctions", "dataTypes": [ "RubrikAnomalyData" - ] + ], + "connectorId": "RubrikSecurityCloudAzureFunctions" } ], "tactics": [ @@ -34090,11 +35055,11 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "ObjectId": "custom_details_objectId_g", - "ObjectName": "custom_details_objectName_s", + "ClusterName": "custom_details_clusterName_s", "ObjectType": "custom_details_objectType_s", "ClusterIdentifier": "custom_details_clusterId_g", - "ClusterName": "custom_details_clusterName_s" + "ObjectId": "custom_details_objectId_g", + "ObjectName": "custom_details_objectName_s" }, "incidentConfiguration": { "createIncident": true @@ -34152,7 +35117,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikThreatMonitoring_AnalyticalRules Analytics Rule with template version 3.5.1", + "description": "RubrikThreatMonitoring_AnalyticalRules Analytics Rule with template version 3.5.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -34180,10 +35145,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "RubrikSecurityCloudAzureFunctions", "dataTypes": [ "RubrikEventsData" - ] + ], + "connectorId": "RubrikSecurityCloudAzureFunctions" } ], "tactics": [ @@ -34196,29 +35161,29 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "ObjectId": "custom_details_objectId_g", - "ObjectType": "custom_details_objectType_s", - "EventName": "custom_details_eventName_s", - "Url": "custom_details_url_s", "ClusterIdentifier": "custom_details_clusterId_g", + "Summary": "summary_s", + "Url": "custom_details_url_s", + "ObjectId": "custom_details_objectId_g", "ObjectName": "custom_details_objectName_s", - "Summary": "summary_s" + "ObjectType": "custom_details_objectType_s", + "EventName": "custom_details_eventName_s" }, "alertDetailsOverride": { "alertDisplayNameFormat": "ThreatMonitoring Found {{count_}} {{eventname}} Matches for {{custom_details_objectName_s}}" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "P7D", - "reopenClosedIncident": false, + "matchingMethod": "Selected", "groupByCustomDetails": [ "ObjectName", "ObjectId" ], + "lookbackDuration": "P7D", "enabled": true, - "matchingMethod": "Selected" - } + "reopenClosedIncident": false + }, + "createIncident": true } } }, @@ -34269,12 +35234,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.5.1", + "version": "3.5.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "RubrikSecurityCloud", "publisherDisplayName": "Rubrik", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

β€’ Review the solution Release Notes

\n

β€’ There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 17

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

β€’ Review the solution Release Notes

\n

β€’ There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 2, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 17

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -34394,6 +35359,11 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", @@ -34407,7 +35377,7 @@ ] }, "firstPublishDate": "2022-07-19", - "lastPublishDate": "2025-07-25", + "lastPublishDate": "2026-02-19", "providers": [ "Rubrik" ], diff --git a/Solutions/RubrikSecurityCloud/Package/testParameters.json b/Solutions/RubrikSecurityCloud/Package/testParameters.json index e55ec41a9ac..554801e41b7 100644 --- a/Solutions/RubrikSecurityCloud/Package/testParameters.json +++ b/Solutions/RubrikSecurityCloud/Package/testParameters.json @@ -20,5 +20,19 @@ "metadata": { "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } } } diff --git a/Solutions/RubrikSecurityCloud/ReleaseNotes.md b/Solutions/RubrikSecurityCloud/ReleaseNotes.md index 2c5fd54f4db..0c80de1d329 100644 --- a/Solutions/RubrikSecurityCloud/ReleaseNotes.md +++ b/Solutions/RubrikSecurityCloud/ReleaseNotes.md 
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.5.2 | 19-02-2026 | Added RubrikSecurityCloud CCF (Codeless Connector Framework) Data Connector for ingesting Rubrik Protection Status data into Microsoft Sentinel. Enables backup compliance monitoring, ransomware recovery assessment, and incident correlation with protection status for Azure VMs. | | 3.5.1 | 05-11-2025 | Updated API Host Name default value in playbooks and custom connector | | 3.5.0 | 25-07-2025 | Added RubrikTurboThreatHunt and RubrikAdvanceThreatHunt playbooks. RubrikThreatMonitoring and RubrikCriticalAnomaly Analytic Rules also added. | 3.4.0 | 07-04-2025 | Added RubrikUpdateAnomalyStatusViaIncident and RubrikUpdateAnomalyStatus playbook. Enhanced RubrikAnomalyAnalysis playbook. Added User-Agent in every API call of each playbook. Removed policy creation resources from data connector Arm template. diff --git a/Solutions/RubrikSecurityCloud/SolutionMetadata.json b/Solutions/RubrikSecurityCloud/SolutionMetadata.json index a1133327cb2..5bc28b6e321 100644 --- a/Solutions/RubrikSecurityCloud/SolutionMetadata.json +++ b/Solutions/RubrikSecurityCloud/SolutionMetadata.json @@ -2,7 +2,7 @@ "publisherId": "rubrik_inc", "offerId": "rubrik_sentinel", "firstPublishDate": "2022-07-19", - "lastPublishDate": "2025-07-25", + "lastPublishDate": "2026-02-19", "providers": [ "Rubrik" ],
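Review bot: The `descriptionHtml` hunk changes the count to `Data Connectors: 2` but leaves the "Underlying Microsoft Technologies used" list untouched, so it still names only `Azure Monitor HTTP Data Collector API` and `Azure Functions` and still carries the empty numbered items `2.` and `4.`; the connector added in this patch runs on the Codeless Connector Framework and writes through a data collection rule and endpoint (the `dcrConfig` block of the new poller), which customers reading the description before install should see listed, while the HTTP Data Collector API entry describes only the existing function-based connector and is the path Azure Monitor has deprecated in favour of the Logs Ingestion API. Since this string is regenerated anyway, the empty list items should be dropped at the same time.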
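Review bot: The new `dependencies.criteria` entry in the contentPackages hunk pairs `"kind": "DataConnector"` with `variables('_dataConnectorContentIdConnections2')`, yet elsewhere in this patch `_dataConnectorContentIdConnections2` is the `contentId` of the template whose `contentKind` is `ResourcesDataConnector`, and the `DataConnector`-kind definition uses `_dataConnectorContentIdConnectorDefinition2` (its own metadata resource lists Connections2 as a `ResourcesDataConnector` dependency); please confirm which id the package is meant to depend on and make the `kind` match it, so the solution's dependency check does not reference content under the wrong kind.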