Skip to content

Rubrik

Rubrik

About

Rubrik is a cloud data management company based in Palo Alto, California, United States founded in December 2013 with offices in Morrisville, North Carolina, Bangalore, India, Lawrence, Kansas, Amsterdam, Netherlands, Nottingham, England and Cork, Ireland.

Product Details

Vendor URL: Rubrik Data Backup - Gartner on Ransomware Recovery

Product Type: Zero Trust Data Security

Product Tier: Tier I

Integration Method: Syslog, JSON

Integration URL: Security Hardening Best Practices - Rubrik

Log Guide: N/A

Parser Details

Log Format: Syslog

Expected Normalization Rate: 90%

Data Label: RUBRIK

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
auditName principal.user.user_display_name
auditUserId principal.user.userid
class metadata.product_event_type
cluster_name src.resource.parent
clusterId src.hostname
clusterName src.resource.parent
command src.process.command_line
description security_result.action
dhost target.hostname
dhost target.ip
dst target.hostname
dst target.ip
dst_domain target.administrative_domain
dst_port target.port
error_code additional.error_code
errorCode additional.errorCode
error_message additional.error_message
errorMessage additional.errorMessage
error_reason additional.error_reason
errorReason additional.errorReason
error_remedy additional.error_remedy
errorRemedy additional.errorRemedy
event_id additional.event_id
event_series_id additional.event_series_id
eventName metadata.description
file_path src.file.full_path
id additional.id
job_type security_result.description
location principal.location.name
node_ip observer.ip
object_id src.resource.product_object_id
objectId prinicpal.hostname
object_name src.resource.name
objectName src.resource.name
object_type principal.application
objectType principal.application
observer observer.hostname
observer_domain observer.administrative_domain
path src.url
product_event metadata.product_event_type
proto network.ip_protocol
seriesId additional.seriesId
severity security_result.severity
shost principal.hostname
shost principal.ip
source principal.ip
src principal.hostname
src principal.ip
src_domain principal.administrative_domain
src_port principal.port
Statically Defined extensions.auth.type
Statically Defined src.resource.resource_type
Statically Defined metadata.event_type
Statically Defined metadata.vendor_name
summary security_result.summary
suser principal.user.userid
type security_result.description

Product Event Types

type,subtype severity UDM Event Classification alerting enabled
src, dst, and protocol Information NETWORK_CONNECTION
session opened USER_LOGIN
session closed USER_LOGOUT
Default GENERIC_EVENT

Log Sample

<30>Jan 31 16:26:11 OBSERVER_DATA snmpd[909]: Connection from UDP: [10.0.0.1]:59689->[10.0.0.2]:161

Sample Parsing

metadata.event_timestamp = "2022-01-31T16:26:11Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Rubrik"
metadata.product_event_type = "snmpd"
metadata.description = "Connection from UDP: [10.0.0.1]:59689->[10.0.0.2]:161"
metadata.ingested_timestamp = "2022-01-31T16:26:32.615608Z"
metadata.ingestion_labels.key = "cyderes.io/source/agent"
metadata.ingestion_labels.value = "cdp-syslog-forwarder@cyderes.io/latest"
metadata.ingestion_labels.key = "cyderes.io/source/path"
metadata.ingestion_labels.key = "cyderes.io/source/type"
metadata.ingestion_labels.key = "cyderes.io/persistent-object"
metadata.ingestion_labels.value = "cyderes_zh_0.gz"
principal.ip = "10.0.0.1"
principal.port = 59689
principal.asset.ip = "10.0.0.1"
target.ip = "10.0.0.2"
target.port = 161
target.asset.ip = "10.0.0.2"
observer.hostname = "OBSERVER_DATA"
network.ip_protocol = "UDP"

Parser Alerting

This product currently does not have any Parser-based Alerting