Rubrik¶
About¶
Rubrik is a cloud data management company based in Palo Alto, California, United States founded in December 2013 with offices in Morrisville, North Carolina, Bangalore, India, Lawrence, Kansas, Amsterdam, Netherlands, Nottingham, England and Cork, Ireland.
Product Details¶
Vendor URL: Rubrik Data Backup - Gartner on Ransomware Recovery
Product Type: Zero Trust Data Security
Product Tier: Tier I
Integration Method: Syslog, JSON
Integration URL: Security Hardening Best Practices - Rubrik
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: RUBRIK
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
auditName | principal.user.user_display_name |
auditUserId | principal.user.userid |
class | metadata.product_event_type |
cluster_name | src.resource.parent |
clusterId | src.hostname |
clusterName | src.resource.parent |
command | src.process.command_line |
description | security_result.action |
dhost | target.hostname |
dhost | target.ip |
dst | target.hostname |
dst | target.ip |
dst_domain | target.administrative_domain |
dst_port | target.port |
error_code | additional.error_code |
errorCode | additional.errorCode |
error_message | additional.error_message |
errorMessage | additional.errorMessage |
error_reason | additional.error_reason |
errorReason | additional.errorReason |
error_remedy | additional.error_remedy |
errorRemedy | additional.errorRemedy |
event_id | additional.event_id |
event_series_id | additional.event_series_id |
eventName | metadata.description |
file_path | src.file.full_path |
id | additional.id |
job_type | security_result.description |
location | principal.location.name |
node_ip | observer.ip |
object_id | src.resource.product_object_id |
objectId | prinicpal.hostname |
object_name | src.resource.name |
objectName | src.resource.name |
object_type | principal.application |
objectType | principal.application |
observer | observer.hostname |
observer_domain | observer.administrative_domain |
path | src.url |
product_event | metadata.product_event_type |
proto | network.ip_protocol |
seriesId | additional.seriesId |
severity | security_result.severity |
shost | principal.hostname |
shost | principal.ip |
source | principal.ip |
src | principal.hostname |
src | principal.ip |
src_domain | principal.administrative_domain |
src_port | principal.port |
Statically Defined | extensions.auth.type |
Statically Defined | src.resource.resource_type |
Statically Defined | metadata.event_type |
Statically Defined | metadata.vendor_name |
summary | security_result.summary |
suser | principal.user.userid |
type | security_result.description |
Product Event Types¶
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
src, dst, and protocol Information | NETWORK_CONNECTION | ||
session opened | USER_LOGIN | ||
session closed | USER_LOGOUT | ||
Default | GENERIC_EVENT |
Log Sample¶
<30>Jan 31 16:26:11 OBSERVER_DATA snmpd[909]: Connection from UDP: [10.0.0.1]:59689->[10.0.0.2]:161
Sample Parsing¶
metadata.event_timestamp = "2022-01-31T16:26:11Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Rubrik"
metadata.product_event_type = "snmpd"
metadata.description = "Connection from UDP: [10.0.0.1]:59689->[10.0.0.2]:161"
metadata.ingested_timestamp = "2022-01-31T16:26:32.615608Z"
metadata.ingestion_labels.key = "cyderes.io/source/agent"
metadata.ingestion_labels.value = "cdp-syslog-forwarder@cyderes.io/latest"
metadata.ingestion_labels.key = "cyderes.io/source/path"
metadata.ingestion_labels.key = "cyderes.io/source/type"
metadata.ingestion_labels.key = "cyderes.io/persistent-object"
metadata.ingestion_labels.value = "cyderes_zh_0.gz"
principal.ip = "10.0.0.1"
principal.port = 59689
principal.asset.ip = "10.0.0.1"
target.ip = "10.0.0.2"
target.port = 161
target.asset.ip = "10.0.0.2"
observer.hostname = "OBSERVER_DATA"
network.ip_protocol = "UDP"
Parser Alerting¶
This product currently does not have any Parser-based Alerting