What Changed

New Codeless Connector Framework (CCF) data connector for Rubrik Security Cloud that ingests comprehensive backup and protection status data for Azure VMs into Microsoft Sentinel. The connector creates a custom table RubrikProtectionStatus_CL with 49 data fields covering compliance status, snapshot counts, storage metrics, SLA assignments, and cluster information.

Security Impact (Visibility & Fidelity)

This connector addresses a critical visibility gap in ransomware incident response by enabling automatic correlation of security alerts with backup infrastructure health. Security teams can now:

  • Ransomware Recovery Readiness: Immediately assess whether compromised assets have recent, clean backups available during an active incident
  • Attack Pattern Detection: Identify sophisticated attacks that specifically target backup infrastructure to prevent recovery
  • Incident Correlation: Join SecurityAlert events with backup status using asset identifiers to determine blast radius and recovery options
  • Backup Anomaly Detection: Detect sudden compliance failures, missing snapshots, or unusual storage consumption coinciding with security events

The connector polls the Rubrik Security Cloud GraphQL API every 60 minutes, authenticating with OAuth2 client credentials, and collects protection telemetry that was previously invisible to security operations.

Data Source

  • Product: Rubrik Security Cloud backup and data protection platform
  • API: GraphQL API with OAuth2 service account authentication
  • Data Types: VM backup status, SLA compliance, snapshot metadata, storage efficiency metrics
  • Target Table: RubrikProtectionStatus_CL (custom table with 49 fields)

Ingestion Mechanism

  • Framework: Codeless Connector Framework (CCF) with Data Collection Rule (DCR)
  • Polling Interval: 60 minutes (configurable)
  • Authentication: OAuth2 client credentials flow
  • Rate Limiting: 5 queries per second

Detection Surface Unlocked

Security teams gain visibility into backup infrastructure that attackers commonly target to prevent recovery:

  • Correlation of security incidents with backup compliance failures
  • Detection of backup job failures during suspicious activity windows
  • Monitoring of snapshot deletion patterns that indicate ransomware preparation
  • Assessment of data-reduction anomalies suggesting encryption activity (encrypted data neither deduplicates nor compresses well, so a sharp drop in a VM's data-reduction ratio is a signal worth investigating)
  • Tracking of SLA domain changes that could indicate policy tampering
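The snapshot-deletion and SLA-change monitoring described above can be expressed as a single per-asset comparison of consecutive poll results. The query below is an added example, not one of the README's queries; the column names on RubrikProtectionStatus_CL (VmName, AzureResourceId, SnapshotCount, SlaDomainName, ComplianceStatus) are assumed, since the table's actual 49 fields are not listed here, and the ComplianceStatus value "InCompliance" is likewise a placeholder.

```kql
// Added example. Column names on RubrikProtectionStatus_CL are assumed
// (VmName, AzureResourceId, SnapshotCount, SlaDomainName, ComplianceStatus).
let lookback = 7d;
RubrikProtectionStatus_CL
| where TimeGenerated > ago(lookback)
| project TimeGenerated, VmName, AzureResourceId, SnapshotCount, SlaDomainName, ComplianceStatus
// Order rows per asset so prev() sees the previous poll for the same VM
| sort by AzureResourceId asc, TimeGenerated asc
| extend PrevSnapshotCount = prev(SnapshotCount, 1),
         PrevSla = prev(SlaDomainName, 1),
         PrevResource = prev(AzureResourceId, 1)
// prev() does not stop at asset boundaries, so drop the first row of each asset
| where PrevResource == AzureResourceId
| extend SnapshotDrop = PrevSnapshotCount - SnapshotCount
| extend Finding = case(
    SnapshotDrop > 0 and ComplianceStatus != "InCompliance", "snapshots removed and asset now out of compliance",
    SnapshotDrop > 0, "snapshots removed",
    PrevSla != SlaDomainName, strcat("SLA domain changed from ", PrevSla, " to ", SlaDomainName),
    "")
| where isnotempty(Finding)
| project TimeGenerated, VmName, AzureResourceId, PrevSnapshotCount, SnapshotCount, PrevSla, SlaDomainName, Finding
```

A legitimate retention roll-off also lowers SnapshotCount by one, so in practice the SnapshotDrop threshold should be tuned per SLA domain (or the query restricted to drops larger than the expected daily expiry) before it is wired to an analytics rule.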

The README includes sample KQL queries for correlating SecurityAlert events with backup status and identifying critical risks where compromised assets lack adequate backup protection.
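As an added illustration of the SecurityAlert correlation the README's queries cover (this query is not one of them), the following joins each recent alert to the latest protection record for the named asset and labels the recovery risk. SecurityAlert and its CompromisedEntity, AlertName and AlertSeverity columns are standard Microsoft Sentinel columns; the RubrikProtectionStatus_CL columns (VmName, ComplianceStatus, LastSnapshotTime, SlaDomainName) and the value "InCompliance" are assumed.

```kql
// Added example. SecurityAlert columns are standard; the RubrikProtectionStatus_CL
// columns (VmName, ComplianceStatus, LastSnapshotTime, SlaDomainName) are assumed.
let alertWindow = 24h;
let maxBackupAge = 24h;
// Latest protection record per VM, so each alert joins to current backup state only
let latestBackupState =
    RubrikProtectionStatus_CL
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by VmName
    | project VmName = tolower(VmName), BackupReportedAt = TimeGenerated,
              ComplianceStatus, LastSnapshotTime, SlaDomainName;
SecurityAlert
| where TimeGenerated > ago(alertWindow)
| where AlertSeverity in ("High", "Medium")
// Normalise the asset name so case differences between sources do not break the join
| extend VmName = tolower(CompromisedEntity)
| join kind=leftouter latestBackupState on VmName
| extend BackupAge = now() - LastSnapshotTime
| extend RecoveryRisk = case(
    isempty(ComplianceStatus), "no backup record for this asset",
    ComplianceStatus != "InCompliance", "asset out of SLA compliance",
    BackupAge > maxBackupAge, strcat("last snapshot older than ", tostring(maxBackupAge)),
    "recent backup available")
| project TimeGenerated, AlertName, AlertSeverity, VmName, RecoveryRisk,
          ComplianceStatus, LastSnapshotTime, SlaDomainName, BackupReportedAt
// "High" sorts before "Medium"; within a severity, the stalest backups surface first
| sort by AlertSeverity asc, BackupAge desc
```

The leftouter join is deliberate: an alert on an asset with no RubrikProtectionStatus_CL row at all is the highest-risk case for recovery and must not be filtered out by an inner join. CompromisedEntity is a free-text field, so on workspaces where it carries hostnames rather than VM names the join key should be taken from the parsed Entities column instead.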

Affected Files

Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/README.md
Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json
Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCE.json
Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCR.json
Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_PollerConfig.json
Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_Table.json
Solutions/RubrikSecurityCloud/Package/testParameters.json
(packaging artefacts: 3.5.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RubrikSecurityCloud.json, createUiDefinition.json, mainTemplate.json)