Rubrik IOC Scan v2 - Rubrik Polaris

This playbook starts an advance IOC Scan with the provided IOC values and shows the results upon completion.

Rubrik Security Cloud · 19 tasks · 16 inputs · 1 output

Inputs

  • object_ids — The Object ID of the system on which to perform the scan. Supports comma separated values. Note: Users can get the list of object IDs by executing the "rubrik-polaris-objects-list" command.
  • start_date — Filter the snapshots from the provided date. Any snapshots taken before the provided date-time will be excluded. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.
  • end_date — Filter the snapshots until the provided date. Any snapshots taken after the provided date-time will be excluded. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.
  • ioc_path — Path of IOC to scan. Supports comma separated multiple values. Note: Do not provide quoted values. Provide the values in proper JSON format (Example: C:\\Users\\Malware_Executible.ps1).
  • ioc_hash — Hash of IOC to scan. Supports comma separated multiple values. Note: Do not provide quoted values.
  • ioc_yara_rule — Yara Rule(s) for IOC scan. Note: Do not provide quoted values. Provide the values in proper JSON format.
  • polling_interval — Frequency that the IOC scan command will run (minutes).
  • polling_timeout — Amount of time to poll before declaring a timeout and resuming the playbook (in minutes).
  • paths_to_include — Paths to include in the scan. Supports comma separated values. Note: Do not provide quoted values. Format accepted: path_to_include_1, path_to_include_2.
  • paths_to_exclude — Paths to exclude from the scan. Supports comma separated values. Note: Do not provide quoted values. Format accepted: path_to_exclude_1, path_to_exclude_2.
  • paths_to_exempt — Paths to exempt from exclusion. Supports comma separated values. Note: Do not provide quoted values. Format accepted: path_to_exempt_1, path_to_exempt_2.
  • scan_name — Name of the new advanced threat hunt scan.
  • max_file_size — Maximum size of the file in bytes that will be included in the scan. The maximum allowed size is 15000000 bytes.
  • min_file_size — Minimum size of the file in bytes that will be included in the scan. The maximum allowed size is 15000000 bytes.
  • max_matches_per_snapshot — Maximum number of IOC matches allowed per snapshot.
  • max_snapshots_per_object — Maximum number of snapshots to scan per object.

Outputs

  • RubrikPolaris.IOCScan — The results of the IOC scan.

Commands used

rubrik-advance-ioc-scan rubrik-ioc-scan-results-v2

Flowchart

yes yes yes yes Start Start Start Advance IOC scan - rubrik-advance-ioc-scan Start Advance IOC scan rubrik-advance-ioc-scan Done Done Prepare IOC Path - Set Prepare IOC Path Set Prepare IOC Hash - Set Prepare IOC Hash Set Prepare advance IOC - Set Prepare advance IOC Set Get scan results - rubrik-ioc-scan-results-v2 Get scan results rubrik-ioc-scan-results-v2 Prepare advance IOC value Prepare advance IOC value Prepare IOC Yara Rule - Set Prepare IOC Yara Rule Set Start IOC scan Start IOC scan Is Rubrik Polaris integration enabled? Is Rubrik Polaris integra... Is IOC values are provided? Is IOC values are provided? Provide IOC values and details to start Advance IOC scan Provide IOC values and de... Is IOC values are provided? Is IOC values are provided? Is object ID provided? Is object ID provided? Provide object IDs Provide object IDs Print exit message - Print Print exit message Print Clear previous inputs - DeleteContext Clear previous inputs DeleteContext GenericPolling - GenericPolling GenericPolling GenericPolling