Collect Rubrik Security Cloud logs
This document explains how to ingest Rubrik Security Cloud logs to Google Security Operations using webhooks.
Rubrik Security Cloud (RSC) is a SaaS-based data security platform that provides backup, recovery, anomaly detection, and data governance capabilities across cloud and on-premises environments. RSC generates security events, audit logs, and operational activity logs in PagerDuty Common Event Format (PD-CEF) JSON that can be pushed to Google SecOps for centralized monitoring and analysis.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to Rubrik Security Cloud console with permissions to manage webhooks
- Network connectivity from Rubrik Security Cloud to the Google SecOps webhook endpoint
- Access to Google Cloud Console for API key creation
Create a webhook feed in Google SecOps
Create the feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Rubrik Security Cloud Events).
- Select Webhook as the Source type.
- Select Rubrik Security Cloud as the Log type.
- Click Next.
- Specify values for the following input parameters:
  - Split delimiter (optional): Leave empty, because each webhook request contains a single event.
  - Asset namespace: The asset namespace.
  - Ingestion labels: The label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
Generate and save a secret key
After creating the feed, you must generate a secret key for authentication:
- On the feed details page, click Generate Secret Key.
- A dialog displays the secret key.
- Copy and save the secret key securely.
Get the feed endpoint URL
- Go to the Details tab of the feed.
- In the Endpoint Information section, copy the Feed endpoint URL.
- Save this URL for the next steps.
- Click Done.
Create a Google Cloud API key
Google SecOps requires an API key for authentication. Create a restricted API key in the Google Cloud Console.
Create the API key
- Go to the Google Cloud Console Credentials page.
- Select your project (the project associated with your Google SecOps instance).
- Click Create credentials > API key.
- An API key is created and displayed in a dialog.
- Click Edit API key to restrict the key.
Restrict the API key
- In the API key settings page:
  - Name: Enter a descriptive name (for example, Chronicle Webhook API Key).
  - Under API restrictions:
    - Select Restrict key.
    - In the Select APIs drop-down, search for and select Google SecOps API (or Chronicle API).
- Click Save.
- Copy the API key value from the API key field at the top of the page.
- Save the API key securely.
Configure a Rubrik Security Cloud webhook
Construct the webhook URL
- Combine the Google SecOps endpoint URL and API key:
  <ENDPOINT_URL>?key=<API_KEY>
- Example:
  https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...
Create the webhook in Rubrik Security Cloud
- Sign in to Rubrik Security Cloud at https://<account>.my.rubrik.com.
- Click the gear icon in the upper right corner and select Settings.
- Click Notifications and select Webhooks.
- Click Add Webhook.
- The Add Webhook wizard appears.
- In Provider, select Generic.
- In Webhook name, enter a descriptive name (for example, Google SecOps Integration).
- In Endpoint, paste the complete webhook URL with API key from above.
- Turn on Authentication and select Custom as the authentication method.
- Add a custom header:
  - Header Key: Enter X-Chronicle-Auth.
  - Header Value: Paste the secret key from the Google SecOps feed creation.
- Click Next.
- Click Test Webhook to verify that the specified webhook configuration works, and click Next.
- The Select event and severity window appears.
- Select the events that RSC sends to the configured webhook endpoint:
  - Under Events, select the event types to forward:
    - Backup
    - Recovery
    - Anomaly
    - Configuration
    - Diagnostic
    - Sync
    - Maintenance
    - System
  - Under Audit, select the audit types to forward.
  - Under Severity, select the severity levels for triggering alerts:
    - Critical
    - Warning
    - Informational
- Click Next.
- Review the configuration details on the Confirmation window and click Save.
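The procedure above places two different secrets in each delivery: the Google Cloud API key in the URL query string and the feed secret key in the X-Chronicle-Auth header. The following Python block is an added example, not code from Google or Rubrik: it builds the webhook URL exactly as the "Construct the webhook URL" step describes, assembles the request that the Generic provider sends (one JSON event per POST), and models the checks a receiving endpoint applies before accepting an event. The endpoint URL, API key, feed secret and event are constructed placeholders, and check_delivery() is this example's own model of the validation, not Google SecOps' actual implementation.

```python
"""Model of one Rubrik Security Cloud -> Google SecOps webhook delivery.

Added example, not code from Google or Rubrik. check_delivery() is this
example's own model of the endpoint-side checks (an assumption), not Google
SecOps' actual validation.
"""
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed placeholder values; real ones come from the feed and API key pages.
FEED_ENDPOINT = "https://example.invalid/v2/unstructuredlogentries:batchCreate"
API_KEY = "PLACEHOLDER_API_KEY"
FEED_SECRET = "PLACEHOLDER_FEED_SECRET_KEY"

# Constructed PD-CEF event in the shape RSC's Generic provider sends.
SAMPLE_EVENT = {
    "summary": "Failed backup of vSphere VM 'example-vm'.",
    "source": "Rubrik Security Cloud",
    "severity": "critical",
    "timestamp": "2024-07-18T06:39:40.46Z",
    "class": "Backup",
    "custom_details": {"eventName": "Snapshot.BackupFailed", "objectName": "example-vm"},
}


def _with_query(parts, query):
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query, doseq=True), parts.fragment)
    )


def build_webhook_url(endpoint_url, api_key):
    """Append ?key=<API_KEY> to the feed endpoint URL (the 'Construct the webhook URL' step)."""
    parts = urlsplit(endpoint_url)
    query = parse_qs(parts.query)
    query["key"] = [api_key]
    return _with_query(parts, query)


def redact_url(url):
    """The key in the URL is a credential: mask it before the URL goes into logs or tickets."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "key" in query:
        query["key"] = ["REDACTED"]
    return _with_query(parts, query)


def build_delivery(webhook_url, feed_secret, event):
    """The request RSC sends: one JSON event per POST, feed secret in the custom header."""
    return {
        "method": "POST",
        "url": webhook_url,
        "headers": {"Content-Type": "application/json", "X-Chronicle-Auth": feed_secret},
        "body": json.dumps(event),
    }


def check_delivery(delivery, expected_api_key, expected_feed_secret):
    """Model of the endpoint-side checks (assumption). Returns (accepted, reason)."""
    if delivery["method"] != "POST":
        return False, "method must be POST"
    query = parse_qs(urlsplit(delivery["url"]).query)
    api_key = query.get("key", [""])[0]
    if not hmac.compare_digest(api_key, expected_api_key):
        return False, "API key in URL does not match"
    header = delivery["headers"].get("X-Chronicle-Auth", "")
    if not hmac.compare_digest(header, expected_feed_secret):
        return False, "X-Chronicle-Auth header does not match feed secret"
    try:
        body = json.loads(delivery["body"])
    except ValueError:
        return False, "body is not JSON"
    # The feed's split delimiter is left empty, so the body must be exactly one event.
    if not isinstance(body, dict) or "summary" not in body or "timestamp" not in body:
        return False, "body is not a single PD-CEF event"
    return True, "accepted"


if __name__ == "__main__":
    url = build_webhook_url(FEED_ENDPOINT, API_KEY)
    delivery = build_delivery(url, FEED_SECRET, SAMPLE_EVENT)
    print(redact_url(url), check_delivery(delivery, API_KEY, FEED_SECRET))
```

Because the API key travels in the query string, it is visible to any proxy, access log or ticketing system that records full URLs; redact_url() is the habit to apply before pasting the URL anywhere other than the Endpoint field in RSC. The constant-time comparison is there so that a check of this kind does not leak secret length or prefix through timing.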
Verify the webhook is working
Check Rubrik Security Cloud webhook status
- Sign in to Rubrik Security Cloud.
- Go to Settings > Notifications > Webhooks.
- Check the Status column for your webhook (should show Enabled).
- Monitor for any error messages in the webhook details.
Check Google SecOps feed status
- Go to SIEM Settings > Feeds in Google SecOps.
- Check the Status column for your webhook feed (should be Active).
- Check the Events received count (should be incrementing).
- Check the Last succeeded on timestamp (should be recent).
Verify logs in Google SecOps
- Go to Search > UDM Search.
- Use the following query:
  metadata.vendor_name = "Rubrik" AND metadata.product_name = "Rubrik Security Cloud"
- Adjust the time range to the last 1 hour.
- Verify that events appear in the results.
Webhook payload reference
Rubrik Security Cloud sends events in PagerDuty Common Event Format (PD-CEF) by default. The following is an example event payload:

```json
{
  "summary": "Failed backup of vSphere VM 'example-vm'.",
  "source": "Rubrik Security Cloud",
  "severity": "critical",
  "timestamp": "2024-07-18T06:39:40.46Z",
  "class": "Backup",
  "custom_details": {
    "seriesId": "ccd7a8a5-4c58-4c88-bff9-7bdffddb6099",
    "id": "c2b47274-6323-4025-b307-afed1cfb7574",
    "type": "Event",
    "objectId": "83c4a80a-4a57-5699-b399-651089135586",
    "objectName": "example-vm",
    "objectType": "VmwareVm",
    "status": "Failure",
    "clusterId": "6a271636-9392-4cba-90c5-bdbe227854ab",
    "clusterName": "production-cluster",
    "eventName": "Snapshot.BackupFailed",
    "errorId": "Snapshot.VmwareSnapshotError",
    "errorCode": "",
    "errorRemedy": "",
    "errorReason": "",
    "auditUserName": "",
    "auditUserId": "",
    "location": "vcenter.example.com",
    "url": "",
    "customerID": "rubrik-customer",
    "logicalSizeInBytes": "",
    "dataTransferredInBytes": "",
    "effectiveThroughput": ""
  }
}
```
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| audit_info_label | additional.fields | Merged |
| effectiveThroughput_label | additional.fields | Merged |
| group_label | additional.fields | Merged |
| isPolarisAudit_label | additional.fields | Merged |
| label_name_label | additional.fields | Merged |
| node_label | additional.fields | Merged |
| orgID_label | additional.fields | Merged |
| snappable_name_label | additional.fields | Merged |
| snappable_type_label | additional.fields | Merged |
| snapshot_date_label | additional.fields | Merged |
| type_label | additional.fields | Merged |
| userNote_label | additional.fields | Merged |
| has_target | extensions.auth.type | Mapped: true → AUTHTYPE_UNSPECIFIED |
| hunt_date | metadata.event_timestamp | Parsed as ISO8601 |
| timestamp | metadata.event_timestamp | Parsed as ISO8601 |
| has_principal | metadata.event_type | Mapped: true → SCAN_HOST, true → STATUS_UPDATE |
| has_target | metadata.event_type | Mapped: true → USER_LOGIN |
| custom_details.eventName | metadata.product_event_type | Directly mapped |
| custom_details.id | metadata.product_log_id | Directly mapped |
| source | metadata.product_name | Directly mapped |
| custom_details.url | metadata.url_back_to_product | Directly mapped |
| custom_details.dataTransferredInBytes | network.sent_bytes | Directly mapped |
| custom_details.customerID | principal.administrative_domain | Directly mapped |
| domain | principal.domain.name | Directly mapped |
| custom_details.ipAddress | principal.ip | Merged |
| ip_address | principal.ip | Merged |
| is_ip_assigned | principal.ip | Mapped: false → ip_address |
| custom_details.clusterName | principal.resource.name | Directly mapped |
| custom_details.clusterId | principal.resource.product_object_id | Directly mapped |
| user_email | principal.user.email_addresses | Merged |
| custom_details.auditUserName | principal.user.user_display_name | Directly mapped |
| user_name | principal.user.user_display_name | Directly mapped |
| action_name | security_result.action | Merged |
| custom_details.status | security_result.action_details | Directly mapped |
| category_temp | security_result.category | Merged |
| class | security_result.category_details | Merged |
| confidence | security_result.confidence_details | Directly mapped |
| custom_details.errorMessage | security_result.description | Directly mapped |
| access_type_label | security_result.detection_fields | Merged |
| action_date_label | security_result.detection_fields | Merged |
| detection_time_label | security_result.detection_fields | Merged |
| directories_snoozed_label | security_result.detection_fields | Merged |
| directories_unsnoozed_label | security_result.detection_fields | Merged |
| document_count_label | security_result.detection_fields | Merged |
| encryption_level_label | security_result.detection_fields | Merged |
| errorCode_label | security_result.detection_fields | Merged |
| errorId_label | security_result.detection_fields | Merged |
| errorReason_label | security_result.detection_fields | Merged |
| errorRemedy_label | security_result.detection_fields | Merged |
| event_info_label | security_result.detection_fields | Merged |
| failed_document_count_label | security_result.detection_fields | Merged |
| file_matches_label | security_result.detection_fields | Merged |
| files_created_count_label | security_result.detection_fields | Merged |
| files_modified_count_label | security_result.detection_fields | Merged |
| files_removed_count_label | security_result.detection_fields | Merged |
| files_suspicious_count_label | security_result.detection_fields | Merged |
| hash_tf_version_label | security_result.detection_fields | Merged |
| identity_name_label | security_result.detection_fields | Merged |
| num_files_with_matches_label | security_result.detection_fields | Merged |
| num_hash_matches_label | security_result.detection_fields | Merged |
| num_of_violating_identities_label | security_result.detection_fields | Merged |
| num_yara_rule_matches_label | security_result.detection_fields | Merged |
| obj_failed_label | security_result.detection_fields | Merged |
| obj_partially_succeeded_label | security_result.detection_fields | Merged |
| obj_succeeded_label | security_result.detection_fields | Merged |
| object_matches_label | security_result.detection_fields | Merged |
| policy_name_label | security_result.detection_fields | Merged |
| reason_label | security_result.detection_fields | Merged |
| remediation_type_label | security_result.detection_fields | Merged |
| remedy_label | security_result.detection_fields | Merged |
| risk_name_label | security_result.detection_fields | Merged |
| seriesID_label | security_result.detection_fields | Merged |
| seriesId_label | security_result.detection_fields | Merged |
| skipped_document_count_label | security_result.detection_fields | Merged |
| strain_name_label | security_result.detection_fields | Merged |
| successful_document_count_label | security_result.detection_fields | Merged |
| total_accessible_files_at_risk_count_label | security_result.detection_fields | Merged |
| vm_count_label | security_result.detection_fields | Merged |
| yara_tf_version_label | security_result.detection_fields | Merged |
| hunt_name | security_result.rule_name | Directly mapped |
| hunt_type | security_result.rule_type | Directly mapped |
| is_severity_assigned | security_result.severity | Mapped: false → INFORMATIONAL, false → MEDIUM |
| severity | security_result.severity | Mapped: INFO → INFORMATIONAL, WARNING → MEDIUM |
| severity_name | security_result.severity | Mapped: INFO → INFORMATIONAL, WARNING → MEDIUM |
| severity | security_result.severity_details | Directly mapped |
| severity_name | security_result.severity_details | Directly mapped |
| summary | security_result.summary | Directly mapped |
| threat_feed_type | security_result.threat_feed_name | Directly mapped |
| custom_details.logicalSizeInBytes | target.file.size | Directly mapped |
| client_id_label | target.labels | Merged |
| client_name_label | target.labels | Merged |
| custom_details.location | target.location.name | Directly mapped |
| custom_details.objectName | target.resource.name | Directly mapped |
| object_name | target.resource.name | Directly mapped |
| resource_name | target.resource.name | Directly mapped |
| custom_details.objectId | target.resource.product_object_id | Directly mapped |
| component | target.resource.resource_subtype | Directly mapped |
| custom_details.objectType | target.resource.resource_subtype | Directly mapped |
| is_object_type_assigned | target.resource.resource_type | Mapped: false → UNSPECIFIED |
| class | target.user.email_addresses | Mapped: Login → user_email |
| user_email | target.user.email_addresses | Merged |
| each_group | target.user.group_identifiers | Merged |
| custom_details.auditUserName | target.user.user_display_name | Directly mapped |
| user_name | target.user.user_display_name | Directly mapped |
| custom_details.auditUserId | target.user.userid | Directly mapped |
| N/A | extensions.auth.type | Constant: AUTHTYPE_UNSPECIFIED |
| N/A | metadata.event_type | Constant: USER_LOGIN |
| N/A | metadata.product_name | Constant: RUBRIK SECURITY CLOUD |
| N/A | metadata.vendor_name | Constant: RUBRIK |
| N/A | principal.resource.resource_type | Constant: CLUSTER |
| N/A | security_result.severity | Constant: INFORMATIONAL |
| N/A | target.resource.resource_type | Constant: UNSPECIFIED |
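To see what the mapping table produces for the example payload above, the following Python block applies the rows that the sample event exercises and returns a nested UDM-style dictionary. It is an added example, not Google's parser or Rubrik's code: it covers the direct mappings, the severity rows (INFO → INFORMATIONAL, WARNING → MEDIUM, otherwise the table's INFORMATIONAL constant), the constants, the ISO8601 timestamp parsing, and the fact that empty custom_details strings must not become UDM fields. Where the table lists several event_type outcomes, the choice of USER_LOGIN for Login-class events and STATUS_UPDATE otherwise is this example's assumption; the sample event is the page's own payload, reconstructed inline.

```python
"""Model of the PD-CEF -> UDM mapping for a Rubrik Security Cloud event.

Added example, not Google's parser. It applies the mapping-table rows that the
sample payload exercises. The event_type choice is an assumption (see below).
"""
from datetime import datetime, timezone

SEVERITY_MAP = {"INFO": "INFORMATIONAL", "WARNING": "MEDIUM"}  # table rows for severity
DEFAULT_SEVERITY = "INFORMATIONAL"                              # table constant
DETECTION_FIELD_KEYS = ("errorCode", "errorId", "errorReason", "errorRemedy", "seriesId")

# Constructed copy of the page's example payload (same values, same empty strings).
SAMPLE_EVENT = {
    "summary": "Failed backup of vSphere VM 'example-vm'.",
    "source": "Rubrik Security Cloud",
    "severity": "critical",
    "timestamp": "2024-07-18T06:39:40.46Z",
    "class": "Backup",
    "custom_details": {
        "seriesId": "ccd7a8a5-4c58-4c88-bff9-7bdffddb6099",
        "id": "c2b47274-6323-4025-b307-afed1cfb7574", "type": "Event",
        "objectId": "83c4a80a-4a57-5699-b399-651089135586",
        "objectName": "example-vm", "objectType": "VmwareVm", "status": "Failure",
        "clusterId": "6a271636-9392-4cba-90c5-bdbe227854ab",
        "clusterName": "production-cluster", "eventName": "Snapshot.BackupFailed",
        "errorId": "Snapshot.VmwareSnapshotError", "errorCode": "", "errorRemedy": "",
        "errorReason": "", "auditUserName": "", "auditUserId": "",
        "location": "vcenter.example.com", "url": "", "customerID": "rubrik-customer",
        "logicalSizeInBytes": "", "dataTransferredInBytes": "", "effectiveThroughput": "",
    },
}


def parse_timestamp(raw):
    """'Parsed as ISO8601': accept with or without fractional seconds; 'Z' means UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def map_severity(raw):
    """INFO -> INFORMATIONAL, WARNING -> MEDIUM; anything else falls back to the constant."""
    return SEVERITY_MAP.get((raw or "").upper(), DEFAULT_SEVERITY)


def _put(udm, path, value):
    """Set a dotted UDM path such as 'principal.resource.name', skipping empty values."""
    if value is None or value == "":
        return
    keys = path.split(".")
    node = udm
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def pdcef_to_udm(event):
    cd = event.get("custom_details") or {}
    is_login = event.get("class") == "Login"
    udm = {}
    _put(udm, "metadata.event_timestamp", parse_timestamp(event["timestamp"]).isoformat())
    _put(udm, "metadata.vendor_name", "RUBRIK")
    _put(udm, "metadata.product_name", event.get("source") or "RUBRIK SECURITY CLOUD")
    _put(udm, "metadata.product_event_type", cd.get("eventName"))
    _put(udm, "metadata.product_log_id", cd.get("id"))
    _put(udm, "metadata.url_back_to_product", cd.get("url"))
    # Assumption: USER_LOGIN for Login-class events, STATUS_UPDATE for everything else.
    _put(udm, "metadata.event_type", "USER_LOGIN" if is_login else "STATUS_UPDATE")
    if cd.get("dataTransferredInBytes"):
        _put(udm, "network.sent_bytes", int(cd["dataTransferredInBytes"]))
    _put(udm, "principal.administrative_domain", cd.get("customerID"))
    _put(udm, "principal.resource.name", cd.get("clusterName"))
    _put(udm, "principal.resource.product_object_id", cd.get("clusterId"))
    _put(udm, "principal.resource.resource_type", "CLUSTER")
    _put(udm, "principal.user.user_display_name", cd.get("auditUserName"))
    _put(udm, "security_result.summary", event.get("summary"))
    _put(udm, "security_result.severity", map_severity(event.get("severity")))
    _put(udm, "security_result.severity_details", event.get("severity"))
    _put(udm, "security_result.category_details", event.get("class"))
    _put(udm, "security_result.action_details", cd.get("status"))
    _put(udm, "security_result.description", cd.get("errorMessage"))
    labels = [{"key": k, "value": cd[k]} for k in DETECTION_FIELD_KEYS if cd.get(k)]
    _put(udm, "security_result.detection_fields", labels or None)
    if cd.get("logicalSizeInBytes"):
        _put(udm, "target.file.size", int(cd["logicalSizeInBytes"]))
    _put(udm, "target.location.name", cd.get("location"))
    _put(udm, "target.resource.name", cd.get("objectName"))
    _put(udm, "target.resource.product_object_id", cd.get("objectId"))
    _put(udm, "target.resource.resource_subtype", cd.get("objectType"))
    _put(udm, "target.resource.resource_type", "UNSPECIFIED")
    _put(udm, "target.user.user_display_name", cd.get("auditUserName"))
    _put(udm, "target.user.userid", cd.get("auditUserId"))
    if is_login and event.get("user_email"):  # table row: class Login -> user_email
        _put(udm, "target.user.email_addresses", [event["user_email"]])
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(pdcef_to_udm(SAMPLE_EVENT), indent=2))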