Anomaly Detection has a dedicated page that lists potential anomalous incidents with their location, cluster, file details, and snapshot time. If you have Cyber Recovery (discussed in a later section) enabled, objects that are part of a recovery plan will be grouped under that recovery plan.
By looking at this page, you now have an understanding of which systems and applications have been affected by the cyber attack.
Now, let's dive deeper into which folders and files are impacted.
Having access to this kind of information is invaluable. Keeping track of every anomaly in your environment lets you locate the affected data and recover it from a clean snapshot. There are multiple options for recovery, which we will discuss in the next section.
Expand the Haverford_site recovery plan and click on haverford-webapp-01 VM.
Expand the Suspicious filter from the left side and select Suspicious as the file type.
Browse the tree to see exactly which files and folders have been affected. In this case, drill down to var > www > html > wp-content > plugins.
You can now see that there are several files that have been encrypted.
Now that you have determined the blast radius, you can proceed to recovery.
Without Anomaly Detection, it would be a "needle in a haystack" exercise to figure out which systems, files, and folders were impacted and which snapshot is the last clean recovery point.
As Rubrik collects each backup snapshot's metadata, it applies machine learning to build a baseline of the workload's normal change behaviour. The model learns the trends present across all samples and classifies new snapshots by how closely they resemble that baseline, without requiring human input or labelled training data. The result is that Anomaly Detection flags the anomalous snapshot, analyzes the threat, and helps accelerate recovery with a few clicks.
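As an added example (not Rubrik's code or its model), the toy detector below shows the two steps the preceding passages describe on snapshot metadata: first flag a snapshot whose change pattern deviates from the workload's baseline, then derive the blast radius from it, that is the last clean snapshot (the recovery point) and the list of changed files under a given path (the files to restore instead of the whole VM). It assumes each snapshot exposes a file listing with path, size and a per-file entropy estimate; the snapshot timestamps, paths, sizes and entropy values are constructed sample data modelled on the haverford-webapp-01 plugins folder used in the lab.

```python
"""Toy anomaly detection over backup-snapshot metadata (added example, not
Rubrik's algorithm). Assumes each snapshot is a {path: FileMeta} listing
with a hypothetical per-file entropy estimate in bits per byte."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev

PLUGINS = "/var/www/html/wp-content/plugins"


@dataclass(frozen=True)
class FileMeta:
    path: str
    size: int
    entropy: float  # 0..8 bits/byte; near 8 means compressed or encrypted


Snapshot = dict[str, FileMeta]


def change_features(prev: Snapshot, cur: Snapshot) -> dict:
    """Describe what changed between two consecutive snapshots."""
    modified = [p for p in cur if p in prev and cur[p] != prev[p]]
    added = [p for p in cur if p not in prev]
    deleted = [p for p in prev if p not in cur]
    touched = modified + added
    # Only files that changed count: untouched high-entropy files (JPEGs,
    # archives) are normal and must not trigger the detector.
    high_entropy = [p for p in touched if cur[p].entropy >= 7.5]
    return {
        "modified": len(modified), "added": len(added), "deleted": len(deleted),
        "high_entropy_ratio": len(high_entropy) / len(touched) if touched else 0.0,
        "changed_paths": sorted(touched),
    }


def detect_anomalies(snapshots: list[tuple[str, Snapshot]], z_threshold: float = 3.0,
                     entropy_ratio: float = 0.5, min_history: int = 3) -> list[dict]:
    """Walk snapshots in time order. The baseline is the mean/stdev of the
    change count of earlier snapshots judged clean; a snapshot is anomalous
    when its change count is an outlier AND most changed files look encrypted."""
    results, history = [], []
    for i in range(1, len(snapshots)):
        f = change_features(snapshots[i - 1][1], snapshots[i][1])
        changed = f["modified"] + f["added"] + f["deleted"]
        anomalous = False
        if len(history) >= min_history:
            mu, sigma = mean(history), pstdev(history)
            if sigma > 0:
                z = (changed - mu) / sigma
            else:  # flat baseline: any increase is infinitely many sigmas away
                z = float("inf") if changed > mu else 0.0
            anomalous = z > z_threshold and f["high_entropy_ratio"] >= entropy_ratio
        if not anomalous:
            history.append(changed)  # keep the baseline free of attack data
        results.append({"time": snapshots[i][0], "anomalous": anomalous, **f})
    return results


def blast_radius(snapshots: list[tuple[str, Snapshot]], results: list[dict],
                 prefix: str = "") -> dict | None:
    """First anomalous snapshot, the last clean one before it, and the
    changed paths under `prefix` (the files worth restoring)."""
    for idx, r in enumerate(results):
        if r["anomalous"]:
            # results[idx] compares snapshots[idx] -> snapshots[idx + 1]
            return {"anomalous_snapshot": r["time"],
                    "last_clean_snapshot": snapshots[idx][0],
                    "affected": [p for p in r["changed_paths"] if p.startswith(prefix)]}
    return None


def build_sample_snapshots() -> list[tuple[str, Snapshot]]:
    """Constructed data: five clean daily snapshots (log growth plus one routine
    plugin edit each), then one where every plugin file is rewritten with
    near-maximal entropy, as a ransomware run would leave it."""
    files: Snapshot = {}
    for i in range(20):
        p = f"{PLUGINS}/plugin{i // 5}/file{i % 5}.php"
        files[p] = FileMeta(p, 3000 + 40 * i, 4.6)
    for i in range(5):
        p = f"/var/www/html/wp-content/uploads/img{i}.jpg"
        files[p] = FileMeta(p, 120_000 + 1000 * i, 7.8)  # legitimately high entropy
    log = "/var/log/apache2/access.log"
    files[log] = FileMeta(log, 50_000, 5.1)

    snaps, cur = [], files
    for day in range(1, 6):
        cur = dict(cur)
        cur[log] = FileMeta(log, cur[log].size + 2_000, 5.1)
        p = f"{PLUGINS}/plugin{day % 4}/file0.php"
        cur[p] = FileMeta(p, cur[p].size + 8, 4.6)
        snaps.append((f"2024-03-0{day}T02:00", cur))
    cur = dict(cur)
    for p in list(cur):
        if p.startswith(PLUGINS):
            cur[p] = FileMeta(p, cur[p].size + 16, 7.95)
    cur[log] = FileMeta(log, cur[log].size + 2_000, 5.1)
    snaps.append(("2024-03-06T02:00", cur))
    return snaps


if __name__ == "__main__":
    snaps = build_sample_snapshots()
    res = detect_anomalies(snaps)
    for r in res:
        print(r["time"], "ANOMALY" if r["anomalous"] else "clean", r["modified"], r["high_entropy_ratio"])
    print(blast_radius(snaps, res, PLUGINS))
```

Two design points carry over to any real detector: the baseline is updated only with snapshots judged clean, so the attack does not teach the model that mass encryption is normal, and entropy is evaluated only on files that changed, so a media library full of JPEGs does not look like an attack. Swapping in a different statistic (bytes changed, file-extension churn) changes nothing structurally.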
Anomaly Detection is available in the Rubrik Security Cloud as an application.
If you haven't already connected to the Rubrik Security Cloud, head back to the
Once you're logged in, click the app-tray icon in the top right of the user interface, then select Data Threat Analytics.
The SecOps team wants to understand the blast radius of the attack. Currently, they can't figure out when the attack started, which applications were affected, or whether there is a clean copy to recover from.
You have access to the Rubrik Enterprise edition, so let's start with Anomaly Detection to see how you can help the SecOps team.
Many ransomware recovery plans are based on restoring entire VMs. A ransomware attack doesn't encrypt every file, so you shouldn't need to restore every file to recover. Normal day-to-day business functions routinely change data, and those changes are coordinated across multiple files, databases, or even VMs. Rolling back files that weren't affected by the attack can therefore lose legitimate transactions or leave the system out of sync with others.
A far better approach is to build file-level restore, such as Rubrik's instant file recovery, into the recovery plan alongside full-VM restore, so that you can recover only what you need.
Let's discuss how Zaffre can take advantage of this.
The IT team can navigate to Haverford_Site > haverford-webapp-01 > var > www > html > wp-content > plugins folder as explained in the previous Ransomware Investigation lab section.
Select all the files on the page by ticking the box in the header row next to Name.
After selecting the files, notice that the Recover button becomes available.
Click on Recover and observe the various options available to recover the files.
For now, exit out of the recovery option. We will perform the recovery in a later section.
With Rubrik, multiple options for instant file recovery are available at your fingertips!
From the Anomaly Detection dashboard, you can see the critical events that were discovered over the past 24 hours. The Status card, on the top-left row, displays the number of anomalies detected in the last 24 hours.
Because the Status card covers only the last 24 hours, the anomaly events may no longer be visible there, depending on how long ago the labs were pre-provisioned.
Next, on the top-right row, the Pipeline card displays the overall success of backup, indexing, and analysis jobs in the last 24 hours. You can click on each job type to view details on the Events page.
The File Analysis and Data Analysis cards give you an overview of the systems, files, and amount of data impacted by the cyber events over the last seven days.
Without any deep investigation, you already know the scope of the problem in the production environment. Let's dive in and get more granular.
Click on the Investigations page in the banner on the top.