Based on the direction from the SOC team, you will now quarantine the threat so that this snapshot is never used for recovery and reinfection is avoided.
To get started:
Select the eicar.com file.
Click QUARANTINE next to the (...) ellipses.
On the Quarantine Objects wizard, click QUARANTINE.
Click DONE.
Congratulations on quarantining the threat!
You can now use the hash values (MD5, SHA1, SHA256) to run a complete Threat Hunt across older snapshots and confirm that none of them contain the IOC.
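The hunt described above, as an added stand-alone example that is not Rubrik's code and does not use the Rubrik API: it takes the MD5/SHA1/SHA256 values from an IOC record, hashes every file in each mounted snapshot, reports which snapshots and paths match, and picks the newest snapshot with no match as the recovery point. The snapshot directories, file contents and the "eicar.com" placeholder are constructed in a temporary directory (the real EICAR string is deliberately not embedded, so the script runs offline without tripping antivirus); the function names are assumptions for this example.

```python
"""Hash-based IOC hunt across backup snapshots (added example, not Rubrik code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# CONSTRUCTED placeholder content that stands in for eicar.com in this example.
# Its hashes are computed at runtime so nothing here is copied from a real feed.
MALICIOUS_CONTENT = b"CONSTRUCTED-SAMPLE: stands in for eicar.com in this example\n"
ALGOS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory blob, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path: Path) -> dict:
    """Stream a file through all three hashers in one pass (snapshots can be large)."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def build_ioc_index(iocs) -> dict:
    """Map every hash value (any algorithm, lower-cased) to its IOC name so one
    lookup works even if a feed gives MD5 for one IOC and SHA256 for another."""
    index = {}
    for ioc in iocs:
        for algo in ALGOS:
            value = ioc.get(algo)
            if value:
                index[value.lower()] = ioc["name"]
    return index


def hunt(snapshot_roots, ioc_index) -> dict:
    """Walk each mounted snapshot (ordered oldest first) and return
    {ioc_name: [(snapshot_name, relative_path), ...]} for every match."""
    hits = {}
    for snap_name, root in snapshot_roots:
        root = Path(root)
        for path in sorted(root.rglob("*")):
            if not path.is_file():
                continue
            file_hashes = hash_file(path)
            for algo in ALGOS:
                name = ioc_index.get(file_hashes[algo])
                if name:
                    hits.setdefault(name, []).append(
                        (snap_name, path.relative_to(root).as_posix()))
                    break  # one hit per file is enough
    return hits


def latest_clean_snapshot(snapshot_roots, hits):
    """Newest snapshot with no IOC hit: the recovery point the SOC can use."""
    infected = {snap for matches in hits.values() for snap, _ in matches}
    for snap_name, _ in reversed(snapshot_roots):
        if snap_name not in infected:
            return snap_name
    return None  # every snapshot is affected; recovery needs another source


def demo():
    """Build three constructed snapshots (the last two contain the sample) and hunt."""
    base = Path(tempfile.mkdtemp())
    snapshots = []
    for i, name in enumerate(["snap-2024-01-01", "snap-2024-01-02", "snap-2024-01-03"]):
        root = base / name / "share"
        (root / "downloads").mkdir(parents=True)
        (root / "report.docx").write_bytes(b"quarterly numbers %d\n" % i)  # benign
        if i >= 1:  # the sample first appears in the second snapshot
            (root / "downloads" / "eicar.com").write_bytes(MALICIOUS_CONTENT)
        snapshots.append((name, root))
    # IOC record shaped like a feed entry: name plus the three hashes.
    iocs = [dict(name="EICAR-Test-File (constructed stand-in)", **digests(MALICIOUS_CONTENT))]
    hits = hunt(snapshots, build_ioc_index(iocs))
    clean = latest_clean_snapshot(snapshots, hits)
    shutil.rmtree(base, ignore_errors=True)
    return hits, clean


if __name__ == "__main__":
    found, clean = demo()
    for ioc_name, matches in found.items():
        for snap, rel in matches:
            print(f"{ioc_name}: {snap}:{rel}")
    print("recover from:", clean)
```

Against the constructed snapshots the hunt reports the sample in snap-2024-01-02 and snap-2024-01-03 and names snap-2024-01-01 as the clean recovery point, which is the decision the SOC needs before restoring. Against a real backup platform the walk would run over the mounted snapshot export, and the IOC list would come from the threat-intelligence feed rather than being built inline.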
With Threat Monitoring, you now have a proactive approach to cybersecurity. You can now stay ahead of the threat landscape, decrease risk exposure, and minimize the potential impact of security incidents.
Following this recent attack, the leadership team is keen to explore whether you can proactively scan the backups and identify the most prevalent cyber threats within critical infrastructure before receiving a ransomware note. This proactive approach could expedite investigations, minimize the impact of significant cyber incidents, and mitigate the risk of reinfection.
You have access to the Rubrik Enterprise edition, so let's start with Threat Monitoring to see how you can help the SecOps team.
Rubrik Threat Monitoring automatically scans backups for the most active IOCs in the Rubrik Threat Intelligence feed. When there is a match, the object and IOC details are displayed on the Threat Monitoring dashboard. The intelligence takes the form of YARA rules and file hashes, and combines third-party threat feeds with proprietary intelligence from Rubrik Zero Labs (Rubrik's data threat intelligence unit) and Rubrik's InfoSec team. The feed is automatically updated with the latest active IOCs.
Once logged in:
Click the app tray in the top right
Launch the Data Threat Analytics app
Click the Threat Monitoring tab
As mentioned earlier, you can see the object details on the Threat Monitoring dashboard if there are any IOC matches.
Threat Monitoring has identified an object with an IOC match derived from the Rubrik Threat Intelligence feed.
On the dashboard, you will observe details (A) such as:
Object name
The number of file matches
The time when the match was detected
Match Type
Now, to get the details of the IOC, click on Windows File Share.
You can also observe details (A) such as:
File name and size
The first matched snapshot
Match Type
The time when the match was detected
On the right panel, you can observe the details (B) such as:
The path for the specific file
Indicators of compromise (IOC) details including the IOC name, the threat intelligence source, the file hashes of the malicious file, the author of the IOC, and the IOC description
The affected snapshots indicated by Threat Monitoring
Armed with this information, the Zaffre security team can formulate a quarantine plan and recover from a clean snapshot.
Without the Threat Detection app, you cannot use up-to-date threat intelligence to find lurking threats early!
If you haven't already connected to the Rubrik Security Cloud, head back to the .