Skip to main content

Rubrik Security Cloud

This Integration is part of the Rubrik Security Cloud Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

The Rubrik Security Cloud integration will fetch the Rubrik Anomaly Event and is rich with commands to perform the on-demand scans, backups, recoveries and many more features to manage and protect the organizational data. This integration was integrated and tested with version 1.0.0 of Rubrik Security Cloud

Configure Rubrik Security Cloud on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Rubrik Security Cloud.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Service Account JSONFalse
    Rubrik Account (e.g. ${rubrikAccount}.my.rubrik.com)False
    EmailFalse
    PasswordFalse
    Fetch incidentsFalse
    Incident typeFalse
    First fetch timeThe time interval for the first fetch (retroactive). Examples of supported values can be found at https://dateparser.readthedocs.io/en/latest/\#relative-dates.False
    Fetch Limit (Maximum of 1000)Maximum number of incidents to fetch every time. The maximum value is 1000.False
    Anomaly Event Critical Severity Level MappingWhen a Anomaly event of Critical severity is detected and fetched, this setting indicates what severity will get assigned within XSOAR.False
    Anomaly Event Warning Severity Level MappingWhen a Anomaly event of Warning severity is detected and fetched, this setting indicates what severity will get assigned within XSOAR.False
    Use system proxy settingsWhether to use XSOAR's system proxy settings to connect to the API.False
    Trust any certificate (not secure)Whether to allow connections without verifying SSL certificates validity.False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

rubrik-radar-analysis-status#


Check the Radar Event for updates.

Base Command#

rubrik-radar-analysis-status

Input#

Argument NameDescriptionRequired
activitySeriesIdThe ID of the Polaris Event Series. When used in combination with \"Rubrik Radar Anomaly\" incidents, this value will automatically be looked up using the incident context. Otherwise it is a required value.

Note: Users can retrieve the list of the activity series IDs by executing the \"rubrik-event-list\" command.
Required
clusterIdThe ID of the CDM cluster. When used in combination with \"Rubrik Radar Anomaly\" incidents, this value will automatically be looked up using the incident context. Otherwise, it is a required value.

Note: Users can retrieve the list of the cluster IDs by executing the \"rubrik-gps-cluster-list\" command.
Required

Context Output#

PathTypeDescription
Rubrik.Radar.EventCompleteBooleanFlag that indicates whether Radar has finished analysing the object.
Rubrik.Radar.MessageUnknownThe text, ID, and timestamp of each message in the Activity Series.
Rubrik.Radar.ActivitySeriesIdStringThe ID of the Rubrik Polaris Activity Series.
Rubrik.Radar.ClusterIdStringThe ID of the cluster.

Command Example#

!rubrik-radar-analysis-status activitySeriesId="" clusterId="cc19573c-db6c-418a-9d48-067a256543ba"

Human Readable Output#

Radar Analysis Status#

Activity Series IDCluster IDMessageEvent Complete
ec9c48ce-5faf-474a-927c-33667355aecdcc19573c-db6c-418a-9d48-067a256543baCompleted backup of the transaction log for SQL Server database 'AdventureWorks2012' from 'sx1-sql12-1\MSSQLSERVER'.True

rubrik-sonar-sensitive-hits#


Find data classification hits on an object.

Base Command#

rubrik-sonar-sensitive-hits

Input#

Argument NameDescriptionRequired
objectNameThe name of the Rubrik object to check for sensitive hits. When used in combination with "Rubrik Radar Anomaly" incidents, this value will automatically be looked up using the incident context. Otherwise it is a required value.

Note: Users can get the list of the object names by executing the "rubrik-polaris-object-list" or "rubrik-polaris-object-search" command.
Optional
searchTimePeriodThe number of days in the past to look for sensitive hits. If no value is provided, then today's data will be returned and, if there is no data for today then the argument will default to 7 days.
Default is 7.
Optional

Context Output#

PathTypeDescription
Rubrik.Sonar.totalHitsStringThe total number of data classification hits found on the provided object.
Rubrik.Sonar.idStringID of the sensitive hits object.
Rubrik.Sonar.policy_hitsUnknownInformation of the policy analyzer group of the sensitive hits object.
Rubrik.Sonar.filesWithHitsNumberThe total number of files with hits of the object.
Rubrik.Sonar.openAccessFilesNumberThe total number of open access files of the object.
Rubrik.Sonar.openAccessFilesWithHitsNumberThe total number of open access files with hits of the object.
Rubrik.Sonar.openAccessFoldersNumberThe total number of open access folders of the object.
Rubrik.Sonar.staleFilesNumberThe total number of stale files of the object.
Rubrik.Sonar.staleFilesWithHitsNumberThe total number of stale files with hits of the object.
Rubrik.Sonar.openAccessStaleFilesNumberThe total number of open access stale files of the object.
Rubrik.Radar.MessageUnknownThe text, ID, and timestamp of each message in the Activity Series.
Rubrik.Radar.ActivitySeriesIdStringThe ID of the Rubrik Polaris Activity Series.

Command Example#

!rubrik-sonar-sensitive-hits objectName="sx1-radar15"

Human Readable Output#

Sensitive Hits#

IDTotal Hits
afc0f6f0-148a-54c5-9927-c24c7cde160849684

rubrik-cdm-cluster-location#


Find the CDM GeoLocation of a CDM Cluster.

Base Command#

rubrik-cdm-cluster-location

Input#

Argument NameDescriptionRequired
clusterIdThe ID of the CDM cluster. When used in combination with "Rubrik Radar Anomaly" incidents, this value will automatically be looked up using the incident context. Otherwise, it is a required value.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required

Context Output#

PathTypeDescription
Rubrik.CDM.Cluster.LocationStringThe GeoLocation of the Rubrik CDM Cluster.
Rubrik.CDM.ClusterIdStringThe ID of the cluster.

Command Example#

!rubrik-cdm-cluster-location clusterId="cc19573c-db6c-418a-9d48-067a256543ba"

Human Readable Output#

CDM Cluster Location#

Location
San Francisco, CA, USA

rubrik-cdm-cluster-connection-state#


Find the CDM Connection State of a CDM Cluster.

Base Command#

rubrik-cdm-cluster-connection-state

Input#

Argument NameDescriptionRequired
clusterIdThe ID of the CDM cluster. When used in combination with "Rubrik Radar Anomaly" incidents, this value will automatically be looked up using the incident context. Otherwise, it is a required value.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required

Context Output#

PathTypeDescription
Rubrik.CDM.Cluster.ConnectionStateStringThe Connection State of the Rubrik CDM Cluster.
Rubrik.CDM.ClusterIdStringThe ID of the cluster.

Command Example#

!rubrik-cdm-cluster-connection-state clusterId="cc19573c-db6c-418a-9d48-067a256543ba"

Human Readable Output#

CDM Cluster Connection State#

Connection State
Connected

rubrik-polaris-object-search#


Search for Rubrik discovered objects of any type, return zero or more matches.

Base Command#

rubrik-polaris-object-search

Input#

Argument NameDescriptionRequired
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
object_nameThe name of the object to search for.Required
sort_bySpecify the field to use for sorting the response.

Note: Supported values are "ID" and "NAME" only. For any other values, the obtained result is sorted or not is not confirmed. Default is ID.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is ASC.
Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional

Context Output#

PathTypeDescription
RubrikPolaris.GlobalSearchObject.idStringThe ID of the object.
RubrikPolaris.GlobalSearchObject.nameStringThe name of the object.
RubrikPolaris.GlobalSearchObject.objectTypeStringThe type of the object.
RubrikPolaris.GlobalSearchObject.physicalPath.fidStringThe FID of the physical path of the object.
RubrikPolaris.GlobalSearchObject.physicalPath.nameStringThe name of the physical path where the object relies.
RubrikPolaris.GlobalSearchObject.physicalPath.objectTypeStringThe object type of the physical path where the object relies.
RubrikPolaris.GlobalSearchObject.azureRegionStringThe azure region of the object.
RubrikPolaris.GlobalSearchObject.awsRegionStringThe aws region of the object.
RubrikPolaris.GlobalSearchObject.emailAddressStringThe email address of the object.
RubrikPolaris.GlobalSearchObject.isRelicBooleanWhether the object is relic (historical) or not.
RubrikPolaris.GlobalSearchObject.effectiveSlaDomain.idStringThe effective SLA domain ID of the object.
RubrikPolaris.GlobalSearchObject.effectiveSlaDomain.nameStringThe effective SLA domain name of the object.
RubrikPolaris.GlobalSearchObject.effectiveSlaDomain.descriptionStringThe effective SLA domain description of the object.
RubrikPolaris.GlobalSearchObject.effectiveSlaDomain.fidStringThe FID of the object's effective SLA domain.
RubrikPolaris.GlobalSearchObject.effectiveSlaDomain.cluster.idStringThe cluster ID of the object's effective SLA domain.
RubrikPolaris.GlobalSearchObject.effectiveSlaDomain.cluster.nameStringThe cluster name of the object's effective SLA domain.
RubrikPolaris.GlobalSearchObject.physicalChildConnection.countStringThe count of physical child connection of the object.
RubrikPolaris.GlobalSearchObject.physicalChildConnection.edges.node.idStringThe ID of physical child connection of the object.
RubrikPolaris.GlobalSearchObject.physicalChildConnection.edges.node.nameStringThe name of the physical child connection of the object.
RubrikPolaris.GlobalSearchObject.physicalChildConnection.edges.node.replicatedObjects.cluster.idStringThe cluster ID of the replicated objects of physical child connection of the object.
RubrikPolaris.GlobalSearchObject.physicalChildConnection.edges.node.replicatedObjects.cluster.nameStringThe cluster name of the replicated objects of physical child connection of the object.
RubrikPolaris.GlobalSearchObject.cluster.idStringThe cluster ID related to the object.
RubrikPolaris.GlobalSearchObject.cluster.nameStringThe name of the cluster related to the object.
RubrikPolaris.GlobalSearchObject.primaryClusterLocation.idStringThe primary cluster location ID of the object.
RubrikPolaris.GlobalSearchObject.gcpZoneStringThe gcp zone of the object.
RubrikPolaris.GlobalSearchObject.gcpRegionStringThe gcp region of the object.
RubrikPolaris.GlobalSearchObject.gcpNativeProject.nameStringThe gcp native project name of the object.
RubrikPolaris.PageToken.GlobalSearchObject.next_page_tokenStringNext page token.
RubrikPolaris.PageToken.GlobalSearchObject.nameStringName of the command.
RubrikPolaris.PageToken.GlobalSearchObject.has_next_pageBooleanWhether the result has the next page or not.

Command Example#

!rubrik-polaris-object-search object_name="admin" limit=2

Human Readable Output#

Global Objects#

Object IDObject NameTypeSLA Domain
0f667954-9052-42c8-ac20-2149da4d0ec4Hoang-Admin NguyenO365MailboxUNPROTECTED
3e5d0800-71f6-4e42-badc-ae8b98c8a808Admin o365O365MailboxUNPROTECTED

Note: To retrieve the next set of results use, "next_page_token" = xyz

rubrik-sonar-policies-list#


Retrieve the list of all the available Sonar policies.

Base Command#

rubrik-sonar-policies-list

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
RubrikPolaris.SonarPolicy.idStringUnique ID of the policy.
RubrikPolaris.SonarPolicy.nameStringName of the policy.
RubrikPolaris.SonarPolicy.descriptionStringDescriptive name of the policy.
RubrikPolaris.SonarPolicy.creator.emailStringEmail of the user who created the policy.
RubrikPolaris.SonarPolicy.totalObjectsNumberNumber of total objects present in the policy.
RubrikPolaris.SonarPolicy.numAnalyzersNumberNumber of analyzers present in the policy.
RubrikPolaris.SonarPolicy.objectStatuses.idStringID of the object present in the policy.
RubrikPolaris.SonarPolicy.objectStatuses.latestSnapshotResult.snapshotFidStringSnapshot ID of the object present in the policy.
RubrikPolaris.SonarPolicy.objectStatuses.policyStatuses.policyIdStringPolicy ID.
RubrikPolaris.SonarPolicy.objectStatuses.policyStatuses.statusStringPolicy status.

Command Example#

!rubrik-sonar-policies-list

Human Readable Output#

Sonar Policies#

IDNameDescriptionAnalyzersObjectsCreator Email
bdb8c043-ee89-43ef-a3e2-73e94b5b3900CCPACalifornia Consumer Privacy Act53dummy.email@rubrik.com
53e447ed-9114-4fcd-b5a6-7ac759980fdeGLBAU.S. Gramm-Leach-Bliley Act43

rubrik-sonar-policy-analyzer-groups-list#


List the analyzer group policies.

Base Command#

rubrik-sonar-policy-analyzer-groups-list

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
RubrikPolaris.SonarAnalyzerGroup.idStringThe analyzer group ID.
RubrikPolaris.SonarAnalyzerGroup.nameStringThe name of the analyzer group.
RubrikPolaris.SonarAnalyzerGroup.groupTypeStringThe analyzer group type.
RubrikPolaris.SonarAnalyzerGroup.analyzers.idStringThe ID of the analyzers belong to the group.
RubrikPolaris.SonarAnalyzerGroup.analyzers.nameStringThe name of the analyzers belong to the group.
RubrikPolaris.SonarAnalyzerGroup.analyzers.analyzerTypeStringThe type of the analyzers belong to the group.

Command Example#

!rubrik-sonar-policy-analyzer-groups-list

Human Readable Output#

Sonar Policy Analyzer Groups#

IDNameGroup TypeAnalyzers
97c6a54a-acfc-5ab2-a24a-6a7f3a9a1553GLBAGLBAid: ed30dfa0-334f-55ff-a1b7-03b6bdd7849b, Name: Credit Card, Analyzer Type: CREDIT_CARD

id: 3e60a612-3e97-5f03-b3a1-cfb7a6a67e8f, Name: US Bank Acct, Analyzer Type: US_BANK_ACCT

id: 03b3dc9e-81c1-561c-8235-17cf2fc1c729, Name: US ITIN, Analyzer Type: US_ITIN

id: d5ce3ae5-f530-562a-85b1-4a84264a350a, Name: US SSN, Analyzer Type: US_SSN
543dd5e0-c72c-50e2-a3d9-1688343f472cHIPAAHIPAAid: 9da675b3-944b-5da3-a2da-ed149d300075, Name: US/UK Passport, Analyzer Type: PASSPORT

id: 18665533-c28c-5a40-b747-4b6508fecdfa, Name: US NPI, Analyzer Type: US_HEALTHCARE_NPI

id: 03b3dc9e-81c1-561c-8235-17cf2fc1c729, Name: US ITIN, Analyzer Type: US_ITIN

id: d5ce3ae5-f530-562a-85b1-4a84264a350a, Name: US SSN, Analyzer Type: US_SSN

id: 6bcc8e4e-0ec9-5538-b91d-a506dac47ec6, Name: US DEA, Analyzer Type: DEA_NUMBER
16bd3864-bad6-513b-b38d-a108e648cf4aPCI_DSS
c8c8072a-9454-5e68-9a23-bbcb9824838eU.S. FinancialsUS_FINANCEid: bb9a929b-3f29-5d3f-a768-de74e8ee5a9c, Name: n/a, Analyzer Type: CUSIP_NUMBER

rubrik-polaris-vm-object-metadata-get#


Retrieve details for a Vsphere object based on the provided object ID.

Base Command#

rubrik-polaris-vm-object-metadata-get

Input#

Argument NameDescriptionRequired
object_idThe ID of the object to get details.

Note: Users can get the list of the object IDs by executing the "rubrik-polaris-vm-objects-list" command.
Required

Context Output#

PathTypeDescription
RubrikPolaris.VSphereVm.idStringUnique ID of the object.
RubrikPolaris.VSphereVm.metadata.authorizedOperationsUnknownList of operations performed by the object.
RubrikPolaris.VSphereVm.metadata.nameStringThe name of the object.
RubrikPolaris.VSphereVm.metadata.isRelicBooleanWhether the object is relic or not.
RubrikPolaris.VSphereVm.metadata.effectiveSlaDomain.idStringID of the SLA domain.
RubrikPolaris.VSphereVm.metadata.effectiveSlaDomain.nameStringName of the SLA domain.
RubrikPolaris.VSphereVm.metadata.effectiveSlaDomain.cluster.idStringID of the cluster of the SLA domain.
RubrikPolaris.VSphereVm.metadata.effectiveSlaDomain.cluster.nameStringName of the cluster of the SLA domain.
RubrikPolaris.VSphereVm.metadata.effectiveSlaSourceObject.fidStringSLA Source object FID.
RubrikPolaris.VSphereVm.metadata.effectiveSlaSourceObject.nameStringSLA source object name.
RubrikPolaris.VSphereVm.metadata.effectiveSlaSourceObject.objectTypeStringSLA source object type.
RubrikPolaris.VSphereVm.metadata.protectionDateStringProtection date of the object.
RubrikPolaris.VSphereVm.metadata.reportSnappable.idStringThe ID of the snappable for a particular report related to an object. Snappable supports backups or filesets of physical machines using the rubrik connector.
RubrikPolaris.VSphereVm.metadata.reportSnappable.logicalBytesNumberLogical bytes of snappable report.
RubrikPolaris.VSphereVm.metadata.reportSnappable.physicalBytesNumberThe physical byte of the snappable for a particular report related to an object.
RubrikPolaris.VSphereVm.metadata.reportSnappable.archiveStorageNumberThe archived storage of the snappable for a particular report related to an object.
RubrikPolaris.VSphereVm.metadata.cluster.idStringUnique ID of the cluster which is the datastore for the recovered virtual machine.
RubrikPolaris.VSphereVm.metadata.cluster.nameStringCluster name of the VM to which the object belongs.
RubrikPolaris.VSphereVm.metadata.cluster.statusStringCluster status of the VM to which the object belongs.
RubrikPolaris.VSphereVm.metadata.cluster.versionStringCluster version of the VM to which the object belongs.
RubrikPolaris.VSphereVm.metadata.cluster.lastConnectionTimeStringLast time when the vm was connected to the cluster.
RubrikPolaris.VSphereVm.metadata.cluster.defaultAddressStringDefault address where the cluster is stored.
RubrikPolaris.VSphereVm.metadata.cluster.clusterNodeConnection.nodes.idStringNode ID of the node connection related to cluster.
RubrikPolaris.VSphereVm.metadata.cluster.clusterNodeConnection.nodes.statusStringNode status of the node connection related to cluster.
RubrikPolaris.VSphereVm.metadata.cluster.clusterNodeConnection.nodes.ipAddressStringIP address of the node connection related to cluster.
RubrikPolaris.VSphereVm.metadata.cluster.state.connectedStateStringConnected state of the cluster.
RubrikPolaris.VSphereVm.metadata.cluster.state.clusterRemovalStateStringState of the cluster if it is registered for removal or not.
RubrikPolaris.VSphereVm.metadata.cluster.passesConnectivityCheckBooleanWhether the cluster passes connectivity check or not.
RubrikPolaris.VSphereVm.metadata.cluster.globalManagerConnectivityStatus.urls.urlStringURL of Global Manager Connectivity Status.
RubrikPolaris.VSphereVm.metadata.cluster.globalManagerConnectivityStatus.urls.isReachableBooleanWhether the url in global Manager Connectivity Status is reachable or not.
RubrikPolaris.VSphereVm.metadata.cluster.connectivityLastUpdatedStringDate time when the connectivity status of the cluster is lastly updated.
RubrikPolaris.VSphereVm.metadata.primaryClusterLocation.idStringThe location ID of the primary cluster to which the object belongs.
RubrikPolaris.VSphereVm.metadata.primaryClusterLocation.nameStringThe location name of the primary cluster to which the object belongs.
RubrikPolaris.VSphereVm.metadata.arrayIntegrationEnabledBooleanWhether the array integration is enabled or not.
RubrikPolaris.VSphereVm.metadata.snapshotConsistencyMandateStringData consistency in recovery points is the snapshot consistency mandate. It is broadly classified into 3 categories: inconsistent, crash-consistent, app-consistent.
RubrikPolaris.VSphereVm.metadata.agentStatus.agentStatusStringThe status of an agent related to an object. In Rubrik agents are connectors also known as Rubrik Backup Service.
RubrikPolaris.VSphereVm.metadata.logicalPath.fidStringThe logical path ID of the node to which the object belongs.
RubrikPolaris.VSphereVm.metadata.logicalPath.objectTypeStringThe logical object type of the node to which the object belongs.
RubrikPolaris.VSphereVm.metadata.logicalPath.nameStringThe logical name of the node to which the object belongs.
RubrikPolaris.VSphereVm.metadata.physicalPath.fidStringThe physical path of where the VM resides.
RubrikPolaris.VSphereVm.metadata.physicalPath.objectTypeStringThe physical path object type of the VM.
RubrikPolaris.VSphereVm.metadata.physicalPath.nameStringThe physical Name of the VM.
RubrikPolaris.VSphereVm.metadata.vsphereTagPath.fidStringFID of Vsphere tag.
RubrikPolaris.VSphereVm.metadata.vsphereTagPath.objectTypeStringObject type of Vsphere tag.
RubrikPolaris.VSphereVm.metadata.vphereTagPath.nameStringName of Vsphere tag.
RubrikPolaris.VSphereVm.metadata.oldestSnapshot.idStringThe ID of the oldest snapshot.
RubrikPolaris.VSphereVm.metadata.oldestSnapshot.dateStringThe date when the oldest snapshot was generated.
RubrikPolaris.VSphereVm.metadata.oldestSnapshot.isIndexedBooleanWhether the oldest snapshot is indexed or not.
RubrikPolaris.VSphereVm.metadata.totalSnapshots.countNumberTotal snapshot counts.
RubrikPolaris.VSphereVm.metadata.replicatedObjects.idStringThe ID of the object which is replicated in the VM.
RubrikPolaris.VSphereVm.metadata.replicatedObjects.primaryClusterLocation.idStringThe primary cluster location ID where the replicated object resides.
RubrikPolaris.VSphereVm.metadata.replicatedObjects.primaryClusterLocation.nameStringThe primary cluster location name where the replicated object resides.
RubrikPolaris.VSphereVm.metadata.replicatedObjects.cluster.nameStringThe cluster name where the replicated object resides.
RubrikPolaris.VSphereVm.metadata.replicatedObjects.cluster.idStringThe cluster ID where the replicated object resides.
RubrikPolaris.VSphereVm.metadata.newestArchivedSnapshot.idStringID of the newest archived snapshot.
RubrikPolaris.VSphereVm.metadata.newestArchivedSnapshot.dateStringThe date when the newest archived snapshot was generated.
RubrikPolaris.VSphereVm.metadata.newestArchivedSnapshot.isIndexedBooleanWhether the newest archived snapshot is indexed or not.
RubrikPolaris.VSphereVm.metadata.newestArchivedSnapshot.archivalLocations.idStringID of the archival location of the newest archived snapshot.
RubrikPolaris.VSphereVm.metadata.newestArchivedSnapshot.archivalLocations.nameStringName of the archival location of the newest archival snapshot.
RubrikPolaris.VSphereVm.metadata.newestReplicatedSnapshot.idStringThe ID of the newest replicated snapshot.
RubrikPolaris.VSphereVm.metadata.newestReplicatedSnapshot.dateStringThe date when the newest replicated snapshot was generated.
RubrikPolaris.VSphereVm.metadata.newestReplicatedSnapshot.isIndexedBooleanWhether the newest replicated snapshot is indexed or not.
RubrikPolaris.VSphereVm.metadata.newestReplicatedSnapshot.replicationLocations.idStringThe ID of the replication locations of the newest replicated snapshot.
RubrikPolaris.VSphereVm.metadata.newestReplicatedSnapshot.replicationLocations.nameStringThe name of the replication locations of the newest replicated snapshot.
RubrikPolaris.VSphereVm.metadata.newestSnapshot.idStringThe ID of the newest snapshot.
RubrikPolaris.VSphereVm.metadata.newestSnapshot.dateStringThe date when the newest snapshot was generated.
RubrikPolaris.VSphereVm.metadata.newestSnapshot.isIndexedBooleanWhether the newest snapshot is indexed or not.
RubrikPolaris.VSphereVm.metadata.onDemandSnapshotCountNumberCount of how many on demand snapshot created in a VM.
RubrikPolaris.VSphereVm.metadata.vmwareToolsInstalledBooleanWhether the Vmware tools are installed or not.
RubrikPolaris.VSphereVm.metadata.cdmLinkStringThe Cloud Data Management link to navigate to the VM on cloud.

Command Example#

!rubrik-polaris-vm-object-metadata-get object_id="e060116b-f9dc-56a1-82a6-1b968d2f6cef"

Human Readable Output#

VM Object Data#

Object IDNameSnappable IDSLA DomainCluster NameTotal SnapshotsOldest Snapshot DateLatest Snapshot Date
e060116b-f9dc-56a1-82a6-1b968d2f6cefKali-VMVirtualMachine:::ae4484c6-b4c0-4ce8-b2ba-206a4184540b-vm-521DO_NOT_PROTECTsand2-rbk01422019-04-24T16:21:12.000Z2020-02-12T14:00:36.000Z

rubrik-polaris-vm-objects-list#


Retrieve a list of all the objects of the Vsphere Vm known to the Rubrik.

Base Command#

rubrik-polaris-vm-objects-list

Input#

Argument NameDescriptionRequired
is_relicFilter based on whether VM objects are moved to relic/archive or not.

Possible values are: "True", "False".
Optional
is_replicatedFilter based on whether VM objects are replicated or not.

Possible values are: "True", "False".
Optional
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
sort_bySpecify the field to use for sorting the response.

Note: Supported values are "ID" and "NAME" only. For any other values, the obtained result is sorted or not is not confirmed. Default is ID.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is ASC.
Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional

Context Output#

PathTypeDescription
RubrikPolaris.VSphereVm.idStringUnique ID of the object.
RubrikPolaris.VSphereVm.nameStringName of the node to which the object belongs.
RubrikPolaris.VSphereVm.objectTypeStringObject type of the node to which the object belongs.
RubrikPolaris.VSphereVm.replicatedObjectCountNumberNumber of objects replicated in the node in which the object relies.
RubrikPolaris.VSphereVm.cluster.idStringID of the cluster which is the datastore for the recovered virtual machine.
RubrikPolaris.VSphereVm.cluster.nameStringCluster name of the node to which the object belongs.
RubrikPolaris.VSphereVm.cluster.versionStringCluster version of the node to which the object belongs.
RubrikPolaris.VSphereVm.cluster.statusStringCluster status of the node to which the object belongs.
RubrikPolaris.VSphereVm.effectiveSlaDomain.idStringID of the SLA domain which is simply a set of policies that define at what frequencies backups should be performed of the protected objects within Rubrik and for how long they should be either locally or a replication partner or on the archival location.
RubrikPolaris.VSphereVm.effectiveSlaDomain.nameStringDescriptive name of the SLA domain.
RubrikPolaris.VSphereVm.effectiveSlaDomain.descriptionStringDescription of the SLA domain.
RubrikPolaris.VSphereVm.effectiveSlaDomain.fidStringFID of the SLA domain.
RubrikPolaris.VSphereVm.effectiveSlaDomain.cluster.idStringID of the cluster related to the effective SLA domain.
RubrikPolaris.VSphereVm.effectiveSlaDomain.cluster.nameStringName of the cluster related to the effective SLA domain.
RubrikPolaris.VSphereVm.effectiveSlaSourceObject.fidStringSLA source object FID.
RubrikPolaris.VSphereVm.effectiveSlaSourceObject.nameStringSLA source object name.
RubrikPolaris.VSphereVm.effectiveSlaSourceObject.objectTypeStringSLA source object type.
RubrikPolaris.VSphereVm.slaAssignmentStringA SLA rule when referred at assignment is SLA assignment.
RubrikPolaris.VSphereVm.isRelicBooleanWhether the object is relic or not.
RubrikPolaris.VSphereVm.authorizedOperationsUnknownList of operations that can be performed on the object.
RubrikPolaris.VSphereVm.primaryClusterLocation.idStringThe location ID of the primary cluster to which the object belongs.
RubrikPolaris.VSphereVm.primaryClusterLocation.nameStringThe location name of the primary cluster to which the object belongs.
RubrikPolaris.VSphereVm.logicalPath.fidStringThe logical path ID of the node to which the object belongs.
RubrikPolaris.VSphereVm.logicalPath.nameStringThe logical path name of the node to which the object belongs.
RubrikPolaris.VSphereVm.logicalPath.objectTypeStringThe logical object type of the node to which the object belongs.
RubrikPolaris.VSphereVm.snapshotDistribution.idStringRubrik uses a snapshot for powerful data protection. Snapshot distribution ID is the ID of the snapshot distribution node related to a particular object.
RubrikPolaris.VSphereVm.snapshotDistribution.onDemandCountNumberThe demand count of distribution of snapshot related to an object.
RubrikPolaris.VSphereVm.snapshotDistribution.retrievedCountNumberThe retrieved count of distribution of snapshot related to an object.
RubrikPolaris.VSphereVm.snapshotDistribution.scheduledCountNumberThe scheduled count of distribution of snapshot related to an object.
RubrikPolaris.VSphereVm.snapshotDistribution.totalCountNumberThe total count of distribution of snapshot related to an object.
RubrikPolaris.VSphereVm.reportSnappable.idStringThe ID of the snappable for a particular report related to an object. Snapple supports backups or filesets of physical machines using the rubrik connector.
RubrikPolaris.VSphereVm.reportSnappable.archieveStorageNumberThe archived storage of the snappable for a particular report related to an object.
RubrikPolaris.VSphereVm.reportSnappable.physicalBytesNumberThe physical byte of the snappable for a particular report related to an object.
RubrikPolaris.VSphereVm.vmwareToolsInstalledBooleanWhether the vm tools are installed or not.
RubrikPolaris.VSphereVm.agentStatus.agentStatusStringThe status of an agent related to an object. The Rubrik agents are connectors also known as Rubrik Backup Service.
RubrikPolaris.VSphereVm.agentStatus.disconnectReasonStringDisplays the reason if the agent disconnects.
RubrikPolaris.PageToken.VSphereVm.next_page_tokenStringNext page token.
RubrikPolaris.PageToken.VSphereVm.nameStringName of the command.
RubrikPolaris.PageToken.VSphereVm.has_next_pageBooleanWhether the result has the next page or not.

Command Example#

!rubrik-polaris-vm-objects-list limit=2

Human Readable Output#

Objects List#

Object IDNameSnappable IDClusterObject TypeSLA DomainAssignmentSnapshotsRBS StatusSource StorageArchival Storage
0242e84c-773a-5877-b955-1d52765ac852sx1-ganebala-l1VirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-206037sand1-rbk01VmwareVirtualMachineDO_NOT_PROTECTDirect0Unregistered00
0556f691-b750-556c-baea-800dbb2920e7linux-a-Fri Feb 15 2019 04:43:40 GMT+0000 (Greenwich Mean Time)-9P4tVirtualMachine:::d2f41f4b-5d53-4063-a618-25046a0f4c7d-vm-35806sand1-rbk01VmwareVirtualMachineUNPROTECTEDUnassigned34Unregistered01.115023609 GB

Note: To retrieve the next set of results use, "next_page_token" = xyz

rubrik-sonar-ondemand-scan#


Trigger an on-demand scan of a system. Supports "Vsphere VM" object type only.

Note: To know the scan status use the "rubrik-sonar-ondemand-scan-status" command. To download the completed request use the "rubrik-sonar-ondemand-scan-result" command.

Base Command#

rubrik-sonar-ondemand-scan

Input#

Argument NameDescriptionRequired
scan_nameName of the scan. If not provided, it defaults to "<today's date> Classification".Optional
sonar_policy_analyzer_groupsList of sonar policies to scan.

Note: Users can get the list of analyzer groups by executing the "rubrik-sonar-policy-analyzer-groups-list" command.

Format Accepted:
[
{
"id": "543dd5e0-c72c-50e2-a3d9-1688343f472c",
"name": "HIPAA",
"groupType": "HIPAA",
"analyzers": [
{
"id": "9da675b3-944b-5da3-a2da-ed149d300075",
"name": "US/UK Passport",
"analyzerType": "PASSPORT"
},
{
"id": "18665533-c28c-5a40-b747-4b6508fecdfa",
"name": "US NPI",
"analyzerType": "US_HEALTHCARE_NPI"
}
]
}
].
Required
objects_to_scanList of VM object IDs to scan.

Note: Users can get the list of VM object IDs by executing the "rubrik-polaris-vm-objects-list" command.
Required

Context Output#

PathTypeDescription
RubrikPolaris.SonarOndemandScan.crawlIdStringUnique crawl ID.

Command Example#

!rubrik-sonar-ondemand-scan scan_name="GLBA Scan for new user" sonar_policy_analyzer_groups='[{"id":"97c6a54a-acfc-5ab2-a24a-6a7f3a9a1553","name":"GLBA","groupType":"GLBA","analyzers":[{"id":"ed30dfa0-334f-55ff-a1b7-03b6bdd7849b","name":"CreditCard","analyzerType":"CREDIT_CARD"},{"id":"3e60a612-3e97-5f03-b3a1-cfb7a6a67e8f","name":"BANK_ACCT","analyzerType":"US_BANK_ACCT"},{"id":"03b3dc9e-81c1-561c-8235-17cf2fc1c729","name":"USITIN","analyzerType":"US_ITIN"},{"id":"d5ce3ae5-f530-562a-85b1-4a84264a350a","name":"USSSN","analyzerType":"US_SSN"}]}]' objects_to_scan="0887e71c-56ac-59f7-8763-54b726e64dd6, a82e888c-2440-5af9-8c2a-447a97f6746c"

Human Readable Output#

Sonar On-Demand Scan#

Crawl ID
bb4eedc0-594b-4566-b06d-24de0bf752ca

rubrik-sonar-ondemand-scan-status#


Retrieve the status of a scanned system.

Note: To download the completed request use the "rubrik-sonar-ondemand-scan-result" command.

Base Command#

rubrik-sonar-ondemand-scan-status

Input#

Argument NameDescriptionRequired
crawl_idID for which scanning status is to be obtained.

Note: Users can get the crawl ID by executing the "rubrik-sonar-ondemand-scan" command.
Required

Context Output#

PathTypeDescription
RubrikPolaris.SonarOndemandScan.crawlIdStringCrawl ID of the scan for which the rubrik-sonar-ondemand-scan command is hit.
RubrikPolaris.SonarOndemandScan.Status.errorStringError description if any.
RubrikPolaris.SonarOndemandScan.Status.snappable.idStringSnappable ID of the scanned object.
RubrikPolaris.SonarOndemandScan.Status.snappable.nameStringSnappable Name of the scanned object.
RubrikPolaris.SonarOndemandScan.Status.snappable.objectTypeStringSnappable object type of the scanned object.
RubrikPolaris.SonarOndemandScan.Status.snapshotTimeNumberTime when the snapshot is taken.
RubrikPolaris.SonarOndemandScan.Status.statusStringStatus of the scanning or scanned object.
RubrikPolaris.SonarOndemandScan.Status.progressNumberCount of objects that are in progress.
RubrikPolaris.SonarOndemandScan.Status.totalHitsNumberNumber of total hits obtained from an object that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerGroup.groupTypeStringGroup type of the analyzer.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerGroup.idStringGroup ID of the analyzer.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerGroup.nameStringGroup Name of the analyzer.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerResults.hits.totalHitsNumberNumber of total hits obtained from an analyzer that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerResults.hits.violationsNumberNumber of violations obtained from an analyzer that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerResults.hits.permittedHitsNumberNumber of permitted hits obtained from an analyzer that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerResults.analyzer.idStringID of the analyzer that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analzerGroupResults.analyzerResults.analyzer.nameStringName of the analyzer that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.analyzerResults.analyzer.analyzerTypeStringType of the analyzer that is scanned.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.hits.totalHitsNumberNumber of total hits obtained from an analyzer group.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.hits.violationsNumberNumber of violations obtained from an analyzer group.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.hits.permittedHitsNumberNumber of permitted hits obtained from an analyzer group.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.hits.violationsDeltaNumberNumber of violation delta obtained from an analyzer group.
RubrikPolaris.SonarOndemandScan.Status.analyzerGroupResults.hits.totalHitsDeltaNumberNumber of total hits delta obtained from an analyzer group.
RubrikPolaris.SonarOndemandScan.Status.cluster.idStringCluster ID in which the object is getting scanned.
RubrikPolaris.SonarOndemandScan.Status.cluster.nameStringCluster name in which the object is getting scanned.
RubrikPolaris.SonarOndemandScan.Status.cluster.typeStringCluster type in which the object is getting scanned.

Command Example#

!rubrik-sonar-ondemand-scan-status crawl_id="bb4eedc0-594b-4566-b06d-24de0bf752ca"

Human Readable Output#

Sonar On-Demand Scan Status#

Final status of scan with crawl ID bb4eedc0-594b-4566-b06d-24de0bf752ca is IN_PROGRESS

Object IDObject NameScan Status
6e307121-e5dc-5e6a-9a6b-37e1c9afd6b1AllTheThingsCOMPLETE
a82e888c-2440-5af9-8c2a-447a97f6746c/tmpIN_PROGRESS

rubrik-polaris-vm-object-snapshot-list#


Search for a Rubrik snapshot of an object based on the provided snapshot ID, exact timestamp, or specific value like earliest/latest, or closest before/after a timestamp.

Base Command#

rubrik-polaris-vm-object-snapshot-list

Input#

Argument NameDescriptionRequired
object_idThe object ID for which the snapshots are to be searched.

Note: Users can get the list of the object IDs by executing the "rubrik-polaris-vm-objects-list" command.
Required
snapshot_group_byGrouping the snapshots on the basis of the selected value.

Possible values are: "Month", "Day", "Year", "Week", "Hour", "Quarter". Default is Day.
Optional
missed_snapshot_group_byGrouping the missed snapshots on the basis of the selected value.

Possible values are: "MONTH", "DAY", "YEAR", "WEEK", "HOUR", "QUARTER". Default is DAY.
Optional
start_dateThe start date to get snapshots from.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.
Required
end_dateThe end date to get snapshots until.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.
Required
timezone_offsetThe timezone offset from UTC changes to match the configured time zone. Use this argument to filter the data according to the provided timezone offset.

Formats accepted: 1, 1.5, 2, 2.5, 5.5, etc.
Required
cluster_connectedWhether the cluster is connected or not.

Possible values are: "True", "False". Default is True.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.VSphereVm.idStringUnique ID of the object.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.groupByInfo.unitStringUnit of snapshot group by connection nodes.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.groupByInfo.startStringStart date of snapshot group by connection nodes.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.groupByInfo.endStringEnd date of snapshot group by connection nodes.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.snapshotConnection.countNumberCount of snapshot connections related to the object.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.snapshotConnection.nodes.idStringID of snapshot connection related to the object.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.snapshotConnection.nodes.isIndexedBooleanWhether the node is indexed or not.
RubrikPolaris.VSphereVm.Snapshot.snapshotGroupByConnection.nodes.snapshotConnection.nodes.isUnindexableBooleanWhether the node is unindexable or not.

Command Example#

!rubrik-polaris-vm-object-snapshot-list object_id="86db05d1-292f-5973-b616-2ae3977f4428" start_date="2020-05-19T18:30:00.000000Z" end_date="2020-05-20T18:30:00.000000Z" timezone_offset=5.5

Human Readable Output#

VM Object Snapshots#

Snapshot DetailsSnapshot IDs
Total Snapshots: 2
Date Range: From 2020-05-19T22:30:00.000Z to 2020-05-20T22:29:59.999Z
33060f59-9c99-5c48-8305-8d1edfe402d2,
57eac609-9529-5cb5-845a-b7cc78998222

rubrik-sonar-ondemand-scan-result#


Retrieve the download link for the requested scanned file.

Base Command#

rubrik-sonar-ondemand-scan-result

Input#

Argument NameDescriptionRequired
crawl_idID for which file needs to be downloaded.

Note: Users can get the crawl_id by executing the "rubrik-sonar-ondemand-scan" command.
Required
file_typeThe type of the file that needs to be downloaded.

Possible values are: "ANY", "HITS", "STALE", "OPEN_ACCESS", "STALE_HITS", "OPEN_ACCESS_HITS".
Required

Context Output#

PathTypeDescription
RubrikPolaris.SonarOndemandScan.crawlIdStringCrawl ID of the file that needs to be downloaded.
RubrikPolaris.SonarOndemandScan.Result.downloadLinkStringLink to download the file when scan status is complete.

Command Example#

!rubrik-sonar-ondemand-scan-result crawl_id="bb4eedc0-594b-4566-b06d-24de0bf752ca" file_type="HITS"

Human Readable Output#

Sonar On-Demand Scan Result#

Scan result CSV Download Link
Download the CSV file to see the result.

rubrik-radar-anomaly-csv-analysis#


Request for the analysis and retrieve the download link for the Radar CSV analyzed file.

Base Command#

rubrik-radar-anomaly-csv-analysis

Input#

Argument NameDescriptionRequired
cluster_idThe unique ID of the cluster.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required
snapshot_idThe CDM snapshot ID.

Note: Users can retrieve the list of snapshot IDs by executing the "rubrik-polaris-vm-object-snapshot-list" command.
Use the "rubrik-radar-suspicious-file-list" command to retrieve the actual CDM ID from the Anomaly ID.
Example format to get the snapshot CDM ID from Anomaly ID: "<Cluster-ID>:::VirtualMachine:::<Snappable-ID>:::<CDM-ID>".
Required
object_idThe VM object ID (Snappable ID).

Note: Users can retrieve the list of Snappable IDs by executing the "rubrik-polaris-vm-objects-list" command.
Example format to get the Snappable ID: "VirtualMachine:::<Snappable-ID>".
Required

Context Output#

PathTypeDescription
RubrikPolaris.RadarAnomalyCSV.clusterIdStringCluster ID of the CSV.
RubrikPolaris.RadarAnomalyCSV.snapshotIdStringSnapshot ID of the CSV.
RubrikPolaris.RadarAnomalyCSV.objectIdStringObject ID of the CSV.
RubrikPolaris.RadarAnomalyCSV.investigationCsvDownloadLink.downloadLinkStringThe download link of the CSV analysis.

Command Example#

!rubrik-radar-anomaly-csv-analysis cluster_id="cc19573c-db6c-418a-9d48-067a256543ba" snapshot_id="7b71d588-911c-4165-b6f3-103a1684d2a3" object_id="868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-4335"

Human Readable Output#

Radar Anomaly CSV Analysis#

CSV Download Link
Download the analyzed CSV file.

rubrik-sonar-csv-download#


Request to download the Sonar CSV Snapshot results file.

Note: To know the ID and status of the download, use the "rubrik-user-downloads-list" command. To download the file, use the "rubrik-sonar-csv-result-download" command.

Base Command#

rubrik-sonar-csv-download

Input#

Argument NameDescriptionRequired
snapshot_idID of the snapshot.

Note: Users can retrieve the list of snapshot IDs by executing the "rubrik-polaris-vm-object-snapshot-list" command.
Required
object_idObject ID.

Note: Users can retrieve the list of object IDs by executing "rubrik-polaris-vm-objects-list" command.
Required
file_typeThe type of the file that needs to be downloaded.

Possible values are: "ANY", "HITS", "STALE", "OPEN_ACCESS", "STALE_HITS", "OPEN_ACCESS_HITS".
Optional

Context Output#

PathTypeDescription
RubrikPolaris.SonarCSVDownload.snapshotIdStringSnapshot ID of the CSV requested to download.
RubrikPolaris.SonarCSVDownload.objectIdStringObject ID of the CSV requested to download.
RubrikPolaris.SonarCSVDownload.downloadSnapshotResultsCsv.isSuccessfulBooleanThe status of the download.

Command Example#

!rubrik-sonar-csv-download snapshot_id="c38ec074-0c45-5c72-b611-3322cbd46776" object_id="ac0a6844-a2fc-52b0-bb71-6a55f43677be"

Human Readable Output#

Sonar CSV Download#

Download Status
Success

rubrik-gps-snapshot-files-list#


Retrieve the list of the available files that can be downloaded.

Note: To initiate the file download request use the "rubrik-gps-snapshot-files-download" command.

Base Command#

rubrik-gps-snapshot-files-list

Input#

Argument NameDescriptionRequired
snapshot_idThe Snapshot ID of the file that needs to be downloaded.

Note: Users can retrieve the list of the snapshot IDs by executing the "rubrik-polaris-vm-object-snapshot-list" command.
Required
pathThe path of the folder to list the sub-files. If not provided the root directory files will be returned.

Format accepted : "/<directory name>/<sub directory name or file name>"

Example: "/C:", "/C:/Users".
Optional
search_prefixProvide a keyword to search in the file names.

Example: "admin".
Optional
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSSnapshotFile.snapshotIdStringSnapshot ID provided as an argument to retrieve the files.
RubrikPolaris.GPSSnapshotFile.node.absolutePathStringThe absolute path of the file.
RubrikPolaris.GPSSnapshotFile.node.displayPathStringThe display path of the file.
RubrikPolaris.GPSSnapshotFile.node.pathStringThe path of the file.
RubrikPolaris.GPSSnapshotFile.node.filenameStringThe name of the file.
RubrikPolaris.GPSSnapshotFile.node.fileModeStringThe mode of the file.
RubrikPolaris.GPSSnapshotFile.node.sizeStringThe size of the file.
RubrikPolaris.GPSSnapshotFile.node.lastModifiedStringThe last modified time of the file.
RubrikPolaris.PageToken.GPSSnapshotFile.next_page_tokenStringNext page token.
RubrikPolaris.PageToken.GPSSnapshotFile.nameStringName of the command.
RubrikPolaris.PageToken.GPSSnapshotFile.has_next_pageBooleanWhether the result has the next page or not.

Command Example#

!rubrik-gps-snapshot-files-list snapshot_id=90858c2f-e572-5b9c-b455-ba309d50c1a2

Human Readable Output#

GPS Snapshot Files#

File NameAbsolute PathPathFile ModeLast Modified
C:/C:C:DIRECTORY2020-10-05T18:56:18.000Z
disk_0_part_1/disk_0_part_1DIRECTORY2018-06-14T00:47:18.000Z

Note: To retrieve the next set of results use, "next_page_token" = xyz

rubrik-gps-vm-export#


Request to initiate an export of a snapshot of a virtual machine.

Note: To know about the exported VM's status, use the "rubrik-gps-async-result" command.

Base Command#

rubrik-gps-vm-export

Input#

Argument NameDescriptionRequired
vm_nameName given to the VM that runs the snapshot. If not provided the name will be "<Snapshot VM Name> <MM/DD of snapshot creation> <hh/mm of snapshot creation> <Num>".Optional
object_idThe VM object ID whose snapshot needs to be exported.

Note: Users can get the list of object IDs by executing the "rubrik-polaris-vm-objects-list" command.
Required
snapshot_idThe ID of the snapshot that is to be exported.

Note: Users can get the list of snapshot IDs by executing the "rubrik-polaris-vm-object-snapshot-list" command.
Required
datastore_idThe ID of the datastore which will be used by the new VM.

Note: Users can get the list of datastore IDs by executing the "rubrik-gps-vm-datastore-list" command.
Required
host_idThe ID of the Vsphere ESXi host on which the new VM will be made. Either host_id or host_compute_cluster_id must be provided.

Note: Users can get the list of host IDs by executing the "rubrik-gps-vm-host-list" command.
Optional
host_compute_cluster_idThe ID of the VSphere Compute Cluster of a host. Either host_id or host_compute_cluster_id must be provided.

Note: Users can get the list of Compute Cluster IDs by executing the "rubrik-gps-vm-host-list" command. The ID must belong to the VSphereComputeCluster objectType.
Optional
power_onWhether to turn on the new VM or not.

Possible values are: "True", "False".
Optional
keep_mac_addressesWhether the mac addresses of network devices of the new VM be removed or not.

Possible values are: "True", "False".
Optional
remove_network_devicesWhether the network devices on the original VM be kept or not.

Possible values are: "True", "False".
Optional
recover_tagsWhether to keep vSphere tags associated with the original VM or not.

Possible values are: "True", "False".
Optional
disable_networkWhether to disable networking on the new VM or not.

Possible values are: "True", "False".
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSVMSnapshotExport.idStringSnapshot export request ID.

Command Example#

!rubrik-gps-vm-export object_id=d39e956f-a3c9-5307-865b-58ed045b59c5 snapshot_id=07fa66e1-137a-5473-8a8e-825547075d7b datastore_id=5fe3a92a-d848-5325-a1a2-ef6cf7a16376 host_compute_cluster_id=0dc88a78-0d46-57d7-86c6-f1bd97ff979f

Human Readable Output#

GPS VM Export#

Snapshot Export Request ID
dummy_id

rubrik-user-downloads-list#


Retrieve the user downloads. This would return the current and past download history.

Note: To download the requested Sonar CSV Snapshot results file use the "rubrik-sonar-csv-result-download" command.

Base Command#

rubrik-user-downloads-list

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
RubrikPolaris.UserDownload.idNumberThe ID of the download.
RubrikPolaris.UserDownload.nameStringThe name of the download.
RubrikPolaris.UserDownload.statusStringThe status of the download.
RubrikPolaris.UserDownload.progressNumberThe progress of the download.
RubrikPolaris.UserDownload.identifierStringThe identifier of the download or the type of download requested.
RubrikPolaris.UserDownload.createTimeStringThe creation time of the download.
RubrikPolaris.UserDownload.completeTimeStringThe completion time of the download.

Command Example#

!rubrik-user-downloads-list

Human Readable Output#

User Downloads#

Download IDNameStatusIdentifierCreation TimeCompletion Time
156GDIT-billing-test-oct10COMPLETEDSONAR_DOWNLOAD2021-10-06T07:25:51.676432470Z2021-10-06T07:25:51.856374014Z

rubrik-gps-sla-domain-list#


Enumerates the available SLA Domains to apply to the on-demand snapshot as a retention policy.

Base Command#

rubrik-gps-sla-domain-list

Input#

Argument NameDescriptionRequired
nameName of the SLA Domain to search for.Optional
cluster_idCluster, the SLA domain is managed by.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Optional
object_typeFilters SLA domain based on the provided object types. Supports comma separated values.

Possible values are: "FILESET_OBJECT_TYPE", "VSPHERE_OBJECT_TYPE".
Optional
show_cluster_slas_onlyWhether to show Cluster SLAs and not Global SLAs. "False" value will result in showing only Global SLAs.

Possible values are: "True", "False". Default is True.
Optional
sort_bySpecify the field to use for sorting the response.

Possible values are: "NAME", "PROTECTED_OBJECT_COUNT". Default is NAME.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is ASC.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSSLADomain.nameStringName of the SLA domain.
RubrikPolaris.GPSSLADomain.idStringID of the SLA domain.
RubrikPolaris.GPSSLADomain.descriptionStringDescription of the SLA domain.
RubrikPolaris.GPSSLADomain.protectedObjectCountNumberNumber of objects under the SLA Domain.
RubrikPolaris.GPSSLADomain.baseFrequency.durationNumberBase snapshot frequency duration.
RubrikPolaris.GPSSLADomain.baseFrequency.unitStringBase snapshot frequency unit (HOURS, DAYS etc).
RubrikPolaris.GPSSLADomain.archivalSpec.archivalLocationNameStringLocation where the archives are stored.
RubrikPolaris.GPSSLADomain.archivalSpecs.storageSetting.idStringID of the archival target.
RubrikPolaris.GPSSLADomain.archivalSpecs.storageSetting.nameStringName of the archival target.
RubrikPolaris.GPSSLADomain.archivalSpecs.storageSetting.groupTypeStringGroup type of the archival target.
RubrikPolaris.GPSSLADomain.archivalSpecs.storageSetting.targetTypeStringTarget type of the archival target.
RubrikPolaris.GPSSLADomain.replicationSpec.replicationTypeStringEnum value representing the type of replication. Values: UNKNOWN_REPLICATION_TYPE, UNIDIRECTIONAL_REPLICATION_TO_CLUSTER, REPLICATION_TO_CLOUD_REGION, REPLICATION_TO_CLOUD_LOCATION.
RubrikPolaris.GPSSLADomain.replicationSpec.specificReplicationSpec.unidirectionalSpec.replicationTargetNameStringCloud replication target name.
RubrikPolaris.GPSSLADomain.replicationSpec.specificReplicationSpec.cloudRegionSpec.replicationTargetRegionStringCloud replication target region.
RubrikPolaris.GPSSLADomain.replicationSpec.specificReplicationSpec.cloudRegionSpec.cloudProviderStringCloud replication service provider. Values: AWS, AZURE.
RubrikPolaris.GPSSLADomain.replicationSpec.specificReplicationSpec.cloudLocationSpec.targetMapping.idStringID of the cloud target where replication takes place.
RubrikPolaris.GPSSLADomain.replicationSpec.specificReplicationSpec.cloudLocationSpec.targetMapping.nameStringName of the cloud target where replication takes place.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.cluster.idStringID of the cluster where replication takes place.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.cluster.nameStringName of the cluster where replication takes place.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.awsTarget.accountIdStringAccount ID on AWS where the replication happens.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.awsTarget.accountNameStringAccount name on AWS where the replication happens.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.awsTarget.regionStringAccount region on AWS where the replication happens.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.azureTarget.regionStringAccount region on Azure where the replication happens.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.retentionDuration.durationNumberReplication retention duration.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.retentionDuration.unitStringReplication retention duration unit.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.targetMapping.idStringID of the object target where replication takes place.
RubrikPolaris.GPSSLADomain.replicationSpecsV2.targetMapping.nameStringName of the object target where replication takes place.
RubrikPolaris.GPSSLADomain.localRetentionLimit.durationNumberLocal retention limit duration.
RubrikPolaris.GPSSLADomain.localRetentionLimit.unitStringLocal retention limit duration unit.
RubrikPolaris.GPSSLADomain.snapshotSchedule.minute.basicSchedule.frequencyNumberSnapshot frequency every minute.
RubrikPolaris.GPSSLADomain.snapshotSchedule.minute.basicSchedule.retentionNumberSnapshot retention value per minute snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.minute.basicSchedule.retentionUnitStringSnapshot retention time unit per minute snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.hourly.basicSchedule.frequencyNumberSnapshot hourly frequency.
RubrikPolaris.GPSSLADomain.snapshotSchedule.hourly.basicSchedule.retentionNumberSnapshot retention value per hour snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.hourly.basicSchedule.retentionUnitStringSnapshot retention time unit per hour snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.daily.basicSchedule.frequencyNumberSnapshot daily frequency.
RubrikPolaris.GPSSLADomain.snapshotSchedule.daily.basicSchedule.retentionNumberSnapshot retention value per day snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.daily.basicSchedule.retentionUnitStringSnapshot retention unit per day snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.weekly.basicSchedule.frequencyNumberSnapshot weekly frequency.
RubrikPolaris.GPSSLADomain.snapshotSchedule.weekly.basicSchedule.retentionNumberSnapshot retention value per week snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.weekly.basicSchedule.retentionUnitStringSnapshot retention unit per week snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.weekly.dayOfWeekStringStarting day of the weekly snapshot.
RubrikPolaris.GPSSLADomain.snapshotSchedule.monthly.basicSchedule.frequencyNumberSnapshot monthly frequency.
RubrikPolaris.GPSSLADomain.snapshotSchedule.monthly.basicSchedule.retentionNumberSnapshot retention value per month snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.monthly.basicSchedule.retentionUnitStringSnapshot retention unit per month snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.monthly.dayOfMonthStringStarting day of the month snapshot.
RubrikPolaris.GPSSLADomain.snapshotSchedule.quarterly.basicSchedule.frequencyNumberSnapshot quarterly frequency.
RubrikPolaris.GPSSLADomain.snapshotSchedule.quarterly.basicSchedule.retentionNumberSnapshot retention value per quarter snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.quarterly.basicSchedule.retentionUnitStringSnapshot retention unit per quarter snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.quarterly.dayOfQuarterStringStarting day of the quarterly snapshot.
RubrikPolaris.GPSSLADomain.snapshotSchedule.quarterly.quarterStartMonthStringStarting month of the quarterly snapshot.
RubrikPolaris.GPSSLADomain.snapshotSchedule.yearly.basicSchedule.frequencyNumberSnapshot yearly frequency.
RubrikPolaris.GPSSLADomain.snapshotSchedule.yearly.basicSchedule.retentionNumberSnapshot retention value per year snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.yearly.basicSchedule.retentionUnitStringSnapshot retention unit per year snapshots.
RubrikPolaris.GPSSLADomain.snapshotSchedule.yearly.dayOfYearStringStarting day of the yearly snapshot.
RubrikPolaris.GPSSLADomain.snapshotSchedule.yearly.yearStartMonthStringStarting month of the yearly snapshot.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.awsRdsConfig.logRetention.durationNumberDuration of retentioning AWS Relational database logs.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.awsRdsConfig.logRetention.unitStringUnit of duration of retentioning AWS Relational database logs.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.sapHanaConfig.incrementalFrequency.durationNumberDuration of retentioning SAP HANA incremental backups.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.sapHanaConfig.incrementalFrequency.unitStringUnit of duration of retentioning SAP HANA incremental backups.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.sapHanaConfig.differentialFrequency.durationNumberDuration of retentioning SAP HANA differential backups.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.sapHanaConfig.differentialFrequency.unitStringUnit of duration of retentioning SAP HANA differential backups.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.sapHanaConfig.logRetention.durationNumberDuration of retensioning SAP HANA Database logs.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.sapHanaConfig.logRetention.unitStringUnit of duration of retentioning SAP HANA Database logs.
RubrikPolaris.GPSSLADomain.objectSpecificConfigs.vmwareVmConfig.logRetentionSecondsNumberSeconds of retentioning VMWare virtual machine logs.
RubrikPolaris.GPSSLADomain.objectTypesUnknownList of object types associated with this SLA Domain.

Command Example#

!rubrik-gps-sla-domain-list cluster_id=4d4a41d5-8910-4e4d-9dca-0798f5fc6d61 limit=2

Human Readable Output#

GPS SLA Domains#

SLA Domain IDSLA Domain NameBase FrequencyProtected Object CountArchival LocationDescriptionReplication Target 1Replication Target 2
00000000-0000-0000-0000-000000000002Bronzecd1 Days0AWS S3:bucket-1234Rubrik default Bronze level SLA Domain policysand2-rbk01sand2-rbk02
00000000-0000-0000-0000-000000000000Gold4 Hours0Rubrik default Gold level SLA Domain policysand2-rbk01

rubrik-sonar-csv-result-download#


Retrieve the download link for the requested Sonar CSV Snapshot file.

Base Command#

rubrik-sonar-csv-result-download

Input#

Argument NameDescriptionRequired
download_idThe ID of the download, requested using "rubrik-sonar-csv-download" command.

Note: Users can retrieve the list of downloads containing ID by executing the "rubrik-user-downloads-list" command.
Required

Context Output#

PathTypeDescription
RubrikPolaris.SonarCSVDownload.downloadIdStringThe download ID of the download request.
RubrikPolaris.SonarCSVDownload.getDownloadUrl.urlStringThe link of the file that needs to be downloaded.

Command Example#

!rubrik-sonar-csv-result-download download_id=65

Human Readable Output#

Sonar CSV Result#

Download URL
Download the CSV file to see the result.

rubrik-gps-vm-snapshot-create#


Triggers an on-demand snapshot of a system.

Note: To know about the status of the on-demand snapshot creation, use the "rubrik-gps-async-result" command.

Base Command#

rubrik-gps-vm-snapshot-create

Input#

Argument NameDescriptionRequired
object_idThe ID of the object whose snapshot is to be created.

Note: Users can get the list of object IDs by executing the "rubrik-polaris-vm-objects-list" command.
Required
sla_domain_idThe ID of the SLA domain retention policy to be applied on the object.

Note: Users can get the list of SLA Domain IDs by executing the "rubrik-gps-sla-domain-list" command.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSOndemandSnapshot.idStringID of the requested snapshot.
RubrikPolaris.GPSOndemandSnapshot.statusStringStatus of the requested snapshot.

Command Example#

!rubrik-gps-vm-snapshot-create object_id=ac0a6844-a2fc-52b0-bb71-6a55f43677be

Human Readable Output#

GPS VM Snapshot#

On-Demand Snapshot Request IDStatus
dummy_idQUEUED

rubrik-gps-snapshot-files-download#


Request to download the snapshot file from the backup.

Note: To know about the file information and which file can be downloaded, use the "rubrik-gps-snapshot-files-list" command. To know about the status of the downloadable files, use the "rubrik-gps-async-result" command.

Base Command#

rubrik-gps-snapshot-files-download

Input#

Argument NameDescriptionRequired
snapshot_idThe Snapshot ID of the file that needs to be downloaded.

Note: Users can retrieve the list of the snapshot IDs by executing the "rubrik-polaris-vm-object-snapshot-list" command.
Required
file_pathThe absolute path of the file to be downloaded. A list of files can be downloaded as a zip folder. Multiple file paths can be separated with comma(,).

Note: Users can retrieve the list of the files with absolute path by executing the "rubrik-gps-snapshot-files-list" command.

Format accepted: "/<directory name>/<sub directory name or file name>"

Example: "/C:/PerfLogs/Admin", "/C:/Windows/Microsoft.NET".
Required
object_typeThe type of object for which the file to be downloaded.

Possible values are: "WindowsFileset", "LinuxFileset", "VolumeGroup", "VmwareVm". Default is VmwareVm.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSSnapshotFileDownload.idStringThe ID of the download.
RubrikPolaris.GPSSnapshotFileDownload.statusStringStatus of the download.
RubrikPolaris.GPSSnapshotFileDownload.links.hrefStringLink of the download.
RubrikPolaris.GPSSnapshotFileDownload.links.relStringRelationship of the download.

Command Example#

!rubrik-gps-snapshot-files-download snapshot_id=3765b5b5-827b-5588-8c34-5cb737a28685 file_path="/.autorelabel"

Human Readable Output#

Snapshot File Request ID#

IDStatus
dummy_idQUEUED

rubrik-gps-vm-livemount#


Performs a live mount of a virtual machine snapshot.

Note: To know about the live mount status, use the "rubrik-gps-async-result" command.

Base Command#

rubrik-gps-vm-livemount

Input#

Argument NameDescriptionRequired
snappable_idThe snappable ID.Required
should_recover_tagsWhether to keep vSphere tags associated with the VM or not.

Possible values are: "True", "False". Default is True.
Optional
power_onWhether to power on the mount or not.

Possible values are: "True", "False". Default is True.
Optional
keep_mac_addressesWhether the mac addresses of network devices be removed or not.

Possible values are: "True", "False". Default is False.
Optional
remove_network_devicesWhether the network devices of the original VM be kept.

Possible values are: "True", "False". Default is False.
Optional
host_idThe ID of the Vsphere ESXi host on which the new VM will be mounted.

Note: Users can get the list of host IDs by executing the "rubrik-gps-vm-host-list" command.
Optional
cluster_idID of the compute cluster where the new VM will be mounted.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Optional
resource_pool_idID of the resource pool where the new VM will be mounted.Optional
snapshot_fidID of the snapshot to recover.Optional
vm_nameName given to the VM that runs the snapshot. If not provided the name will be "<Snapshot VM Name> <MM/DD of snapshot creation> <hh/mm of snapshot creation> <Num>".Optional
vnic_bindingsList of network bindings for vNIC of the VM.

e.g. [{"networkDeviceInfo":{"key":2000,"name":"Network adapter"},"backingNetworkInfo":{"moid":"db68871d-0fbf-5551-97de-4c234885766b","name":"Router"}}]
Optional
recovery_pointPoint in time to recover to, e.g.: "2023-03-04T05:06:07.890".Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSVMLiveMount.idStringID of the Live mount request.

Command Example#

!rubrik-gps-vm-livemount snapshot_id=d680b484-0084-5231-a05d-18e9cd5402fc vm_name=live-mount-demo

Human Readable Output#

GPS VM Livemount#

VM Live Mount Request ID
dummy_id

rubrik-gps-vm-host-list#


Retrieve the list of available Vsphere Hosts.

Base Command#

rubrik-gps-vm-host-list

Input#

Argument NameDescriptionRequired
nameThe name of the host to search for.Optional
cluster_idTo list hosts from the specific cluster.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Optional
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional
sort_bySpecify the field to use for sorting the response.

Note: Supported values are "ID" and "NAME" only. For any other values, the obtained result is sorted or not is not confirmed. Default is ID.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is ASC.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSVMHost.idStringID of the Vsphere host.
RubrikPolaris.GPSVMHost.nameStringName of the Vsphere host.
RubrikPolaris.GPSVMHost.physicalPath.fidStringID of a physical path of a node.
RubrikPolaris.GPSVMHost.physicalPath.nameStringName of a physical path of a node.
RubrikPolaris.GPSVMHost.physicalPath.objectTypeStringType of a physical path of a node, for example, VSphereComputeCluster, VSphereDatacenter etc.
RubrikPolaris.PageToken.GPSVMHost.next_page_tokenStringNext page token.
RubrikPolaris.PageToken.GPSVMHost.nameStringName of the command.
RubrikPolaris.PageToken.GPSVMHost.has_next_pageBooleanWhether the result has the next page or not.

Command Example#

!rubrik-gps-vm-host-list

Human Readable Output#

GPS VM Hosts#

VSphere Host IDNamePhysical Host
f57bfebf-c7c9-5310-a5fd-1f0aeea5ba25sjc-40302-sand1-esx02.rubrikdemo.com{'id': '72480b29-0eaa-57a9-8c5c-45b7e1c2c826', 'name': 'Sandbox-1 SJC Cluster', 'objectType': 'VSphereComputeCluster'},
{'id': '3f3a92de-c7f3-57f7-989f-3731db83aeab', 'name': 'Sandbox-1 Datacenter', 'objectType': 'VSphereDatacenter'},
{'id': '415859e2-fd22-53ea-8de1-041d99298fe3', 'name': 'sand1-vcsa.rubrikdemo.com', 'objectType': 'VSphereVCenter'}

rubrik-gps-vm-datastore-list#


Retrieve the list of the available datastores on a Vsphere Host.

Base Command#

rubrik-gps-vm-datastore-list

Input#

Argument NameDescriptionRequired
nameThe name of the datastore to search for.Optional
host_idThe ID of a Vsphere host whose datastores are to be listed.

Note: Users can get the list of host IDs by executing the "rubrik-gps-vm-host-list" command.
Required
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional
sort_bySpecify the field to use for sorting the response.

Note: Supported values are "ID" and "NAME" only. For any other values, the obtained result is sorted or not is not confirmed. Default is ID.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is ASC.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSVMHost.idStringID of the Vsphere host.
RubrikPolaris.GPSVMHost.Datastore.idStringID of the Vsphere datastore.
RubrikPolaris.GPSVMHost.Datastore.nameStringName of the Vsphere datastore.
RubrikPolaris.GPSVMHost.Datastore.capacityNumberDatastore capacity in bytes.
RubrikPolaris.GPSVMHost.Datastore.isLocalBooleanWhether the datastore is local or remote.
RubrikPolaris.GPSVMHost.Datastore.freeSpaceNumberFree space on the datastore in bytes.
RubrikPolaris.GPSVMHost.Datastore.datastoreTypeStringType of datastore, for example, "NFS", "VMFS" etc.
RubrikPolaris.PageToken.GPSVMHost.Datastore.next_page_tokenStringNext page token.
RubrikPolaris.PageToken.GPSVMHost.Datastore.nameStringName of the command.
RubrikPolaris.PageToken.GPSVMHost.Datastore.has_next_pageBooleanWhether the result has the next page or not.

Command Example#

!rubrik-gps-vm-datastore-list

Human Readable Output#

GPS VM Datastores#

VSphere Datastore IDNameCapacityFree SpaceDatastore Type
dummy_datastore_iddummy-repo0.53362190336 TB0.188318314496 TBNFS

rubrik-event-list#


Retrieve the list of events.

Base Command#

rubrik-event-list

Input#

Argument NameDescriptionRequired
activity_statusFilter the events based on the provided activity statuses. Supports comma separated values.

Possible values are: "UNKNOWN_EVENT_STATUS", "SUCCESS", "FAILURE", "INFO", "CANCELED", "RUNNING", "WARNING", "CANCELING", "TASK_SUCCESS", "QUEUED", "TASK_FAILURE", "PARTIAL_SUCCESS".
Optional
activity_typeFilter the events based on provided activity types. Supports comma separated values.

Possible values are: "UNKNOWN_EVENT_TYPE", "ARCHIVE", "AUTH_DOMAIN", "AWS_EVENT", "BACKUP", "CLASSIFICATION", "CLOUD_NATIVE_SOURCE", "CLOUD_NATIVE_VIRTUAL_MACHINE", "CLOUD_NATIVE_VM", "CONFIGURATION", "CONVERSION", "CONNECTION", "DIAGNOSTIC", "DISCOVERY", "DOWNLOAD", "FAILOVER", "FILESET", "HARDWARE", "HDFS", "HOST_EVENT", "HYPERV_SCVMM", "HYPERV_SERVER", "INDEX", "INSTANTIATE", "LEGAL_HOLD", "LOCAL_RECOVERY", "MAINTENANCE", "NUTANIX_CLUSTER", "RANSOMWARE_INVESTIGATION_ANALYSIS", "RECOVERY", "REPLICATION", "RESOURCE_OPERATIONS", "ANOMALY", "STORAGE", "STORAGE_ARRAY", "STORM_RESOURCE", "SUPPORT", "SYNC", "SYSTEM", "TEST_FAILOVER", "THREAT_HUNT", "TPR", "LOCK_SNAPSHOT", "UPGRADE", "VCENTER", "VCD", "VOLUME_GROUP", "EMBEDDED_EVENT", "ISOLATED_RECOVERY", "OWNERSHIP", "LOG_BACKUP", "K8S".
Optional
severityFilter the events based on provided severities. Supports comma separated values.

Possible values are: "SEVERITY_INFO", "SEVERITY_CRITICAL", "SEVERITY_WARNING".
Optional
object_nameFilter out events based on object name.

Note: Users can get the object names by executing the "rubrik-polaris-vm-objects-list" or "rubrik-polaris-object-search" command.
Optional
object_typeFilter the events based on provided object types. Supports comma separated values.

Possible values are: "UNKNOWN_EVENT_OBJECT_TYPE", "RUBRIK_SAAS_ACCOUNT", "APP_BLUEPRINT", "APP_FLOWS", "OBJECT_TYPE_AUTH_DOMAIN", "AWS_ACCOUNT", "AWS_EVENT_TYPE", "AZURE_NATIVE_SUBSCRIPTION", "AZURE_NATIVE_VM", "AZURE_NATIVE_DISK", "AZURE_SQL_DATABASE", "AZURE_SQL_MANAGED_INSTANCE", "AZURE_SQL_DATABASE_SERVER", "AZURE_SQL_MANAGED_INSTANCE_DATABASE", "CAPACITY_BUNDLE", "OBJECT_TYPE_CLOUD_NATIVE_VIRTUAL_MACHINE", "OBJECT_TYPE_CLOUD_NATIVE_VM", "CERTIFICATE", "CLUSTER", "COMPUTE_INSTANCE", "DATA_LOCATION", "DB2_DATABASE", "DB2_INSTANCE", "EC2_INSTANCE", "ENVOY", "FAILOVER_CLUSTER_APP", "EXOCOMPUTE", "EXCHANGE_DATABASE", "OBJECT_TYPE_HDFS", "HOST", "OBJECT_TYPE_HYPERV_SCVMM", "OBJECT_TYPE_HYPERV_SERVER", "HYPERV_VM", "JOB_INSTANCE", "LDAP", "LINUX_FILESET", "LINUX_HOST", "MANAGED_VOLUME", "MSSQL", "NAS_FILESET", "WEBHOOK", "NAS_HOST", "NAS_SYSTEM", "OBJECT_TYPE_NUTANIX_CLUSTER", "NUTANIX_VM", "O365_CALENDAR", "O365_MAILBOX", "O365_ONEDRIVE", "O365_SITE", "O365_SHARE_POINT_DRIVE", "O365_SHARE_POINT_LIST", "O365_TEAM", "O365_ORGANIZATION", "O365_GROUP", "OBJECT_PROTECTION", "ORACLE", "ORACLE_DB", "ORACLE_HOST", "ORACLE_RAC", "AWS_NATIVE_ACCOUNT", "AWS_NATIVE_EBS_VOLUME", "AWS_NATIVE_EC2_INSTANCE", "RUBRIK_SAAS_EBS_VOLUME", "RUBRIK_SAAS_EC2_INSTANCE", "PUBLIC_CLOUD_MACHINE_INSTANCE", "SAML_SSO", "SAP_HANA_DB", "SAP_HANA_SYSTEM", "SHARE_FILESET", "SLA_DOMAIN", "SMB_DOMAIN", "SNAP_MIRROR_CLOUD", "OBJECT_TYPE_STORAGE_ARRAY", "STORAGE_ARRAY_VOLUME_GROUP", "STORAGE_LOCATION", "STORM", "SUPPORT_BUNDLE", "USER", "OBJECT_TYPE_UPGRADE", "OBJECT_TYPE_VCD", "VCD_VAPP", "OBJECT_TYPE_VCENTER", "VMWARE_COMPUTE_CLUSTER", "VMWARE_VM", "OBJECT_TYPE_VOLUME_GROUP", "WINDOWS_FILESET", "WINDOWS_HOST", "GCP_NATIVE_PROJECT", "AWS_NATIVE_RDS_INSTANCE", "GCP_NATIVE_GCE_INSTANCE", "GCP_NATIVE_DISK", "KUPR_CLUSTER", "KUPR_NAMESPACE", "CASSANDRA_COLUMN_FAMILY", "CASSANDRA_KEYSPACE", "CASSANDRA_SOURCE", "MONGODB_COLLECTION", "MONGODB_DATABASE", "MONGODB_SOURCE", "CLOUD_DIRECT_NAS_EXPORT", "MONGO_COLLECTION", "MONGO_DATABASE", "MONGO_SOURCE", "CERTIFICATE_MANAGEMENT", "AWS_NATIVE_S3_BUCKET", "AZURE_STORAGE_ACCOUNT", "K8S_CLUSTER", "K8S_RESOURCE_SET", "AZURE_AD_TENANT".
Optional
cluster_idFilter the events based on provided cluster IDs. Supports comma separated values.

Note: Users can get the list of cluster IDs by executing the "rubrik-gps-cluster-list" command.
Optional
start_dateThe start date to fetch updated events from.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.
Optional
end_dateThe end date to fetch updated events until.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.
Optional
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional
sort_bySpecify the field to use for sorting the response.

Note: Possible values are: "LAST_UPDATED", "LOCATION", "OBJECT_TYPE", "CLUSTER_NAME", "OBJECT_NAME", "START_TIME", "ACTIVITY_TYPE", "SEVERITY", "ACTIVITY_STATUS". Default is LAST_UPDATED.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC","DESC". Default is DESC.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.Event.idNumberID of the event.
RubrikPolaris.Event.startTimeStringStart time of the event.
RubrikPolaris.Event.fidStringFID of the event.
RubrikPolaris.Event.activitySeriesIdStringActivity Series ID of the event.
RubrikPolaris.Event.lastUpdatedStringDate time when the event was last updated.
RubrikPolaris.Event.lastActivityTypeStringLast Activity Type of the event.
RubrikPolaris.Event.lastActivityStatusStringLast Activity Status of the event.
RubrikPolaris.Event.locationStringLocation of the event.
RubrikPolaris.Event.objectIdStringID of the object.
RubrikPolaris.Event.objectNameStringName of the object.
RubrikPolaris.Event.objectTypeStringType of the object.
RubrikPolaris.Event.severityStringSeverity of the event.
RubrikPolaris.Event.progressStringProgress of the event.
RubrikPolaris.Event.cluster.idStringThe ID of the cluster.
RubrikPolaris.Event.cluster.nameStringThe name of the cluster.
RubrikPolaris.Event.activityConnection.nodes.idStringID of the activity connection.
RubrikPolaris.Event.activityConnection.nodes.messageStringMessage of the activity connection.
RubrikPolaris.Event.activityConnection.nodes.severityStringSeverity of the activity connection.
RubrikPolaris.Event.activityConnection.nodes.timeStringDate time when the activity connection was last updated.
RubrikPolaris.PageToken.Event.next_page_tokenStringNext page token.
RubrikPolaris.PageToken.Event.nameStringName of the command.
RubrikPolaris.PageToken.Event.has_next_pageBooleanWhether the result has the next page or not.

Command Example#

!rubrik-event-list limit=1

Human Readable Output#

Events#

Event IDActivity Series IDCluster IDObject IDObject NameSeverityStart TimeLast UpdatedLast Activity TypeLast Activity Status
7739500422d17c0-737d-44df-98a0-a7fa9f714c0dcc19573c-db6c-418a-9d48-067a256543baFileset:::f2666679-5b94-4116-9cbf-6ab69e575522AllTheThingsInfo2021-10-25T12:15:36.911Z2021-10-25T12:16:10.212ZIndexSuccess

Note: To retrieve the next set of results use, "next_page_token" = xyz

rubrik-polaris-object-list#


Retrieve the list of Rubrik objects, based on the provided filters.

Base Command#

rubrik-polaris-object-list

Input#

Argument NameDescriptionRequired
type_filterFilter the objects based on the provided object types. Supports comma separated values.

Possible values are: "MONGODB_DATABASE", "FilesetTemplate", "VcdOrgVdc", "ShareFileset", "KuprNamespace", "O365Group", "AwsNativeEbsVolume", "OracleDatabase", "O365Mailbox", "MONGO_DB", "AzureNativeResourceGroup", "AZURE_SQL_MANAGED_INSTANCE_DB", "Db2Database", "HOST_FAILOVER_CLUSTER", "VolumeGroup", "AzureNativeVm", "VcdOrg", "Db2Instance", "PhysicalHost", "AwsNativeRdsInstance", "AzureSqlManagedInstanceServer", "O365Site", "VmwareVirtualMachine", "O365User", "ORACLE_DATA_GUARD_GROUP", "AwsNativeEc2Instance", "MssqlInstance", "NutanixVirtualMachine", "CASSANDRA_COLUMN_FAMILY", "MONGO_COLLECTION", "O365Org", "OracleHost", "NAS_FILESET", "SapHanaDatabase", "AllSubHierarchyType", "AWS_NATIVE_S3_BUCKET", "NasSystem", "O365Teams", "VSphereFolder", "VSphereResourcePool", "GcpNativeDisk", "AwsNativeAccount", "VSphereDatacenter", "AZURE_STORAGE_ACCOUNT", "VSphereComputeCluster", "HypervCluster", "CASSANDRA_SOURCE", "VSphereTag", "VcdVapp", "RubrikEbsVolume", "NasVolume", "NasNamespace", "Vcd", "VcdVimServer", "AZURE_SQL_DATABASE_DB", "VSPHERE_VIRTUAL_DISK", "MssqlDatabaseBatchMaintenance", "EXCHANGE_SERVER", "CLOUD_DIRECT_NAS_EXPORT", "VcdCatalog", "O365File", "HypervSCVMM", "Blueprint", "AzureSqlDatabaseServer", "FeldsparSite", "CloudNativeTagRule", "Mssql", "MONGO_SOURCE", "HostShare", "SnapMirrorCloud", "O365Calendar", "O365SharePointDrive", "VSphereNetwork", "Fileset", "SapHanaSystem", "O365Onedrive", "Hdfs", "Ec2Instance", "WindowsCluster", "GcpNativeProject", "MONGODB_COLLECTION", "MONGO_DATABASE", "VSphereDatastore", "AZURE_AD_TENANT", "HypervServer", "VSphereHost", "AppBlueprint", "MssqlAvailabilityGroup", "LinuxFileset", "MANAGED_VOLUME_EXPORT", "CASSANDRA_KEYSPACE", "HypervVirtualMachine", "GcpNativeGCEInstance", "StorageArrayVolumeGroup", "O365SharePointList", "ExchangeDatabase", "NutanixCluster", "AzureNativeManagedDisk", "AzureNativeSubscription", "VSPHERE_DATASTORE_CLUSTER", "ManagedVolume", "FAILOVER_CLUSTER_APP", "VSphereVCenter", "NasShare", "EXCHANGE_DAG", "KuprCluster", "OracleRac", "MONGODB_SOURCE", "ORCHESTRATED_APPLICATION_RECOVERY_BLUEPRINT", "VSphereTagCategory", "ORCHESTRATED_APPLICATION_RECOVERY_PLAN", "WindowsVolumeGroup", "RubrikEc2Instance", "WindowsFileset".
Required
cluster_idFilter the objects based on the provided cluster IDs. Supports comma separated values.

Note: Users can get the list of cluster IDs by executing the "rubrik-gps-cluster-list" command.
Optional
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional
sort_bySpecify the field to use for sorting the response.

Note: Supported values are "ID" and "NAME" only. For any other values, the obtained result is sorted or not is not confirmed. Default is ID.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is ASC.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.Object.idStringID of the object.
RubrikPolaris.Object.effectiveSlaDomain.nameStringName of the SLA domain of the object.
RubrikPolaris.Object.effectiveSlaDomain.idStringID of the SLA domain of the object.
RubrikPolaris.Object.effectiveSlaDomain.descriptionStringDescription of the SLA domain of the object.
RubrikPolaris.Object.effectiveSlaDomain.cluster.idStringCluster ID of effective SLA domain of the object.
RubrikPolaris.Object.effectiveSlaDomain.cluster.nameStringCluster name of effective SLA domain of the object.
RubrikPolaris.Object.effectiveSlaDomain.fidStringFID of effective SLA domain of the object.
RubrikPolaris.Object.isPassthroughBooleanWhether the object is passthrough or not.
RubrikPolaris.Object.cluster.idStringCluster ID of the object.
RubrikPolaris.Object.cluster.nameStringCluster name of the object.
RubrikPolaris.Object.primaryClusterLocation.idStringID of the primary cluster location of the object.
RubrikPolaris.Object.logicalPath.nameStringName of the logical path of the object.
RubrikPolaris.Object.logicalPath.objectTypeStringObject Type of the logical path of the object.
RubrikPolaris.Object.physicalPath.nameStringName of the physical path of the object.
RubrikPolaris.Object.physicalPath.objectTypeStringObject Type of the physical path of the object.
RubrikPolaris.Object.nameStringName of the object.
RubrikPolaris.Object.objectTypeStringType of the object.
RubrikPolaris.PageToken.Object.has_next_pageBooleanWhether the result has the next page or not.
RubrikPolaris.PageToken.Object.nameStringName of the command.
RubrikPolaris.PageToken.Object.next_page_tokenStringNext page token.

Command Example#

!rubrik-polaris-object-list limit=1

Human Readable Output#

Objects#

Object IDObject NameObject TypeLocationCluster NameSLA Domain Name
0014037c-70ae-4c53-b1cf-df6926b88968Christian LeCorreO365UserRubrik Demo\EMEA Users\AMER UsersxUNPROTECTED

Note: To retrieve the next set of results use, "next_page_token" = xyz

rubrik-polaris-object-snapshot-list#


Retrieve Rubrik snapshot(s) of an object, based on the provided object ID.

Base Command#

rubrik-polaris-object-snapshot-list

Input#

Argument NameDescriptionRequired
object_idThe object ID for which the snapshots are to be searched.

Note: Users can get the list of the object IDs by executing the "rubrik-polaris-object-list" command.
Required
start_dateThe start date to get snapshots from.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.

Note: start_date and end_date both or none must be initialized.
Optional
end_dateThe end date to get snapshots until.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.

Note: start_date and end_date both or none must be initialized.
Optional
limitNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 50.Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional
snapshot_typeList of snapshot types to filter snapshots. Supports comma separated values.

Possible values are: "SCHEDULED", "ON_DEMAND", "DOWNLOADED".
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "Asc", "Desc". Default is Asc.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.Object.idStringID of the object.
RubrikPolaris.Object.Snapshot.idStringID of the snapshot.
RubrikPolaris.Object.Snapshot.dateStringDate of the snapshot.
RubrikPolaris.Object.Snapshot.isArchivalCopyBooleanWhether the snapshot is an archival copy or not.
RubrikPolaris.Object.Snapshot.isReplicaBooleanWhether the snapshot is a replica or not.
RubrikPolaris.Object.Snapshot.isOnDemandSnapshotBooleanWhether the snapshot is on demand or not.
RubrikPolaris.Object.Snapshot.isDownloadedSnapshotBooleanWhether the snapshot is downloaded or not.
RubrikPolaris.Object.Snapshot.cluster.idStringCluster ID of the snapshot.
RubrikPolaris.Object.Snapshot.cluster.nameStringCluster name of the snapshot.
RubrikPolaris.Object.Snapshot.cluster.versionStringCluster version of the snapshot.
RubrikPolaris.Object.Snapshot.cluster.statusStringCluster status of the snapshot.
RubrikPolaris.Object.Snapshot.slaDomain.nameStringName of the SLA domain of the snapshot.
RubrikPolaris.Object.Snapshot.slaDomain.fidStringFID of the SLA domain of the snapshot.
RubrikPolaris.Object.Snapshot.slaDomain.cluster.idStringCluster ID of the SLA domain of the snapshot.
RubrikPolaris.Object.Snapshot.slaDomain.cluster.nameStringCluster name of the SLA domain of the snapshot.
RubrikPolaris.Object.Snapshot.slaDomain.idStringID of the SLA domain of the snapshot.
RubrikPolaris.Object.Snapshot.snapshotRetentionInfo.archivalInfos.nameStringArchival name of snapshot retention of the snapshot.
RubrikPolaris.Object.Snapshot.snapshotRetentionInfo.archivalInfos.isExpirationDateCalculatedStringWhether archival expiration date of snapshot retention of the snapshot is calculated or not.
RubrikPolaris.Object.Snapshot.snapshotRetentionInfo.archivalInfos.expirationTimeStringArchival expiration time of snapshot retention of the snapshot.
RubrikPolaris.Object.Snapshot.snapshotRetentionInfo.localInfo.nameStringName of snapshot retention of the snapshot.
RubrikPolaris.Object.Snapshot.snapshotRetentionInfo.localInfo.isExpirationDateCalculatedBooleanWhether the expiration date is calculated or not.
RubrikPolaris.Object.Snapshot.snapshotRetentionInfo.localInfo.expirationTimeStringExpiration time of snapshot retention of the snapshot.
RubrikPolaris.PageToken.Object.Snapshot.has_next_pageBooleanWhether the result has the next page or not.
RubrikPolaris.PageToken.Object.Snapshot.nameStringName of the command.
RubrikPolaris.PageToken.Object.Snapshot.next_page_tokenStringNext Page Token.

Command Example#

!rubrik-polaris-object-snapshot-list object_id=06515737-388a-57aa-9c8e-54b3f1ee5d8b limit=1

Human Readable Output#

Object Snapshots#

Snapshot IDCreation DateCluster NameSLA Domain Name
a7adc499-b896-5ad6-bfc2-0aae0ed994592021-10-28T19:35:52.000Zsand2-rbk0112hr-30d-AWS

Note: To retrieve the next set of results use, "next_page_token" = xyz

rubrik-radar-ioc-scan#


Triggers an IOC scan of a system.

Note: To know the results of the scan use the "rubrik-radar-ioc-scan-results" command and to list the running/completed IOC scans on a cluster use the "rubrik-radar-ioc-scan-list" command.

Base Command#

rubrik-radar-ioc-scan

Input#

Argument NameDescriptionRequired
cluster_idID of the cluster on which to perform a scan.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required
object_idObject ID of the system on which to perform the scan. Supports comma separated values.

Note: Users can get the list of object IDs by executing the "rubrik-polaris-vm-objects-list" command.
Required
scan_nameName of the scan. Default is PAXSOAR-1.1.0.Optional
ioc_typeThe type of the indicator to scan for.

Possible values are: "INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME", "INDICATOR_OF_COMPROMISE_TYPE_HASH", "INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE".

Note: To provide multiple IOCs use the argument "advance_ioc".
Optional
ioc_valueValue of the indicator to scan for.

Note: To provide multiple IOCs use the argument "advance_ioc".
Optional
advance_iocJson encoded Indicators Of Compromise to scan. Json keys signify the type of IOC and the corresponding list of values are the values of the IOC's. If provided, will ignore the ioc_type and ioc_value arguments.

Possible keys to indicate type of indicator:
INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME, INDICATOR_OF_COMPROMISE_TYPE_HASH, INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE

Format Accepted:
{
"<ioc_type1>": ["<ioc_value1>", "<ioc_value2>"],
"<ioc_type2>": "<ioc_value2>"
}

Example:
{
"INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME": ["C:\Users\Malware_Executible.ps1", "\bin\Malware_Executible"],
"INDICATOR_OF_COMPROMISE_TYPE_HASH": ["e5c1b9c44be582f895eaea3d3738c5b4", "f541b9844be897f895eaea3d3738cfb2"],
"INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE": "rule match_everything {condition:true}"
}.
Optional
start_dateFilter the snapshots from the provided date. Any snapshots taken before the provided date-time will be excluded.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.

Examples of more supported values can be found at https://dateparser.readthedocs.io/en/latest/#relative-dates.
Optional
end_dateFilter the snapshots until the provided date. Any snapshots taken after the provided date-time will be excluded.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.

Examples of more supported values can be found at https://dateparser.readthedocs.io/en/latest/#relative-dates.
Optional
max_snapshots_per_objectMaximum number of snapshots to scan per object.Optional
max_file_sizeMaximum size of the file in bytes that will be included in the scan. The maximum allowed size is 15000000 bytes. Default is 5000000.Optional
snapshot_idProvide comma separated snapshot IDs on which to perform a scan separated by colon for each object ID (in the same order). Supports comma separated values.

Format accepted:
object_1_snapshot_id_1, object_1_snapshot_id_2: object_2_snapshot_id_1

Example:
B405e8c0-1fcd-401c-a6f6-42f758aad6df, e179eb47-534b-4624-b155-f33d188902e2: 1e1681bf-4479-4339-a4bb-59901598caa5

Note: Users can retrieve the list of snapshot IDs by executing the "rubrik-polaris-vm-object-snapshot-list" command.

Note: Do not provide "snapshot_start_date", "snapshot_end_date" and, "max_snapshots_per_object" arguments if snapshot ID is provided.
Optional
paths_to_includePaths to include in the scan. Supports comma separated values.

Format accepted:
path_to_include_1, path_to_include_2.
Optional
paths_to_excludePaths to exclude from the scan. Supports comma separated values.

Format accepted:
path_to_exclude_1, path_to_exclude_2.
Optional
paths_to_exemptPaths to exempt from exclusion. Supports comma separated values.

Format accepted:
path_to_exempt_1, path_to_exempt_2.
Optional
requested_hash_typesThe type of hash values of the matched files to return in the result. Supports comma separated values.

Possible values are: "HASH_TYPE_M_D5", "HASH_TYPE_SH_A1", "HASH_TYPE_SH_A256".
Optional

Context Output#

PathTypeDescription
RubrikPolaris.RadarIOCScan.idStringID of the IOC scan.
RubrikPolaris.RadarIOCScan.statusStringStatus of the IOC scan trigger request.

Command Example#

!rubrik-radar-ioc-scan scan_name="Revil Ransomware Scan" ioc_type="INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME" ioc_value="revil.exe" cluster_id="052bf7af-93a3-44e9-a7d7-bc8dad4d6b43" object_id="868aa03d-4145-4cb1-808b-e10c4f7a3741"

Human Readable Output#

Radar IOC Scan#

Scan IDStatus
dummy-ioc-idRUNNING

rubrik-radar-ioc-scan-results#


Retrieves the results of IOC scan of a system.

Note: To initiate a scan use the "rubrik-radar-ioc-scan" command and to list the running/completed scans on a cluster use the "rubrik-radar-ioc-scan-list" command.

Base Command#

rubrik-radar-ioc-scan-results

Input#

Argument NameDescriptionRequired
scan_idID of the IOC scan whose results are to be retrieved.

Note: Users can get the scan ID by executing the "rubrik-radar-ioc-scan" command.
Required
cluster_idID of the cluster on which the scan was performed.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required

Context Output#

PathTypeDescription
RubrikPolaris.RadarIOCScan.idStringID of the IOC scan.
RubrikPolaris.RadarIOCScan.statusStringOverall status of the scan.
RubrikPolaris.RadarIOCScan.indicatorsOfCompromise.iocTypeStringType of IOC that was scanned.
RubrikPolaris.RadarIOCScan.indicatorsOfCompromise.iocValueStringValue of the IOC that was scanned.
RubrikPolaris.RadarIOCScan.results.objectIdStringID of the system that was scanned.
RubrikPolaris.RadarIOCScan.results.snapshotResults.statusStringStatus of the scan on the snapshot. Values: MALWARE_SCAN_IN_SNAPSHOT_STATUS_PENDING, MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHED, MALWARE_SCAN_IN_SNAPSHOT_STATUS_ERROR.
RubrikPolaris.RadarIOCScan.results.snapshotResults.snapshotDateStringThe date-time at which the snapshot was taken.
RubrikPolaris.RadarIOCScan.results.snapshotResults.snapshotIdStringID of the snapshot that was scanned.
RubrikPolaris.RadarIOCScan.results.snapshotResults.scanStats.numFilesNumberNumber of files encountered during scan.
RubrikPolaris.RadarIOCScan.results.snapshotResults.scanStats.numFilesScannedNumberNumber of files that were scanned on that snapshot.
RubrikPolaris.RadarIOCScan.results.snapshotResults.scanStats.totalFilesScannedSizeBytesNumberThe total file size of the files scanned.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.indicatorIndexNumberIndex of indicator in inputs for the scan.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.aclDetailsStringJSON encoded file access control list (ACL) information.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.creationTimeStringFile creation date-time.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.modificationTimeStringFile modification date-time.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.pathStringFile path that matched the malware Indicator Of Compromise.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.yaraMatchDetails.nameStringThe name of the matching YARA rule.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.yaraMatchDetails.tagsUnknownOptional YARA tags. Described in https://yara.readthedocs.io/en/latest/writingrules.html\#rule-tags.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.requestedHashDetails.hashTypeStringHash algorithm type.
RubrikPolaris.RadarIOCScan.results.snapshotResults.matches.paths.requestedHashDetails.hashValueStringHash value of the content at path.

Command Example#

!rubrik-radar-ioc-scan-results scan_id="bf687fcf-84d7-47f6-8bd1-54e8cf439680" cluster_id="052bf7af-93a3-44e9-a7d7-bc8dad4d6b43"

Human Readable Output#

Radar IOC Scan Results#

Scan ID: bf687fcf-84d7-47f6-8bd1-54e8cf439680 Status: FINISHED

Snapshot IDSnapshot DateObject IDSnapshot Scan StatusScan StatisticsMatches
b7d6b871-796e-4e7c-99cf-328007c9d5c12021-10-29T07:03:30.669ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-81407MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHEDNumber of Files: 142630, Number of Files Scanned: 0, Total Files Scanned In Bytes: 01
3779a895-94bf-437e-b63a-61e73e2159012021-10-28T07:00:09.297ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-81407MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHEDNumber of Files: 142630, Number of Files Scanned: 0, Total Files Scanned In Bytes: 01
a871683f-f4fa-475f-806c-58f06e6782dc2021-10-26T07:04:07.139ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-81407MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHEDNumber of Files: 142630, Number of Files Scanned: 0, Total Files Scanned In Bytes: 01
129f22f4-0359-4e7d-aa53-9edf4e33cff12021-10-29T12:01:43.383ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-72277MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHEDNumber of Files: 142138, Number of Files Scanned: 0, Total Files Scanned In Bytes: 01
b9264942-c71c-4b91-b9a7-74a7ba0f61662021-10-29T08:01:39.388ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-72277MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHEDNumber of Files: 142138, Number of Files Scanned: 0, Total Files Scanned In Bytes: 01
9f12b533-b740-4fb9-af94-4411b0aee01d2021-10-29T00:01:04.357ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-72277MALWARE_SCAN_IN_SNAPSHOT_STATUS_FINISHEDNumber of Files: 142139, Number of Files Scanned: 0, Total Files Scanned In Bytes: 01

rubrik-gps-async-result#


Retrieve the result of an asynchronous request. This command will retrieve the result of requests made by commands "rubrik-gps-snapshot-files-download", "rubrik-gps-vm-livemount", "rubrik-gps-vm-export", "rubrik-gps-vm-snapshot-create", and "rubrik-gps-vm-recover-files".

Base Command#

rubrik-gps-async-result

Input#

Argument NameDescriptionRequired
request_idID of the request.

Note: Users can get the request ID by executing any of the commands that make a request. Possible commands are mentioned in the command description.
Required
cluster_idID of the cluster on which request was made.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required
cluster_ip_addressIP address of the cluster node to access the download link. Only required to retrieve the results of the command "rubrik-gps-snapshot-files-download".

Note: Users can retrieve the list of the IP addresses by executing the "rubrik-gps-cluster-list" command.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSAsyncResult.idStringThe ID of the request.
RubrikPolaris.GPSAsyncResult.statusStringStatus of the request.
RubrikPolaris.GPSAsyncResult.nodeIdStringID of the node.
RubrikPolaris.GPSAsyncResult.progressNumberProgress of the request in range 0 to 100.
RubrikPolaris.GPSAsyncResult.error.messageStringJSON stringified message object when an error occurs.
RubrikPolaris.GPSAsyncResult.links.hrefStringLink to a resource.
RubrikPolaris.GPSAsyncResult.links.relStringType of the resource pointed by the link.

Command Example#

!rubrik-gps-async-result request_id="EXPORT_VMWARE_SNAPSHOT_6e101218-141f-4101-b334-3c1bf440bfee_466b7d74-0d13-4e54-9a57-2ea4d7b00a0c:::0" cluster_id="052bf7af-93a3-44e9-a7d7-bc8dad4d6b43"

Human Readable Output#

GPS Asynchronous Request Result#

IDStatusNode IDLinks
dummy_idFAILEDcluster:::RVMHM219S004941self

rubrik-gps-cluster-list#


Retrieve the list of the available rubrik clusters.

Base Command#

rubrik-gps-cluster-list

Input#

Argument NameDescriptionRequired
typeFilter out clusters based on their type. Supports comma separated values.

Possible values are: "Cloud", "Robo", "ExoCompute", "OnPrem", "Polaris", "Unknown".
Optional
nameFilter out clusters based on name. Supports comma separated values.Optional
sort_bySpecify the field to use for sorting the response.

Possible values are: "ClusterName", "ClusterType", "RegisteredAt", "ESTIMATED_RUNWAY". Default is ClusterName.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "Asc", "Desc". Default is Asc.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSCluster.idStringID of the cluster.
RubrikPolaris.GPSCluster.nameStringName of the cluster.
RubrikPolaris.GPSCluster.typeStringType of the cluster. Values are Cloud, Robo, ExoCompute, OnPrem, Unknown, Polaris.
RubrikPolaris.GPSCluster.statusStringStatus of the cluster. Values are Connected, Disconnected, Initializing.
RubrikPolaris.GPSCluster.versionStringVersion of the cluster.
RubrikPolaris.GPSCluster.defaultAddressStringDefault address assigned to the cluster.
RubrikPolaris.GPSCluster.cdmUpgradeInfo.clusterStatus.messageStringMessage about the cluster upgrade/current condition.
RubrikPolaris.GPSCluster.cdmUpgradeInfo.clusterStatus.statusStringUpgrade/current status of the cluster. It provides information like -- upgrading, upgrade scheduled, stable, downloading packages, pre-checks running and many more.
RubrikPolaris.GPSCluster.cdmUpgradeInfo.overallProgressNumberProgress (in percentage) of an upgrade, if running.
RubrikPolaris.GPSCluster.cdmUpgradeInfo.scheduleUpgradeAtStringShows the date-time of a scheduled upgrade.
RubrikPolaris.GPSCluster.cdmUpgradeInfo.downloadedVersionStringThe version that was downloaded but not yet installed.
RubrikPolaris.GPSCluster.cdmUpgradeInfo.versionStringThe current version of the cluster.
RubrikPolaris.GPSCluster.productTypeStringThe product type. Values are CDM, DATOS, POLARIS.
RubrikPolaris.GPSCluster.estimatedRunwayNumberEstimated number of days remaining before additional data storage space is required on the cluster.
RubrikPolaris.GPSCluster.snapshotCountNumberThe total number of snapshots that are taken of different objects in the cluster.
RubrikPolaris.GPSCluster.geoLocation.addressStringGeological address of the cluster.
RubrikPolaris.GPSCluster.lastConnectionTimeStringTime when the cluster was last polled.
RubrikPolaris.GPSCluster.metric.totalCapacityNumberTotal storage capacity of the cluster in Bytes.
RubrikPolaris.GPSCluster.metric.availableCapacityNumberAvailable storage capacity of the cluster in Bytes.
RubrikPolaris.GPSCluster.snappableConnection.countNumberThe number of objects in the cluster whose snapshots can be taken.
RubrikPolaris.GPSCluster.state.connectedStateStringStatus of the cluster. Values are Connected, Disconnected, Initializing.
RubrikPolaris.GPSCluster.state.clusterRemovalStateStringState of the cluster when it is being removed from the platform. Values are DATA_DELETING, WAITING_FOR_DATA_DELETION, UNREGISTERED, FAILED, DISCONNECTING, REGISTERED.
RubrikPolaris.GPSCluster.clusterNodeConnection.nodes.idStringID of a node in a cluster.
RubrikPolaris.GPSCluster.clusterNodeConnection.nodes.statusStringStatus of a node in a cluster.
RubrikPolaris.GPSCluster.clusterNodeConnection.nodes.ipAddressStringIP Address of a node in a cluster.
RubrikPolaris.GPSCluster.passesConnectivityCheckBooleanWhether the cluster passes the connectivity check.
RubrikPolaris.GPSCluster.globalManagerConnectivityStatus.urls.urlStringURL of a global manager of the cluster.
RubrikPolaris.GPSCluster.globalManagerConnectivityStatus.urls.isReachableBooleanWhether the global manager is reachable.
RubrikPolaris.GPSCluster.connectivityLastUpdatedStringThe date-time of when the cluster was last polled for connectivity.
RubrikPolaris.GPSCluster.lambdaFeatureHistory.wasRadarEverEnabledBooleanWhether Polaris Radar was ever enabled on the cluster.
RubrikPolaris.GPSCluster.lambdaFeatureHistory.wasSonarEverEnabledBooleanWhether Polaris Sonar was ever enabled on the cluster.

Command Example#

!rubrik-gps-cluster-list name="sand1"

Human Readable Output#

GPS Clusters#

Cluster IDCluster NameConnection StatusCluster LocationTotal CapacityFree SpaceProtected ObjectsCluster VersionIP Address
cc19573c-db6c-418a-9d48-067a256543basand1-rbk01ConnectedSan Francisco, CA, USA52.605821063168 TB45.484602130432 TB2057.0.0-EA1-14307X.X.X.X, X.X.X.X

rubrik-radar-ioc-scan-list#


Lists the running/completed IOC scans on a cluster.

Note: To know the results of the scan use the "rubrik-radar-ioc-scan-results" command. To initiate a scan use the "rubrik-radar-ioc-scan" command.

Base Command#

rubrik-radar-ioc-scan-list

Input#

Argument NameDescriptionRequired
cluster_idID of the cluster whose IOC scans are to be listed.

Note: Users can retrieve the list of the cluster IDs by executing the "rubrik-gps-cluster-list" command.
Required

Context Output#

PathTypeDescription
RubrikPolaris.RadarIOCScan.idStringID of the IOC scan.
RubrikPolaris.RadarIOCScan.startTimeStringStart time of the scan.
RubrikPolaris.RadarIOCScan.endTimeStringEnd time of the scan.
RubrikPolaris.RadarIOCScan.snapshots.idStringObject ID of the system.
RubrikPolaris.RadarIOCScan.snapshots.snapshotsUnknownList of snapshot IDs that are included in the scan.

Command Example#

!rubrik-radar-ioc-scan-list cluster_id="052bf7af-93a3-44e9-a7d7-bc8dad4d6b43"

Human Readable Output#

Radar IOC Scans#

Scan IDStart TimeEnd TimeScanned Objects
fcac511b-20b4-472d-9b65-9198cff8cd492021-10-12T04:52:08.777ZNot FinishedVirtualMachine:::90da5ffb-432f-4dac-8c73-39260ff5493e-vm-5952003d-f95c-4ae0-bf9b-b5a80b210935
ad435ff1-617b-468a-b5d3-736fa0e278b02021-10-28T06:05:53.059Z2021-10-28T07:16:16.715ZVirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-72277, VirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-72279

rubrik-gps-vm-recover-files#


Recovers files from a snapshot backup, back into a system.

Note: To know about the recovery status, use the "rubrik-gps-async-result" command.

Base Command#

rubrik-gps-vm-recover-files

Input#

Argument NameDescriptionRequired
cluster_idID of the cluster where the snapshot resides.

Note: Users can get the cluster ID by executing the "rubrik-gps-cluster-list" command.
Required
snapshot_idID of the snapshot from which to recover files.

Note: Users can get the snapshot ID by executing the "rubrik-polaris-vm-object-snapshot-list" command.
Required
paths_to_recoverComma separated paths of files and directories that will be recovered from the snapshot.

Note: Users can get the list of paths in a snapshot by executing the "rubrik-gps-snapshot-files-list" command.
Required
restore_pathPath on the destination object on which recovery will be done.Required
destination_object_idID of the object where the files will be restored into. If not provided, Rubrik will use the snapshots object.

Note: Users can get the object ID by executing the "rubrik-polaris-vm-objects-list" command.
Optional

Context Output#

PathTypeDescription
RubrikPolaris.GPSVMRecoverFiles.idStringRecover files request ID.

Command Example#

!rubrik-gps-vm-recover-files cluster_id="052bf7af-93a3-44e9-a7d7-bc8dad4d6b43" snapshot_id="e2a0ffa8-82a3-518b-8532-0608a0e7380f" path_to_recover="/bin,/boot" restore_path="/tmp/backup1"

Human Readable Output#

GPS VM Recover Files#

Recover Files Request ID
dummy_id

rubrik-sonar-user-access-list#


Retrieve the user access information.

Base Command#

rubrik-sonar-user-access-list

Input#

Argument NameDescriptionRequired
user_nameThe name of the user to search for.Optional
user_emailThe email or the UPN of the user to search for.Optional
search_time_periodSpecify the search time period to look for user access.

Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ.

For example: 01 May 2023, 01 Mar 2023 04:45:33, 2023-04-17T14:05:44Z. Default is 7 days.
Optional
risk_levelsThe comma-separated list of risk levels.

Supported values are: UNKNOWN_RISK, HIGH_RISK, MEDIUM_RISK, LOW_RISK, NO_RISK.

Note: For any other values, whether the obtained result is filtered or not, is not confirmed.
Optional
group_idSpecify the group ID to filter with.Optional
include_whitelisted_resultsThe boolean indicates to include the whitelisted results.

Possible values are: "True", "False". Default is False.
Optional
principal_summary_categorySpecify the principal summary category to filter with.

Supported values are: PRINCIPAL_SUMMARY_CATEGORY_UNSPECIFIED, USERS_WITH_SENSITIVE_ACCESS, NEW_USERS_WITH_SENSITIVE_ACCESS, USERS_WITH_RISK_LEVEL_INCREASE. Default is USERS_WITH_SENSITIVE_ACCESS.

Note: For any other values, whether the obtained result is filtered or not, is not confirmed.
Optional
limitNumber of results to retrieve in the response. The maximum allowed size is 1000. Default is 50.Optional
page_numberSpecify the page number to get the particular page of results in the response. Default is 1.

Note: This argument is only applicable when provided with the "user_email" argument.
Optional
sort_bySpecify the field to use for sorting the response.

Supported values are: RISK_LEVEL, RISK_SENSITIVE_FILES, RISK_SENSITIVE_HITS, TOTAL_SENSITIVE_HITS, TOTAL_SENSITIVE_FILES, SID, TOTAL_SENSITIVE_OBJECTS. Default is RISK_LEVEL.

Note: For any other values, whether the obtained result is filtered or not, is not confirmed.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is DESC.
Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional

Context Output#

PathTypeDescription
RubrikPolaris.UserAccess.principalIdStringThe ID of the user.
RubrikPolaris.UserAccess.fullNameStringThe full name of the user.
RubrikPolaris.UserAccess.upnStringThe user principal name.
RubrikPolaris.UserAccess.riskLevelStringThe risk level of the user.
RubrikPolaris.UserAccess.sensitiveFiles.highRiskFileCount.totalCountNumberThe total number of high-risk files.
RubrikPolaris.UserAccess.sensitiveFiles.highRiskFileCount.violatedCountNumberThe number of high-risk files that violate policies.
RubrikPolaris.UserAccess.sensitiveFiles.highRiskFileCount.__typenameStringThe high-risk file count field type.
RubrikPolaris.UserAccess.sensitiveFiles.mediumRiskFileCount.totalCountNumberTotal number of medium-risk files.
RubrikPolaris.UserAccess.sensitiveFiles.mediumRiskFileCount.violatedCountNumberThe number of medium-risk files that violate policies.
RubrikPolaris.UserAccess.sensitiveFiles.mediumRiskFileCount.__typenameStringThe type of the medium risk file count field.
RubrikPolaris.UserAccess.sensitiveFiles.lowRiskFileCount.totalCountNumberThe total number of low-risk files.
RubrikPolaris.UserAccess.sensitiveFiles.lowRiskFileCount.violatedCountNumberThe number of low-risk files that violate policies.
RubrikPolaris.UserAccess.sensitiveFiles.lowRiskFileCount.__typenameStringThe type of the low-risk file count field.
RubrikPolaris.UserAccess.sensitiveFiles.__typenameStringThe type of the sensitive files field.
RubrikPolaris.UserAccess.totalSensitiveHits.totalHitsNumberThe total number of sensitive hits.
RubrikPolaris.UserAccess.totalSensitiveHits.violatedHitsNumberThe number of sensitive hits that violate policies.
RubrikPolaris.UserAccess.totalSensitiveHits.__typenameStringThe type of the total sensitive hits field.
RubrikPolaris.UserAccess.sensitiveObjectCount.totalCountNumberThe total number of sensitive objects.
RubrikPolaris.UserAccess.sensitiveObjectCount.violatedCountNumberThe Number of sensitive objects that violate policies.
RubrikPolaris.UserAccess.sensitiveObjectCount.__typenameStringThe type of the sensitive object count field.
RubrikPolaris.UserAccess.numDescendantsNumberThe number of descendant users associated with this user.
RubrikPolaris.UserAccess.domainNameStringThe domain name associated with this user.
RubrikPolaris.UserAccess.__typenameStringThe type of the User Access field.
RubrikPolaris.PageToken.UserAccess.nameStringName of the command.
RubrikPolaris.PageToken.UserAccess.startCursorStringThe start cursor for the current page.
RubrikPolaris.PageToken.UserAccess.endCursorStringThe end cursor for the current page.
RubrikPolaris.PageToken.UserAccess.hasNextPageBooleanWhether the result has the next page or not.
RubrikPolaris.PageToken.UserAccess.hasPreviousPageBooleanWhether the result has the previous page or not.
RubrikPolaris.PageToken.UserAccess.next_upn_page_numberStringThe next UPN page number.
RubrikPolaris.PageToken.UserAccess.has_next_upn_pageBooleanWhether the result has the next UPN page or not.

Command example#

!rubrik-sonar-user-access-list user_name="Demo Rubrik" user_email="demo@rubrik.com" limit="1"

Context Example#

{
"RubrikPolaris": {
"PageToken": {
"UserAccess": {
"endCursor": "cursor_1",
"hasNextPage": false,
"hasPreviousPage": false,
"has_next_upn_page": false,
"name": "rubrik-sonar-user-access-list",
"next_upn_page_number": 1,
"startCursor": "cursor_1"
}
},
"UserAccess": {
"__typename": "PrincipalSummary",
"domainName": "rubrik.com",
"fullName": "Demo Rubrik",
"numDescendants": 0,
"principalId": "S-1-0-01-0000000000-0000000000-000000000-0001",
"riskLevel": "HIGH_RISK",
"sensitiveFiles": {
"__typename": "SensitiveFiles",
"highRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 124
},
"lowRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
},
"mediumRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
}
},
"sensitiveObjectCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 1
},
"totalSensitiveHits": {
"__typename": "SummaryHits",
"totalHits": 0,
"violatedHits": 86972
},
"upn": "demo@rubrik.com"
}
}
}

Human Readable Output#

User Access (Showing Records 1-1 out of 1)#

User IDUser Full NameUser Principal NameRisk LevelTotal Sensitive ObjectsTotal Sensitive FilesTotal Sensitive Hits
S-1-0-01-0000000000-0000000000-000000000-0001Demo Rubrikdemo@rubrik.comHIGH_RISK112486972

Note: To retrieve the next set of results, use next_page_token = "cursor_2".
If next_page_token is provided, then it will reset the record numbers. For the initial use of next_page_token, please avoid specifying the page_number.

rubrik-sonar-user-access-get#


Retrieve the user access information based on the provided user ID.

Base Command#

rubrik-sonar-user-access-get

Input#

Argument NameDescriptionRequired
user_idSpecify the user_id to retrieve the user access information.

Note: Users can get the list of the user IDs by executing the "rubrik-sonar-user-access-list" command.
Required
search_time_periodSpecify the search time period to look for user access. Default is 7 days.

Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ.

For example: 01 May 2023, 01 Mar 2023 04:45:33, 2023-04-17T14:05:44Z.
Optional
historical_delta_daysSpecify the number of days in the past to collect delta for the sensitive hits. Default is 7.Optional
include_whitelisted_resultsThe boolean indicates to include the whitelisted results. Default is False.

Possible values are: "True", "False".
Optional

Context Output#

PathTypeDescription
RubrikPolaris.UserAccess.principalIdStringThe ID of the user.
RubrikPolaris.UserAccess.fullNameStringThe full name of the user.
RubrikPolaris.UserAccess.upnStringThe user principal name.
RubrikPolaris.UserAccess.riskLevelStringThe risk level of the user.
RubrikPolaris.UserAccess.policy_hits_summary.__typenameStringThe type of object representing the policy hits summary.
RubrikPolaris.UserAccess.policy_hits_summary.policyIdStringThe unique identifier of the policy associated with the hits summary.
RubrikPolaris.UserAccess.policy_hits_summary.policyNameStringThe human-readable name of the policy associated with the hits summary.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.__typenameStringThe type of object representing the analyzer hits for a specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.highRiskHits.__typenameStringThe type of object representing high-risk hits for the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.highRiskHits.totalHitsNumberThe total number of high-risk hits detected by the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.highRiskHits.violatedHitsNumberThe number of high-risk hits that violated security policies.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.lowRiskHits.__typenameStringThe type of object representing low-risk hits for the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.lowRiskHits.totalHitsNumberThe total number of low-risk hits detected by the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.lowRiskHits.violatedHitsNumberThe number of low-risk hits that violated security policies.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.mediumRiskHits.__typenameStringThe type of object representing medium-risk hits for the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.mediumRiskHits.totalHitsNumberThe total number of medium-risk hits detected by the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.mediumRiskHits.violatedHitsNumberThe number of medium-risk hits that violated security policies.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.totalHits.__typenameStringThe type of object representing the total number of hits for the analyzer.
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.totalHits.totalHitsNumberThe total number of hits detected by the analyzer (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidAnalyzerHits.totalHits.violatedHitsNumberThe number of hits detected by the analyzer that violated security policies (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.__typenameStringThe type of object representing the difference in analyzer hits between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.highRiskHits.__typenameStringThe type of object representing the difference in high-risk hits for the analyzer between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.highRiskHits.totalHitsNumberThe difference in the total number of high-risk hits detected by the analyzer between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.highRiskHits.violatedHitsNumberThe difference in the number of high-risk hits that violated security policies between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.lowRiskHits.__typenameStringThe type of object representing the difference in low-risk hits for the analyzer between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.lowRiskHits.totalHitsNumberThe difference in the total number of low-risk hits detected by the analyzer between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.lowRiskHits.violatedHitsNumberThe difference in the number of low-risk hits that violated security policies between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.mediumRiskHits.__typenameStringThe type of object representing the difference in medium-risk hits for the analyzer between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.mediumRiskHits.totalHitsNumberThe difference in the total number of medium-risk hits detected by the analyzer between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.mediumRiskHits.violatedHitsNumberThe difference in the number of medium-risk hits that violated security policies between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.totalHits.__typenameStringThe type of object representing the total difference in hits for the analyzer between the current and previous periods (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.totalHits.totalHitsNumberThe total difference in the number of hits detected by the analyzer between the current and previous periods (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaAnalyzerHits.totalHits.violatedHitsNumberThe difference in the number of hits detected by the analyzer that violated security policies between the current and previous periods (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.__typenameStringThe type of object representing the difference in risk hits between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.highRiskHits.__typenameStringThe type of object representing the difference in high-risk hits between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.highRiskHits.totalHitsNumberThe difference in the total number of high-risk hits detected between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.highRiskHits.violatedHitsNumberThe difference in the number of high-risk hits that violated security policies between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.lowRiskHits.__typenameStringThe type of object representing the difference in low-risk hits between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.lowRiskHits.totalHitsNumberThe difference in the total number of low-risk hits detected between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.lowRiskHits.violatedHitsNumberThe difference in the number of low-risk hits that violated security policies between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.mediumRiskHits.__typenameStringThe type of object representing the difference in medium-risk hits between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.mediumRiskHits.totalHitsNumberThe difference in the total number of medium-risk hits detected between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.mediumRiskHits.violatedHitsNumberThe difference in the number of medium-risk hits that violated security policies between the current and previous periods.
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.totalHits.__typenameStringThe type of object representing the total difference in risk hits between the current and previous periods (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.totalHits.totalHitsNumberThe total difference in the number of risk hits detected between the current and previous periods (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidDeltaRiskHits.totalHits.violatedHitsNumberThe difference in the number of risk hits detected that violated security policies between the current and previous periods (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.__typenameStringThe type of object representing the risk hits for a specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.highRiskHits.__typenameStringThe type of object representing high-risk hits for the risk engine.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.highRiskHits.totalHitsNumberThe total number of high-risk hits detected by the risk engine for the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.highRiskHits.violatedHitsNumberThe number of high-risk hits that violated security policies for the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.lowRiskHits.__typenameStringThe type of object representing low-risk hits for the risk engine.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.lowRiskHits.totalHitsNumberThe total number of low-risk hits detected by the risk engine for the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.lowRiskHits.violatedHitsNumberThe number of low-risk hits that violated security policies for the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.mediumRiskHits.__typenameStringThe type of object representing medium-risk hits for the risk engine.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.mediumRiskHits.totalHitsNumberThe total number of medium-risk hits detected by the risk engine for the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.mediumRiskHits.violatedHitsNumberThe number of medium-risk hits that violated security policies for the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.totalHits.__typenameStringThe type of object representing the total number of risk hits for the specific SID (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.totalHits.totalHitsNumberThe total number of risk hits detected by the risk engine for the specific SID (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidRiskHits.totalHits.violatedHitsNumberThe number of risk hits detected by the risk engine that violated security policies for the specific SID (all risk levels combined).
RubrikPolaris.UserAccess.policy_hits_summary.sidSensitiveFiles.__typenameStringThe type of object representing the sensitive files associated with the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidSensitiveFiles.totalFileCount.__typenameStringThe type of object representing the total number of sensitive files associated with the specific SID.
RubrikPolaris.UserAccess.policy_hits_summary.sidSensitiveFiles.totalFileCount.totalCountNumberThe total number of sensitive files associated with the specific SID, including both compliant and non-compliant files.
RubrikPolaris.UserAccess.policy_hits_summary.sidSensitiveFiles.totalFileCount.violatedCountNumberThe number of sensitive files associated with the specific SID that violate security policies.
RubrikPolaris.UserAccess.riskReasons.accessRiskReasonsUnknownThe reasons why the user's access is considered risky.
RubrikPolaris.UserAccess.riskReasons.insecureReasonsUnknownThe reasons why the user's access is considered insecure.
RubrikPolaris.UserAccess.riskReasons.__typenameStringThe type of the risk reasons field.
RubrikPolaris.UserAccess.sensitiveFiles.highRiskFileCount.totalCountNumberThe total number of high-risk files.
RubrikPolaris.UserAccess.sensitiveFiles.highRiskFileCount.violatedCountNumberThe number of high-risk files that violate policies.
RubrikPolaris.UserAccess.sensitiveFiles.highRiskFileCount.__typenameStringThe high-risk file count field type.
RubrikPolaris.UserAccess.sensitiveFiles.mediumRiskFileCount.totalCountNumberTotal number of medium-risk files.
RubrikPolaris.UserAccess.sensitiveFiles.mediumRiskFileCount.violatedCountNumberThe number of medium-risk files that violate policies.
RubrikPolaris.UserAccess.sensitiveFiles.mediumRiskFileCount.__typenameStringThe type of the medium risk file count field.
RubrikPolaris.UserAccess.sensitiveFiles.lowRiskFileCount.totalCountNumberThe total number of low-risk files.
RubrikPolaris.UserAccess.sensitiveFiles.lowRiskFileCount.violatedCountNumberThe number of low-risk files that violate policies.
RubrikPolaris.UserAccess.sensitiveFiles.lowRiskFileCount.__typenameStringThe type of the low-risk file count field.
RubrikPolaris.UserAccess.sensitiveFiles.__typenameStringThe type of the sensitive files field.
RubrikPolaris.UserAccess.totalSensitiveHits.totalHitsNumberThe total number of sensitive hits.
RubrikPolaris.UserAccess.totalSensitiveHits.violatedHitsNumberThe number of sensitive hits that violate policies.
RubrikPolaris.UserAccess.totalSensitiveHits.__typenameStringThe type of the total sensitive hits field.
RubrikPolaris.UserAccess.sensitiveObjectCount.totalCountNumberThe total number of sensitive objects.
RubrikPolaris.UserAccess.sensitiveObjectCount.violatedCountNumberThe Number of sensitive objects that violate policies.
RubrikPolaris.UserAccess.sensitiveObjectCount.__typenameStringThe type of the sensitive object count field.
RubrikPolaris.UserAccess.numDescendantsNumberThe number of descendant users associated with this user.
RubrikPolaris.UserAccess.domainNameStringThe domain name associated with this user.
RubrikPolaris.UserAccess.directGroups.nameStringThe name of the direct group.
RubrikPolaris.UserAccess.directGroups.sidStringThe security identifier (SID) of the direct group.
RubrikPolaris.UserAccess.directGroups.__typenameStringThe type of the direct groups field.
RubrikPolaris.UserAccess.__typenameStringThe type of the User Access field.

Command example#

!rubrik-sonar-user-access-get user_id="S-1-0-01-0000000000-0000000000-000000000-0001"

Context Example#

{
"RubrikPolaris": {
"UserAccess": {
"__typename": "PrincipalSummary",
"directGroups": [
{
"__typename": "UserAccessGroup",
"name": "Domain Admins",
"sid": "S-1-0-01-0000000000-0000000000-000000000-002"
},
{
"__typename": "UserAccessGroup",
"name": "Domain Users",
"sid": "S-1-0-01-0000000000-0000000000-000000000-003"
}
],
"domainName": "rubrik.com",
"fullName": "DemoRubrik",
"numDescendants": 0,
"principalId": "S-1-0-01-0000000000-0000000000-000000000-0001",
"riskLevel": "HIGH_RISK",
"policy_hits_summary": [
{
"policyId": "00000000-0000-0000-0000-000000000001",
"policyName": "Policy 1",
"sidSensitiveFiles": {
"totalFileCount": {
"totalCount": 164,
"violatedCount": 164,
"__typename": "SummaryCount"
},
"__typename": "SensitiveFiles"
},
"sidAnalyzerHits": {
"highRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 138118,
"violatedHits": 138118,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 138118,
"violatedHits": 138118,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"sidDeltaAnalyzerHits": {
"highRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"sidRiskHits": {
"highRiskHits": {
"totalHits": 138118,
"violatedHits": 138118,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 138118,
"violatedHits": 138118,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"sidDeltaRiskHits": {
"highRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"__typename": "PolicyHitsSummary"
},
{
"policyId": "00000000-0000-0000-0000-000000000002",
"policyName": "Policy 2",
"sidSensitiveFiles": {
"totalFileCount": {
"totalCount": 130,
"violatedCount": 130,
"__typename": "SummaryCount"
},
"__typename": "SensitiveFiles"
},
"sidAnalyzerHits": {
"highRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 101434,
"violatedHits": 101434,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 101434,
"violatedHits": 101434,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"sidDeltaAnalyzerHits": {
"highRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"sidRiskHits": {
"highRiskHits": {
"totalHits": 101434,
"violatedHits": 101434,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 101434,
"violatedHits": 101434,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"sidDeltaRiskHits": {
"highRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"mediumRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"lowRiskHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"totalHits": {
"totalHits": 0,
"violatedHits": 0,
"__typename": "SummaryHits"
},
"__typename": "SensitiveHits"
},
"__typename": "PolicyHitsSummary"
}
],
"riskReasons": {
"__typename": "PrincipalRiskReasons",
"accessRiskReasons": [
"MEDIUM_RISK_ANALYZER_HITS",
"OPEN_ACCESS"
],
"insecureReasons": [
"PASSWORD_NEVER_EXPIRES"
]
},
"sensitiveFiles": {
"__typename": "SensitiveFiles",
"highRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 250
},
"lowRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
},
"mediumRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
}
},
"sensitiveObjectCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 2
},
"totalSensitiveHits": {
"__typename": "SummaryHits",
"totalHits": 0,
"violatedHits": 173954
},
"upn": "demo@rubrik.com"
}
}
}

Human Readable Output#

User Access#

User IDUser Full NameUser Principal NameRisk LevelAccess Risk Reason(s)Insecure Reason(s)GroupsTotal Sensitive ObjectsTotal Sensitive FilesTotal Sensitive Hits
S-1-0-01-0000000000-0000000000-000000000-0001DemoRubrikdemo@rubrik.comHIGH_RISKMEDIUM_RISK_ANALYZER_HITS, OPEN_ACCESSPASSWORD_NEVER_EXPIRESDomain Admins, Domain Users2250173954

Sensitive Hits#

Policy NameTotal Sensitive FilesTotal Sensitive HitsSensitive Hits DeltaHigh Risk HitsMedium Risk HitsLow Risk Hits
Policy 1164138118001381180
Policy 2130101434001014340

rubrik-sonar-file-context-list#


Retrieve the context of the file, folder, or file share for the provided object and the file details.

Base Command#

rubrik-sonar-file-context-list

Input#

Argument NameDescriptionRequired
object_idThe Object ID or the Snappable ID.

Note: Users can get the list of the object IDs by executing the "rubrik-polaris-object-list" command.
Required
snapshot_idThe Snapshot ID of the object.

Note: Users can get the list of the snapshot IDs by executing the "rubrik-polaris-object-snapshot-list" command.
Required
file_nameSpecify the name of the file, folder, or file share object.Optional
file_pathSpecify the standard file path to filter with.Optional
user_idSpecify the user ID to filter with.

Note: Users can get the list of the user IDs by executing the "rubrik-sonar-user-access-list" command.
Optional
include_whitelisted_resultsThe boolean indicates to include the whitelisted results.

Possible values are: "True", "False". Default is False.
Optional
limitNumber of results to retrieve in the response. The maximum allowed size is 1000. Default is 50.Optional
sort_bySpecify the field to use for sorting the response.

Supported values are: HITS, NAME, DAILY_CHANGE, LAST_ACCESS_TIME, OPEN_ACCESS_TYPE, FILES_WITH_HITS, FILES_WITH_OPEN_ACCESS_HITS, STALE_FILES_WITH_HITS, CLUSTER, OBJECT_NAME, OBJECT_LOCATION, SNAPSHOT_TIME, NUM_ACTIVITIES, NUM_ACTIVITIES_DELTA, NATIVE_PATH. Default is HITS.

Note: For any other values, whether the obtained result is filtered or not, is not confirmed.
Optional
sort_orderSpecify the order to sort the data in.

Possible values are: "ASC", "DESC". Default is DESC.
Optional
next_page_tokenThe next page cursor to retrieve the next set of results.Optional

Context Output#

PathTypeDescription
RubrikPolaris.FileContext.nativePathStringThe native path of the file.
RubrikPolaris.FileContext.stdPathStringThe standardized path of the file.
RubrikPolaris.FileContext.filenameStringThe filename.
RubrikPolaris.FileContext.modeStringThe file mode.
RubrikPolaris.FileContext.sizeNumberThe file size in bytes.
RubrikPolaris.FileContext.lastAccessTimeNumberThe last access time of the file in milliseconds since the epoch.
RubrikPolaris.FileContext.lastModifiedTimeNumberThe last modified time of the file in milliseconds since the epoch.
RubrikPolaris.FileContext.directoryStringThe value of Directory.
RubrikPolaris.FileContext.numDescendantFilesNumberThe number of descendant files of the file.
RubrikPolaris.FileContext.numDescendantErrorFilesNumberThe number of descendant files of the file that could not be processed.
RubrikPolaris.FileContext.numDescendantSkippedExtFilesNumberThe number of descendant files of the file that were skipped because of their file extension.
RubrikPolaris.FileContext.numDescendantSkippedSizeFilesNumberThe number of descendant files of the file that were skipped because of their file size.
RubrikPolaris.FileContext.errorCodeStringThe error code, if any, for the file.
RubrikPolaris.FileContext.hits.totalHitsNumberThe total number of hits for the file.
RubrikPolaris.FileContext.hits.violationsNumberThe number of violations for the file.
RubrikPolaris.FileContext.hits.violationsDeltaNumberThe change in the number of violations for the file since the last scan.
RubrikPolaris.FileContext.hits.totalHitsDeltaNumberThe change in the total number of hits for the file since the last scan.
RubrikPolaris.FileContext.hits.__typenameStringThe type of the hits field.
RubrikPolaris.FileContext.filesWithHits.totalHitsNumberThe total number of files with hits.
RubrikPolaris.FileContext.filesWithHits.violationsNumberThe number of files with violations.
RubrikPolaris.FileContext.filesWithHits.__typenameStringThe type of the files with hits field.
RubrikPolaris.FileContext.openAccessFilesWithHits.totalHitsNumberThe total number of open access files with hits.
RubrikPolaris.FileContext.openAccessFilesWithHits.violationsNumberThe number of open access files with violations.
RubrikPolaris.FileContext.openAccessFilesWithHits.__typenameStringThe type of the open access files with hits field.
RubrikPolaris.FileContext.staleFilesWithHits.totalHitsNumberThe total number of stale files with hits.
RubrikPolaris.FileContext.staleFilesWithHits.violationsNumberThe number of stale files with violations.
RubrikPolaris.FileContext.staleFilesWithHits.__typenameStringThe type of the stale files with hits field.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerGroup.groupTypeStringThe type of the analyzer group.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerGroup.idStringThe ID of the analyzer group.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerGroup.nameStringThe name of the analyzer group.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerGroup.__typenameStringThe type of the analyzer group field.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.hits.totalHitsNumberThe total number of hits for the analyzer results.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.hits.violationsNumberThe number of violations for the analyzer results.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.hits.__typenameStringThe type of the hits field.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.analyzer.idStringThe ID of the analyzer.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.analyzer.nameStringThe name of the analyzer.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.analyzer.analyzerTypeStringThe type of the analyzer.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.analyzer.__typenameStringThe type of the analyzer field.
RubrikPolaris.FileContext.analyzerGroupResults.analyzerResults.__typenameStringThe type of the analyzer results field.
RubrikPolaris.FileContext.analyzerGroupResults.hits.totalHitsNumberThe total number of hits for the analyzer group results.
RubrikPolaris.FileContext.analyzerGroupResults.hits.violationsNumberThe number of violations for the analyzer group results.
RubrikPolaris.FileContext.analyzerGroupResults.hits.violationsDeltaNumberThe change in the number of violations for the analyzer group results since the last scan.
RubrikPolaris.FileContext.analyzerGroupResults.hits.totalHitsDeltaNumberThe change in the total number of hits for the analyzer group results since the last scan.
RubrikPolaris.FileContext.analyzerGroupResults.hits.__typenameStringThe type of the hits field.
RubrikPolaris.FileContext.analyzerGroupResults.__typenameStringThe type of the analyzer group results field.
RubrikPolaris.FileContext.sensitiveFiles.highRiskFileCount.totalCountNumberThe total number of high-risk files for the policy object.
RubrikPolaris.FileContext.sensitiveFiles.highRiskFileCount.violatedCountNumberThe number of high-risk files for the policy object that violates policies.
RubrikPolaris.FileContext.sensitiveFiles.highRiskFileCount.__typenameStringThe type of the high-risk file count field.
RubrikPolaris.FileContext.sensitiveFiles.mediumRiskFileCount.totalCountNumberTotal number of medium-risk files for the policy object.
RubrikPolaris.FileContext.sensitiveFiles.mediumRiskFileCount.violatedCountNumberThe number of medium-risk files for the policy object that violates policies.
RubrikPolaris.FileContext.sensitiveFiles.mediumRiskFileCount.__typenameStringThe type of the medium risk file count field.
RubrikPolaris.FileContext.sensitiveFiles.lowRiskFileCount.totalCountNumberTotal number of low-risk files for the policy object.
RubrikPolaris.FileContext.sensitiveFiles.lowRiskFileCount.violatedCountNumberThe number of low-risk files for the policy object that violates policies.
RubrikPolaris.FileContext.sensitiveFiles.lowRiskFileCount.__typenameStringThe type of the low-risk file count field.
RubrikPolaris.FileContext.sensitiveFiles.__typenameStringThe type of the sensitive files field.
RubrikPolaris.FileContext.openAccessTypeStringThe open access type for the file.
RubrikPolaris.FileContext.stalenessTypeStringThe staleness type for the file.
RubrikPolaris.FileContext.numActivitiesNumberThe number of activities for the file.
RubrikPolaris.FileContext.numActivitiesDeltaNumberThe change in the number of activities for the file since the last time it was checked.
RubrikPolaris.FileContext.__typenameStringThe type of the file context field.
RubrikPolaris.PageToken.FileContext.nameStringName of the command.
RubrikPolaris.PageToken.FileContext.endCursorStringThe end cursor for the current page.
RubrikPolaris.PageToken.FileContext.hasNextPageBooleanWhether the result has the next page or not.

Command example#

!rubrik-sonar-file-context-list object_id="1" snapshot_id="1" limit="2"

Context Example#

{
"RubrikPolaris": {
"FileContext": [
{
"__typename": "FileResult",
"analyzerGroupResults": [
{
"__typename": "AnalyzerGroupResult",
"analyzerGroup": {
"__typename": "AnalyzerGroup",
"groupType": "CUSTOM",
"id": "00000000-0000-0000-0000-000000000001",
"name": "UK PII"
},
"analyzerResults": [
{
"__typename": "AnalyzerResult",
"analyzer": {
"__typename": "Analyzer",
"analyzerType": "UK_DL",
"id": "00000000-0000-0000-0000-000000000001",
"name": "UK DL"
},
"hits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 2000
}
}
],
"hits": {
"__typename": "Hits",
"totalHits": 0,
"totalHitsDelta": 0,
"violations": 2000,
"violationsDelta": 0
}
}
],
"directory": "/C:/File Shares",
"errorCode": "NOERROR",
"filename": "uk_drivers_license_number.xlsx",
"filesWithHits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1
},
"hits": {
"__typename": "Hits",
"totalHits": 0,
"totalHitsDelta": 0,
"violations": 2000,
"violationsDelta": 0
},
"lastAccessTime": 1648099578,
"lastModifiedTime": 1648099578,
"mode": "FILE",
"nativePath": "/C:/File Shares/uk_drivers_license_number.xlsx",
"numActivities": 0,
"numActivitiesDelta": 0,
"numDescendantErrorFiles": 0,
"numDescendantFiles": 0,
"numDescendantSkippedExtFiles": 0,
"numDescendantSkippedSizeFiles": 0,
"openAccessFilesWithHits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1
},
"openAccessType": "INHERITED",
"sensitiveFiles": {
"__typename": "SensitiveFiles",
"highRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 1
},
"lowRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
},
"mediumRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
}
},
"size": 85708,
"staleFilesWithHits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1
},
"stalenessType": "IS_STALE",
"stdPath": "/C:/File Shares/uk_drivers_license_number.xlsx"
},
{
"__typename": "FileResult",
"analyzerGroupResults": [
{
"__typename": "AnalyzerGroupResult",
"analyzerGroup": {
"__typename": "AnalyzerGroup",
"groupType": "CUSTOM",
"id": "00000000-0000-0000-0000-000000000001",
"name": "UK PII"
},
"analyzerResults": [
{
"__typename": "AnalyzerResult",
"analyzer": {
"__typename": "Analyzer",
"analyzerType": "UK_NINO",
"id": "00000000-0000-0000-0000-000000000001",
"name": "UK NINO"
},
"hits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1712
}
}
],
"hits": {
"__typename": "Hits",
"totalHits": 0,
"totalHitsDelta": 0,
"violations": 1712,
"violationsDelta": 0
}
}
],
"directory": "/C:/File Shares",
"errorCode": "NOERROR",
"filename": "uk_national_insurance_number.csv",
"filesWithHits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1
},
"hits": {
"__typename": "Hits",
"totalHits": 0,
"totalHitsDelta": 0,
"violations": 1712,
"violationsDelta": 0
},
"lastAccessTime": 1648099580,
"lastModifiedTime": 1648099580,
"mode": "FILE",
"nativePath": "/C:/File Shares/uk_national_insurance_number.csv",
"numActivities": 0,
"numActivitiesDelta": 0,
"numDescendantErrorFiles": 0,
"numDescendantFiles": 0,
"numDescendantSkippedExtFiles": 0,
"numDescendantSkippedSizeFiles": 0,
"openAccessFilesWithHits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1
},
"openAccessType": "INHERITED",
"sensitiveFiles": {
"__typename": "SensitiveFiles",
"highRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 1
},
"lowRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
},
"mediumRiskFileCount": {
"__typename": "SummaryCount",
"totalCount": 0,
"violatedCount": 0
}
},
"size": 120064,
"staleFilesWithHits": {
"__typename": "Hits",
"totalHits": 0,
"violations": 1
},
"stalenessType": "IS_STALE",
"stdPath": "/C:/File Shares/uk_national_insurance_number.csv"
}
],
"PageToken": {
"FileContext": {
"endCursor": "cursor_2",
"hasNextPage": true,
"name": "rubrik-sonar-file-context-list"
}
}
}
}

Human Readable Output#

File Context#

File NameFile Size in BytesTotal Sensitive HitsDaily Hits ChangeFile PathAccess TypeLast Access TimeLast Modified Time
uk_drivers_license_number.xlsx8570820000/C:/File Shares/uk_drivers_license_number.xlsxINHERITED2022-03-24T05:26:18Z2022-03-24T05:26:18Z
uk_national_insurance_number.csv12006417120/C:/File Shares/uk_national_insurance_number.csvINHERITED2022-03-24T05:26:20Z2022-03-24T05:26:20Z

Note: To retrieve the next set of results use, "next_page_token" = cursor_2

rubrik-radar-suspicious-file-list#


Retrieve the suspicious list of files for a snapshot ID with detected file anomalies.

Base Command#

rubrik-radar-suspicious-file-list

Input#

Argument NameDescriptionRequired
snapshot_idThe Snapshot ID of the object or Activity Series ID.

Note: Users can get the list of the snapshot IDs by executing the "rubrik-polaris-object-snapshot-list" command. For the Activity Series ID, the users can execute the "rubrik-event-list" command with the "activity_type" argument set to "ANOMALY".
Required

Context Output#

PathTypeDescription
RubrikPolaris.SuspiciousFile.idStringThe anomaly result ID.
RubrikPolaris.SuspiciousFile.snapshotFidStringThe snapshot ID.
RubrikPolaris.SuspiciousFile.cluster.idStringThe cluster ID.
RubrikPolaris.SuspiciousFile.cluster.defaultAddressStringThe default address of the cluster.
RubrikPolaris.SuspiciousFile.cluster.systemStatusAffectedNodes.ipAddressStringThe IP address of the affected node.
RubrikPolaris.SuspiciousFile.cluster.nameStringThe cluster name.
RubrikPolaris.SuspiciousFile.cluster.versionStringThe cluster version.
RubrikPolaris.SuspiciousFile.cluster.statusStringThe cluster status.
RubrikPolaris.SuspiciousFile.cluster.__typenameStringThe type name of the cluster response.
RubrikPolaris.SuspiciousFile.cdmIdStringThe snapshot CDM ID.
RubrikPolaris.SuspiciousFile.managedIdStringThe managed object ID.
RubrikPolaris.SuspiciousFile.anomalyProbabilityNumberThe probability of the anomaly.
RubrikPolaris.SuspiciousFile.workloadIdStringThe workload ID.
RubrikPolaris.SuspiciousFile.locationStringThe location of the anomaly.
RubrikPolaris.SuspiciousFile.isAnomalyBooleanIndicates if the file is an anomaly.
RubrikPolaris.SuspiciousFile.objectTypeStringThe object type.
RubrikPolaris.SuspiciousFile.snappableNew.objectTypeStringThe object type of the snapshot.
RubrikPolaris.SuspiciousFile.severityStringThe severity of the anomaly.
RubrikPolaris.SuspiciousFile.detectionTimeDateThe detection time of the anomaly.
RubrikPolaris.SuspiciousFile.snapshotDateDateThe snapshot date of the anomaly.
RubrikPolaris.SuspiciousFile.encryptionStringThe encryption standard of the anomaly.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.strainIdStringThe ID of the Ransomware Strain.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.totalAffectedFilesNumberThe total number of affected files.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.totalRansomwareNotesNumberThe total number of ransomware notes.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleAffectedFilesInfo.filePathStringThe path of the affected file.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleAffectedFilesInfo.lastModifiedDateThe last modified time of the affected file.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleAffectedFilesInfo.fileSizeBytesNumberThe size of the affected file in bytes.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleAffectedFilesInfo.__typenameStringThe type name of the affected file response.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleRansomwareNoteFilesInfo.filePathStringThe path of the ransomware note file.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleRansomwareNoteFilesInfo.lastModifiedDateThe last modified time of the ransomware note file.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleRansomwareNoteFilesInfo.fileSizeBytesNumberThe size of the ransomware note file in bytes.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.sampleRansomwareNoteFilesInfo.__typenameStringThe type name of the ransomware note file response.
RubrikPolaris.SuspiciousFile.anomalyInfo.strainAnalysisInfo.__typenameStringThe type name of the strain analysis response.
RubrikPolaris.SuspiciousFile.anomalyInfo.__typenameStringThe type name of the anomaly response.
RubrikPolaris.SuspiciousFile.__typenameStringThe type name of the suspicious file response.

Command example#

!rubrik-radar-suspicious-file-list snapshot_id="00000000-0000-0000-0000-000000000001"

Context Example#

{
"RubrikPolaris": {
"SuspiciousFile": {
"id": "00000000-0000-0000-0000-000000000001:::VirtualMachine:::00000000-0000-0000-0000-000000000001-vm-206:::00000000-0000-0000-0000-000000000001",
"snapshotFid": "00000000-0000-0000-0000-000000000001",
"cluster": {
"id": "00000000-0000-0000-0000-000000000001",
"defaultAddress": "cluster.rubrik",
"systemStatusAffectedNodes": [
{
"ipAddress": "0.0.0.0"
}
],
"name": "Cluster_B",
"version": "8.1.3",
"status": "Connected",
"__typename": "Cluster"
},
"snappableNew": {
"objectType": "VmwareVirtualMachine"
},
"cdmId": "00000000-0000-0000-0000-000000000001",
"managedId": "VirtualMachine:::00000000-0000-0000-0000-000000000001-vm-206",
"anomalyProbability": 0.949999988079071,
"workloadId": "00000000-0000-0000-0000-000000000001-vm-206",
"location": "instance.rubrik",
"isAnomaly": true,
"severity": "Critical",
"detectionTime": "2024-02-05T18:49:03.000Z",
"snapshotDate": "2024-02-05T16:59:30.000Z",
"encryption": "HIGH",
"anomalyInfo": {
"strainAnalysisInfo": [
{
"strainId": "LockBit",
"totalAffectedFiles": 1,
"totalRansomwareNotes": 1,
"sampleAffectedFilesInfo": [
{
"filePath": "/C:/Shares/Restore-My-Files.txt.lockbit",
"lastModified": "2024-02-05T16:00:44.000Z",
"fileSizeBytes": 2512,
"__typename": "SuspiciousFileInfo"
}
],
"sampleRansomwareNoteFilesInfo": [
{
"filePath": "/C:/Users/Public/Desktop/Restore-My-Files.txt",
"lastModified": "2024-02-08T02:00:03.000Z",
"fileSizeBytes": 2484,
"__typename": "SuspiciousFileInfo"
}
],
"__typename": "StrainInfo"
}
],
"__typename": "AnomalyInfo"
},
"__typename": "GetAnomalyDetailsReply"
}
}
}

Human Readable Output#

Anomaly Information#

Anomaly IDIs AnomalyAnomaly ProbabilitySeverityEncryptionAnomaly TypeTotal Suspicious FilesTotal Ransomware NoteDetection TimeSnapshot Time
00000000-0000-0000-0000-000000000001:::VirtualMachine:::00000000-0000-0000-0000-000000000001-vm-206:::00000000-0000-0000-0000-000000000001true0.949999988079071CriticalHIGHLockBit112024-02-05T18:49:03.000Z2024-02-05T16:59:30.000Z

Suspicious Files#

File PathSuspicious ActivityFile Size in BytesLast Modified Time
/C:/Shares/Restore-My-Files.txt.lockbitRansomware Encryption25122024-02-05T16:00:44.000Z
/C:/Users/Public/Desktop/Restore-My-Files.txtRansomware Note24842024-02-08T02:00:03.000Z