Skip to main content

Rubrik IOC Scan - Rubrik Polaris

This Playbook is part of the Rubrik Polaris Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook starts an IOC Scan with the provided IOC values. It can be looped until recoverable snapshots are obtained or the limit to loop is reached.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • GenericPolling

Integrations#

  • RubrikPolaris

Scripts#

  • Set

Commands#

  • rubrik-radar-ioc-scan-results
  • rubrik-radar-ioc-scan

Playbook Inputs#


NameDescriptionDefault ValueRequired
ClusterIdCluster ID of the object.Required
ObjectIdID of the object.Required
StartDateStart Date for IOC Scan.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.

Examples of more supported values can be found at https://dateparser.readthedocs.io/en/latest/\#relative-dates.
7 days agoRequired
EndDateEnd Date for IOC Scan.

Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.

Examples of more supported values can be found at https://dateparser.readthedocs.io/en/latest/\#relative-dates.
nowRequired
IOCPathPath of IOC to scan. Supports comma separated multiple values.

Note: Do not provide quoted values.
Optional
IOCHashHash of IOC to scan. Supports comma separated multiple values.

Note: Do not provide quoted values.
Optional
IOCYaraRuleYara Rule(s) for IOC scan.

Note: Do not provide quoted values.
Optional
PollingIntervalFrequency that the IOC scan command will run (minutes).5Optional
PollingTimeoutAmount of time to poll before declaring a timeout and resuming the playbook (in minutes).720Optional
TimeDeltaProvide the time delta to move backward while looping to find out the recoverable snapshot. If not provided, it defaults to the time difference between provided start date, and end date.Optional
PathsToIncludePaths to include in the scan. Supports comma separated values.

Format accepted:
path_to_include_1, path_to_include_2
Optional
PathsToExcludePaths to exclude from the scan. Supports comma separated values.

Format accepted:
path_to_exclude_1, path_to_exclude_2
Optional
PathsToExemptPaths to exempt from exclusion. Supports comma separated values.

Format accepted:
path_to_exempt_1, path_to_exempt_2
Optional
LimitThe maximum number of times to run IOC scans to find recoverable snapshot.1Required
RequestedHashTypeThe type of the hash values of the matched files to be blocked, if enabled.Optional
ScanNameName of the scan. Default value is "PAXSOAR-1.1.0".Optional

Playbook Outputs#


PathDescriptionType
RubrikPolaris.RecoverableSnapshot.idID of the snapshot that can be recovered.unknown
RubrikPolaris.RadarIOCScanThe results of the IOC scan.unknown
RubrikPolaris.RecoverableSnapshot.isLatestInfectedBoolean value to indicate whether the newest snapshot is infected or not.unknown

Playbook Image#


Rubrik IOC Scan - Rubrik Polaris