Collect Rubrik Security Cloud logs
This document explains how to ingest Rubrik Security Cloud logs to Google Security Operations using webhooks.
Rubrik Security Cloud (RSC) is a SaaS-based data security platform that provides backup, recovery, anomaly detection, and data governance capabilities across cloud and on-premises environments. RSC generates security events, audit logs, and operational activity logs in PagerDuty Common Event Format (PD-CEF) JSON that can be pushed to Google SecOps for centralized monitoring and analysis.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to Rubrik Security Cloud console with permissions to manage webhooks
- Network connectivity from Rubrik Security Cloud to the Google SecOps webhook endpoint
- Access to Google Cloud Console for API key creation
Create a webhook feed in Google SecOps
Create the feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Rubrik Security Cloud Events).
- Select Webhook as the Source type.
- Select Rubrik Security Cloud as the Log type.
- Click Next.
- Specify values for the following input parameters:
- Split delimiter (optional): Leave empty, because each webhook request contains a single event.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
Generate and save a secret key
After creating the feed, you must generate a secret key for authentication:
- On the feed details page, click Generate Secret Key.
- A dialog displays the secret key.
- Copy and save the secret key securely.
Get the feed endpoint URL
- Go to the Details tab of the feed.
- In the Endpoint Information section, copy the Feed endpoint URL.
- Save this URL for the next steps.
- Click Done.
Create a Google Cloud API key
Google SecOps requires an API key for authentication. Create a restricted API key in the Google Cloud Console.
Create the API key
- Go to the Google Cloud Console Credentials page.
- Select your project (the project associated with your Google SecOps instance).
- Click Create credentials > API key.
- An API key is created and displayed in a dialog.
- Click Edit API key to restrict the key.
Restrict the API key
- On the API key settings page:
- Name: Enter a descriptive name (for example, Chronicle Webhook API Key).
- Under API restrictions:
- Select Restrict key.
- In the Select APIs drop-down, search for and select Google SecOps API (or Chronicle API).
- Click Save.
- Copy the API key value from the API key field at the top of the page.
- Save the API key securely.
Configure a Rubrik Security Cloud webhook
Construct the webhook URL
Combine the Google SecOps endpoint URL and API key:
<ENDPOINT_URL>?key=<API_KEY>
Example:
https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...
Create the webhook in Rubrik Security Cloud
- Sign in to Rubrik Security Cloud at https://<account>.my.rubrik.com.
- Click the gear icon in the upper right corner and select Settings.
- Click Notifications and select Webhooks.
- Click Add Webhook.
- The Add Webhook wizard appears.
- In Provider, select Generic.
- In Webhook name, enter a descriptive name (for example, Google SecOps Integration).
- In Endpoint, paste the complete webhook URL with API key from above.
- Turn on Authentication and select Custom as the authentication method.
- Add a custom header:
- Header Key: Enter X-Chronicle-Auth.
- Header Value: Paste the secret key from the Google SecOps feed creation.
- Click Next.
- Click Test Webhook to verify that the specified webhook configuration works, and then click Next.
- The Select event and severity window appears.
- Select the events that RSC sends to the configured webhook endpoint:
- Under Events, select the event types to forward:
- Backup
- Recovery
- Anomaly
- Configuration
- Diagnostic
- Sync
- Maintenance
- System
- Under Audit, select the audit types to forward.
- Under Severity, select the severity levels for triggering alerts:
- Critical
- Warning
- Informational
- Click Next.
- Review the configuration details on the Confirmation window and click Save.
Verify the webhook is working
Check Rubrik Security Cloud webhook status
- Sign in to Rubrik Security Cloud.
- Go to Settings > Notifications > Webhooks.
- Check the Status column for your webhook (should show Enabled).
- Monitor for any error messages in the webhook details.
Check Google SecOps feed status
- Go to SIEM Settings > Feeds in Google SecOps.
- Check the Status column for your webhook feed (should be Active).
- Check Events received count (should be incrementing).
- Check Last succeeded on timestamp (should be recent).
Verify logs in Google SecOps
- Go to Search > UDM Search.
- Use the following query:
metadata.vendor_name = "Rubrik" AND metadata.product_name = "Rubrik Security Cloud"
- Adjust the time range to the last 1 hour.
- Verify that events appear in the results.
Webhook payload reference
Rubrik Security Cloud sends events in PagerDuty Common Event Format (PD-CEF) by default. The following is an example event payload:
```json
{
  "summary": "Failed backup of vSphere VM 'example-vm'.",
  "source": "Rubrik Security Cloud",
  "severity": "critical",
  "timestamp": "2024-07-18T06:39:40.46Z",
  "class": "Backup",
  "custom_details": {
    "seriesId": "ccd7a8a5-4c58-4c88-bff9-7bdffddb6099",
    "id": "c2b47274-6323-4025-b307-afed1cfb7574",
    "type": "Event",
    "objectId": "83c4a80a-4a57-5699-b399-651089135586",
    "objectName": "example-vm",
    "objectType": "VmwareVm",
    "status": "Failure",
    "clusterId": "6a271636-9392-4cba-90c5-bdbe227854ab",
    "clusterName": "production-cluster",
    "eventName": "Snapshot.BackupFailed",
    "errorId": "Snapshot.VmwareSnapshotError",
    "errorCode": "",
    "errorRemedy": "",
    "errorReason": "",
    "auditUserName": "",
    "auditUserId": "",
    "location": "vcenter.example.com",
    "url": "",
    "customerID": "rubrik-customer",
    "logicalSizeInBytes": "",
    "dataTransferredInBytes": "",
    "effectiveThroughput": ""
  }
}
```
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| audit_info_label | additional.fields | Merged |
| effectiveThroughput_label | additional.fields | Merged |
| group_label | additional.fields | Merged |
| isPolarisAudit_label | additional.fields | Merged |
| label_name_label | additional.fields | Merged |
| node_label | additional.fields | Merged |
| orgID_label | additional.fields | Merged |
| snappable_name_label | additional.fields | Merged |
| snappable_type_label | additional.fields | Merged |
| snapshot_date_label | additional.fields | Merged |
| type_label | additional.fields | Merged |
| userNote_label | additional.fields | Merged |
| has_target | extensions.auth.type | Mapped: true → AUTHTYPE_UNSPECIFIED |
| hunt_date | metadata.event_timestamp | Parsed as ISO8601 |
| timestamp | metadata.event_timestamp | Parsed as ISO8601 |
| has_principal | metadata.event_type | Mapped: true → SCAN_HOST, true → STATUS_UPDATE |
| has_target | metadata.event_type | Mapped: true → USER_LOGIN |
| custom_details.eventName | metadata.product_event_type | Directly mapped |
| custom_details.id | metadata.product_log_id | Directly mapped |
| source | metadata.product_name | Directly mapped |
| custom_details.url | metadata.url_back_to_product | Directly mapped |
| custom_details.dataTransferredInBytes | network.sent_bytes | Directly mapped |
| custom_details.customerID | principal.administrative_domain | Directly mapped |
| domain | principal.domain.name | Directly mapped |
| custom_details.ipAddress | principal.ip | Merged |
| ip_address | principal.ip | Merged |
| is_ip_assigned | principal.ip | Mapped: false → ip_address |
| custom_details.clusterName | principal.resource.name | Directly mapped |
| custom_details.clusterId | principal.resource.product_object_id | Directly mapped |
| user_email | principal.user.email_addresses | Merged |
| custom_details.auditUserName | principal.user.user_display_name | Directly mapped |
| user_name | principal.user.user_display_name | Directly mapped |
| action_name | security_result.action | Merged |
| custom_details.status | security_result.action_details | Directly mapped |
| category_temp | security_result.category | Merged |
| class | security_result.category_details | Merged |
| confidence | security_result.confidence_details | Directly mapped |
| custom_details.errorMessage | security_result.description | Directly mapped |
| access_type_label | security_result.detection_fields | Merged |
| action_date_label | security_result.detection_fields | Merged |
| detection_time_label | security_result.detection_fields | Merged |
| directories_snoozed_label | security_result.detection_fields | Merged |
| directories_unsnoozed_label | security_result.detection_fields | Merged |
| document_count_label | security_result.detection_fields | Merged |
| encryption_level_label | security_result.detection_fields | Merged |
| errorCode_label | security_result.detection_fields | Merged |
| errorId_label | security_result.detection_fields | Merged |
| errorReason_label | security_result.detection_fields | Merged |
| errorRemedy_label | security_result.detection_fields | Merged |
| event_info_label | security_result.detection_fields | Merged |
| failed_document_count_label | security_result.detection_fields | Merged |
| file_matches_label | security_result.detection_fields | Merged |
| files_created_count_label | security_result.detection_fields | Merged |
| files_modified_count_label | security_result.detection_fields | Merged |
| files_removed_count_label | security_result.detection_fields | Merged |
| files_suspicious_count_label | security_result.detection_fields | Merged |
| hash_tf_version_label | security_result.detection_fields | Merged |
| identity_name_label | security_result.detection_fields | Merged |
| num_files_with_matches_label | security_result.detection_fields | Merged |
| num_hash_matches_label | security_result.detection_fields | Merged |
| num_of_violating_identities_label | security_result.detection_fields | Merged |
| num_yara_rule_matches_label | security_result.detection_fields | Merged |
| obj_failed_label | security_result.detection_fields | Merged |
| obj_partially_succeeded_label | security_result.detection_fields | Merged |
| obj_succeeded_label | security_result.detection_fields | Merged |
| object_matches_label | security_result.detection_fields | Merged |
| policy_name_label | security_result.detection_fields | Merged |
| reason_label | security_result.detection_fields | Merged |
| remediation_type_label | security_result.detection_fields | Merged |
| remedy_label | security_result.detection_fields | Merged |
| risk_name_label | security_result.detection_fields | Merged |
| seriesID_label | security_result.detection_fields | Merged |
| seriesId_label | security_result.detection_fields | Merged |
| skipped_document_count_label | security_result.detection_fields | Merged |
| strain_name_label | security_result.detection_fields | Merged |
| successful_document_count_label | security_result.detection_fields | Merged |
| total_accessible_files_at_risk_count_label | security_result.detection_fields | Merged |
| vm_count_label | security_result.detection_fields | Merged |
| yara_tf_version_label | security_result.detection_fields | Merged |
| hunt_name | security_result.rule_name | Directly mapped |
| hunt_type | security_result.rule_type | Directly mapped |
| is_severity_assigned | security_result.severity | Mapped: false → INFORMATIONAL, false → MEDIUM |
| severity | security_result.severity | Mapped: INFO → INFORMATIONAL, WARNING → MEDIUM |
| severity_name | security_result.severity | Mapped: INFO → INFORMATIONAL, WARNING → MEDIUM |
| severity | security_result.severity_details | Directly mapped |
| severity_name | security_result.severity_details | Directly mapped |
| summary | security_result.summary | Directly mapped |
| threat_feed_type | security_result.threat_feed_name | Directly mapped |
| custom_details.logicalSizeInBytes | target.file.size | Directly mapped |
| client_id_label | target.labels | Merged |
| client_name_label | target.labels | Merged |
| custom_details.location | target.location.name | Directly mapped |
| custom_details.objectName | target.resource.name | Directly mapped |
| object_name | target.resource.name | Directly mapped |
| resource_name | target.resource.name | Directly mapped |
| custom_details.objectId | target.resource.product_object_id | Directly mapped |
| component | target.resource.resource_subtype | Directly mapped |
| custom_details.objectType | target.resource.resource_subtype | Directly mapped |
| is_object_type_assigned | target.resource.resource_type | Mapped: false → UNSPECIFIED |
| class | target.user.email_addresses | Mapped: Login → user_email |
| user_email | target.user.email_addresses | Merged |
| each_group | target.user.group_identifiers | Merged |
| custom_details.auditUserName | target.user.user_display_name | Directly mapped |
| user_name | target.user.user_display_name | Directly mapped |
| custom_details.auditUserId | target.user.userid | Directly mapped |
| N/A | extensions.auth.type | Constant: AUTHTYPE_UNSPECIFIED |
| N/A | metadata.event_type | Constant: USER_LOGIN |
| N/A | metadata.product_name | Constant: RUBRIK SECURITY CLOUD |
| N/A | metadata.vendor_name | Constant: RUBRIK |
| N/A | principal.resource.resource_type | Constant: CLUSTER |
| N/A | security_result.severity | Constant: INFORMATIONAL |
| N/A | target.resource.resource_type | Constant: UNSPECIFIED |
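The payload reference and the mapping table above, worked through in code as an added Python example (it is not part of this page and not the Google SecOps parser): it reads the PD-CEF JSON, applies the directly mapped and constant rows, and drops the empty-string fields the sample payload carries. Upper-casing the raw severity before the lookup and falling back to the table's constant INFORMATIONAL for values such as critical are assumptions, not stated on the page.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the page's example PD-CEF payload, trimmed to the fields read below.
SAMPLE_EVENT = json.dumps({
    "summary": "Failed backup of vSphere VM 'example-vm'.", "source": "Rubrik Security Cloud",
    "severity": "critical", "timestamp": "2024-07-18T06:39:40.46Z", "class": "Backup",
    "custom_details": {"id": "c2b47274-6323-4025-b307-afed1cfb7574",
                       "objectName": "example-vm", "objectType": "VmwareVm", "status": "Failure",
                       "clusterName": "production-cluster", "eventName": "Snapshot.BackupFailed",
                       "auditUserName": "", "location": "vcenter.example.com"}})
# security_result.severity values listed in the mapping table; upper-casing the raw value and
# falling back to the table's constant INFORMATIONAL are assumptions, not stated on the page.
SEVERITY_MAP = {"INFO": "INFORMATIONAL", "WARNING": "MEDIUM"}

def parse_ts(value):
    """Parse the PD-CEF ISO 8601 timestamp (with or without fractional seconds) as UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised PD-CEF timestamp: {value!r}")

def prune(obj):
    """Drop None/empty-string values (the sample sends many empty strings) and dicts left empty."""
    if isinstance(obj, dict):
        cleaned = {k: prune(v) for k, v in obj.items()}
        return {k: v for k, v in cleaned.items() if v not in (None, "", {})}
    return obj

def pd_cef_to_udm(raw):
    """Apply the page's UDM mapping table (directly mapped and constant rows) to one event."""
    ev = json.loads(raw)
    cd = ev.get("custom_details", {})
    return prune({
        "metadata": {"vendor_name": "RUBRIK", "product_name": ev.get("source"),
                     "event_timestamp": parse_ts(ev["timestamp"]).isoformat(),
                     "product_event_type": cd.get("eventName"), "product_log_id": cd.get("id")},
        "principal": {"administrative_domain": cd.get("customerID"),
                      "resource": {"resource_type": "CLUSTER", "name": cd.get("clusterName"),
                                   "product_object_id": cd.get("clusterId")},
                      "user": {"user_display_name": cd.get("auditUserName")}},
        "target": {"location": {"name": cd.get("location")},
                   "resource": {"name": cd.get("objectName"), "product_object_id": cd.get("objectId"),
                                "resource_subtype": cd.get("objectType")}},
        "security_result": {"summary": ev.get("summary"), "category_details": ev.get("class"),
                            "action_details": cd.get("status"), "severity_details": ev.get("severity"),
                            "severity": SEVERITY_MAP.get(str(ev.get("severity", "")).upper(), "INFORMATIONAL")}})
```

Running `pd_cef_to_udm(SAMPLE_EVENT)` is a quick way to check which UDM fields the query in the verification section can match on before events arrive from the real feed.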