@marcusfaust

Change(s):

  • Added new Codeless Connector Platform (CCP) data connector for Rubrik Security Cloud
  • Ingests comprehensive backup and protection status data for Azure VMs into Microsoft Sentinel
  • Added 5 files under Solutions/RubrikSecurityCloud/Data Connectors/RubrikSecurityCloud_CCP/:
    • connectorDefinition.json - UI definition
    • DCR.json - Data Collection Rule and Endpoint
    • PollerConfig.json - REST API Poller configuration
    • table - RubrikProtectionStatus.json - Custom table schema (49 columns)
    • README.md - Comprehensive documentation with sample queries

Reason for Change(s):

  • Enables security teams to correlate security alerts with backup/protection status
  • Provides ransomware recovery readiness visibility
  • Complements the existing RubrikWebhookEvents connector in the same solution
  • Built on the Codeless Connector Platform (CCP) framework for easy deployment

Version Updated:

  • N/A - This is a new data connector, not a detection/analytic rule template

Testing Completed:

  • Yes
  • Deployed and tested in Azure Sentinel workspace
  • Data ingestion verified with 100+ records from Rubrik Security Cloud
  • UI tested in Azure Portal - all configuration fields working correctly
  • All 49 data fields validated in custom table RubrikProtectionStatus_CL
  • Sample KQL queries tested with live data
  • OAuth2 authentication flow verified
  • 60-minute polling interval tested

Checked that the validations are passing and have addressed any issues that are present:

  • Yes
  • All JSON files validated
  • No KQL validation required (data connector only, no detection rules)
  • README.md follows documentation standards

Summary

This PR adds a new Codeless Connector Platform (CCP) data connector for Rubrik Security Cloud that ingests comprehensive backup and protection status data for Azure VMs into Microsoft Sentinel.

Connector Details

  • Name: Rubrik Security Cloud Protection Status
  • Type: Codeless Connector Platform (CCP)
  • API: Rubrik Security Cloud GraphQL API
  • Authentication: OAuth2 (client credentials)
  • Polling Frequency: 60 minutes
  • Data Table: RubrikProtectionStatus_CL

Data Collected

The connector ingests 49 backup attributes per Azure VM including:

  • Multi-tier compliance status (backup, archival, replication)
  • Snapshot counts and distribution
  • Storage metrics (logical, physical, data reduction)
  • SLA domain assignments
  • Cluster and organization information

Use Cases

  • Security alert correlation - Enrich security incidents with backup status to assess recovery options
  • Ransomware recovery readiness - Quickly identify which compromised VMs have recent backups
  • Compliance monitoring - Track backup compliance across Azure VMs
  • Storage efficiency analysis - Monitor data reduction and storage metrics

The README includes sample KQL queries demonstrating how to correlate security alerts with backup data.

Related

This connector complements the existing RubrikWebhookEvents connector in the same solution.
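The "ransomware recovery readiness" use case above, as an added KQL example that is not from the PR or from the connector's README. Only the table name `RubrikProtectionStatus_CL` and the standard Sentinel `SecurityAlert` table are from the page; the Rubrik column names (`VmName_s`, `ComplianceStatus_s`, `LatestSnapshotTime_t`, `SnapshotCount_d`, `SlaDomainName_s`) and the compliance value `IN_COMPLIANCE` are assumed placeholders to be replaced with the real schema.

```kql
// Added example: join recent high/medium security alerts on their host entity
// to the latest Rubrik protection record for that VM, and classify how
// recoverable the host is. Column names below are assumptions, not the
// connector's real schema (only RubrikProtectionStatus_CL is from the PR).
let lookback = 7d;
let latestProtection =
    RubrikProtectionStatus_CL
    | where TimeGenerated > ago(lookback)
    // keep one row per VM: the most recent poll
    | summarize arg_max(TimeGenerated, *) by VmName_s;
SecurityAlert
| where TimeGenerated > ago(1d)
| where Severity in ("High", "Medium")
// Entities is a JSON array of entity objects; pull out the host entities
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "host"
| extend HostName = tolower(tostring(Entity.HostName))
| project AlertTime = TimeGenerated, AlertName, Severity, HostName
| join kind=leftouter (
    latestProtection
    | extend HostName = tolower(VmName_s)
    | project HostName, ComplianceStatus_s, LatestSnapshotTime_t,
              SnapshotCount_d, SlaDomainName_s
  ) on HostName
// hours between the alert and the newest snapshot (null if no Rubrik row)
| extend BackupAgeHours = datetime_diff('hour', AlertTime, LatestSnapshotTime_t)
| extend RecoveryReadiness = case(
    isempty(HostName1), "No Rubrik record",
    ComplianceStatus_s != "IN_COMPLIANCE", "Out of compliance",
    BackupAgeHours > 24, "Stale backup (>24h)",
    "Ready")
| project AlertTime, AlertName, Severity, HostName, RecoveryReadiness,
          ComplianceStatus_s, LatestSnapshotTime_t, BackupAgeHours,
          SnapshotCount_d, SlaDomainName_s
| order by Severity asc, AlertTime desc
```

Hosts with "No Rubrik record" or "Stale backup" are the ones to triage first, since an alert on them cannot be answered with a clean restore.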


@marcusfaust marcusfaust requested review from a team as code owners January 27, 2026 17:00
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Jan 28, 2026
@marcusfaust (Author)

@microsoft-github-policy-service agree company="Rubrik"

@v-maheshbh (Contributor)

Hi @marcusfaust

Kindly refer to the below-mentioned solution for the correct folder structure and update the necessary changes.

https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF

Thanks!
