Rubrik Release 1.7.0#44132

Open
crestdatasystems wants to merge 2 commits into
demisto:contrib/crestdatasystems_Rubrik-Release-1.7.0from
crestdatasystems:Rubrik-Release-1.7.0

Conversation

@crestdatasystems
Contributor

@crestdatasystems crestdatasystems commented Apr 30, 2026

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Description

Updated Integration "Rubrik Security Cloud":

  • Added support for fetching Rubrik DSPM Violation as an XSOAR incident.
  • Added support for DSPM Violation Categories parameter to filter DSPM violation by categories.
  • Added support for DSPM Violation Object Types parameter to filter DSPM violation by object types.
  • Added support for DSPM Violation Severity Levels parameter to filter DSPM violation by severity levels.
  • Added support for DSPM Violation Sensitivity Levels parameter to filter DSPM violation by sensitivity levels.
  • Added support for DSPM Violation Statuses parameter to filter DSPM violation by statuses.
  • Added a new command: rubrik-data-security-violation-list.
  • Added a new command: rubrik-data-security-violation-get.
  • Added a new command: rubrik-data-security-violation-status-update.
  • Added a new command: rubrik-data-security-violation-file-list.
  • Added a new command: rubrik-data-security-violation-csv-download.
  • Added a new command: rubrik-data-security-violation-log-download.

Added the following playbooks:

Rubrik Quarantine Files using MS Graph Search
  • This playbook quarantines files using the Microsoft Graph Search (O365 File Management) integration by downloading them, uploading them to a quarantine folder and deleting them from their original location.
Rubrik Quarantine Files General
  • This playbook quarantines files using Microsoft Graph Search (O365 File Management) integration.
Rubrik DSPM Violation Remediation - Rubrik Security Cloud
  • This playbook remediates DSPM violations by retrieving violation details and affected file information, downloading the affected file details and remediation logs as CSV files, quarantining the affected files and updating the violation status.

Must have

  • Tests
  • Documentation

relates: https://jira-dc.paloaltonetworks.com/browse/CIAC-16692

@content-bot content-bot added Partner-Approved Contribution Form Filled Whether contribution form filled or not. Partner Contribution Thank you! Contributions are always welcome! External PR Partner Support Level Indicates that the contribution is for Partner supported pack labels Apr 30, 2026
@content-bot content-bot changed the base branch from master to contrib/crestdatasystems_Rubrik-Release-1.7.0 April 30, 2026 13:01
@content-bot
Contributor

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @kamalq97 will know the proposed changes are ready to be reviewed.
For your convenience, here is a link to the contributions SLAs document.

@content-bot
Contributor

Hi @crestdatasystems, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.

@content-bot
Contributor

🤖 AI-Powered Code Review Available

Hi @kamalq97, @Benimanela, you can leverage AI-powered code review to assist with this PR!

Available Commands:

  • @marketplace-ai-reviewer start review - Initiate a full AI code review
  • @marketplace-ai-reviewer re-review - Incremental review for new commits

Collaborator

@Benimanela Benimanela left a comment


Hi @crestdatasystems, thank you for the work on this contribution. The implementation looks good overall.

I have a few comments from a security and standards perspective at this stage:

General

  • Please run demisto-sdk format on the changed files. In particular, playbook-Rubrik_Quarantine_Files_using_MS_Graph_Search.yml is being auto-detected as a silent playbook by the SDK (it would prefix id/name with silent-, bump fromversion to 8.9.0, and add issilent: true). Please either accept the format output and commit it, or confirm this playbook is not intended to be silent.

Incident Fields

  • incidentfield-Rubrik_Files_At_Risk.json and incidentfield-Rubrik_Violation_Status.json still contain a "modified" timestamp key from a UI export (e.g. "modified": "2026-04-03T11:15:42.429603116+05:30"). Please remove that key from both files.
  • incidentfield-Rubrik_CDM_Cluster_Name.json is restricted to "marketplaces": ["xsoar"] but its associatedTypes now includes Rubrik DSPM Violation, so DSPM incidents on XSIAM will be missing this field. Please confirm this is intentional or drop the marketplace restriction.
  • For the new fields with "unsearchable": false (Account Name, Location, Region, Policy Name, Snapshot ID, Violation ID, Violation Name, Violation Status), please confirm which ones genuinely need to be searchable and flip the rest to true.

Incident Type

  • incidenttype-Rubrik_DSPM_Violation.json — the extractSettings block configures rubrikcdmclusterid, rubrikobjectaccountname, rubrikobjectlocation, and rubrikpolarisobjectname to extract domainRepUnified indicators. These values are not domains and will generate incorrect indicators on every DSPM incident. Please disable this extraction or map to the correct indicator types.

Layout

  • The layout has "marketplaces": ["xsoar"] only, but the incident type and fields are not restricted. On XSIAM/marketplacev2 analysts will see the incident type without a layout. Please extend the layout marketplaces to include marketplacev2 and platform, or restrict the incident type and fields to xsoar to match.
  • The quickView in layoutscontainer-Rubrik_DSPM_Violation.json includes a "Custom Fields" section with ~264 generic incident_* system fields - please confirm this is intentional or trim it down to the fields actually relevant to DSPM violations.

Classifier / Mapper

  • classifier-Rubrik_Polaris_Radar_-_Mapping.json (Rubrik DSPM Violation section) contains duplicate mappings for the same field:
    • "Rubrik Object Location" (correct)
    • "Rubrik Object location" (lowercase l, unused)
    Please remove the lowercase duplicate.
  • The Rubrik DSPM Violation mapper section does not map any field to occurred. Please map occurred to createdAt (or the appropriate detection-time field) so incidents reflect the correct timeline.

Playbooks

Rubrik_Quarantine_Files_using_MS_Graph_Search.yml
  • Task 11 (Delete the file from its original location) runs after task 10 (Upload to quarantine folder) with continueonerror: true on both. If the upload fails, the original file may still be deleted, which introduces a data-loss risk. Please guard the delete action on successful upload (e.g., validate upload output) or adjust the error handling.
  • Tasks 8, 10, 11, and condition 17 filter FileInfo using two containsGeneral clauses combined with AND (input vs. form answer). The intended logic appears to be OR — please clarify or correct this.
  • In task 8, the item_id filter references inputs.file_name while the parallel object_type_id filter references inputs.file_path. This looks inconsistent — please confirm the logic.
  • Form 16 defines both file path and file name as required: false. Please clarify whether at least one should be required.
  • Inputs file_name and file_path are both optional, but the descriptions do not clarify expected formats or whether one alone is sufficient. Please update the documentation.
  • The Set the delete keys and Clear Previous Inputs flow lacks explanation. Please add a description explaining its purpose.
  • The SDK format command auto-detects this playbook as silent (see General). Please run demisto-sdk format and either accept or investigate.
Rubrik_DSPM_Violation_Remediation_-_Rubrik_Security_Cloud.yml
  • Task 20 includes a loop block (max: 100, wait: 1) without forEach or exitCondition. Please clarify intent or fix the implementation.
  • Task 11 (Yes/No prompt) has no #default# path. Timed-out prompts may stall execution — please add a default route.
  • The limit input default is set to "1000" (maximum). Please confirm this is intended or reduce the default.
Rubrik_Quarantine_Files_General.yml
  • The flow appears misordered: cleanup of previous form answers (tasks 11 + 12) runs before the condition that determines whether the form is needed (task 18). Please reorder or clarify the logic.
  • The Set the delete keys indirection (writing a static value to context just to read it in DeleteContext) lacks clear rationale — please simplify or document the reasoning.
  • The file_information input is described generically but used as a list of objects with {name, path}. Please document the expected schema explicitly.
  • There is no integration availability check before calling the MS Graph sub-playbook. Please add an IsIntegrationAvailable guard.
General Playbook Notes
  • All three new playbooks define outputs: []. Since these playbooks perform destructive operations, consider returning status/results so calling playbooks can make decisions based on outcomes.

If you have any questions, feel free to reach out on DFIR Slack.

Let me know once the fixes are in place so I can take another look.

@crestdatasystems
Contributor Author

Hi @Benimanela,

We have applied the suggested changes; please find our replies to the review comments below.

General

  • The playbooks do not include issilent: true, a silent- prefix in the id/name, or a bumped fromVersion in the file. demisto-sdk format has been run on all files.

Incident Fields

  • All requested changes have been implemented.
  • The fields Account Name, Location, Region, Policy Name, Snapshot ID, Violation ID, Violation Name, and Violation Status are intentionally kept searchable, as they serve as the primary identifiers analysts use to filter DSPM violations.

Incident Type

  • Indicator extraction has been removed from the cluster ID and account name. Domain extraction is retained for the object location and name, as those fields are expected to contain domain values.

Layout

  • The layout retains predefined sections such as Child Incidents and Related Incidents. Enabling support for XSIAM/marketplacev2 triggers an LO107 validation error.
  • This is a standard XSOAR layout export artifact, auto-generated by the platform UI during layout export, and has no impact on functionality.

Classifier / Mapper

  • All requested changes have been implemented.

Playbooks

Rubrik_Quarantine_Files_using_MS_Graph_Search.yml

  • Error paths have been added for the download, upload, and delete file tasks to handle failures gracefully and prevent unintended data loss.
  • The OR logic is intentional: the path should match either the input value or the value manually entered by the user.
  • The file path logic has been updated.
  • Users are only required to provide whichever value is missing; this is by design.
  • This playbook is invoked as a sub-playbook from the DSPM playbook. If values are not provided, they are collected from the user via a form, making both inputs intentionally optional.
  • The descriptions for the Set Delete Keys and Clear Previous Inputs tasks have been updated.
  • The playbook has been formatted. It is not intended to function as a silent playbook.

Rubrik_Quarantine_Files_using_MS_Graph_Search.yml

  • The loop block has been removed from Task 20, as no forEach field was defined.
  • A #default# path has been added to Task 11, routing timed-out prompts to Task 14, consistent with the "No" path behavior.
  • The default value of 1000 is intentional, as it matches the API's maximum limit.

Rubrik_Quarantine_Files_General.yml

  • Clearing stale context unconditionally at the start is intentional, ensuring the condition task always evaluates against fresh input.
  • The descriptions for the Set Delete Keys and Clear Previous Inputs tasks have been updated.
  • The description for the expected input schema has been updated.
  • The integration availability check for O365 File Management and Microsoft Graph Search is performed at the start of the sub-playbook (Rubrik_Quarantine_Files_using_MS_Graph_Search).

General Playbook Notes

  • Declaring all outputs would redundantly duplicate documentation already available at the individual command level. Context written to XSOAR by sub-tasks remains accessible to downstream tasks regardless of whether it is explicitly declared in the playbook outputs.

Collaborator

@Benimanela Benimanela left a comment


Hi @crestdatasystems, thank you for addressing all the feedback and implementing the requested fixes. I reviewed the updated changes, and everything looks good from my side.

Approved.

Waiting for the demo.

@Benimanela Benimanela added the Security Approved If a contribution has been approved for merge by the security team, then this will allow a merge label May 13, 2026
@kamalq97 kamalq97 added docs-approved ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. labels May 13, 2026
@marketplace-ai-reviewer marketplace-ai-reviewer removed the ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. label May 13, 2026
@marketplace-ai-reviewer
Contributor

🤖 Analysis started. Please wait for results...

@content-bot
Contributor

For the Reviewer: Trigger build request has been accepted for this contribution PR.

@content-bot
Contributor

For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/8989632

@content-bot content-bot removed the ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. label May 13, 2026
@marketplace-ai-reviewer
Contributor

🤖 AI Review Disclaimer

This review was generated by an AI-powered tool and may contain inaccuracies. Please be advised, and we extend our sincere apologies for any inconvenience this may cause.

Contributor

@marketplace-ai-reviewer marketplace-ai-reviewer left a comment


Hi! Thanks for your contribution to the Rubrik Polaris pack.

I've reviewed the PR and noted a few areas for improvement, primarily around playbook logic, test data sanitization, and documentation. Please correct the playbook filter conditions that incorrectly use an AND operator for mutually exclusive inputs, sanitize the real-world domain (rubrik.us) in your test data, and ensure your release notes and READMEs follow standard formatting guidelines.

Thanks again for your hard work on this update!

Additionally, please address the following file-level notes:

  • Packs/RubrikPolaris/README.md: The Integration_description.md file is missing for the Rubrik Security Cloud integration.
  • Packs/RubrikPolaris/Scripts/RubrikPullDSPMViolationFileInformation/README.md: This README appears to be missing standard sections such as Command example and Human Readable Output. Please ensure the README is generated using the SDK to include proper formatting, examples, and context output. You can regenerate it by running:
      demisto-sdk generate-docs --insecure -e <path/to/command_examples.txt>
  • Packs/RubrikPolaris/Scripts/RubrikPullDSPMViolationInformation/README.md: This README appears to be missing standard sections such as Command example and Human Readable Output. Please ensure the README is generated using the SDK to include proper formatting, examples, and context output. You can regenerate it by running:
      demisto-sdk generate-docs --insecure -e <path/to/command_examples.txt>
  • Packs/RubrikPolaris/Scripts/RubrikPushDSPMViolationStatus/README.md: This README appears to be missing standard sections such as Command example and Human Readable Output. Please ensure the README is generated using the SDK to include proper formatting, examples, and context output. You can regenerate it by running:
      demisto-sdk generate-docs --insecure -e <path/to/command_examples.txt>

@kamalq97, @Benimanela please review and approve the results generated by the AI Reviewer by responding 👍 on this comment.

"name": "DEMO-RADAR02",
"objectType": "VSPHERE_VIRTUAL_MACHINE",
"platform": "PLATFORM_DATA_CENTER",
"physicalHost": "vcsa.rubrik.us/Datacenters/Data Center/vm/Discovered virtual machine",

The test data contains a real-world domain rubrik.us in the physicalHost field.

"isExtractingAllIndicatorTypes": false,
"extractIndicatorTypesIDs": [
"domainRepUnified"
]

Review indicator extraction settings for rubrikpolarisobjectname.

nexttasks:
'#none#':
- "10"
scriptarguments:

The example in the file_information input description is inconsistent with the task logic.


* Rubrik Quarantine Files General

### Integrations

Update the 'Integrations' section to include the Rubrik Security Cloud integration.


* Rubrik Quarantine Files using MS Graph Search

### Integrations

Consider updating the 'Integrations' section to reflect the dependencies of the sub-playbooks.


def sync_the_violation_file_information(args: dict[str, Any]) -> list:
"""
Sync the DSPM Violation file infromation from RSC.

Typo in docstring.

Suggested change
Sync the DSPM Violation file infromation from RSC.
Sync the DSPM Violation file information from RSC.


def sync_the_violation_information(args: dict[str, Any]) -> list:
"""
Sync the DSPM Violation infromation from RSC.

Typo in docstring.

Suggested change
Sync the DSPM Violation infromation from RSC.
Sync the DSPM Violation information from RSC.


def sync_the_violation_status(args: dict[str, Any]) -> dict[str, Any]:
"""
Push the DSPM Violation Status infromation from XSOAR to RSC.

Typo in docstring.

Suggested change
Push the DSPM Violation Status infromation from XSOAR to RSC.
Push the DSPM Violation Status information from XSOAR to RSC.

],
)
def test_sync_the_violation_status_with_invalid_args(args, error_message, capfd):
"""Tests sync_the_violation_status command function with invalid argumets."""

Typo in docstring.

Suggested change
"""Tests sync_the_violation_status command function with invalid argumets."""
"""Tests sync_the_violation_status command function with invalid arguments."""

| --- | --- |
| violation_id | The ID of the DSPM Violation.<br/><br/>Note: If not provided, the script will try to retrieve it from the incident context. |
| object_id | The Object ID.<br/><br/>Note: If not provided, the script will try to retrieve it from the incident context. |
| snapshot_id | The Sanpshot ID.<br/><br/>Note: If not provided, the script will try to retrieve it from the incident context. |

There is a typo in the word "Snapshot".

Suggested change
| snapshot_id | The Sanpshot ID.<br/><br/>Note: If not provided, the script will try to retrieve it from the incident context. |
| snapshot_id | The Snapshot ID.<br/><br/>Note: If not provided, the script will try to retrieve it from the incident context. |

@content-bot
Contributor

Validate summary
The following errors were reported as warnings: RM108, GR101, MC101, GR110, PB131, PB130.
The following errors were thrown as a part of this pr: AS103, ST110, IF117, GR103.
The following errors can be ignored: AS103, GR103.
The following errors cannot be ignored: ST110, IF117.
If the AG100 validation in the pre-commit GitHub Action fails, the pull request cannot be force-merged.

Verdict: PR can be force merged from validate perspective? ❌

@kamalq97
Contributor

Hi @crestdatasystems

Thank you for your contribution.

Please address all comments left by @marketplace-ai-reviewer.

In addition, could you please fix the following validation errors?

Packs/RubrikPolaris/IncidentFields/incidentfield-Rubrik_Files_At_Risk.json: [ST110] - Structure error (value_error.extra) in field runScriptAfterUpdate of incidentfield-Rubrik_Files_At_Risk.json: The field runScriptAfterUpdate is extra and extra fields not permitted
Packs/RubrikPolaris/IncidentFields/incidentfield-Rubrik_Violation_Status.json: [ST110] - Structure error (value_error.extra) in field runScriptAfterUpdate of incidentfield-Rubrik_Violation_Status.json: The field runScriptAfterUpdate is extra and extra fields not permitted
Packs/RubrikPolaris/Classifiers/classifier-Rubrik_Polaris_Radar_-_Mapping.json: [GR103] - Content item 'Rubrik Polaris Radar - Mapping' is using content items: 'Rubrik Create Time' which cannot be found in the repository.
Packs/RubrikPolaris/IncidentFields/incidentfield-Rubrik_Violation_Status.json: [GR101] - Content item 'Rubrik Violation Status' whose from_version is '6.0.0' is using content items: 'RubrikPushDSPMViolationStatus' whose from_version is higher (should be <= 6.0.0)
Packs/RubrikPolaris/IncidentTypes/incidenttype-Rubrik_DSPM_Violation.json: [GR101] - Content item 'Rubrik DSPM Violation' whose from_version is '6.0.0' is using content items: 'Rubrik DSPM Violation Remediation - Rubrik Security Cloud' whose from_version is higher (should be <= 6.0.0)

Please let me know once all the changes have been made so we can re-review.

@kamalq97 kamalq97 added the pending-contributor The PR is pending the response of its creator label May 14, 2026
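A lint for the content-item JSON problems raised in Benimanela's review above and in the validator output in this comment (added example, not code from the PR or from demisto-sdk): it flags UI-export artifact keys in incident fields, a layout restricted to fewer marketplaces than its incident type, mapper keys that differ only by case, and a dependency whose fromVersion exceeds that of the item using it. The JSON key names, the incident field id and the script version used in the sample items are assumptions constructed for the example.

```python
"""Lint for the content-item JSON issues raised in this PR thread (added example,
not code from the PR or demisto-sdk; item shapes and samples are assumptions)."""
from typing import Any

# Keys a platform UI export leaves behind; the content repo rejects them
# ("modified" raised in review, "runScriptAfterUpdate" raised as ST110).
EXPORT_ARTIFACT_KEYS = ("modified", "runScriptAfterUpdate")
# An item without a "marketplaces" key is assumed to ship everywhere.
ALL_MARKETPLACES = frozenset({"xsoar", "marketplacev2", "platform"})


def version_key(version: str) -> tuple[int, ...]:
    """'6.10.0' -> (6, 10, 0): compare versions numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_export_artifacts(field: dict[str, Any]) -> list[str]:
    """Report export-only keys that must be stripped from an incident field."""
    name = field.get("id", "<unknown>")
    return [f"{name}: remove export artifact key '{key}'"
            for key in EXPORT_ARTIFACT_KEYS if key in field]


def check_layout_marketplaces(layout: dict[str, Any], incident_type: dict[str, Any]) -> list[str]:
    """Flag marketplaces where the incident type exists but its layout does not."""
    layout_mp = frozenset(layout.get("marketplaces") or ALL_MARKETPLACES)
    type_mp = frozenset(incident_type.get("marketplaces") or ALL_MARKETPLACES)
    missing = sorted(type_mp - layout_mp)
    if not missing:
        return []
    return [f"{layout['id']}: incident type {incident_type['id']!r} "
            f"has no layout on {missing}"]


def check_mapping_key_case(mapping: dict[str, Any]) -> list[str]:
    """Find mapper target fields that differ only by letter case; one is dead."""
    findings: list[str] = []
    seen: dict[str, str] = {}
    for key in mapping:
        folded = key.casefold()
        if folded in seen:
            findings.append(f"duplicate mapping key {key!r} shadows {seen[folded]!r}")
        else:
            seen[folded] = key
    return findings


def check_from_version(item: dict[str, Any], dependencies: list[dict[str, Any]]) -> list[str]:
    """A dependency's fromVersion must not exceed that of the item using it (GR101)."""
    item_v = item.get("fromVersion", "6.0.0")
    findings: list[str] = []
    for dep in dependencies:
        dep_v = dep.get("fromVersion", "6.0.0")
        if version_key(dep_v) > version_key(item_v):
            findings.append(f"{item['id']}: from_version {item_v} uses {dep['id']!r} "
                            f"whose from_version {dep_v} is higher")
    return findings


def lint_sample_pack() -> list[str]:
    """Run every check over constructed items that mirror this review's findings."""
    violation_status = {"id": "incident_rubrikviolationstatus", "fromVersion": "6.0.0",
                        "modified": "2026-04-03T11:15:42+05:30",  # export leftover
                        "runScriptAfterUpdate": False}
    layout = {"id": "Rubrik DSPM Violation", "marketplaces": ["xsoar"]}
    incident_type = {"id": "Rubrik DSPM Violation", "fromVersion": "6.0.0"}
    mapping = {"Rubrik Object Location": {"simple": "objectLocation"},
               "Rubrik Object location": {"simple": "objectLocation"}}
    # Script version is a placeholder; the thread only says it is higher than 6.0.0.
    push_script = {"id": "RubrikPushDSPMViolationStatus", "fromVersion": "6.10.0"}
    return (check_export_artifacts(violation_status)
            + check_layout_marketplaces(layout, incident_type)
            + check_mapping_key_case(mapping)
            + check_from_version(violation_status, [push_script]))
```

Running `lint_sample_pack()` reproduces five findings, one per issue the thread reports; point the same functions at real pack files loaded with `json.load` to use it as a pre-commit check.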