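<#
.SYNOPSIS
    Starts an RSC threat hunt (the startThreatHunt GraphQL mutation) from a YARA rule file.

.DESCRIPTION
    Builds the startThreatHunt mutation from the supplied cluster, object IDs, scan name
    and IOC file, then posts it to the RSC GraphQL endpoint with the bearer token taken
    from $access_token.access_token.

    Every caller-supplied value that lands inside the GraphQL document is emitted as an
    escaped string literal (ConvertTo-Json's string escape grammar is the same as
    GraphQL's), so quotes, backslashes or newlines in a scan name, path filter or rule
    file cannot change the structure of the mutation. The iocKind enum is interpolated
    bare and is therefore restricted to a plain GraphQL Name.

.NOTES
    File Name : New-RubrikThreatHunt.ps1
    Author    : Adam.Turner@rubrik.com

.PARAMETER rscDomain
    RSC tenant name; the endpoint used is https://<rscDomain>.my.rubrik.com/api/graphql.
.PARAMETER access_token
    Object exposing an access_token property (e.g. the output of Connect-RSC.ps1); sent
    as an Authorization: Bearer header and never written to output.
.PARAMETER clusterId
    UUID of the cluster that owns the objects to scan.
.PARAMETER objectIDs
    One or more object FIDs, e.g. "id1","id2".
.PARAMETER iocType
    IOC kind enum accepted by RSC, e.g. IOC_YARA.
.PARAMETER iocPath
    Path to the IOC file(s). If several files match (e.g. a wildcard) their contents are
    concatenated with newlines.
.PARAMETER scanName
    Display name of the hunt.
.PARAMETER fileInclude
    Optional path include filter; sent as an empty string when omitted.
.PARAMETER fileExclude
    Optional path exclude filter; sent as an empty string when omitted.
.PARAMETER maxSnapshotsPerObject
    Snapshots scanned per object (default 1, matching the previous hard-coded value).

.EXAMPLE
    ./Connect-RSC.ps1 -jsonPath aturner.json | ./New-RubrikThreatHunt.ps1 -access_token $access_token -rscDomain "rubrik-dc" -clusterId "3422dc50-dbb0-4476-8026-971177e5aa59" -objectIDs "5fe08775-9ad7-52ca-a51c-d98f7f3b96d3","73297448-5653-514d-9890-a5ef644ea000" -scanName "CobaltStrike" -iocType IOC_YARA -iocPath *.yara

.EXAMPLE
    ./New-RubrikThreatHunt.ps1 -access_token $access_token -rscDomain "rubrik-dc" -clusterId "3422dc50-dbb0-4476-8026-971177e5aa59" -objectIDs "5fe08775-9ad7-52ca-a51c-d98f7f3b96d3","73297448-5653-514d-9890-a5ef644ea000" -scanName "CobaltStrike" -iocType IOC_YARA -iocPath *.yara

.INPUTTYPE
    Object IDs presented as "5fe08775-9ad7-52ca-a51c-d98f7f3b96d3","73297448-5653-514d-9890-a5ef644ea000"

.OUTPUTS
    The deserialized GraphQL response (data.startThreatHunt.huntStatus.id on success).
    A non-terminating error is written when the response carries a GraphQL "errors" array,
    because the HTTP status alone does not reveal a failed mutation.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $True)] [String]$rscDomain,
    [Parameter(Mandatory = $True)] [PSCustomObject]$access_token,
    [Parameter(Mandatory = $True)] [String]$clusterId,
    [Parameter(Mandatory = $True)] [PSCustomObject]$objectIDs,
    [Parameter(Mandatory = $True)] [String]$iocType,
    [Parameter(Mandatory = $True)] [String]$iocPath,
    [Parameter(Mandatory = $True)] [String]$scanName,
    [Parameter(Mandatory = $False)] [String]$fileInclude,
    [Parameter(Mandatory = $False)] [String]$fileExclude,
    [Parameter(Mandatory = $False)] [int]$maxSnapshotsPerObject = 1
)

# Returns $Value as a double-quoted, escaped string literal that is valid inside a
# GraphQL document. JSON's string escapes (\" \\ \n \r \t \uXXXX ...) are exactly the
# escapes GraphQL accepts, so ConvertTo-Json does the work; $null becomes "".
function ConvertTo-GraphQLStringLiteral {
    param([AllowNull()][AllowEmptyString()][string]$Value)
    return (ConvertTo-Json -InputObject ([string]$Value) -Compress)
}

# iocKind is a GraphQL enum and must be interpolated bare (unquoted), so it is the one
# value that cannot be escaped; restrict it to a GraphQL Name instead.
if ($iocType -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') {
    throw "iocType '$iocType' is not a valid enum name (expected e.g. IOC_YARA)."
}

$rscGraphQueryEndpoint = "https://$rscDomain.my.rubrik.com/api/graphql"

# One escaped literal per object FID, joined into a GraphQL list body: "a","b"
$objectIdsFormatted = ($objectIDs | ForEach-Object { ConvertTo-GraphQLStringLiteral $_ }) -join ','

# Authentication header. The token is only ever placed here; it is not echoed or logged.
$headers = @{
    'Content-Type'  = 'application/json';
    'Accept'        = 'application/json';
    'Authorization' = ('Bearer ' + $access_token.access_token);
}

# Read the raw IOC rule text. -Raw keeps each file intact; if the path matches several
# files they are concatenated with newlines rather than becoming a JSON array.
# -ErrorAction Stop turns a missing/unreadable file into a terminating error instead of
# silently sending an empty iocValue.
$iocRaw = (Get-Content -Path $iocPath -Raw -ErrorAction Stop) -join "`n"

$clusterLiteral  = ConvertTo-GraphQLStringLiteral $clusterId
$nameLiteral     = ConvertTo-GraphQLStringLiteral $scanName
$iocLiteral      = ConvertTo-GraphQLStringLiteral $iocRaw
$includeLiteral  = ConvertTo-GraphQLStringLiteral $fileInclude
$excludeLiteral  = ConvertTo-GraphQLStringLiteral $fileExclude

# Commas are insignificant in GraphQL, so the layout below is purely for readability.
$mutation = @"
mutation startThreatHunt {
  startThreatHunt(input: {
    clusterUuid: $clusterLiteral,
    objectFids: [$objectIdsFormatted],
    name: $nameLiteral,
    indicatorsOfCompromise: {
      iocKind: $iocType,
      iocValue: $iocLiteral
    },
    fileScanCriteria: {
      pathFilter: {
        includes: $includeLiteral,
        excludes: $excludeLiteral
      }
    },
    snapshotScanLimit: { maxSnapshotsPerObject: $maxSnapshotsPerObject }
  }) {
    huntStatus { id }
  }
}
"@

$body = @{ "query" = $mutation }

# -Verbose shows the full request body (mutation and rule text), never the token.
Write-Verbose ($body | ConvertTo-Json)

$response = Invoke-RestMethod -Method Post -Uri $rscGraphQueryEndpoint -Body ($body | ConvertTo-Json) -Headers $headers

# GraphQL reports mutation failures with HTTP 200 and an "errors" array; surface them so
# the caller does not mistake a rejected hunt for a started one.
if ($response.PSObject.Properties['errors'] -and $response.errors) {
    Write-Error ("startThreatHunt returned errors: " + ($response.errors | ConvertTo-Json -Depth 5 -Compress))
}

$response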