S1_USBDevice_New
ID: 100062
Description:
New USB device seen connected to machine
Repository: Group: SentinelOne Type: event
Default Status:
Enabled
| Tags: |
|---|
| @usb |
Selector:
Query:
@event_type: @sentinelone
Filters:
| Field | MUST hit |
|---|---|
| @sentinelone.eventID | 5126 |
| @sentinelone.endpointDeviceControlInterface | USB |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @sentinelone.sourceHostName | asset |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| DeviceInterface | @sentinelone.endpointDeviceControlInterface |
| DeviceClass | @sentinelone.endpointDeviceControlClass |
| DeviceVendor | @sentinelone.endpointDeviceControlVendor |
| DeviceProduct | @sentinelone.endpointDeviceControlProduct |
| DeviceSerial | @sentinelone.endpointDeviceControlSerial |
| DeviceName | @sentinelone.endpointDeviceControlDeviceName |
| SourceUserID | @sentinelone.sourceUserId |
| UserName | @sentinelone.sourceUserName |
Correlation Rules:
First Occurrence:
| Name | Window | Fields | ||
|---|---|---|---|---|
| NewDeviceConnected | 1 day | @sentinelone.endpointDeviceControlInterface | @sentinelone.endpointDeviceControlClass | @sentinelone.endpointDeviceControlVendor |
| @sentinelone.endpointDeviceControlProduct | @sentinelone.endpointDeviceControlSerial | @sentinelone.endpointDeviceControlDeviceName | ||
| Risks: | ALERT_POLICY |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)