S1_USBDeviceMovement
ID: 100063
Description:
USB device seen connected to multiple machines
Repository: Group: SentinelOne Type: event
Default Status:
Enabled
| Tags: |
|---|
| @usb |
Selector:
Query:
@event_type: @sentinelone AND @sentinelone.endpointDeviceControlSerial:*
Filters:
| Field | MUST hit |
|---|---|
| @sentinelone.eventID | 5126 |
| @sentinelone.endpointDeviceControlInterface | USB |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @sentinelone.endpointDeviceControlSerial | asset | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| DeviceInterface | @sentinelone.endpointDeviceControlInterface |
| DeviceClass | @sentinelone.endpointDeviceControlClass |
| DeviceVendor | @sentinelone.endpointDeviceControlVendor |
| DeviceProduct | @sentinelone.endpointDeviceControlProduct |
| DeviceSerial | @sentinelone.endpointDeviceControlSerial |
| DeviceName | @sentinelone.endpointDeviceControlDeviceName |
| SourceUserID | @sentinelone.sourceUserId |
| UserName | @sentinelone.sourceUserName |
| HostName | @fields.Hostname |
Correlation Rules:
First Occurrence:
| Name | Window | Fields | |
|---|---|---|---|
| S1_USBDeviceMovement | 1 day | @sentinelone.endpointDeviceControlSerial | @fields.Hostname |
| Risks: | ALERT_POLICY |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)