Link Search Menu Expand Document

S1_USBDeviceMovement

ID: 100063

Description:

USB device seen connected to multiple machines

Repository: Group: SentinelOne Type: event

Default Status:

Enabled

Tags:
@usb
 

Selector:

Query:

@event_type: @sentinelone AND @sentinelone.endpointDeviceControlSerial:*

Filters:

Field MUST hit
@sentinelone.eventID 5126
@sentinelone.endpointDeviceControlInterface USB
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@sentinelone.endpointDeviceControlSerial asset security alert

Risks:

Risks Base Score Dimension
     

Attributes:

Alias Key
DeviceInterface @sentinelone.endpointDeviceControlInterface
DeviceClass @sentinelone.endpointDeviceControlClass
DeviceVendor @sentinelone.endpointDeviceControlVendor
DeviceProduct @sentinelone.endpointDeviceControlProduct
DeviceSerial @sentinelone.endpointDeviceControlSerial
DeviceName @sentinelone.endpointDeviceControlDeviceName
SourceUserID @sentinelone.sourceUserId
UserName @sentinelone.sourceUserName
HostName @fields.Hostname

Correlation Rules:

First Occurrence:

Name Window Fields  
S1_USBDeviceMovement 1 day @sentinelone.endpointDeviceControlSerial @fields.Hostname
  Risks: ALERT_POLICY  

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)