File tree Expand file tree Collapse file tree 1 file changed +11
-22
lines changed Expand file tree Collapse file tree 1 file changed +11
-22
lines changed Original file line number Diff line number Diff line change @@ -34,40 +34,29 @@ drilldown_searches:
3434 search : ' | from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")'
3535 earliest_offset : $info_min_time$
3636 latest_offset : $info_max_time$
37+ rba :
38+ message : A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
39+ risk_objects :
40+ - field : dest
41+ type : system
42+ score : 10
43+ threat_objects :
44+ - field : object_name
45+ type : registry_value_name
46+ - field : object_handle
47+ type : registry_value_text
3748tags :
3849 analytic_story :
3950 - Data Protection
4051 asset_type : Endpoint
41- confidence : 50
42- impact : 20
43- message : A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
4452 mitre_attack_id :
4553 - T1200
4654 - T1025
4755 - T1091
48- observable :
49- - name : dest
50- type : Hostname
51- role :
52- - Victim
53- - name : object_name
54- type : Other
55- role :
56- - Attacker
57- - name : object_handle
58- type : Other
59- role :
60- - Attacker
6156 product :
6257 - Splunk Enterprise
6358 - Splunk Enterprise Security
6459 - Splunk Cloud
65- required_fields :
66- - Registry.registry_path
67- - Registry.registry_value_name
68- - Registry.dest
69- - Registry.registry_value_data
70- risk_score : 10
7160 security_domain : endpoint
7261tests :
7362- name : True Positive Test
You can’t perform that action at this time.
0 commit comments