Update windows_detect_process_executed_from_removable_media.yml

nterl0k · web-flow · commit 7d84fa2fcb27 · 2025-01-31T11:59:24.000-05:00
diff --git a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
@@ -43,57 +43,38 @@ drilldown_searches:
   search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$
+  risk_objects:
+  - field: user
+    type: user
+    score: 35
+  - field: dest
+    type: system
+    score: 35
+  threat_objects:
+  - field: process_name
+    type: process_name
+  - field: object_name
+    type: registry_value_name
+  - field: object_handle
+    type: registry_value_text    
 tags:
   analytic_story: 
   - Data Protection
   asset_type: Endpoint
-  confidence: 50
-  impact: 70
-  message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$
   mitre_attack_id: 
   - T1200
   - T1025
   - T1091
-  observable: 
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: object_name
-    type: Other
-    role:
-    - Attacker
-  - name: object_handle
-    type: Other
-    role:
-    - Attacker
-  - name: process_name
-    type: Process Name
-    role:
-    - Attacker
   product: 
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields: 
-  - Processes.dest 
-  - Processes.user 
-  - Processes.process_name 
-  - Processes.parent_process_name 
-  - Processes.process_current_directory
-  - Registry.registry_path
-  - Registry.registry_value_name
-  - Registry.dest
-  - Registry.registry_value_data
-  risk_score: 35
   security_domain: endpoint
 tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog
