Removable storage ONLINE event from secRMM

Back


Id	A22B2ECF-1478-4400-877E-07A32E53A897
Rulename	Removable storage ONLINE event from secRMM
Description	Detect when a removable storage device is plugged in by the end-user.
Severity	High
Tactics	Collection
Techniques	T1025
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Squadra Technologies SecRmm/Analytic Rules/Removable_Storage_ONLINE.yaml
Arm template	A22B2ECF-1478-4400-877E-07A32E53A897.json

KQL

secRMM_CL | where Event_s == "ONLINE" | 
extend AccountCustomEntity = User_s |
extend HostCustomEntity = Computer

YAML

severity: High
tactics:
- Collection
subTechniques: []
name: Removable storage ONLINE event from secRMM
suppressionEnabled: false
entityMappings:
- fieldMappings:
  - columnName: User_s
    identifier: AadUserId
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: HostName
  entityType: Host
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Squadra Technologies SecRmm/Analytic Rules/Removable_Storage_ONLINE.yaml
createIncident: true
suppressionDuration: PT5H
eventGroupingSettings: 
alertDetailsOverride: 
apiVersion: 2025-09-01
query: |
  secRMM_CL | where Event_s == "ONLINE" | 
  extend AccountCustomEntity = User_s |
  extend HostCustomEntity = Computer  
aggregationKind: AlertPerResult
description: Detect when a removable storage device is plugged in by the end-user.
kind: NRT
alertRuleTemplateName: 
displayName: Removable Storage ONLINE
incidentConfiguration: 
enabled: true
customDetails: 
id: A22B2ECF-1478-4400-877E-07A32E53A897
groupingConfiguration:
  groupByEntities: []
  enabled: false
  groupByCustomDetails: []
  lookbackDuration: PT5H
  matchingMethod: AllEntities
  groupByAlertDetails: []
  reopenClosedIncident: false
relevantTechniques:
- T1025

ARM