alert search: dvc_plug_success
which is:
index=epo source=epo prod_action=Block threat_type="Device Plug" | eval et_time=strftime(_time, "%m/%d/%y %H:%M:%S") | table et_time, event_id, hostname, ipaddress, domain, username, bus_type, dev_plug_utc, threat_vector, threat_type, product_action, dev_class_name, dev_desc, dev_name, dev_compatible_id, dev_instance_id, pci_vendor_id, pci_device_id, usb_class, usb_vendor_id, usb_product_id, usb_serial, fs_type, fs_state, fs_vol_serial, fs_vol_label
Alert settings are:
alert type: real-time
trigger alert when "Per Result"
Actions: Send Email
Message: default email alerts
To include: link to alert, link to results, Inline: Table, Attach PDF
Type: HTML&Plain Text
Let me know if you need anything else.
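For reference, here is the same alert expressed as a savedsearches.conf stanza (an added example, not taken from the post above or from Splunk's own documentation). The stanza name, the recipient address and the five-minute real-time window are assumptions; the email and alert keys are the ones the Splunk UI writes for a per-result real-time alert, so verify them against your version's savedsearches.conf.spec before deploying.

```ini
# Added example: savedsearches.conf stanza mirroring the alert described above.
# Stanza name, recipient and the rt-5m window are assumptions.
[dvc_plug_success]
search = index=epo source=epo prod_action=Block threat_type="Device Plug" | eval et_time=strftime(_time, "%m/%d/%y %H:%M:%S") | table et_time, event_id, hostname, ipaddress, domain, username, bus_type, dev_plug_utc, threat_vector, threat_type, product_action, dev_class_name, dev_desc, dev_name, dev_compatible_id, dev_instance_id, pci_vendor_id, pci_device_id, usb_class, usb_vendor_id, usb_product_id, usb_serial, fs_type, fs_state, fs_vol_serial, fs_vol_label

# Real-time alert: the scheduler keeps a real-time search window open
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt

# Trigger per result (digest mode off) and keep the alert in Triggered Alerts
alert_type = always
alert.digest_mode = 0
alert.track = 1

# Email action: inline table, PDF attachment, links to the alert and results
action.email = 1
action.email.to = soc@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.sendpdf = 1
action.email.include.view_link = 1
action.email.include.results_link = 1
action.email.content_type = html
```

Every blocked "Device Plug" event becomes its own email, so on a busy estate consider whether digest mode or throttling on hostname would suit the SOC better.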