# savedsearches.conf stanza template for a Splunk Enterprise Security (ES)
# correlation search.  Every %NAME_PLACEHOLDER% token is presumably replaced by
# the AttackIQ Sigma rule generator named in rule_description/description
# below -- confirm against the generator before adding new tokens.
# NOTE(review): Splunk reads the bare % literally; only if this template is ever
# loaded through Python configparser (BasicInterpolation) would % need to be %%.
# Boolean values are written in two forms here ("1"/"0" and "false"); Splunk
# accepts both, but one form per file is easier to review.
[Threat - %TITLE_PLACEHOLDER% - Rule]
# MITRE ATT&CK annotation payload shown on the notable.  Verify the generator
# emits the annotation format ES expects for this key.
action.correlationsearch.annotations = %MITRE_ATTACK_PLACEHOLDER%
action.correlationsearch.enabled = 1
action.correlationsearch.label = %NOTABLE_TITLE_PLACEHOLDER%
action.customsearchbuilder.enabled = false
# The *.param.verbose keys for makestreams/nbtstat/nslookup/ping/send2uba/
# threat_add only set parameters; none of those adaptive response actions is
# enabled in this stanza (no action.<name> = 1 for them).
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
# Notable-event action: this is the only response action enabled here.
action.notable = 1
action.notable.param.drilldown_name = %DRILLDOWN_TITLE_PLACEHOLDER%
action.notable.param.drilldown_search = %DRILLDOWN_SEARCH_PLACEHOLDER%
action.notable.param.rule_description = Generated from AttackIQ Sigma Rule for Scenario '%TITLE_PLACEHOLDER%'
action.notable.param.rule_title = %TITLE_PLACEHOLDER%
action.notable.param.security_domain = threat
# Severity is fixed to "high" for every generated rule.  Sigma rules carry their
# own level; if the generator has access to it, mapping level -> severity keeps
# notable triage prioritisation meaningful -- TODO confirm with the generator.
action.notable.param.severity = high
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
# Risk action parameters.  NOTE(review): action.risk itself is not enabled in
# this stanza (no "action.risk = 1"), so the _risk payload below is inert.  The
# risk object field/type are also empty, so even if enabled the risk event
# would not be attributable to a user or system; populate both before turning
# on risk-based alerting.  _risk_score = 0 and the risk_score of 1 inside _risk
# disagree -- looks like UI defaults; confirm which one ES honours here.
action.risk.forceCsvResults = 1
action.risk.param._risk = [{"risk_object_field":"","risk_object_type":"","risk_score":1}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
# No throttling: every scheduled run whose result count exceeds the trigger
# condition below raises notables.  Once the rule is tuned, consider
# alert.suppress = 1 with alert.suppress.fields / alert.suppress.period to
# collapse repeats of the same entity.
alert.suppress = 0
alert.track = 1
# Trigger condition: number of events greater than 0, i.e. any result fires.
counttype = number of events
# Runs every 10 minutes over the trailing 10 minutes (see dispatch.* below).
# Neither boundary is snapped (@m) and no allowance is made for indexing lag,
# so a delayed run can leave a gap or overlap between consecutive windows.
# A lagged, snapped window (constructed example: -15m@m to -5m@m) is the usual
# remedy -- check the data sources' typical ingest delay first.
cron_schedule = */10 * * * *
description = This rule was automatically generated by AttackIQ Sigma Rules for scenario '%TITLE_PLACEHOLDER%'. Please edit the settings for your own environment's needs.
dispatch.earliest_time = -10m
dispatch.latest_time = now
# rt_backfill applies to real-time searches; with the relative, non-real-time
# window above it presumably has no effect -- safe to keep, but verify.
dispatch.rt_backfill = 1
# Scheduled as soon as it is deployed, i.e. before the tuning the description
# asks for has happened.  Generating with disabled = 1 and enabling after
# review avoids an initial flood of untuned notables.
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
# SPL produced from the Sigma rule.  Field and source names must match the
# environment's data (CIM/data-model mapping); an untranslated field name
# silently matches nothing rather than erroring -- validate before enabling.
search = %SEARCH_PLACEHOLDER%