Receive events whenever someone plugs/unplugs a USB device

From Splunk Wiki

Jump to: navigation, search

"I had a prospect ask me if we can see data that shows ... if a USB is being used on a desktop. Is that data we can collect via Windows logs? Will it show [what port is being used and what drive on a desktop]? How do we collect it?"

There are lots of places that track this information. The question is are you getting what you want?

You can monitor HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB. That is the most direct way. However, it won't necessarily tell you in layman's terms what device was added, as you get a lot of binary keys with arbitrary and self-described terms (e.g. if a person used a purpose-built device that obfuscates it's function this won't tell you much)

You can configure your audit policy to capture all system changes to the security event log. This is the pretty-print way, and probably the best. However you will capture all device changes (drive mappings at logon, etc) not strictly USB related changes.

Finally, you can use WMI instrumentation to 'track' changes to the USB system. This isn't a bad way, though it doesn't maintain any state so you're really polling the current USB config over and over and de-duping at search time. Its documented here:

Receive events whenever someone plugs/unplugs a USB device to/from the computer

interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1
Personal tools
Hot Wiki Topics

About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk