03-28-2022 06:42 AM
Is there any way to set up an alert for each time a USB device is plugged into a host?
Even if it's not malicious.
03-28-2022 02:10 PM
Are you looking for USB device plugin alert or alert on activity such as File operation, execution operation via removable media?
USB Device plugin alert may not be possible but definitely you should be able to create a BIOC rule for USB/RemovableMedia file operation, process operation activity with a low severity priority which will only trigger an alert in Alerts Table but not create an Incident.
Will be keen to know if someone has other idea.
03-29-2022 02:19 PM
In the Restrictions Profile you have the option to configure notifications for Removable Media for file executions launched from external drives attached to endpoints in your network. To configure:
**You may add files or folders to an allow list or block list as well.
Save and then apply the Restrictions profile to the Security Profiles to Endpoints.
If you already have a Restrictions Profile configured, you may edit and follow steps 5 - 8
You may also create an alert via a BIOC rule from an XQL Query for event logs for Windows and Linux system. For example, an XQL query for the Windows event ID 6416: A new external device was recognized by the system. To build the BIOC rule query through a specific entity:
Navigate to Detection Rules > BIOC > + Add BIOC > Select the Event Log Icon
Enter EVENT_ID = 6416 (optional to enter other parameters), Save
Select the Type, Severity, Optional select a MITRE Technique or Tactic to associate with the event, such as Technique - T1092 Removal Media and Tactic - TA0010 - Exfiltration. Enter a comment for tracking, then OK.
The rule will be displayed in the BIOC Rules table. Right-Click on the Rule to add it to the appropriate Restrictions Profile shown in the sub menu for the endpoints you would like monitored.
Add a New Restrictions Security Profile (paloaltonetworks.com)
03-29-2022 02:42 PM
Pretty cool way of monitoring of removable media activity, i think the only thing which will be required from the endpoint side will be enable event logging for Removable media?
03-29-2022 02:44 PM
Isnt it enabled in windows by default ?
Really good and creative solution from Jtalton.
That deserves likes, isnt it ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!