How to Configure USB Drive - Removable Media Log Monitoring

This article indicates how to setup USB Drive log monitoring with the RocketCyber SOC.

Use cases:

  • Regulatory mandate requirements (PCI, HIPAA, CMMC, etc.)
  • Monitor for potential data loss leaving the network
  • Monitor attack vector to prevent malware from entering the network


The Goal

Our objective is two-fold; identify:

a. When a USB Device is connected to a PC

b. When a USB Device is disconnected from a PC



There are 3 Windows OS event log IDs that need to be added to the RocketCyber "Suspicious Event Log Monitor" app policy.

Event ID Description Log Source
4663 Removable Media (General) Security
1003 USB Media Connected Microsoft-Windows-DriverFrameworks-UserMode/Operational
1008 USB Media Disconnected Microsoft-Windows-DriverFrameworks-UserMode/Operational


How to configure on Windows OS's:

These event logs can not be monitored with Microsoft default settings. In order to detect such events, the auditing of these events need to be enabled. See illustration and set to both Success & Failure:


Open GPO, >

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Removable Storage > Success & Failure


How to configure on the RocketCyber SOC platform:

  1. Navigate to the correct tenant level where these detections need to take place (Provider / Organization / Device).
  2. Scroll down and find the Event Log Monitor app and click on the gear.
  3. Event ID 4663 - scroll down and click on + Add Custom Event Log, then configure as illustrated, then click Update:Screen_Shot_2021-03-30_at_7.47.44_PM.png

4.  Event ID 1003 & 1008 - These events are not obtained from the traditional Microsoft Big 3 log sources as shown above. Instead these will be configured by scrolling down to + Add Custom Event from Channel as illustrated:



Click update and repeat the process #4 as shown above for ID 1008.


Note - Theoretically you have the option to choose either the Security Log Source or the Microsoft Channel Path option. Our monitoring experience is to include both options as the results (output) varies depending upon what you are trying to achieve.

In summary, configuring event IDs by Log Source & Channel Path Source resulting in accomplishing our initial goal - the monitoring and detection of: USB Devices Connected & Disconnected.

Output summary >



Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section