How to Configure USB Drive - Removable Media Log Monitoring

This article describes how to set up USB drive (removable media) log monitoring with the RocketCyber SOC.

Use cases:

  • Regulatory requirements (PCI DSS, HIPAA, CMMC, etc.)
  • Detect potential data loss: files copied from the network to removable media
  • Monitor an attack vector by which malware is carried into the network on removable media

 

The Goal

Our objective is two-fold: identify

a. When a USB Device is connected to a PC

b. When a USB Device is disconnected from a PC

 

Overview

Three Windows event IDs need to be added to the RocketCyber "Suspicious Event Log Monitor" app policy. 4663 is the general object-access audit event; once the Removable Storage audit subcategory is enabled, Windows writes it to the Security log with task category "Removable Storage" whenever a process opens a handle on a removable volume. 1003 and 1008 are written by the User-Mode Driver Framework host to its own operational channel when a device is attached or removed.

Event ID | Description               | Log source
---------|---------------------------|--------------------------------------------------------
4663     | Removable media (general) | Security
1003     | USB media connected       | Microsoft-Windows-DriverFrameworks-UserMode/Operational
1008     | USB media disconnected    | Microsoft-Windows-DriverFrameworks-UserMode/Operational

 

How to configure on Windows OS's:

None of these events is produced with Windows' default settings, so the relevant auditing has to be enabled first.

Event 4663 for removable media requires the "Audit Removable Storage" subcategory, set to both Success and Failure (see illustration). Be aware that this subcategory logs one 4663 for every handle a process opens on a removable volume, so hosts where users work directly from USB drives will generate a high volume of events.

[Screenshot: Advanced Audit Policy Configuration with Audit Removable Storage set to Success and Failure]

Open the Group Policy Object and browse to:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Removable Storage > Success & Failure

Events 1003 and 1008 come from the Microsoft-Windows-DriverFrameworks-UserMode/Operational channel. On current Windows 10 and 11 builds that channel is disabled by default, so enable it as well (Event Viewer > Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational > Enable Log); otherwise the connect and disconnect events are never written.
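The same two prerequisites can be applied to a single host from an elevated PowerShell prompt, which is convenient for a lab or pilot machine before the GPO is rolled out. The script below is an added example, not part of the original article or of the RocketCyber product. It assumes the standard subcategory GUID for Removable Storage and that the host is English-locale for the text check on the auditpol output.

```powershell
# Added example (not from the original article). Enables the two event sources
# on one host from an elevated prompt and verifies them. In a domain use the GPO
# path above instead: a local auditpol change is overwritten at the next refresh.

$Channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
# Subcategory names are locale-dependent; the GUID form is not.
$RemovableStorageSubcat = '{0CCE9245-69AE-11D9-BED3-505054503030}'

# 1. Security log: Object Access > Audit Removable Storage = Success and Failure.
#    This is what produces event 4663 with task category "Removable Storage".
auditpol.exe /set "/subcategory:$RemovableStorageSubcat" /success:enable /failure:enable | Out-Null

# 2. UMDF operational channel, the source of 1003/1008. Disabled by default on
#    current Windows 10/11 builds, so nothing is written until it is turned on.
wevtutil.exe sl $Channel /e:true

# 3. Verify both. "auditpol /get /r" emits CSV; "wevtutil gl" emits "key: value" lines.
$audit = auditpol.exe /get "/subcategory:$RemovableStorageSubcat" /r |
         Where-Object { $_ } | ConvertFrom-Csv
$auditSetting = $audit.'Inclusion Setting'      # English locale: "Success and Failure"

$channelEnabled = [bool](wevtutil.exe gl $Channel | Where-Object { $_ -match '^enabled:\s*true' })

if ($auditSetting -match 'Success and Failure' -and $channelEnabled) {
    Write-Host "OK: Removable Storage auditing = '$auditSetting'; $Channel is enabled."
} else {
    Write-Warning "Incomplete: Removable Storage auditing = '$auditSetting'; channel enabled = $channelEnabled"
}
```

If the final line reports the audit setting as "No Auditing" even after the GPO has applied, check that "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled, otherwise legacy category-level policy can mask the subcategory.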

 

How to configure on the RocketCyber SOC platform:

  1. Navigate to the tenant level where these detections should take place (Provider / Organization / Device).
  2. Scroll down to the Event Log Monitor app and click the gear icon.
  3. Event ID 4663: scroll down, click + Add Custom Event Log, configure as illustrated, then click Update.

[Screenshot: Add Custom Event Log dialog configured for event ID 4663 from the Security log]

  4. Event IDs 1003 and 1008: these are not obtained from the three classic Windows logs (Application, Security, System) that the option above covers. Instead, scroll down to + Add Custom Event from Channel and enter the channel path as illustrated:

Microsoft-Windows-DriverFrameworks-UserMode/Operational

[Screenshot: Add Custom Event from Channel dialog configured for event ID 1003]

Click Update, then repeat step 4 for event ID 1008.

 

Note: in principle you could add an event either by Security Log Source or by Channel Path, since the Security log is itself a channel. Our monitoring experience is to use both options, because the output differs depending on what you are trying to achieve: 4663 from the Security log source shows which files were touched on the removable volume and by which process, while 1003/1008 from the channel path record the connect and disconnect themselves.

In summary, configuring the event IDs by Log Source and by Channel Path accomplishes the initial goal: monitoring and detection of USB devices being connected and disconnected, plus the file activity on them.
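Before relying on the app policy it is worth confirming locally that the host actually emits these events and that the 4663s you match are the removable-media ones. The PowerShell below is an added example, not part of the original article or of the RocketCyber product. It reduces each of the three events to the fields an analyst cares about, runs first over a constructed 4663 record (hypothetical host WS01.example.local and user EXAMPLE\jdoe, not a real capture) so the parser can be checked without plugging in a device, and then over the host's live Security and DriverFrameworks channels. It assumes task code 12812 is what Windows writes for "Removable Storage" (it drops the 12800 file-system 4663s that a bare event-ID match would also pull in), and it summarizes the 1003/1008 event data generically because their field names are not documented on this page.

```powershell
# Added example (not from the original article): flatten USB events into analyst-friendly
# records, check the parser on a constructed sample, then query this host.

$Channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

function Convert-UsbEventXml {
    # Parse the XML of one event (as returned by $_.ToXml() from Get-WinEvent).
    param([Parameter(Mandatory)][string]$Xml)

    $x   = [xml]$Xml
    $sys = $x.Event.System
    # Some providers emit <EventID Qualifiers="..">; take the text either way.
    $idNode = $sys.EventID
    $id = [int]$(if ($idNode -is [System.Xml.XmlElement]) { $idNode.'#text' } else { $idNode })

    # <Data Name="...">value</Data> list -> hashtable keyed by Name.
    $data = @{}
    foreach ($d in @($x.Event.EventData.Data)) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }

    $out = [ordered]@{
        Time     = $sys.TimeCreated.SystemTime
        Computer = $sys.Computer
        EventId  = $id
    }
    switch ($id) {
        4663 {
            # Assumption: Task 12812 = "Removable Storage". 12800 is ordinary
            # file-system auditing and must not be counted as USB activity.
            if ([int]$sys.Task -ne 12812) { return }
            $out.Action  = 'Removable media file access'
            $out.User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            $out.Object  = $data.ObjectName
            $out.Process = $data.ProcessName
            $out.Access  = $data.AccessMask
        }
        1003    { $out.Action = 'USB device connected' }
        1008    { $out.Action = 'USB device disconnected' }
        default { return }
    }
    if ($id -ne 4663) {
        # UMDF field names vary; keep every data value so the device path is not lost.
        $out.Detail = ($data.Keys | Sort-Object | ForEach-Object { '{0}={1}' -f $_, $data[$_] }) -join ' '
    }
    [pscustomobject]$out
}

# Constructed sample (not a real capture): a Security 4663 for removable storage.
$Sample4663 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4663</EventID>
    <Task>12812</Task>
    <TimeCreated SystemTime="2021-03-30T20:30:00.000000000Z" />
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">\Device\HarddiskVolume7\Finance\payroll.xlsx</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="AccessMask">0x1</Data>
  </EventData>
</Event>
'@
Convert-UsbEventXml -Xml $Sample4663 | Format-List

# Live query for the last 24 hours. Needs the audit policy and channel from the
# GPO section; reading the Security log requires an elevated prompt.
$since   = (Get-Date).AddHours(-24)
$filters = @(
    @{ LogName = 'Security'; Id = 4663;       StartTime = $since },
    @{ LogName = $Channel;   Id = 1003, 1008; StartTime = $since }
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        ForEach-Object { Convert-UsbEventXml -Xml $_.ToXml() }
}
$events | Sort-Object Time | Format-Table Time, EventId, Action, User, Object, Process, Detail -AutoSize
```

If the live query returns only 4663s with no 1003/1008, the DriverFrameworks channel is almost certainly still disabled; if it returns nothing at all after a device was inserted, re-check the audit subcategory on the host rather than the SOC policy.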

Output summary:

[Screenshot: resulting detections in the Suspicious Event Log Monitor output]

 
