SPL
Removal of USB Storage Device
Description
This query will detect if any USB storage device was removed from a Windows machine (confirmed on Windows 7).
5 0
sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*" process_image="c:\\Windows\\System32\\svchost.exe" registry_type=DeleteKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S" | stats count by Date, host, Vendor, Product, DeviceType | fields - count | sort - Date
Comments
1 total
Just wanted to comment here that you must be monitoring the windows registry! The query won't work unless you have that data :)
Leave a comment
You must log in to post a comment.