Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

USB and Removable Media Detection

WinRegistry

Description

Submitted by SplunkNinja

This splunk query will show information about USB mass storage device uses. You must be monitoring the registry using the Windows Technology Add-on (TA).
2 1 
sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*"  registry_type=CreateKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S"   | stats  count by Date, host, Vendor, Product, DeviceType   | fields  - count   | sort  - Date

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom