This query will detect if any USB storage device was removed from a Windows machine (confirmed on Windows 7). sourcetype=WinRegistry key_path=”HKLM\\system\\controlset*\\enum\\usbstor\\*” process_image=”c:\\Windows\\System32\\svchost.exe” registry_type=DeleteKey | eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”) | rex “key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S” | stats count by Date, host, Vendor, Product, DeviceType | fields – count | sort – Date
