Windows External Media Detection

Detecting the use of USB devices (e.g., mass storage devices) is important in some environments, such as air-gapped networks. This section attempts to take a proactive approach by detecting USB insertion in real time. Event ID 43 only appears under certain circumstances. The following events and event logs are only available in Windows 8 and above.

Microsoft-Windows-USB-USBHUB3-Analytic is not an event log per se; it is a trace session log that stores tracing events in an Event Trace Log (.etl) file. The events created by the Microsoft-Windows-USB-USBHUB3 publisher are sent to a direct channel (i.e., the Analytic log) and cannot be subscribed to for event collection. Administrators should seek an alternative method of collecting and analyzing this event (43).
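One possible alternative for collecting event 43, shown as an added example that is not part of the original guidance: a PowerShell script that reads a copy of the trace (.etl) file, keeps only event 43 from the Microsoft-Windows-USB-USBHUB3 publisher, and appends new records as JSON lines for a log shipper to forward. The parameter names, file paths and the state-file mechanism are assumptions to adapt to your environment.

```powershell
# Added example: export USBHUB3 event 43 from a trace file for SIEM ingestion.
param(
    # Assumption: path to a copy of the analytic trace (.etl) file.
    [Parameter(Mandatory)] [string] $EtlPath,
    # Assumption: JSON-lines file that your log shipper watches.
    [string] $OutFile = '.\usbhub3-event43.jsonl',
    # Assumption: state file holding the timestamp (ticks) of the newest exported event.
    [string] $StateFile = '.\usbhub3-event43.state'
)

# Resume after the newest event exported by the previous run, if any.
$since = [datetime]::MinValue
if (Test-Path $StateFile) {
    $since = [datetime]::new([long](Get-Content $StateFile -Raw).Trim())
}

try {
    # .etl files can only be read oldest-first, so -Oldest is required.
    $events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
        Where-Object {
            $_.ProviderName -eq 'Microsoft-Windows-USB-USBHUB3' -and
            $_.Id -eq 43 -and
            $_.TimeCreated -gt $since
        }
}
catch {
    Write-Warning "Could not read events from ${EtlPath}: $($_.Exception.Message)"
    return
}

foreach ($e in $events) {
    # Keep the full event XML so the SIEM can parse the device fields itself.
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated.ToUniversalTime().ToString('o')
        Computer    = $e.MachineName
        Provider    = $e.ProviderName
        EventId     = $e.Id
        Message     = $e.Message
        Xml         = $e.ToXml()
    } | ConvertTo-Json -Compress | Add-Content -Path $OutFile -Encoding UTF8
}

# Events arrive oldest-first, so the last one is the newest; remember it.
if ($events) {
    ($events | Select-Object -Last 1).TimeCreated.Ticks | Set-Content $StateFile
}
```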

SIEM Events

New Device Information

Event Source - Microsoft-Windows-USB-USBHUB3 - Event Log - Microsoft-Windows-USB-USBHUB3-Analytic

New Mass Storage Installation

Event Source - Microsoft-Windows-Kernel-PnP - Event Log - Microsoft-Windows-Kernel-PnP/Device Configuration

Last modified March 24, 2021