Proofpoint | ObserveIT On-Premises Insider Threat Management

Detect Connected USB - Did What

This topic describes how to define alert rule conditions using the options available in the Detect connected USB group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

This option is available for alert type rules on Windows and Mac-based operating systems.

You can define which devices will trigger alerts when connected.

USB Devices

You can define alert triggers for:

  • Any USB device: Alert is triggered when any USB device is connected.

  • White listed USB devices only: Alert is triggered when any white listed USB device is connected.

  • Unlisted USB devices only: Alert is triggered when any unlisted USB device is connected.

  • Specific USB by: Alert is triggered when a specific USB device is connected.

    You identify the USB device by:

    • Model: for example, Cruzer Blade

    • Label: for example, Vol1

    • Vendor: for example, SanDisk

    • Serial Number: for example, 4C531000147102712020241

    • USB ID: for example, USB\ROOT_HUB30

    Use the operators is, is not, contains, does not contain, starts with, does not start with, ends with, does not end with, empty, or not empty with these options.

USB Device Lists in Alerts

You can create lists of USB devices:

  • Create a list manually: You can enter multiple values separated by commas, either directly or by clicking the […] icon to open a popup in which you can enter the values. You can use * as a wildcard. For example, if the condition is model is Cruzer *, any connected USB device whose model name begins with Cruzer triggers alerts: Cruzer Edge, Cruzer Blade, Cruzer Force, and so on.

  • Use a predefined list: When lists are supported, you can select a predefined list instead of entering a set of values. Hovering over the values field displays two icons that let you switch between the Values and List modes. When List mode is selected, a drop-down list shows all the predefined Public and Private lists that are authorized for this Console User. You can edit the list contents if required. For details, see Editing Lists.
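The following Python is an added illustration, not ObserveIT's own code, of how the operators listed under USB Devices and the * wildcard used in manual lists evaluate against connected-USB events. The event field names, case-insensitive matching, and keying the white list on serial number are assumptions of this example, not behaviour stated in the documentation.

```python
import re

# Constructed connected-USB events (sample data, not real agent output).
# The first serial number is the one used as an example on this page.
EVENTS = [
    {"model": "Cruzer Blade", "label": "Vol1", "vendor": "SanDisk",
     "serial": "4C531000147102712020241", "usb_id": "USB\\ROOT_HUB30"},
    {"model": "Cruzer Edge", "label": "", "vendor": "SanDisk",
     "serial": "CONSTRUCTED-SERIAL-2", "usb_id": "USB\\ROOT_HUB30"},
    {"model": "Example Stick", "label": "BACKUP", "vendor": "Example Vendor",
     "serial": "CONSTRUCTED-SERIAL-3", "usb_id": "USB\\ROOT_HUB30"},
]

# Which operators anchor the pattern at the start and/or end of the attribute.
ANCHORS = {"is": (True, True), "contains": (False, False),
           "starts with": (True, False), "ends with": (False, True)}
NEGATIONS = {"is not": "is", "does not contain": "contains",
             "does not start with": "starts with", "does not end with": "ends with"}


def _pattern(value, anchor_start, anchor_end):
    """Compile one rule value; only * is a wildcard, every other character is literal.
    Case-insensitive comparison is an assumption of this example."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(("^" if anchor_start else "") + body + ("$" if anchor_end else ""),
                      re.IGNORECASE)


def condition_holds(operator, actual, values):
    """Evaluate one 'Specific USB by' condition. values is the comma-separated list
    typed into the rule; the condition holds if any listed value matches."""
    if operator == "empty":
        return actual == ""
    if operator == "not empty":
        return actual != ""
    if operator in NEGATIONS:
        return not condition_holds(NEGATIONS[operator], actual, values)
    start, end = ANCHORS[operator]  # KeyError for an operator the rule editor does not offer
    candidates = [v.strip() for v in values.split(",") if v.strip()]
    return any(_pattern(v, start, end).search(actual) for v in candidates)


def usb_rule_fires(rule, event, whitelist=()):
    """rule['scope'] is any, whitelisted, unlisted or specific (the four options above).
    White-list membership is keyed on serial number here (assumption)."""
    scope = rule["scope"]
    if scope == "any":
        return True
    listed = event["serial"] in whitelist
    if scope in ("whitelisted", "unlisted"):
        return listed if scope == "whitelisted" else not listed
    return condition_holds(rule["operator"], event[rule["field"]], rule["values"])


def matching_models(rule, events=EVENTS, whitelist=()):
    """Models of the events for which the rule would raise an alert."""
    return [e["model"] for e in events if usb_rule_fires(rule, e, whitelist)]
```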

Creating an Alert Rule for Connected USB Devices

  1. In the Alerts & Prevent Rules tab, click the New Alerts Rule button. In the Create Rule page, fill in the Alert Rule Details and Rule Assignment sections. In the Detection Policy section, in the Did What? area, select Detect connected USB.

  2. Do one of the following:

    Create a rule to alert for any connected USB device, white listed USB devices, or unlisted USB devices

    • From the Detect connected USB option, select To which USB.

      The To which USB device options display.

    Create a rule to alert for specific USB devices, by USB model, USB vendor, USB label, or USB serial number

    • From the USB device available option, select USB model, USB vendor, USB label, USB ID or USB S/N.

      Use the operators in the drop-down list to specify which USB devices trigger alerts. For example, with the condition USB model is Cruzer Blade, any connected USB device whose model is Cruzer Blade triggers alerts.


version 7.12.2