How to perform removable disk auditing in EventLog Analyzer

Objective 

This article explains how to enable removable disk auditing for EventLog Analyzer.

Prerequisites

  • Windows 8 or Windows Server 2012 and above.
  • Permission to enable the audit policy.
  • Access to add a registry entry. To enable this:
    • The winreg registry key should have read/write control.
    • Firewall ports configured as per this chart:

Ports     Inbound                Outbound                  Service
TCP 135   Target Windows Device  EventLog Analyzer Server  RPC
TCP 137   Target Windows Device  EventLog Analyzer Server  NetBIOS name resolution RPC/named pipes (NP)
TCP 138   Target Windows Device  EventLog Analyzer Server  NetBIOS datagram
TCP 139   Workgroup Server       EventLog Analyzer Server  NetBIOS session RPC/NP
TCP 445   Workgroup Server       EventLog Analyzer Server  SMB RPC/NP
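The port table above can be checked before Step 1 rather than discovering a blocked port when the Configure Event Source File option fails. The following is an added example, not code from the ManageEngine article: it runs on the EventLog Analyzer server in Windows PowerShell 5.1 and tests each port from the table against a target device. The hostname in $Target is a placeholder, and the Remote Registry check assumes the target allows remote service queries.

```powershell
# Added example (not from the ManageEngine article): check from the EventLog Analyzer
# server that the ports in the prerequisites table are reachable on a target device.
# $Target is a placeholder hostname; replace it with the real Windows device.
$Target = 'TARGET-WINDOWS-DEVICE'

# Port list taken from the article's prerequisites table.
$RequiredPorts = @(
    @{ Port = 135; Service = 'RPC' },
    @{ Port = 137; Service = 'NetBIOS name resolution RPC/NP' },
    @{ Port = 138; Service = 'NetBIOS datagram' },
    @{ Port = 139; Service = 'NetBIOS session RPC/NP' },
    @{ Port = 445; Service = 'SMB RPC/NP' }
)

$Results = foreach ($Entry in $RequiredPorts) {
    # TcpTestSucceeded is $true only when the TCP handshake to that port completes.
    $Test = Test-NetConnection -ComputerName $Target -Port $Entry.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $Entry.Port
        Service   = $Entry.Service
        Reachable = $Test.TcpTestSucceeded
    }
}

$Results | Format-Table -AutoSize

# The winreg key permission in the prerequisites is only useful if the Remote Registry
# service is running on the target. Get-Service -ComputerName is Windows PowerShell 5.1 only.
$Svc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($Svc -and $Svc.Status -ne 'Running') {
    Write-Warning "RemoteRegistry on $Target is $($Svc.Status); remote registry configuration will fail."
}
```

Any row that reports Reachable = False points at a firewall rule to fix on the target or in between, not at EventLog Analyzer itself.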

Steps to follow 

Step 1: Create a registry key in the targeted computer. This can be done in two ways:

Case 1: Using the Configure Event Source file option in the EventLog Analyzer Device Management page

This option requires the ports and user permissions mentioned in the prerequisites.
    • Log in to EventLog Analyzer as an administrator.
    • Navigate to Settings > Log source configuration > Devices > Windows devices.
    • Click the Configure Event Source File button located next to the checkbox beside the respective machine.
    • Enable the checkbox for Microsoft-Windows-DriverFrameworks-UserMode/Operational and click Configure.



Case 2:  Manual method 

    • Use the Remote Desktop Protocol to establish a connection with the targeted Windows device.

    • Press Windows + R to open Run and type regedit.exe in the dialogue box to open the Registry Editor.

    • Open the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and right-click EventLog > New > Key.


    • Set the key name as: Microsoft-Windows-DriverFrameworks-UserMode/Operational
      To configure the event source on multiple computers, refer to this article.

Step 2: Enable audit policy

Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and enable the following audit policies: (Screenshot below)

  • Audit Handle Manipulation

  • Audit Removable Storage

  • Audit File System


Note: For domain-joined machines, this can be enabled at the local policy or domain level based on the Group Policy order for both success and failure.

Step 3: Enable event logging in Event Viewer:

Press Windows + R, type eventvwr.msc into the Run dialog box, and press Enter to open Event Viewer.

In the left pane, expand Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational. Right-click Operational and click Enable Log.


Step 4: Some versions of Windows 10 require an additional registry value. Here are the steps to set it:

  • Press Windows + R, type regedit.exe into the Run dialog box and click OK.

  • Within the registry editor, open the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage

  • On the right pane, right-click HotplugSecureOpen, and click Modify.

  • Change the REG_DWORD value from 0 to 1 and click OK to save the changes.

    For more details, refer to this article.
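Steps 1 to 4 can also be applied in one go from an elevated Windows PowerShell 5.1 session on the target device, which is useful when the Configure Event Source File option is not available or several machines are configured over RDP. This is an added example, not the article's or ManageEngine's own code; it assumes local administrator rights on the target and that no Group Policy object overrides the local audit policy.

```powershell
# Added example, not code from the ManageEngine article: applies Steps 1-4 locally on the
# target Windows device from an elevated Windows PowerShell 5.1 session.
# Assumption: you are logged on to the target (e.g. over RDP) with local administrator rights.

$Channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# --- Step 1 (manual method): registry key under Services\EventLog named after the channel.
# The channel name contains '/', which the PowerShell registry provider would treat as a path
# separator, so the key is created through the .NET registry API where '\' is the only separator.
$EventLogKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\EventLog', $true)
if ($EventLogKey.GetSubKeyNames() -notcontains $Channel) {
    $null = $EventLogKey.CreateSubKey($Channel)
    Write-Host "Created registry key EventLog\$Channel"
}
$EventLogKey.Close()

# --- Step 2: advanced audit policy subcategories under Object Access, success and failure.
# On a domain-joined machine a GPO that sets audit policy takes precedence over these local values.
foreach ($Subcategory in 'Handle Manipulation', 'Removable Storage', 'File System') {
    auditpol /set /subcategory:"$Subcategory" /success:enable /failure:enable | Out-Null
}

# --- Step 3: enable the DriverFrameworks-UserMode/Operational channel (same as Enable Log in Event Viewer).
wevtutil set-log $Channel /enabled:true

# --- Step 4: HotplugSecureOpen = 1 under Control\Storage (article: needed on some Windows 10 builds).
$StorageKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Storage'
Set-ItemProperty -Path $StorageKey -Name 'HotplugSecureOpen' -Value 1 -Type DWord

# --- Read the configuration back so the result can be checked before moving on to Step 5.
auditpol /get /category:"Object Access" |
    Select-String 'Handle Manipulation|Removable Storage|File System'
wevtutil get-log $Channel | Select-String '^enabled:'
Get-ItemProperty -Path $StorageKey -Name 'HotplugSecureOpen' | Select-Object HotplugSecureOpen
```

If the auditpol read-back still shows "No Auditing" for a subcategory on a domain-joined machine, the setting is being enforced by Group Policy and has to be changed there, as the note under Step 2 describes.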

Step 5: Connect to the target computer, then verify whether the event IDs below are being logged under the EventLog Analyzer >> Reports >> Removable Storage Device reports category.

  • Event ID 4663: Logs successful attempts to write to or read from a removable storage device.

  • Event ID 6416: Logs removable device plugins.
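When the Removable Storage Device reports stay empty, it helps to first confirm on the target itself that the two event IDs are reaching the Security log, so that a log-collection problem can be separated from an audit-policy problem. The script below is an added example, not part of the article: it runs elevated on the target, queries the Security log for 4663 and 6416 over a chosen window, and prints the fields that matter for a removable-storage review. The field names it reads (ObjectName, AccessMask, DeviceDescription, ClassName) are the standard event data names for those IDs.

```powershell
# Added example, not from the ManageEngine article: checks on the target device itself that the
# two event IDs from Step 5 are being written to the Security log, before looking for them in
# the EventLog Analyzer Removable Storage Device reports. Assumption: run elevated on the target.

function Get-RemovableStorageEvents {
    param(
        [int]$Hours = 24
    )
    # Both IDs live in the Security log: 4663 (object access) and 6416 (external device recognised).
    $Filter = @{
        LogName   = 'Security'
        Id        = 4663, 6416
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
    foreach ($Event in $Events) {
        # Pull the named fields out of the event XML; the field names differ per event ID.
        $Xml  = [xml]$Event.ToXml()
        $Data = @{}
        foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }
        $User = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        switch ($Event.Id) {
            4663 {
                [pscustomobject]@{
                    Time   = $Event.TimeCreated
                    Id     = 4663
                    User   = $User
                    Detail = $Data['ObjectName']      # path on the removable device
                    Extra  = $Data['AccessMask']      # requested access (read/write bits)
                    Source = $Data['ProcessName']     # process that opened the object
                }
            }
            6416 {
                [pscustomobject]@{
                    Time   = $Event.TimeCreated
                    Id     = 6416
                    User   = $User
                    Detail = $Data['DeviceDescription']
                    Extra  = $Data['ClassName']       # e.g. USB, DiskDrive
                    Source = $Data['DeviceId']
                }
            }
        }
    }
}

$Found = Get-RemovableStorageEvents -Hours 24
if (-not $Found) {
    Write-Warning 'No 4663/6416 events in the last 24 hours: plug in a removable drive, read or write a file on it, and re-run.'
} else {
    $Found | Sort-Object Time | Format-Table -AutoSize
    # Per-ID counts to compare against what the EventLog Analyzer report shows for the same window.
    $Found | Group-Object Id | Select-Object Name, Count
}
```

If events appear here but not in EventLog Analyzer, the gap is in collection (ports, permissions or the event source configuration from Step 1); if nothing appears here either, revisit the audit policy in Step 2 and the HotplugSecureOpen value in Step 4.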

 Tips

  1. Enable USB devices or ports only for the devices that require them, and enable auditing for those devices.

  2. Configure the required alerts with SOAR in EventLog Analyzer to mitigate potential threats caused by removable storage devices.
