Objective 

This article explains how to enable removable disk auditing for EventLog Analyzer.

 Prerequisites 

• Windows 8 or Windows Server 2012 and above.
• Permission to enable the audit policy.
• Access to add a registry entry. To enable this:
• The winreg registry key should should have read/write control.
• Firewall ports configured as per this chart:
  

Steps to follow 

Step 1: Create a registry key in the targeted computer. This can be done in two ways:

Case 1: Using Configure Event Source file option in the EventLog Analyzer Device management page

Case 2: Manual method

Case 1:  Using Configure Event Source file option in the EventLog Analyzer Device Management page

​This option requires the ports and user permissions mentioned in the prerequisites.

• Log in to EventLog Analyzer as an administrator.
• Navigate to Settings > Log source configuration > Devices > Windows devices.
• Click the Configure Event Source File button located next the checkbox beside the respective machine.
• Enable the checkbox for Microsoft-Windows-DriverFrameworks-UserMode/Operational and click Configure.
  
  
  

Case 2:  Manual method 

• Use the Remote Desktop Protocol to establish a connection with the targeted Windows device.

• Press Windows + R to open Run and type regedit.msc in the dialogue box to open the Registry Editor.

• Open the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and right-click EventLog > New > Key.
  
  
  

• Set the key name as: Microsoft-Windows-DriverFrameworks-UserMode/Operational
  To configure the event source on multiple computers, refer to this article.

Step 2: Enable audit policy

Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and enable the following audit policies: (Screenshot below)

• Audit Handle Manipulation

• Audit Removable Storage

• Audit File System
  
  

Note: For domain-joined machines, this can be enabled at the local policy or domain level based on the Group Policy order for both success and failure.

Step 3: Enable event logging in Event Viewer:

Press Windows + R, type eventvwr.msc into the Run dialog box, and press Enter to open Event Viewer.

In the left pane, expand Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational. Right-click Operational and click Enable Log.


Step 4: Some versions of Windows 10 require a registry key. Here are the steps to enable the registry:

• Press Windows + R, type regedit.exe into the Run dialog box and click OK.

• Within the registry editor, open the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage

• On the right pane, right-click HotplugSecureOpen, and click Modify.

• Change the REG_DWORD value from 0 to 1 and click OK to save the changes.
  
  For more details, refer to this article.
  
  

Step 5: Connect to the target computer, then verify whether the below event IDs are getting logged under the EventLog Analyzer >> Reports >> Removable Storage Device reports category.

• Event ID 4663: Logs successful attempts to write to or read from a removable storage device.

• Event ID 6416: Logs removable device plugins.

 Tips

1. Enable USB device or port for required devices and enable auditing for them.

2. Configure the required alerts with SOAR in EventLog Analyzer to mitigate potential threats caused by removable storage devices.