This article explains how to enable removable disk auditing for EventLog Analyzer.
Ports | Inbound | Outbound | Service
TCP 135 | Target Windows Device | EventLog Analyzer Server | RPC
TCP 137 | Target Windows Device | EventLog Analyzer Server | NetBIOS name resolution RPC/named pipes (NP)
TCP 138 | Target Windows Device | EventLog Analyzer Server | NetBIOS datagram
TCP 139 | Workgroup Server | EventLog Analyzer Server | NetBIOS session RPC/NP
TCP 445 | Workgroup Server | EventLog Analyzer Server | SMB RPC/NP
Step 1: Create a registry key in the targeted computer. This can be done in two ways:
Case 1: Using the Configure Event Source file option in the EventLog Analyzer Device Management page
This option requires the ports and user permissions mentioned in the prerequisites.
Case 2: Manual method
Use the Remote Desktop Protocol to establish a connection with the targeted Windows device.
Press Windows + R to open Run and type regedit.exe in the dialog box to open the Registry Editor.
Open the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and right-click EventLog > New > Key.
Set the key name as: Microsoft-Windows-DriverFrameworks-UserMode/Operational
To configure the event source on multiple computers, refer to this article.
Step 2: Enable audit policy
Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and enable the following audit policies: (Screenshot below)
Audit Handle Manipulation
Audit Removable Storage
Audit File System
Note: For domain-joined machines, this can be enabled at the local policy or domain level based on the Group Policy order for both success and failure.
Step 3: Enable event logging in Event Viewer:
Press Windows + R, type eventvwr.msc into the Run dialog box, and press Enter to open Event Viewer.
In the left pane, expand Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational. Right-click Operational and click Enable Log.
Step 4: Some versions of Windows 10 also require a registry value to be set. Here are the steps to set it:
Press Windows + R, type regedit.exe into the Run dialog box and click OK.
Within the registry editor, open the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage
On the right pane, right-click HotplugSecureOpen, and click Modify.
Change the REG_DWORD value from 0 to 1 and click OK to save the changes.
For more details, refer to this article.
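Steps 1 to 4 can also be applied from an elevated PowerShell session on the target device instead of clicking through Registry Editor, Group Policy and Event Viewer. The script below is an added example and is not part of the EventLog Analyzer article or product; it assumes an English Windows installation (the auditpol subcategory names are locale-specific) and that it is run as Administrator. On a domain-joined machine the auditpol settings it writes can still be overridden by Group Policy, as the note under Step 2 points out.

```powershell
# Added example: apply Steps 1-4 of the article locally. Assumptions: run as Administrator,
# English auditpol subcategory names. Not the article's or the product's own code.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# Step 1: create the EventLog subkey. The key name contains a forward slash, so the
# .NET registry API is used; the HKLM: provider would treat '/' as a path separator.
$eventLogKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\EventLog', $true)
if ($channel -notin $eventLogKey.GetSubKeyNames()) {
    $null = $eventLogKey.CreateSubKey($channel)
}
$eventLogKey.Close()

# Step 2: enable the three Object Access subcategories for success and failure.
foreach ($sub in 'Handle Manipulation', 'Removable Storage', 'File System') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# Step 3: enable the DriverFrameworks-UserMode/Operational log.
wevtutil set-log $channel /enabled:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed to enable $channel" }

# Step 4: HotplugSecureOpen = 1 (Set-ItemProperty creates the value if it is missing).
$storageKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Storage'
if (-not (Test-Path $storageKey)) { $null = New-Item -Path $storageKey -Force }
Set-ItemProperty -Path $storageKey -Name 'HotplugSecureOpen' -Value 1 -Type DWord

# Verification: effective audit policy, log state and the registry value.
auditpol /get /category:"Object Access" |
    Select-String 'Handle Manipulation|Removable Storage|File System'
Get-WinEvent -ListLog $channel | Select-Object LogName, IsEnabled, RecordCount
Get-ItemProperty -Path $storageKey -Name HotplugSecureOpen | Select-Object HotplugSecureOpen
```

The verification lines at the end print the effective audit policy rather than the configured one, so if a domain GPO has set these subcategories differently the output will show the GPO result and the local change should be made at the domain level instead.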
Step 5: Connect to the target computer, then verify whether the below event IDs are getting logged under the EventLog Analyzer >> Reports >> Removable Storage Device reports category.
Event ID 4663: Logs successful attempts to write to or read from a removable storage device.
Event ID 6416: Logs removable device plugins.
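Before checking the EventLog Analyzer reports, it is useful to confirm on the device itself that the Security log is receiving the two event IDs. The function below is an added example, not code from the article or the product; it assumes an elevated session (reading the Security log requires one) and the standard Windows EventData field names for 4663 (SubjectUserName, ObjectName, AccessMask) and 6416 (SubjectUserName, DeviceDescription, DeviceId).

```powershell
# Added example: list recent 4663 and 6416 events from the local Security log.
# Assumes an elevated session and standard Windows EventData field names.
# Not the article's or the product's own code.
function Get-RemovableStorageAuditEvents {
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 6416 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No 4663/6416 events found yet. Plug in a device, read or write a file on it, and re-run.'
        return
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a lookup table.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($e.Id) {
            6416 {
                # Device plug-in: who was logged on and what was recognised.
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 6416; Account = $data.SubjectUserName
                                   Object = $data.DeviceDescription; Detail = $data.DeviceId }
            }
            4663 {
                # File access: the object path and the requested access mask.
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4663; Account = $data.SubjectUserName
                                   Object = $data.ObjectName; Detail = $data.AccessMask }
            }
        }
    }
}

Get-RemovableStorageAuditEvents | Format-Table -AutoSize
```

Event 4663 is also raised by the Audit File System subcategory for fixed disks, so when the output contains 4663 entries whose ObjectName is on a system drive they are not removable storage accesses; the Removable Storage Device report in EventLog Analyzer is the place to see the filtered view.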
Tips
Allow USB devices or ports only where they are required, and enable auditing for those devices.
Configure the required alerts with SOAR in EventLog Analyzer to mitigate potential threats caused by removable storage devices.