Rule Description
Detect non-approved removable media being mounted on Windows devices; approved devices can be excluded by their volume name.
Detect
# Fire on a VOLUME_MOUNT of a removable device whose volume label is not on
# the approved list below. Every sub-rule must hold (`op: and`).
event: VOLUME_MOUNT
op: and
rules:
  # Scope: only mounts the sensor reports with DEVICE_TYPE "REMOVABLE".
  - op: is
    path: event/DEVICE_TYPE
    value: "REMOVABLE"
  # Allow-list: one negated `is` per approved volume label. A mount whose
  # VOLUME_NAME equals any entry is suppressed; add an entry per approved device.
  # NOTE(review): VOLUME_NAME is the volume label, which the device owner can
  # set freely, so this exclusion keys on a label rather than a hardware identity.
  # Presumably a label differing only in case is not excluded (exact compare) —
  # confirm against the operator semantics before relying on it.
  - op: is
    not: true
    path: event/VOLUME_NAME
    value: "APPROVED_DEVICE_NAME_1"
  - op: is
    not: true
    path: event/VOLUME_NAME
    value: "APPROVED_DEVICE_NAME_2"
Respond
# Raise a detection named "Non-Approved Removable Media" when the Detect
# section matches. NOTE(review): downstream consumers may filter on this
# name — keep it stable if the rule is revised.
- action: report
  name: Non-Approved Removable Media
Test Event Target(s)
(optional, delete if none) If you have test telemetry items that can be used to test the rule, please provide them below.
{
"event": {
"DEVICE_TYPE": "REMOVABLE",
"VOLUME_NAME": "Sarahs Thumbdrive",
"VOLUME_PATH": "F:\\"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "3bd81b93-2f0f-4dc7-a8df-2f3d2c473af2",
"event_time": 1741373799112,
"event_type": "VOLUME_MOUNT",
"ext_ip": "1.2.3.4",
"hostname": "windev2309eval.localdomain",
"iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
"int_ip": "192.168.57.139",
"latency": 259,
"moduleid": 2,
"oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
"plat": 268435456,
"sid": "c1d4026d-5619-4942-b7ee-6e927eb5b9da",
"tags": [
"windows"
],
"this": "a39759f01618f8f5126e85a167cb4167"
},
"ts": "2025-03-07 18:56:39"
}