Detecting Unauthorized Removable Media

Rule Description
Detect non-approved removable media mounted on Windows devices; approved devices are excluded by volume name.

Detect

event: VOLUME_MOUNT          # only evaluate volume mount events
op: and
rules:
  - op: is
    path: event/DEVICE_TYPE
    value: "REMOVABLE"       # ignore anything that is not removable media
  - op: is                   # exclusion: replace with an approved volume's name
    not: true
    path: event/VOLUME_NAME
    value: "APPROVED_DEVICE_NAME_1"
  - op: is                   # add one block like this per additional approved volume
    not: true
    path: event/VOLUME_NAME
    value: "APPROVED_DEVICE_NAME_2"

Respond

- action: report
  name: Non-Approved Removable Media

Test Event Target(s)
A sample VOLUME_MOUNT event the rule should match (its volume name is not in the approved list):

{
  "event": {
    "DEVICE_TYPE": "REMOVABLE",
    "VOLUME_NAME": "Sarahs Thumbdrive",
    "VOLUME_PATH": "F:\\"
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "3bd81b93-2f0f-4dc7-a8df-2f3d2c473af2",
    "event_time": 1741373799112,
    "event_type": "VOLUME_MOUNT",
    "ext_ip": "1.2.3.4",
    "hostname": "windev2309eval.localdomain",
    "iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
    "int_ip": "192.168.57.139",
    "latency": 259,
    "moduleid": 2,
    "oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
    "plat": 268435456,
    "sid": "c1d4026d-5619-4942-b7ee-6e927eb5b9da",
    "tags": [
      "windows"
    ],
    "this": "a39759f01618f8f5126e85a167cb4167"
  },
  "ts": "2025-03-07 18:56:39"
}
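To check the rule's logic offline, here is an added Python example (not part of this page and not LimaCharlie's own engine) that emulates the `and`, `is` and `not` operators used above and runs them over constructed sample events, including one with the test event's fields. It assumes `is` compares volume names exactly and case-sensitively, and the `FIXED` device type and the non-mount event are constructed for illustration.

```python
# Added example: minimal emulation of the rule's boolean logic (op: and / op: is / not: true).
RULE = {  # the Detect block above, as a Python dict
    "event": "VOLUME_MOUNT",
    "op": "and",
    "rules": [
        {"op": "is", "path": "event/DEVICE_TYPE", "value": "REMOVABLE"},
        {"op": "is", "not": True, "path": "event/VOLUME_NAME", "value": "APPROVED_DEVICE_NAME_1"},
        {"op": "is", "not": True, "path": "event/VOLUME_NAME", "value": "APPROVED_DEVICE_NAME_2"},
    ],
}

def lookup(event, path):
    """Resolve a slash-separated path such as event/VOLUME_NAME; None if absent."""
    node = event
    for part in path.split("/"):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def evaluate(node, event):
    """Return True when the rule node matches the event."""
    # The top-level 'event' key restricts which event type the rule applies to.
    if "event" in node and lookup(event, "routing/event_type") != node["event"]:
        return False
    if node["op"] == "and":
        result = all(evaluate(child, event) for child in node["rules"])
    elif node["op"] == "is":
        result = lookup(event, node["path"]) == node["value"]  # exact match (assumption)
    else:
        raise ValueError(f"operator not emulated: {node['op']}")
    return (not result) if node.get("not") else result

def mount_event(device_type, volume_name, event_type="VOLUME_MOUNT"):
    """Build a constructed sample event carrying only the fields the rule inspects."""
    return {"event": {"DEVICE_TYPE": device_type, "VOLUME_NAME": volume_name},
            "routing": {"event_type": event_type}}

# Constructed samples: the page's test volume, an approved one, a case variant,
# a fixed disk, and an event that is not a volume mount at all.
UNAPPROVED = mount_event("REMOVABLE", "Sarahs Thumbdrive")
APPROVED = mount_event("REMOVABLE", "APPROVED_DEVICE_NAME_1")
CASE_VARIANT = mount_event("REMOVABLE", "approved_device_name_1")  # still reported under exact matching
FIXED_DISK = mount_event("FIXED", "Sarahs Thumbdrive")
NOT_A_MOUNT = mount_event("REMOVABLE", "Sarahs Thumbdrive", event_type="NEW_PROCESS")

if __name__ == "__main__":
    samples = {"unapproved": UNAPPROVED, "approved": APPROVED, "case variant": CASE_VARIANT,
               "fixed disk": FIXED_DISK, "not a mount": NOT_A_MOUNT}
    for name, ev in samples.items():
        print(f"{name:12s} -> {'REPORT' if evaluate(RULE, ev) else 'ignore'}")
```

Because the exclusion keys only on the user-editable volume label, treat this rule as a visibility control and pair it with device-level policy where a hard block is needed.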