SecuritySynapse: 2018

Friday, December 21, 2018

Parsing and Displaying Airwatch Data in Splunk

By Tony Lee

Have you ever searched for a Splunk app or TA and came up empty? We have too... Not to worry though, with a little parsing and some dashboarding we should be able to create visibility where there may not be much previously. This was exactly the case when we tried to parse AirWatch logs (https://www.air-watch.com/).

Figure 1: At the time of writing this article, no app or TA existed for airwatch.

If you have this same situation, hopefully we can help you too. This is the process we followed along with the regex used and the final dashboard produced. As a bonus, not only will we give you our regex that we used, but also the dashboard code at the end of the article.

Figure 2: Final dashboard to display airwatch data

Raw Log

Mar 15 07:43:45 airwatchhost Mar 15 13:43:45 AirWatch AirWatch Syslog Details are as follows Event Type: Device
Event: SecurityInformationConfirmed
User: sysadmin
Enrollment User: TLEE
Event Source: Device
Event Module: Devices
Event Category: Command
Event Data:
Device Friendly Name: TLEE iPhone iOS 12.1.0 GRY9

Fields we need to parse

Event Type
Event
User
Enrollment User
Event Source
Event Module
Event Category
Event Data
Device Friendly Name

Regular Expression Needed

There may be more graceful ways to parse these logs, but this seemed to work for us. Go to Settings > Fields > Field Extractions > New Field Extraction. For the fields use the following:

Select the app
Name: All-Airwatch-Fields
Select the sourcetype for airwatch data
Inline
Extraction: Copy and paste what we have below

Event\sType:\s(?P<EventType>.*?)\sEvent:\s(?P<Event>.*?)\sUser:\s(?P<User>.*?)\sEnrollment\sUser:\s(?P<EnrollmentUser>.*?)\sEvent\sSource:\s(?P<EventSource>.*?)\sEvent\sModule:\s(?P<EventModule>.*?)\sEvent\sCategory:\s(?P<EventCategory>.*?)\sEvent\sData:\s(?P<EventData>.*?)\sDevice\sFriendly\sName:\s(?P<DeviceFriendlyName>.*)

You should not need to restart Splunk, but give it 5 minutes and search with your index and sourcetype again in Verbose mode and the fields should now be parsed.

Conclusion

Even though we did not have a Splunk TA or App to help create visibility, we did this ourselves using the flexibility provided within Splunk. We hope this article helped other save time. If it helped or even if it did not work, feel free to leave a comment below. Happy Splunking!

Dashboard Code

The following dashboard assumes that the appropriate logs are being collected and sent to Splunk. Additionally, the dashboard code assumes an index of airwatch. Feel free to adjust as necessary. Splunk dashboard code provided below:

<form>
<label>Airwatch</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time">
<label>Time Range</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="wild">
<label>Wildcard Search</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Event Count</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">all</option>
</single>
</panel>
<panel>
<table>
<title>Top Event</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 Event</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel>
<table>
<title>Top EventModule</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 EventModule</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Top Enrollment User</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 EnrollmentUser</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel>
<table>
<title>Top Device Friendly Name</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 DeviceFriendlyName</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Top Event over Time</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | timechart count by Event</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>Top Enrollment User over Time</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | timechart count by EnrollmentUser</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Details</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

Monday, November 12, 2018

Monitoring USB Storage Activity with Splunk – Part II (Read/Write/Delete/Modify events)

By Tony Lee

Welcome to Part two in our series on Monitoring USB Storage Activity. In the first article (http://www.securitysynapse.com/2018/11/monitoring-usb-storage-activity-part-1.html), we examined what is required to monitor USB Storage connect and disconnect events. But how about activity that happens after the drives are connected? The good news is that this is also possible using Microsoft Windows Event logs and a bit of data crunching effort. In this article we will again use Splunk to aggregate, process, and display the logs. As a bonus, we will not only outline the steps to accomplish this task, but we will also provide working dashboard code at the end of the article.

Note: The Audit Removable Storage policy is only available in Windows 8 / 2008 and above—It is not available in Windows 7 / 2003. ☹

Figure 1: Dashboard provided at the end of the article

High-level steps

There are two main steps needed to accomplish this task. We need to generate and collect the Windows event logs and then we need to process and display the logs within Splunk. Each is outlined below.

Windows Event Generation
For Windows 8 / 2008 hosts and above, Microsoft USB activity logs can be enabled manually one machine at a time or via Group Policy (see references section below for instructions). For this demo, we will show how to enable it on one machine using Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Local Group > Object Access > Audit Removable Storage

Figure 2: Enabling Audit of Removable Storage

Double click and audit for Success and Failure. After enabling auditing, we rebooted for good measure, because hey, this is Windows.

Activity Event IDs
Now that Audit Removable Storage is enabled, open Event Viewer > Windows Logs > Security. Select Filter Current Log on the right-hand side and type in 4663 for event ID and click OK. Insert a USB device and click the Refresh button on the right-hand side. If all is well, there should be multiple 4663 success events. Note that Event ID 4656 is used for failures.

Figure 3: Testing 4663 and 4656 event visibility

Feel free to explore the data within each event but take note that for USB auditing the events that we care about have a Task Category of “Removable Storage”. For convenience we provide a file delete event below:

XX/XX/XXXX 05:54:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=DESKTOP-8HSPO8Q
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=1211
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
Security ID: S-1-5-21-XXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX
Account Name: User
Account Domain: DESKTOP-8HSPO8Q
Logon ID: 0x229E9

Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume7\New Microsoft Word Document.docx
Handle ID: 0x1404
Resource Attributes:

Process Information:
Process ID: 0x17b4
Process Name: C:\Windows\explorer.exe

Access Request Information:
Accesses: DELETE

Access Mask: 0x10000

Windows Event Collection
Now that the logs are being generated, they need to be forwarded from the endpoints to a central location—in this case Splunk. This task could be accomplished using a number of methods such as Windows Event Collector (WEC), a Splunk Universal Forwarder agent, or some other forwarding method. For this demo, we will use a Splunk Universal Forwarder shown in next section.

Splunk

While we are assuming a functional Splunk Enterprise installation exists, we still need to collect the logs. We provide a sample Splunk Universal Forwarder configuration file below to help those using the Splunk Universal Forwarder. Note: we will be placing the events into an index called wineventlog. If this index does not already exist, you will first need to create it.

inputs.conf
Located on the Windows endpoint (Usually found here: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf)

[WinEventLog://Security]
index = wineventlog
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
whitelist = 4663, 4656

Once the inputs.conf file is properly configured (and the universal forwarder restarted) to collect these logs from the endpoint, we need to verify that the logs are reaching Splunk. Try running the following Splunk search:

index=wineventlog

If you see results, try something more specific, such as either of the following:

index=wineventlog EventCode=4663
index=wineventlog EventCode=4656

Conclusion

Now that we have the proper event IDs flowing into Splunk, we created a Removable Storage Activity dashboard. The dashboard provides statistical analysis for top accounts, hostname, actions, and processes. It even includes events over time by hostname and action along with the details needed to investigate USB connections. Because there may be applications within an environment that scan or interact with removable storage, it may be necessary to add some filters to reduce noise which can be customized for each environment. For your convenience, we included the dashboard code below.

Acknowledgement and References

https://www.eventtracker.com/tech-articles/tracking-removable-storage-windows-security-log/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj574128(v=ws.11)

Dashboard Code

The following dashboard assumes that the appropriate logs are being collected and sent to Splunk. Additionally, the dashboard code assumes an index of wineventlog. Feel free to adjust as necessary. Splunk dashboard code provided below:

<form>
<label>Removable Storage Activity</label>
<description>index=wineventlog EventCode=4663 TaskCategory="Removable Storage"</description>
<fieldset autoRun="true" submitButton="true">
<input type="time" token="time">
<label>Time Range</label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="text" token="wild">
<label>Wildcard Search</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="Accesses">
<label>Actions (Accesses)</label>
<choice value="*">All</choice>
<choice value="ReadData (or ListDirectory)">ReadData (or ListDirectory)</choice>
<choice value="WriteData (or AddFile)">WriteData (or AddFile)</choice>
<choice value="AppendData (or AddSubdirectory or CreatePipeInstance)">AppendData (or AddSubdirectory or CreatePipeInstance)</choice>
<choice value="DELETE">DELETE</choice>
<default>*</default>
<initialValue>*</initialValue>
<valuePrefix>Accesses="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Total events</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<title>Top Account_Domain</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Account_Domain</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Top ComputerName</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 ComputerName</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Top Account_Name</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Account_Name</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Top Accesses</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Accesses</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Top Process_Name</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Process_Name</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Activity Over Time</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | eval ComputerAction = ComputerName + ":" + Accesses | timechart count(ComputerAction) by ComputerAction</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Details</title>
<search>
<query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

Tuesday, November 6, 2018

Monitoring USB Storage Activity with Splunk – Part 1 (Connectivity events)

By Tony Lee

Have you ever wanted to monitor what goes on with removable media in your environment, but maybe lack the money or man power to run a Data Loss Prevention (DLP) tool to monitor the USB devices? The good news is that you can do this on the cheap using Microsoft Windows Event logs and a bit of data crunching effort. In this article we will provide a few ways to collect the logs, but we will ultimately use Splunk to aggregate, process, and display the information. As a bonus, we will not only outline the steps to accomplish this task, but we will also provide working dashboard code at the end of the article.

Figure 1: Dashboard provided at the end of the article

High-level steps

There are two main steps needed to accomplish this task. We need to generate and collect the Windows event logs and then we need to process and display the logs within Splunk. Each is outlined below.

Windows Event Generation
Microsoft logs USB connect and disconnect actions in the following Windows Event Viewer location: Application and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational

Unfortunately, this log is disabled by default. Administrators can manually enable it per machine or take action on a larger scale using a login script or other mechanism outlined in the References section below. For this article, we will enable the logs manually by right clicking on “Operational” and selecting “Properties” to show that it is disabled. Check the box to enable these logs. After checking the box, we rebooted for good measure, because hey, this is Windows.

Figure 2: DriverFrameworks-UserMode enablement and log path

Connect Event IDs
Now that USB connectivity logging is enabled, insert a USB drive and click the refresh button to see some events. You will notice that there are quite a few event IDs associated with connecting a USB device, but fortunately for our situation, not all of them are important. For example, some of the event IDs pertain to USB functions needed to ready the device. For the sake of completeness, the event IDs associated with connecting a device are the following:

2003 – This is a unique event created upon connecting a USB device which contains helpful data
2004
2006
2010
2100
2101
2105
2106

Disconnect Event IDs
Fortunately, there are far fewer event IDs associated with disconnecting a USB device.

2100
2102 – This is a unique event created upon disconnecting a USB device which contains helpful data

Feel free to explore the data within each event but note that we have called out two Event IDs that contain the most amount of data pertaining to connection (2003) and disconnection (2102).

Windows Event Collection
Now that the logs are being generated, they need to be forwarded from the endpoints to a central location—in this case Splunk. This task could be accomplished using a number of methods such as Windows Event Collector (WEC), a Splunk Universal Forwarder agent, or some other forwarding method. For this demo, we will use a Splunk Universal Forwarder shown in next section.

Splunk
While we are assuming a functional Splunk Enterprise installation exists, we still need to collect the logs. We provide a sample Splunk Universal Forwarder configuration file below to help those using the Splunk Universal Forwarder. Note: we will be placing the events into an index called wineventlog. If this index does not already exist, you will first need to create it.

inputs.conf
Located on the Windows endpoint (Usually found here: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf)

WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]
index = wineventlog
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
whitelist = 2003, 2102

Once the inputs.conf file is properly configured (and the universal forwarder restarted) to collect these logs from the endpoint, we need to verify that the logs are reaching Splunk. Try running the following Splunk search:

index=wineventlog

If you see results, try something more specific, such as either of the following:

index=wineventlog EventCode=2003
index=wineventlog EventCode=2102

Field Extraction

Now that we have the proper Windows Event IDs we need to make sure we can reference the fields. Unfortunately, Windows event logs are a hybrid between human readable and machine readable—which usually means that no one likes to read them. As a result, we need to perform some manual extraction within Splunk to pull out key information such as the USB vendor, product, serial number, and guid. Within Splunk (Settings -> Fields -> Fields extractions) we added the following regex string to enable this parsing:

.*?VEN_(?<vendor>.*?)\&PROD_(?<product>.*?)\&.*?#(?<serialNumber>.*?)&.*?{(?<guid>.*?)}

Figure 3: Example Field Extraction

Figure 4: Example Event ID 2003 showing fields are properly extracted

Conclusion

Now that we have the proper event IDs flowing into Splunk and the necessary fields extracted, we created a Removable Storage Connections dashboard. The dashboard provides statistical analysis for connects, disconnects, top vendors, products, serial numbers, and hosts. It even includes events over time by action and serial number along with the details needed to investigate USB connections. For your convenience, we included the dashboard code below.

Caveats

Per Greg Shultz, “If you find an Event ID 2003 event record for a specific USB flash drive but don't find a corresponding Event ID 2102 event record, that either means that the USB flash drive is still attached to the system or the system was shut down before the device was removed.”

Acknowledgement and References

Big thanks to the following articles which were quite useful:

https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/

Dashboard Code

<form>

<label>Removable Storage Connections</label>

<description>index=wineventlog EventCode=2003 & 2102 - Microsoft-Windows-DriverFrameworks-UserMode/Operational"</description>

<label>Time Range</label>

</default>

</input>

<label>Wildcard Search</label>

</input>

</fieldset>

<row>

<panel>

<title>Number of Connect Events</title>

<query>index=wineventlog EventCode=2003 USBSTOR $wild$ | table _time, ComputerName, EventCode, User, vendor, product, serialNumber | stats count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</single>

</panel>

<panel>

<title>Number of Disconnect Events</title>

<query>index=wineventlog EventCode=2102 USBSTOR $wild$ | transaction maxspan=5s EventCode, ComputerName, serialNumber | dedup _time, ComputerName, serialNumber | table _time, ComputerName, EventCode, User, vendor, product, serialNumber | stats count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</single>

</panel>

<panel>

<table>

<title>Top Hosts with USB Activity</title>

<query>index=wineventlog (EventCode=2003 OR EventCode=2102) USBSTOR $wild$ | transaction maxspan=5s EventCode, ComputerName, serialNumber | table _time, ComputerName, EventCode, User, vendor, product, serialNumber | top limit=0 ComputerName</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</table>

</panel>

<panel>

<table>

<title>Top Removable Storage Vendors</title>

<query>index=wineventlog (EventCode=2003 OR EventCode=2102) USBSTOR $wild$ | dedup serialNumber | table _time, ComputerName, EventCode, User, vendor, product, serialNumber | top limit=0 vendor</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</table>

</panel>

<panel>

<table>

<title>Top Removable Storage Products</title>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</table>

</panel>

<panel>

<table>

<title>Top Serial Numbers</title>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

</table>

</panel>

</row>

<row>

<panel>

<chart>

<title>Events Over Time</title>

<query>index=wineventlog (EventCode=2003 OR EventCode=2102) USBSTOR $wild$ | eval action=case(EventCode == 2003, "Connect", EventCode == 2102, "Disconnect") | table _time, ComputerName, action, EventCode, User, vendor, product, serialNumber | eval ActionSerial = action + ":" + serialNumber | timechart dc(serialNumber) by ActionSerial</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.chart">column</option>

</chart>

</panel>

</row>

<row>

<panel>

<table>

<title>Connect Events (EventCode=2003)</title>

<query>index=wineventlog EventCode=2003 USBSTOR $wild$ | table _time, ComputerName, EventCode, User, vendor, product, serialNumber</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

<panel>

<table>

<title>Disconnect Events (EventCode=2102)</title>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</table>

</panel>

</row>

</form>