Comments on SecuritySynapse: Monitoring USB Storage Activity with Splunk – Part II (Read/Write/Delete/Modify events)
Blog author: Tony Lee (http://www.blogger.com/profile/04935721260910647091)
15 comments, newest first (feed retrieved 2024-03-20).

Tony Lee, 2022-03-11 05:29 -08:00:
Glad you found it useful and thanks for the additional resource! We appreciate it. Have an awesome day.

Anonymous, 2022-03-11 05:09 -08:00:
Great guide Tony! Thank you so much for posting :)

I had an issue of being able to see EventCode 2003 and 2102 in Event Viewer and subsequently in Splunk (Part 1 of this series), but not EventCode 4663. Followed this guide: https://www.surfacetablethelp.com/2018/12/removable-storage-inspection-not-generate-4663-events-logged-with-windows-10-1809.html.

Now I can see the events in both Event Viewer and Splunk :)

Anonymous, 2020-09-17 20:14 -07:00:
Looks like you have to do some extraction based on Vendor ID.
The message for iPhone shows USB\VID_05AC not USBSTOR#DISK.

Tony Lee, 2020-09-17 19:50 -07:00:
Interesting... Need to see if I can replicate or research.
Let me know if you find something first.

Anonymous, 2020-09-17 19:18 -07:00:
I tried the above-mentioned event IDs for a Western Digital Passport; it did not work. Please see the messages for event ID 2004 & 2003 for the Western Digital Passport.

Message:
The UMDF Host is loading driver WpdFs at level 0 for device SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.

Event ID 2003:
The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.

Tony Lee, 2020-09-17 03:59 -07:00:
Did you check the other event IDs for anything that would be a better fit? You are probably using event ID 2003 for this? How about any of these:
2004
2006
2010
2100
2101
2105
2106

Tony Lee, 2020-09-17 03:56 -07:00:
Thanks for confirming the logs.

Do you have other USB hard drives to confirm this with? I believe I used a Western Digital Passport to confirm functionality at one point?

Anonymous, 2020-09-16 19:49 -07:00:
Looks like it's a different log message in Splunk for a thumb drive and a USB hard drive, or even for phones.

USB hard drive message is:
The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.

USB thumb drive:
The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_GLIDE_3.0&REV_1.00#4C530000100930118272&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}.

iPhone:
The UMDF Host Process ({a5dcff3f-af0e-4aee-b7e1-4ca2183c76eb}) has been asked to load drivers for device USB\VID_05AC&PID_12A8&MI_00\7&472CBA0&0&0000.

The thumb drive shows the vendor and your field extraction works for the thumb drive, but not for other USB devices.

Any solution to this?

Thank you

Anonymous, 2020-09-16 18:22 -07:00:
Thank you for getting back to me quickly.

Logs are there in the Windows Event log; the Splunk Universal Forwarder is configured and sending logs to Splunk.

The only issue is the USB hard drives. Thumb drives show up in Splunk, but when I plug in USB hard drives the counter won't increment in the dashboard; it stays the same.

Tony Lee, 2020-09-16 17:54 -07:00:
Should be the same event ID. First try to find the log in the Windows Event log. That way you eliminate Splunk from being the potential cause.

So it sounds like you are generating the Windows Security Event, but it is not being sent to Splunk? If that is the case, it is probably the Universal Forwarder config. Remember when you change the UF config, you also need to restart the Splunk UF service to read in the config again.

Anonymous, 2020-09-16 17:31 -07:00:
Auditing for Success and Failure? Yes
Windows Security Event logs generated? Yes

I just see thumb drives in Splunk but not USB hard drives; the counter doesn't even go up or down when I plug in USB hard drives.

I see the number of logs go up in Splunk.

For USB hard drives, do they use a different event ID?

Tony Lee, 2020-09-16 15:01 -07:00:
Interesting... Ensure you are auditing for Success and Failure. Also, be sure to check the Windows Security event logs on the local system using Event Viewer to make sure they are being generated. If they are generated, it is a Splunk issue. If they are not being generated, it is a Windows event logging issue.

Also, in regards to the USB hard drives vs. thumb drives... they should both be detected.

Anonymous, 2020-09-16 14:27 -07:00:
1) You enabled the control via group or local policy? Local Policy
2) Windows 8 / 2008 and above? Win 10
3) Did you reboot for good measure? Yes
4) You plugged in a device right? Yes
5) Do you have any device control software preventing the drive from mounting, which may prevent the event ID? No

Also, Part I worked great for USB pen drives but not for USB hard drives. Can you please explain how to detect all kinds of USB devices when plugged in?

Thank you

Tony Lee, 2020-09-16 05:05 -07:00:
Hmmm... Let's go down a quick checklist:
1) You enabled the control via group or local policy?
2) Windows 8 / 2008 and above?
3) Did you reboot for good measure?
4) You plugged in a device right?
5) Do you have any device control software preventing the drive from mounting, which may prevent the event ID?

Let us know!

Anonymous, 2020-09-15 20:36 -07:00:
Hi,

I followed the steps but am still not able to see events 4663 and 4665 in Event Viewer. Is there anything missing?
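One way to extract a device identity from all three "load drivers for device" message forms quoted in the thread (USBSTOR thumb drive, WPD-enumerated USB hard drive, iPhone with VID/PID), as an added Python example that is not from the blog post or from any commenter. The sample messages are constructed from the device paths posted above; the record fields, the bus labels and the device_key function are my own naming, not Splunk field names.

```python
import re
from typing import Optional

# Constructed samples: the three device paths quoted in the comment thread, in the UMDF message text.
SAMPLE_MESSAGES = [
    # USB thumb drive: USBSTOR path with VEN_/PROD_/REV_ fields and a serial number
    "The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device "
    r"SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_GLIDE_3.0&REV_1.00#4C530000100930118272&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}.",
    # USB hard drive exposed as a WPD device: interface GUID and instance id only, no vendor fields
    "The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device "
    r"SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.",
    # iPhone: plain USB path identified by VID/PID
    "The UMDF Host Process ({a5dcff3f-af0e-4aee-b7e1-4ca2183c76eb}) has been asked to load drivers for device "
    r"USB\VID_05AC&PID_12A8&MI_00\7&472CBA0&0&0000.",
]

DEVICE_RE = re.compile(r"load drivers for device (\S+)")
USBSTOR_RE = re.compile(r"USBSTOR#(?P<kind>[^&#]+)&VEN_(?P<vendor>[^&]+)&PROD_(?P<product>[^&]+)"
                        r"&REV_(?P<rev>[^#]+)#(?P<serial>[^&#]+)")
VIDPID_RE = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")
WPD_RE = re.compile(r"WPDBUSENUM\\\{(?P<guid>[0-9A-Fa-f-]{36})\}#(?P<instance>\S+)")

def parse_umdf_device(message: str) -> Optional[dict]:
    """Normalize one UMDF 'load drivers' message; None if the line is not one."""
    m = DEVICE_RE.search(message)
    if not m:
        return None
    path = m.group(1).rstrip(".")  # the message ends with a period right after the path
    rec = {"path": path}
    if (u := USBSTOR_RE.search(path)):    # thumb drives: vendor/product/serial available
        rec.update(bus="USBSTOR", **u.groupdict())
    elif (v := VIDPID_RE.search(path)):   # phones and other plain USB devices
        rec.update(bus="USB", **v.groupdict())
    elif (w := WPD_RE.search(path)):      # WPD-enumerated drives: GUID + instance id
        rec.update(bus="WPDBUSENUM", **w.groupdict())
    else:
        rec["bus"] = "unknown"             # keep the raw path rather than dropping the event
    return rec

def device_key(rec: dict) -> str:
    """Stable key for counting distinct devices whichever path form the event used."""
    if rec["bus"] == "USBSTOR":
        return f"USBSTOR:{rec['vendor']}:{rec['product']}:{rec['serial']}"
    if rec["bus"] == "USB":
        return f"USB:{rec['vid']}:{rec['pid']}"
    if rec["bus"] == "WPDBUSENUM":
        return f"WPD:{rec['instance']}"
    return f"RAW:{rec['path']}"
```

Counting on device_key rather than on a VEN_ field is what keeps a dashboard counter moving for the WPD and VID/PID forms, which carry no vendor string at all.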