
Can Splunk monitor access to USB ports/drives?

pchukwuma
New Member

Can Splunk tell me when something is plugged into or removed from the USB port?

0 Karma

Damine
New Member

I have created this simple Windows service to monitor and send log events to a Splunk indexer, along with the files copied, the IP address of the user and the username (JSON format). It will only send an event if the user copies something.
This is the link to the application:

http://www.codeproject.com/Tips/1109707/Log-USB-Events-to-Splunk-Or-Any-syslog-Server

0 Karma

radialdrillingv
New Member

Can this indexer capture information coming into USB in Microsoft UL protocol?

0 Karma

pchukwuma
New Member

Thank you, MuS, for your response.

0 Karma

MuS
SplunkTrust

Hi pchukwuma

Since most OSes are able to somehow log when a USB device is plugged or unplugged, you can imagine that splunk> can eat up those logs. For example, on *nix you would find something in messages or could write a hot-plug event script to generate splunk> events. On Windows you would find the event in the event logs, which splunk> is also able to read.

Based on that, you could set up alerts in splunk>, and therefore the answer is: yes, splunk> can tell you when some USB device is plugged or unplugged.

cheers,
MuS
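
As an added example (not code from any poster in this thread), the sketch below turns the kernel USB lines that Linux writes to its messages log into key="value" events that Splunk can field-extract and alert on. The log lines are constructed samples, and the function and field names (`usb_events`, `to_kv`, `vendor_id`, and so on) are assumptions.

```python
import re

# Constructed sample in the style of Linux kernel USB messages in /var/log/messages.
SAMPLE_LOG = """\
Mar  4 10:15:01 ws01 kernel: [ 1234.567890] usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar  4 10:15:01 ws01 kernel: [ 1234.712345] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  4 10:15:01 ws01 kernel: [ 1234.712350] usb 1-2: Product: Example Flash Drive
Mar  4 10:15:02 ws01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  4 10:42:17 ws01 kernel: [ 2870.101010] usb 1-2: USB disconnect, device number 5
"""

# Syslog prefix, optional kernel uptime stamp, then "usb <bus-port>: <message>".
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: "
                  r"(?:\[\s*[\d.]+\] )?usb (?P<port>[\d.-]+): (?P<msg>.*)$")
NEW = re.compile(r"new .*?USB device number (\d+)")
IDS = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
GONE = re.compile(r"USB disconnect, device number (\d+)")


def usb_events(text):
    """Return one dict per plug/unplug, with vendor/product IDs when the kernel logged them."""
    events, attached = [], {}  # attached: port -> its "plugged" event
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a kernel USB line (e.g. sshd, cron)
        port, msg = m["port"], m["msg"]
        base = {"time": m["ts"], "host": m["host"], "port": port}
        if n := NEW.search(msg):
            attached[port] = {**base, "action": "plugged", "devnum": n[1]}
            events.append(attached[port])
        elif (i := IDS.search(msg)) and port in attached:
            attached[port].update(vendor_id=i[1], product_id=i[2])
        elif g := GONE.search(msg):
            prev = attached.pop(port, {})
            ev = {**base, "action": "unplugged", "devnum": g[1]}
            if prev.get("devnum") == g[1]:  # same device: name it in the unplug event
                ev.update({k: v for k, v in prev.items() if k.endswith("_id")})
            events.append(ev)
    return events


def to_kv(event):
    """Render an event as key="value" pairs, which Splunk extracts as fields at search time."""
    return " ".join(f'{k}="{v}"' for k, v in event.items())


if __name__ == "__main__":
    for e in usb_events(SAMPLE_LOG):
        print(to_kv(e))
```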
