I've recently had some ransomware that I think came off of a user's USB drive. I am worried he might have shared it with other people, but he can't remember the name of the USB drive and now he has lost it :-/. I found a search on http://gosplunk.com/ (see below) that I thought would work, but it doesn't find it for his Windows 10 machine. Anyone have any ideas? I am collecting most Windows logs AND WinRegistry.
sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*" registry_type=CreateKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S" | stats count by Date, host, Vendor, Product, DeviceType | fields - count | sort - Date
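Added example (not from the question and not Splunk's own code): a small Python parser that pulls the same DeviceType/Vendor/Product fields, plus the device instance serial, out of constructed registry-monitor lines, and counts them per host the way the question's `stats` does. It matches the USBSTOR path whether the hive root is written as `HKLM\...` or `\REGISTRY\MACHINE\...`; the event layout and hostnames are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "key=value" layout; this is not
# Splunk's documented WinRegistry format, only a stand-in for testing.
SAMPLE_EVENTS = [
    r'host=WS01 registry_type=CreateKey key_path="HKLM\system\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0014780A1B2C3D&0"',
    r'host=WS01 registry_type=SetValue key_path="HKLM\system\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0014780A1B2C3D&0\FriendlyName"',
    r'host=WS02 registry_type=CreateKey key_path="\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0"',
    r'host=WS03 registry_type=CreateKey key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"',
]

# Anchors on "\usbstor\" so the hive-root spelling before it does not matter;
# each field stops at the next "&" or "\" instead of relying on greedy ".*".
USBSTOR_RE = re.compile(
    r"\\usbstor\\(?P<device_type>[^&\\]+)&ven_(?P<vendor>[^&\\]+)"
    r"&prod_(?P<product>[^&\\]+)&rev_(?P<rev>[^\\]+)\\(?P<serial>[^\\\"]+)",
    re.IGNORECASE,
)


def parse_usbstor(event):
    """Return a dict of USBSTOR fields from one event line, or None if absent."""
    m = USBSTOR_RE.search(event)
    if not m:
        return None
    fields = m.groupdict()
    host_m = re.search(r"host=(\S+)", event)
    fields["host"] = host_m.group(1) if host_m else ""
    # The serial (device instance id) identifies one physical stick, which is
    # what lets you follow the same drive from host to host.
    return fields


def usb_devices_by_host(events):
    """Count events per (host, vendor, product, serial), like the question's stats.

    Not filtered on registry_type, so a device seen only through a SetValue
    under its key is still counted.
    """
    seen = Counter()
    for event in events:
        fields = parse_usbstor(event)
        if fields:
            seen[(fields["host"], fields["vendor"], fields["product"], fields["serial"])] += 1
    return seen
```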