USB Device Monitoring on Windows Systems

Applies to Product: USM Appliance™ LevelBlue OSSIM®

In LevelBlue USM Appliance version 5.3, Host Intrusion Detection System (HIDS) rules and plugins have been updated to capture USB device events on Windows machines.

Configuration Changes on the HIDS Agent

If you are deploying USM Appliance version 5.3 or later, you do not need to do anything. This feature is enabled by default.

If you are updating to USM Appliance version 5.3 or later from a previous version, and you want to use the USB device detection feature, you need to do one of the following:

  • On the host you wish to monitor, remove the existing HIDS agent and redeploy it. For instructions, see Deploy AlienVault HIDS Agents to Windows Hosts.
  • Alternatively, you can change the configuration on Windows manually, as detailed below.

Change the Configuration on Windows Manually

Since full_command must be configured in each Windows system's ossec.conf file, you need to change the HIDS agent configuration on each Windows machine that you want to monitor USB devices.

To change the configuration on the client machine:

  1. Go to C:\Program Files (x86)\ossec-agent.
  2. Open ossec.conf with a text editor.
  3. Locate the line "<ossec_config>" and add the following configuration right below that line:



    <command>wmic logicaldisk where drivetype=2 get deviceid, description, FileSystem, Size, VolumeSerialNumber</command>



    Your configuration file should look similar to this:

    ossec-config on Windows machine

    Some customers have reported that the wmic command above does not work in their environment. LevelBlue has not been able to reproduce the problem but suspect that it may be related to newer HIDS versions or older Windows versions. If you run into the same issue, try using the following command instead:

    <command>wmic logicaldisk where "drivetype=2 AND NOT deviceid like "a\"" get deviceid, description, FileSystem, Size, VolumeSerialNumber</command>

  4. Launch the win32ui application located in the same directory.

    1. Select Manage.
    2. Click Restart.

      Launching the ossec-agent manager from within the win32ui application


Once USB activity has been detected on that host, you should be able to see new LevelBlue HIDS events with the event name LevelBlue HIDS: New USB Device Found. And the Event Details pane includes information about Drive, FileSystem, Size, and Serial Number:

USB device added/removed event details

AlienVault OSSIM Limitations: Both LevelBlue OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and LevelBlue OSSIM provide. However, LevelBlue OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.