USB Monitoring
PnP Notification
Monitor USB device plug and unplug events in real time.
Overview
USB monitoring tracks when USB devices are connected to and disconnected from the system. This helps detect unauthorized device usage and potential data exfiltration via removable media.
Event Types
| Event | Description |
|---|---|
| DeviceArrival | USB device plugged in |
| DeviceRemoval | USB device unplugged |
Captured Information
- Device ID — Unique device identifier
- Vendor ID — USB vendor ID (VID)
- Product ID — USB product ID (PID)
- Device class — Mass storage, HID, etc.
- Serial number — Device serial (if available)
- Friendly name — Human-readable device name
Device Classes
| Class | Examples |
|---|---|
| Mass Storage | USB flash drives, external hard drives, SD card readers |
| HID | Keyboards, mice, game controllers (potential BadUSB) |
| Network | USB network adapters, mobile tethering |
| Other | Printers, cameras, audio devices |
UI Features
- USB tab — View all USB events
- Device class filter — Filter by device type
- Vendor filter — Focus on specific vendors
- Timeline view — See device connection history
IPS Rule Examples
USB: MassStorage | Action: Alert
USB: HID | VID: 0x1234 | Action: Block
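
The following is an added example, not the product's own code: it shows how the captured VID, PID and serial number can be derived from a device ID and matched against rule lines like the two above. It assumes the device ID uses the Windows instance ID form `USB\VID_xxxx&PID_xxxx\<instance>`, that rule fields mean what their names suggest, and that the first matching rule wins; the function names and sample events are constructed for illustration.

```python
import re

# Windows USB device instance ID: USB\VID_xxxx&PID_xxxx[&MI_xx]\<instance part>
_ID_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\(.+)$", re.I)

def parse_instance_id(instance_id):
    """Split an instance ID into VID, PID and serial (None when unavailable)."""
    m = _ID_RE.match(instance_id)
    if not m:
        return None
    inst = m.group(3)
    # If the device reports no serial, Windows generates the instance part;
    # generated values have '&' as the second character, e.g. 6&2f1a9c3e&0&3.
    serial = None if len(inst) > 1 and inst[1] == "&" else inst
    return {"vid": int(m.group(1), 16), "pid": int(m.group(2), 16), "serial": serial}

def parse_rule(line):
    """Parse a 'Key: value | Key: value' rule line (field meanings assumed)."""
    pairs = (part.split(":", 1) for part in line.split("|"))
    f = {k.strip().lower(): v.strip() for k, v in pairs}
    vid = int(f["vid"], 16) if "vid" in f else None
    return {"cls": f["usb"], "vid": vid, "action": f["action"]}

def decide(device_class, instance_id, rules):
    """Return the first matching rule's action, or None (first-match is assumed)."""
    dev = parse_instance_id(instance_id)
    if dev is None:
        return None
    for r in rules:
        if r["cls"] == device_class and r["vid"] in (None, dev["vid"]):
            return r["action"]
    return None

RULES = [parse_rule(s) for s in (
    "USB: MassStorage | Action: Alert",
    "USB: HID | VID: 0x1234 | Action: Block",
)]

# Constructed DeviceArrival samples: (device class, instance ID).
SAMPLES = [
    ("MassStorage", r"USB\VID_0781&PID_5581\4C530001230627114123"),
    ("HID", r"USB\VID_1234&PID_ABCD\6&2f1a9c3e&0&3"),   # no real serial
    ("HID", r"USB\VID_046D&PID_C31C\5&1b2c3d4e&0&1"),   # HID, VID not in rules
]

if __name__ == "__main__":
    for cls, iid in SAMPLES:
        print(cls, parse_instance_id(iid), decide(cls, iid, RULES))
```

A device whose serial parses as `None` cannot be told apart from another unit of the same model, so per-device allow-listing only works for devices that report a real serial.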