Documentation forSecurity Event Manager

Configure the USB Defender local policy connector in SEM

The USB Defender Local Policy connector enables a SEM agent to enforce restrictions on USB devices, even when the agent is not connected to the SEM Manager. Instead of using rules when disconnected, the connector uses a list of permitted users or devices. The agent compares the fields in all USB device-attached events to a locally stored white list of users or devices. If none of the fields match an entry on the list, the agent detaches the device.

See Configure the Detach USB Device active response in SEM for more information.

When the Agent is connected to the Manager through the network, the Manager rule also applies. Any devices listed in the local white list must be in the User Defined Group for authorized devices. Otherwise, the rule takes effect and the device detaches even though it was allowed by the white list in the USB Defender local policy. When the agent is connected, the USB Defender Local Policy and the SEM rule are active.

  1. Create a text file with one entry per line.

    This file serves as the local policy. Each entry can be a user name or a USB device ID, from the Extraneous Info field of an attached alert.

  1. Log in to the SEM Console.
  2. On the toolbar, click Configure > Nodes.
  3. Select a node, and then click Manage node connectors.
  4. In the search box, type USB defender.
  5. Select the USB Defender Local Policy connector, and then click Add Connector.
  6. In the Name field, enter a new name, or keep the existing name.
  7. Click Browse, and then locate and upload the text file you created above.
  8. Click Add.

    The connector appears on the Manager Connectors tab under Configured connectors.

  9. Under Configured connectors, select your connector, and then click Start.

The authorized devices in the local white list must also be in the UDG for Manager Detach Unauthorized USB rule or the rule on the Manager enforces detachment when the laptop is connected to the network. In reverse, if you are using a blacklist and the device is in the USB Local Policy and not in the User Defined Group of the rule, the device still detaches.

Having a device or user in one white list or black list and not in the other is not recommended and yields inconsistent results.