Documentation for Security Event Manager

Configure the Detach USB Device active response in SEM

Use the Windows active response to detach a USB device from a SEM Agent running USB Defender. Use this action to allow only specific devices to be attached to your Windows computers, or to detach any device exhibiting suspicious behavior. The response can be automated in a SEM rule or executed manually from the Respond menu on the Manage > Nodes page.

USB Defender is an installation option when the Agent is first installed. If it was not selected at that time, reinstall the Agent with USB Defender. Additionally, configure the Windows Active Response tool on each SEM Agent where you need to run active responses.

Verify that USB Defender is installed on a SEM Agent

  1. On the SEM Console, navigate to Configure > Nodes.

  2. Under Refine Results, expand the Type group, and then select the Agent check box.
  3. Under Refine Results, expand the USB Monitoring group, and then select the Installed check box.

    A check mark next to USB indicates that USB Defender is installed.

  4. If USB Defender is not installed on one or more SEM Agents, reinstall the Agent and ensure that you select Install USB-Defender after you confirm the Manager Communication Settings.

Detach USB devices

By default, USB devices are audited only, and the USB File Audit Activity filter displays those events. That filter is set to FileAuditAlerts.ProviderSID=*USB*, so it shows only file audit events from USB devices. To monitor all USB device activity, not only file audits, create a filter for AnyAlert.ProviderSID=*USB*.

USB devices are not detached by default; you must configure a rule to detach them. The SEM Console includes several rule templates that you can access and modify as needed.
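The two filters above differ only in scope, and a detach rule is just a filter plus a condition on the device. The script below is an added example, not SolarWinds code, that evaluates filters of the form `<AlertType>.ProviderSID=<glob>` over a handful of constructed events and applies an "allow only known devices" rule of the kind the page describes. The event field names, the `USBDefender` ProviderSID value, the device identifiers and the case-sensitive glob matching are all assumptions for illustration; check real values in your own SEM console.

```python
"""Toy evaluator for SEM-style USB filters and a detach-unknown-device rule.

Added example, not SolarWinds code. Field names, ProviderSID values and the
device identifiers below are constructed for illustration only.
"""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Alert:
    alert_type: str      # SEM event type, e.g. "FileAuditAlerts" (constructed)
    provider_sid: str    # the ProviderSID field the page's filters match on
    detection_ip: str    # the Agent that reported the event
    device_id: str = ""  # USB device identifier; constructed field (assumption)


# Constructed sample events, not captured SEM data.
SAMPLE_ALERTS: List[Alert] = [
    # file written to a known, allowlisted stick
    Alert("FileAuditAlerts", "USBDefender", "10.0.0.5", "VID_0781&PID_5591"),
    # the same stick being attached (not a file audit event)
    Alert("USBDefenderAlerts", "USBDefender", "10.0.0.5", "VID_0781&PID_5591"),
    # an unknown device attached on another host
    Alert("USBDefenderAlerts", "USBDefender", "10.0.0.9", "VID_1D6B&PID_0002"),
    # ordinary Windows file audit, unrelated to USB
    Alert("FileAuditAlerts", "WindowsAudit", "10.0.0.9"),
    Alert("UserLogon", "WindowsAudit", "10.0.0.9"),
]


def filter_matches(alert: Alert, filter_expr: str) -> bool:
    """Evaluate '<AlertType>.ProviderSID=<glob>' against one alert.

    'AnyAlert' is the catch-all scope; any other scope must equal the
    alert type exactly. The glob uses * and ? as on the page; matching is
    assumed case-sensitive here.
    """
    scope, dot, rest = filter_expr.partition(".")
    field, eq, pattern = rest.partition("=")
    if not dot or not eq or field != "ProviderSID":
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    if scope != "AnyAlert" and scope != alert.alert_type:
        return False
    return fnmatch.fnmatchcase(alert.provider_sid, pattern)


def select(alerts: Iterable[Alert], filter_expr: str) -> List[Alert]:
    """Return the alerts a filter would display."""
    return [a for a in alerts if filter_matches(a, filter_expr)]


# Device identifiers permitted on managed hosts (constructed allowlist).
ALLOWED_DEVICES: Set[str] = {"VID_0781&PID_5591"}


def detach_decision(alert: Alert, allowed: Set[str] = ALLOWED_DEVICES) -> Optional[str]:
    """Rule logic: on any USB Defender alert for a device that is not on the
    allowlist, return the action to run; otherwise None (audit only).

    Events without a device identifier are left to the audit trail rather
    than detached, since there is nothing to target.
    """
    if not filter_matches(alert, "AnyAlert.ProviderSID=*USB*"):
        return None
    if not alert.device_id or alert.device_id in allowed:
        return None
    return f"DetachUSBDevice {alert.device_id} on {alert.detection_ip}"


if __name__ == "__main__":
    for expr in ("FileAuditAlerts.ProviderSID=*USB*", "AnyAlert.ProviderSID=*USB*"):
        print(f"{expr} -> {len(select(SAMPLE_ALERTS, expr))} alert(s)")
    for a in SAMPLE_ALERTS:
        action = detach_decision(a)
        if action:
            print(action)
```

Running it shows the file-audit filter catching one of the three USB events while the AnyAlert filter catches all three, and only the unknown device on 10.0.0.9 producing a detach action; the allowlisted stick stays attached on both hosts.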

You can enforce USB Defender policy locally. See Configure the USB Defender local policy connector for details.