Documentation for Security Event Manager

Configure the Detach USB Device active response in SEM

Use the Windows active response to detach a USB device from a SEM agent running USB Defender. With this procedure you can allow only specific devices to be attached to your Windows computers, or detach any device that exhibits suspicious behavior. You can automate the response in a SEM rule.

USB Defender is an option offered when the agent is first installed. If it was not selected at that time, reinstall the agent with USB Defender. Additionally, configure the Windows Active Response tool on each SEM agent where you require an active response.

Verify that USB Defender is installed on a SEM Agent

  1. Log in to the SEM Console.
  2. On the toolbar, click Configure > Nodes.
  3. In the Refine Results column, expand Type and select the Agent checkbox.
  4. Under Refine Results, expand USB Monitoring and select the Installed check box.

    A check mark next to USB indicates that USB Defender is installed.

    If USB Defender is not installed on one or more SEM agents, reinstall the agent and ensure that you select Install USB-Defender after you confirm the Manager Communication Settings.

Detach USB devices

By default, USB devices are audited and the USB File Audit Activity filter displays those events. The filter is set for:

FileAuditAlerts.ProviderSID=*USB*

To monitor all USB device activity, create a filter for:

AnyAlert.ProviderSID=*USB*
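The practical difference between the two filters is scope: the default one only surfaces file-audit events from the USB provider, while the AnyAlert form also catches device attach and other non-file events that a detach rule would need to see. The following added example (not SolarWinds code, and not taken from this page) models that distinction: it evaluates a filter of the form AlertType.Field=glob over a handful of constructed sample events. The field and alert-type names in the sample events, the treatment of AnyAlert as a wildcard over alert types, and case-sensitive glob matching are all assumptions made for the example, not documented SEM behaviour.

```python
"""Evaluate SEM-style filter expressions over constructed sample events.

Added example, not SolarWinds code. It models a SEM event as a dict with an
AlertType plus named fields, and evaluates a filter written as
'<AlertType>.<Field>=<glob>'. Treating 'AnyAlert' as matching every alert
type, and matching the glob case-sensitively, are assumptions of this example.
"""
from fnmatch import fnmatchcase

# Constructed sample events; field values are illustrative, not real SEM records.
SAMPLE_EVENTS = [
    {"AlertType": "FileAuditAlerts", "ProviderSID": "USB-Defender",
     "DetectionIP": "10.0.0.5", "FileName": "E:\\payroll.xlsx"},
    {"AlertType": "UserLogon", "ProviderSID": "Windows-Security",
     "DetectionIP": "10.0.0.5"},
    {"AlertType": "USBDefenderAttach", "ProviderSID": "USB-Defender",
     "DetectionIP": "10.0.0.7", "ExtraneousInfo": "mass storage attached"},
    {"AlertType": "FileAuditAlerts", "ProviderSID": "Windows-FileAudit",
     "DetectionIP": "10.0.0.9", "FileName": "C:\\temp\\notes.txt"},
]

# The two filter expressions discussed on this page.
DEFAULT_FILTER = "FileAuditAlerts.ProviderSID=*USB*"
BROAD_FILTER = "AnyAlert.ProviderSID=*USB*"


def parse_filter(expr):
    """Split 'AlertType.Field=glob' into (alert_type, field, glob).

    Raises ValueError for anything that does not have all three parts, so a
    typo in a rule's filter fails loudly instead of silently matching nothing.
    """
    lhs, _, pattern = expr.partition("=")
    alert_type, _, field = lhs.partition(".")
    if not (alert_type and field and pattern):
        raise ValueError(f"malformed filter: {expr!r}")
    return alert_type, field, pattern


def matches(event, expr):
    """Return True if the event satisfies the filter expression."""
    alert_type, field, pattern = parse_filter(expr)
    # Assumption: 'AnyAlert' is a wildcard over alert types; anything else
    # must match the event's AlertType exactly.
    if alert_type != "AnyAlert" and event.get("AlertType") != alert_type:
        return False
    value = event.get(field)
    # fnmatchcase gives shell-style '*' and '?' globbing, case-sensitively.
    return value is not None and fnmatchcase(value, pattern)


def apply_filter(events, expr):
    """Return the subset of events that match the filter, in input order."""
    return [e for e in events if matches(e, expr)]


if __name__ == "__main__":
    for name, expr in (("default", DEFAULT_FILTER), ("broad", BROAD_FILTER)):
        hits = apply_filter(SAMPLE_EVENTS, expr)
        print(f"{name:7s} {expr}: {len(hits)} event(s)")
        for hit in hits:
            print("   ", hit["AlertType"], "from", hit["DetectionIP"])
```

Run stand-alone, the default filter returns only the file-audit event from the USB provider, while the broad filter also returns the constructed device-attach event; the Windows file-audit event is excluded by both because its ProviderSID does not contain USB.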

USB devices are not detached by default. You must configure a rule to detach the device. The SEM Console includes several templates you can access and modify, as shown below.

You can enforce USB Defender policy locally. See Configure the USB Defender local policy connector for details.