Regarding Usb_ block of unauthorised usb PNP device


Monish Chandrashekar

May 13, 2024, 4:15:34 AM
to Wazuh | Mailing List
Can someone help me automatically block USB in Wazuh for unauthorised PnP USB devices, so I can customise and try to set the rules for every agent? Please help me with this, guys.

Manuel Pedro Gomez Castro

May 15, 2024, 11:22:30 AM
to Wazuh | Mailing List
Hi! Thank you for reaching out to us and apologies for the delayed response!

You could use Wazuh to detect PnP USB devices and filter by authorized and unauthorized devices. With such a configuration, plugging in a device would trigger an alert on your Wazuh server.
https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/

Setting up these alerts can be useful to automatically block the devices when combined with Wazuh's Active response, which can execute a command on the affected endpoint as a response to an alert. How Active response works and how to configure it is explained in greater detail in our documentation.
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html

Lastly, in order to configure your agents in bulk, Wazuh does have an option to set certain configurations remotely. You also have the option to group your agents and apply varied configurations to each as a group if a global policy would not fit all.
https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

I believe these articles could be a good starting point in your research. If you have any further questions on this topic, we would love to hear more about them and the use case you are applying this configuration to.

Have a great day!
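An added example, not part of the replies above and not Wazuh's own code: the decision step of a custom active-response script that reads the JSON message Wazuh passes on stdin and checks the plugged device against an allowlist. The `deviceId` field path, the allowlist entry and the choice of `pnputil /disable-device` as the blocking action are assumptions for illustration; the script only builds the command and does not run it.

```python
import json
import re
import sys

# Constructed allowlist of approved device instance IDs (placeholder value).
AUTHORIZED = {r"USBSTOR\DISK&VEN_EXAMPLE&PROD_APPROVED&REV_1.00\0000000001&0"}

def normalize(device_id):
    # Collapse repeated backslashes (assumption: the alert may carry escaped
    # separators) and ignore case so list entries compare reliably.
    return re.sub(r"\\+", r"\\", device_id).upper()

def dig(obj, *keys):
    # Walk nested dicts, returning None as soon as a level is missing.
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def decide(raw, authorized=AUTHORIZED):
    """Return (action, command) for one active-response message."""
    try:
        msg = json.loads(raw)
    except (TypeError, ValueError):
        return ("ignore", None)
    if dig(msg, "command") != "add":
        return ("ignore", None)  # only act when the response is being applied
    # Assumed field path for the plugged device in the triggering alert.
    dev = dig(msg, "parameters", "alert", "data", "win", "eventdata", "deviceId")
    if not isinstance(dev, str) or not dev:
        return ("ignore", None)
    dev = normalize(dev)
    if dev in {normalize(a) for a in authorized}:
        return ("allow", None)
    # Assumed blocking action: disable the device instance with pnputil.
    return ("block", ["pnputil", "/disable-device", dev])

def sample(device_id):
    # Constructed message in the shape Wazuh passes to active-response scripts.
    return json.dumps({"version": 1, "command": "add", "parameters": {
        "extra_args": [],
        "alert": {"data": {"win": {"eventdata": {"deviceId": device_id}}}}}})

if __name__ == "__main__":
    action, cmd = decide(sys.stdin.readline())
    print(action, " ".join(cmd) if cmd else "")
```

Malformed input and messages without a device ID are ignored instead of blocked, so a parsing problem never disables hardware by accident.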