Rules to Detect Disconnect PNP Wazuh

[Yogi Valentino]

This is my rules for wazuh to detect Connected USB to device

<!-- DriverFrameworks / USB detection rules -->
<group name="windows-usb-detect,">
 <rule id="111110" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^6416$</field>
    <description> Windows: USB Device $(win.eventdata.deviceDescription) connected to $(win.system.computer)</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1092</id>
    </mitre>
  </rule>

  <rule id="111111" level="5">
    <if_sid>111110</if_sid>
    <list field="win.eventdata.devicedescription" lookup="match_key">etc/lists/usb-drives</list>
    <description>Windows: Authorized PNP device $(win.eventdata.deviceDescription) connected to $(win.system.computer).</description>
  </rule>

  <rule id="111112" level="8">
    <if_sid>111110</if_sid>
    <!-- use relative path for list and ensure list file exists and readable -->
    <list field="win.eventdata.devicedescription" lookup="not_match_key">etc/lists/usb-drives</list>
    <description>Windows: Unauthorized PNP device $(win.eventdata.deviceDescription) connected to $(win.system.computer).</description>
  </rule>
</group>


So do you guys know how to detect if PNP is unplugged/disconnect from device?

[Bony V John]

Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

[Bony V John]

Hi,

You can detect USB device unplug or disconnection events by monitoring the Microsoft-Windows-DriverFrameworks-UserMode/Operational event channel, which logs USB device plug-and-play events.

To do this, you need to configure the Windows agent to monitor this event channel. Add the following localfile configuration to the Wazuh agent configuration file:

File location: C:\Program Files (x86)\ossec-agent\ossec.conf

<localfile>
  <location>Microsoft-Windows-DriverFrameworks-UserMode/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

You can also deploy this configuration using centralized agent configuration. Please refer to the Wazuh documentation for guidance on centralized configuration.

After applying the configuration, restart the Wazuh agent to apply the changes.

On the Wazuh manager, add the following custom rule to trigger an alert when a USB device is disconnected:

<group name="windows-usb-detect,">

  <rule id="111114" level="6">
    <if_sid>60009</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-DriverFrameworks-UserMode/Operational$</field>
    <field name="win.system.eventID">^2102$</field>
    <field name="win.uMDFHostDeviceRequest.requestMinorCode">^2$</field>
    <description>Windows: USB storage disconnected (minor=2) InstanceId=$(win.uMDFHostDeviceRequest.instanceId) on $(win.system.computer)</description>
    <options>no_full_log</options>
  </rule>
</group>

Reload the Wazuh manager ruleset to apply the new rule.

Once this is done, disconnect a USB device from the Windows endpoint to trigger the alert.

I have tested this configuration in my environment, and it is working as expected. I have also attached a screenshot for your reference.

[Yogi Valentino]

So, How's it going?

[Yogi Valentino]

It's working fine but do you have any idea if i want the log is the deviceDescription not the Device ID?

[Bony V John]

Hi,

Currently, we cannot show the deviceDescription in the alert because this field is not available in the Windows eventchannel log. As a result, Wazuh cannot display it in the alert.

The Windows Event ID 2102, which is used to detect USB device disconnection, only contains the device ID. It does not include the device description. Therefore, at this time, it is not possible to display the deviceDescription in the alert.