How to configure "A new external device was recognized by the System" / "Windows: PNP device connected" in Windows Home edition


Yolanda Prieto

Oct 25, 2017, 2:17:55 PM
to Wazuh mailing list


Hi All,

Following the instructions in this link:
I configured the Local Security Policy.

I was able to detect the event: 6416(S): A new external device was recognized by the System


In the controller 
In the manager configuration:
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  .....

  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>oss...@example.wazuh.com</email_from>
    <email_to>ppp...@yyyyyy.com</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

In local rules I added:

<rule id="100003" level="12">
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <description>Windows: PNP device connected.</description>
</rule>

And it works perfectly. I configured it in Windows 10 (this link states: "This use case is prepared for Windows 10 and Windows Server 2016").



Looking for a solution for another version of Windows, I found this link:
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista


But now I found that for other versions of Windows (for example Windows 7 Home edition), those instructions are not suitable.

Do you know how to configure it, for example, for Windows Home editions? Has someone had this problem before?

Thanks for any advice.
Regards
Yolanda
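As an added illustration, not part of the original thread and not Wazuh's own code, here is the rule chain from the post modelled in Python: rule 18104's real match conditions are simplified to "any decoded Windows event", the event dictionaries are constructed, and the function and field names are assumptions. It shows why the anchored `^6416$` pattern matters and how `log_alert_level` / `email_alert_level` decide what each matched level triggers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified model of Wazuh rule chaining (<if_sid>, <id>) and ossec.conf
# alert thresholds. Field names and the "source" check are assumptions.
@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    if_sid: Optional[int] = None    # parent rule that must have matched first
    id_regex: Optional[str] = None  # Windows event ID pattern, e.g. ^6416$

# 18104 is Wazuh's stock "Windows informational event" parent rule
# (its own conditions simplified here); 100003 is the local rule from the post.
RULES = [
    Rule(18104, 3, "Windows informational event."),
    Rule(100003, 12, "Windows: PNP device connected.",
         if_sid=18104, id_regex=r"^6416$"),
]

LOG_ALERT_LEVEL = 3     # <log_alert_level>3</log_alert_level>
EMAIL_ALERT_LEVEL = 12  # <email_alert_level>12</email_alert_level>


def match_rules(event: dict) -> Optional[Rule]:
    """Return the most specific rule matched, walking the if_sid chain."""
    matched = None
    for rule in RULES:
        if rule.if_sid is None:
            # Assumption: the parent rule fires for any decoded Windows event.
            if event.get("source") != "windows":
                continue
        elif matched is None or matched.rule_id != rule.if_sid:
            continue  # parent rule did not match, so the child cannot
        if rule.id_regex and not re.search(rule.id_regex, event["event_id"]):
            continue
        matched = rule
    return matched


def alert_actions(event: dict) -> dict:
    """Decide whether the event is logged and/or e-mailed, per ossec.conf."""
    rule = match_rules(event)
    if rule is None:
        return {"rule": None, "log": False, "email": False}
    return {"rule": rule.rule_id,
            "log": rule.level >= LOG_ALERT_LEVEL,
            "email": rule.level >= EMAIL_ALERT_LEVEL}
```

Event ID "64160" only reaches rule 18104 (level 3), so it is logged but not e-mailed; a non-Windows source matches nothing.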



Alberto Marín

Oct 25, 2017, 9:22:48 PM
to Wazuh mailing list
Hi Yolanda,

The 'Audit PNP Activity' policy is available from Windows 8.1 and Windows Server 2012R2. For older Windows versions this option is not included.

Regards.
