This article explains how to generate an alert when a USB storage device is connected to a Windows system monitored by Wazuh. You will also learn how to create a list of authorized devices, so that you can detect an unauthorized intrusion.

 

Kibana Dashboard

 

Prerequisites

  • Wazuh 2.0.
  • This use case is prepared for Windows 10 and Windows Server 2016. For other Windows versions you can follow the same process; however, check the number of the event generated (in our case 6416, as seen later in this article) […]