Monitor for plug in of USB volume. Output drive letter for additional enrichment artifacts
name: Windows.Monitor.USBPlugIn
description: |
Monitor for plug in of USB volume. Output drive letter for
additional enrichment artifacts
type: CLIENT_EVENT
sources:
- query: |
SELECT
timestamp(winfiletime=int(int=Parse.TIME_CREATED)) as TimeCreated,
Parse.DriveName as DriveName,
Parse.EventType as EventType,
Parse.__Type as Source,
Raw
FROM wmi_events(
query="SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2",
namespace="ROOT/CIMV2",
wait=50000000)