debian/ossec-hids/var/ossec/rules/ms1016_usbdetect_rules.xml

   1 <!-- OSSEC USB-detection Rule for Windows 2016 / Windows 10 (previous versions does not log usb connection) - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416 -->
   2
   3 <group name="windows,usb,">
   4   <rule id="53626" level="8">
   5     <if_sid>18104</if_sid>
   6     <id>^6416$</id>
   7     <description>A new external device was recognized by the System</description>
   8     <group>windows,</group>
   9   </rule>
  10 </group>