projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / etc / rules / ms1016_usbdetect_rules.xml
diff --git a/etc/rules/ms1016_usbdetect_rules.xml b/etc/rules/ms1016_usbdetect_rules.xml
new file mode 100644 (file)
index 0000000..24fd618
--- /dev/null
+++ b/etc/rules/ms1016_usbdetect_rules.xml
@@ -0,0 +1,10 @@
+<!-- OSSEC USB-detection Rule for Windows 2016 / Windows 10 (previous versions does not log usb connection) - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416 -->
+
+<group name="windows,usb,">
+  <rule id="53626" level="8">
+    <if_sid>18104</if_sid>
+    <id>^6416$</id>
+    <description>A new external device was recognized by the System</description>
+    <group>windows,</group>
+  </rule>
+</group>
ossec-hids