Chain: (1) a new external device is recognized by Windows (USB/Thunderbolt/PCIe) or a new block device appears; (2) within a short window, the same user/session spawns processes or the OS mounts a new volume; (3) optional follow-on activity such as HID keystroke injection, a DMA-capable driver load, or a new network-interface MAC obtaining a DHCP lease. Correlate Security EID 6416 / Kernel-PnP with Sysmon and DHCP/network metadata.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | WinEventLog:Security | EventCode=6416 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=22 |
| Drive Creation (DC0042) | WinEventLog:System | Kernel-PnP 410/400 device install, disk added |
| Network Traffic Flow (DC0078) | wineventlog:dhcp | DHCP Lease Granted |
| Field | Description |
|---|---|
| TrustedDeviceVIDPID | Vendor/Product IDs that are approved (e.g., keyboards, mice). Unknown or rare VID:PID pairs raise risk. |
| ExpectedBusTypes | Allow-listed bus types for server classes (e.g., USB disabled on DCs). |
| TimeWindow | Correlation window between device recognition and follow-on process/mount/network activity (e.g., 10m–60m). |
| TrustedMACs | Known NIC/USB-NIC MAC addresses allowed by policy. |
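A minimal implementation of the Windows chain above, added here as an example (not code from the original page or from any vendor tooling): it applies the TrustedDeviceVIDPID and TimeWindow tunables to constructed Security 6416 / Sysmon / Kernel-PnP events and raises an alert only when an untrusted device arrival is followed by activity on the same host within the window. The dict field names are assumed normalisations of the event fields, not the raw event schema.

```python
import re
from datetime import datetime, timedelta

# Tunables from the table above; the values are constructed for this example.
TRUSTED_VIDPID = {"046D:C52B"}        # corporate-issued keyboard/mouse receiver
TIME_WINDOW = timedelta(minutes=10)   # TimeWindow: arrival -> follow-on activity
# (source, EventCode) pairs treated as follow-on activity per the data-component table
FOLLOW_ON = {("Sysmon", 1), ("Sysmon", 6), ("Sysmon", 22), ("System", 410), ("System", 400)}

# Constructed sample telemetry (already normalised into dicts; not real logs).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "Security", "eid": 6416, "host": "WS01",
     "user": "ACME\\jdoe", "device_id": "USB\\VID_046D&PID_C52B\\7&1A2B"},
    {"ts": "2024-05-01T09:00:04", "src": "Security", "eid": 6416, "host": "WS01",
     "user": "ACME\\jdoe", "device_id": "USB\\VID_1D50&PID_6089\\5&33C1"},
    {"ts": "2024-05-01T09:00:06", "src": "Sysmon", "eid": 1, "host": "WS01",
     "user": "ACME\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2024-05-01T09:00:09", "src": "System", "eid": 410, "host": "WS01"},
    {"ts": "2024-05-01T09:45:00", "src": "Sysmon", "eid": 1, "host": "WS01",
     "user": "ACME\\jdoe", "image": "C:\\Windows\\explorer.exe"},  # outside window
]

def vidpid(device_id):
    """Extract 'VID:PID' from a Windows device instance path, or None if absent."""
    m = re.search(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})", device_id)
    return f"{m.group(1).upper()}:{m.group(2).upper()}" if m else None

def ts(event):
    return datetime.fromisoformat(event["ts"])

def correlate(events, trusted=TRUSTED_VIDPID, window=TIME_WINDOW):
    """Link each untrusted device arrival (Security 6416) to follow-on events on
    the same host within the window; returns one alert dict per such arrival."""
    alerts = []
    for a in (e for e in events if e["src"] == "Security" and e["eid"] == 6416):
        vp = vidpid(a["device_id"])
        if vp in trusted:
            continue                      # allow-listed accessory: suppress
        t0 = ts(a)
        follow = [e for e in events
                  if e is not a and e["host"] == a["host"]
                  and t0 <= ts(e) <= t0 + window
                  and (e["src"], e["eid"]) in FOLLOW_ON
                  and e.get("user", a["user"]) == a["user"]]   # System events carry no user
        if follow:
            alerts.append({"host": a["host"], "user": a["user"], "vidpid": vp,
                           "follow_on": [(e["src"], e["eid"]) for e in follow]})
    return alerts
```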
Chain: (1) udev / kernel logs show hot-plug (USB/Thunderbolt/PCIe); (2) block device created by udisks/diskarbitration; (3) optional: new network interface or DHCP lease observed. Correlate /var/log/messages|syslog, auditd SYSCALL open/creat on /dev, and DHCP/Zeek.
| Data Component | Name | Channel |
|---|---|---|
| Drive Creation (DC0042) | auditd:SYSCALL | mknod,open,openat |
| Application Log Content (DC0038) | linux:syslog | usb * new\|thunderbolt\|pci .* added\|block.*: new .* device |
| Network Traffic Flow (DC0078) | NSM:Flow | LEASE_GRANTED |
| Field | Description |
|---|---|
| BlocklistDeviceStrings | Indicators such as 'RubberDucky', 'BadUSB', unfamiliar USB-NIC chipsets. |
| ServerClassesNoUSB | Hosts where any USB attach should alert (DCs, hypervisors). |
| DHCPVlanScopes | Scopes allowed to issue leases for corp endpoints vs. guest/IoT. |
Chain: (1) unified logs report IOUSBHost/IOThunderbolt device arrival; (2) diskarbitrationd attaches a new volume; (3) optional: config profile manipulation or new network interface MAC obtains a lease. Correlate unifiedlogs (subsystems: IOUSBHost, IOKit, diskarbitrationd), FSEvents, and DHCP/Zeek.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Device attached\|enumerated VID/PID |
| Drive Creation (DC0042) | macos:unifiedlog | mounted\|appeared\|DA: disk* attached |
| Network Traffic Flow (DC0078) | NSM:Flow | MAC not in allow-list acquiring IP (DHCP) |
| Field | Description |
|---|---|
| ManagedUSBPolicy | MDM profile expectations for external media and Thunderbolt mode; deviations alert. |
| KnownAppleAccessories | VID/PID for corporate-issued docks/keyboards. |