New USB Storage Device Mounted

Last updated: 2025-11-11
Created: 2025-11-11

About

Identifies removable storage devices not previously seen for a given host, keyed on device.serial_number and host.id, using Elastic Defend device mount events. Mounting a removable device is not inherently malicious, but analysts can use these events to monitor for data exfiltration over such devices.
Tags
Domain: Endpoint
OS: Windows
OS: macOS
Use Case: Threat Detection
Use Case: Device Control
Tactic: Initial Access
Tactic: Exfiltration
Data Source: Elastic Defend
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)

Exfiltration (TA0010)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.device-*
Related Integrations

endpoint

Query
host.os.type:(macos or windows) and event.type:device and event.action:mount and event.outcome:success and volume.removable:true
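The following Python is an added, offline approximation of what this rule does and is not Elastic's code: it applies the KQL filter above to flattened ECS-style event dictionaries and then runs a new-terms check on the (host.id, device.serial_number) pair, alerting only when that pair has not been seen within a history window. The sample events, the field names as flat dotted keys, and the rolling 7-day history window are all assumptions made for the example; the real new-terms engine evaluates the history window at rule execution time against the index, and the rule's configured window may differ.

```python
"""Offline approximation of the 'New USB Storage Device Mounted' rule logic.

Assumptions (not from the rule page): events are flat dicts with dotted ECS
field names, and a rolling history window stands in for Elastic's new-terms
engine. SAMPLE_EVENTS below are constructed, not real Elastic Defend output.
"""
from datetime import datetime, timedelta

# Constructed sample mount events, in time order.
SAMPLE_EVENTS = [
    # 1. First sighting of SN-1111 on host-A -> alert
    {"@timestamp": "2025-11-10T08:00:00Z", "host.id": "host-A", "host.os.type": "windows",
     "event.type": ["device"], "event.action": "mount", "event.outcome": "success",
     "volume.removable": True, "device.serial_number": "SN-1111"},
    # 2. Same device, same host, an hour later -> already known, no alert
    {"@timestamp": "2025-11-10T09:00:00Z", "host.id": "host-A", "host.os.type": "windows",
     "event.type": "device", "event.action": "mount", "event.outcome": "success",
     "volume.removable": True, "device.serial_number": "SN-1111"},
    # 3. Linux host -> excluded by host.os.type
    {"@timestamp": "2025-11-10T09:30:00Z", "host.id": "host-C", "host.os.type": "linux",
     "event.type": "device", "event.action": "mount", "event.outcome": "success",
     "volume.removable": True, "device.serial_number": "SN-1111"},
    # 4. Same device on a different host -> new pair, alert
    {"@timestamp": "2025-11-10T10:00:00Z", "host.id": "host-B", "host.os.type": "macos",
     "event.type": "device", "event.action": "mount", "event.outcome": "success",
     "volume.removable": True, "device.serial_number": "SN-1111"},
    # 5. Failed mount -> excluded by event.outcome
    {"@timestamp": "2025-11-10T11:00:00Z", "host.id": "host-A", "host.os.type": "windows",
     "event.type": "device", "event.action": "mount", "event.outcome": "failure",
     "volume.removable": True, "device.serial_number": "SN-2222"},
    # 6. Fixed disk -> excluded by volume.removable
    {"@timestamp": "2025-11-10T12:00:00Z", "host.id": "host-A", "host.os.type": "windows",
     "event.type": "device", "event.action": "mount", "event.outcome": "success",
     "volume.removable": False, "device.serial_number": "SN-3333"},
    # 7. SN-1111 on host-A again, ten days later -> aged out of the window, alert
    {"@timestamp": "2025-11-20T08:00:00Z", "host.id": "host-A", "host.os.type": "windows",
     "event.type": "device", "event.action": "mount", "event.outcome": "success",
     "volume.removable": True, "device.serial_number": "SN-1111"},
]


def _has(ev, field, allowed):
    """True if ev[field] (a scalar or an ECS-style list) contains an allowed value."""
    val = ev.get(field)
    vals = val if isinstance(val, list) else [val]
    return any(v in allowed for v in vals)


def matches_query(ev):
    """Mirror of the rule's KQL filter."""
    return (_has(ev, "host.os.type", {"macos", "windows"})
            and _has(ev, "event.type", {"device"})
            and _has(ev, "event.action", {"mount"})
            and _has(ev, "event.outcome", {"success"})
            and ev.get("volume.removable") is True)


def _ts(ev):
    """Parse the ISO-8601 @timestamp (the 'Z' suffix is rewritten for older Pythons)."""
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


class NewTermsDetector:
    """Alert when a (host.id, device.serial_number) pair is first seen, or seen
    again after more than history_window has passed since its last sighting."""

    def __init__(self, history_window=timedelta(days=7)):  # window is an assumption
        self.history_window = history_window
        self.last_seen = {}  # (host.id, serial) -> datetime of last matching mount

    def process(self, ev):
        if not matches_query(ev):
            return None
        key = (ev.get("host.id"), ev.get("device.serial_number"))
        if None in key:
            return None  # new-terms rules skip documents missing a term field
        now = _ts(ev)
        prev = self.last_seen.get(key)
        self.last_seen[key] = now
        if prev is not None and now - prev <= self.history_window:
            return None
        return {"host.id": key[0], "device.serial_number": key[1], "@timestamp": ev["@timestamp"]}


def run(events, history_window=timedelta(days=7)):
    """Feed events in timestamp order and return the alerts raised."""
    det = NewTermsDetector(history_window)
    alerts = []
    for ev in sorted(events, key=_ts):
        alert = det.process(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a['@timestamp']} new removable device {a['device.serial_number']} on {a['host.id']}")
```

Event 7 shows the behaviour that makes a new-terms rule noisy on long-lived devices: once a pair ages out of the history window, the next mount alerts again, so the window length is the main tuning knob for triage volume.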

Install detection rules in Elastic Security

Detect New USB Storage Device Mounted in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.