Usb Wazuh

The document outlines a procedure for implementing a real-time USB device detection system on Linux using udev rules and Wazuh Agent to monitor unauthorized USB connections. It highlights the importance of USB detection for preventing data theft, incident response, and compliance, detailing SOC responsibilities such as monitoring, alerting, log analysis, and policy enforcement. The document also provides step-by-step instructions for setting up the detection mechanism and integrating it with Wazuh for alert management.

Uploaded by Luis Cepeda

🧪 Objective:

Implement a real-time USB device detection mechanism on Linux (Kali) using a udev
rule and Wazuh Agent. The goal is to monitor unauthorized USB connections and
generate alerts in Wazuh Dashboard.

🔍 Basic Concept: USB Detection with Wazuh


USB detection with Wazuh involves monitoring and alerting when a USB device (like a
flash drive or external HDD) is connected to or removed from a system. This is
important for security, especially in environments where data exfiltration or malware
spreading via USB is a risk.

🎯 Why USB Detection is Useful


• 🛡 Prevents Data Theft: Detects unauthorized USB use in secure environments.
• 🧪 Incident Response: Tracks potential malware sources introduced by USBs.
• 🧾 Audit & Compliance: Helps meet compliance requirements (e.g., ISO 27001, HIPAA).
• 📈 Behavioral Monitoring: Identifies suspicious user behavior (e.g., plugging in devices outside working hours).

🔐 SOC Responsibilities for USB Detection


1. 📡 Real-time Monitoring
   SOC analysts watch Wazuh dashboards for alerts related to USB device insertion/removal.

2. 🚨 Incident Detection & Alerting
   When a USB is connected (especially on sensitive systems), Wazuh sends an alert.
   The SOC team reviews the alert to decide if it's suspicious or authorized.

3. 🔎 Log Analysis
   Analysts investigate logs collected by Wazuh:
   ○ Who connected the USB?
   ○ When and where?
   ○ What device type?
   ○ Was data copied or executed?

4. 🚫 Response & Containment
   If the USB is unauthorized, SOC may:
   ○ Disconnect the device remotely (if supported)
   ○ Isolate the machine from the network
   ○ Alert IT or HR

5. 📁 Reporting & Documentation
   Every USB-related alert must be:
   ○ Logged
   ○ Classified (e.g., harmless, policy violation, threat)
   ○ Reported in incident tracking systems

6. 📚 Policy Enforcement
   SOC ensures only authorized USB devices are allowed based on company policy.
   Repeated USB alerts may lead to security policy updates.

Step 1: List all USB devices currently connected to your Linux system.

Step 2: Create a udev Rule (Run Script on USB Detection)

Step 3: Create a Script to Save USB Information


Step 5: Test It — Plug in a USB Device

Step 6: Edit the Wazuh Agent configuration file (ossec.conf).

Step 7: Add this <localfile> block next to the existing <localfile> entries, inside <ossec_config>:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/usb_detect.json</location>
</localfile>

Step 8: Restart Wazuh Agent

sudo systemctl restart wazuh-agent

Step 9: Add the Rule on the Wazuh Server

sudo nano /var/ossec/etc/rules/local_rules.xml

<group name="usb,local,">
  <!-- Fires on every JSON record from /var/log/usb_detect.json that carries a
       non-empty "device" field (\.+ is Wazuh regex syntax for "one or more of any character"). -->
  <rule id="100100" level="7">
    <decoded_as>json</decoded_as>
    <field name="device">\.+</field>
    <description>USB device detected</description>
  </rule>
</group>
<!-- Restart the Wazuh manager after saving so the new rule is loaded. -->

Step 10: Check the alert on the Wazuh dashboard.
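Steps 2 and 3 name the udev rule and the logging script but do not show them. What follows is an added example, not part of the original document: the rule line appears in the leading comment, the script below it produces the JSON records that the Step 7 <localfile> block collects and the Step 9 rule matches on its "device" field. The rule file name (/etc/udev/rules.d/99-usb-detect.rules), the script path (/usr/local/bin/usb_detect.sh) and the JSON field names are assumptions chosen here.

```shell
#!/bin/sh
# Udev rule (saved as /etc/udev/rules.d/99-usb-detect.rules, a name chosen for
# this example) that runs this script on every USB device add/remove event:
#   ACTION=="add|remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/usb_detect.sh"
# udev hands the event to the script as environment variables; the script
# appends one JSON line per event to the file Step 7 points Wazuh at.

LOGFILE="${USB_DETECT_LOG:-/var/log/usb_detect.json}"

# Strip newlines and escape backslashes and double quotes, so a crafted
# vendor/model string cannot break the JSON record or the Wazuh json decoder.
json_escape() {
    printf '%s' "$1" | tr -d '\n\r' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the JSON record from udev's environment. ID_* properties are usually
# absent on "remove" events, so every field has a fallback value.
# The "device" key is required: the Step 9 rule matches on it.
usb_event_json() {
    action=$(json_escape "${ACTION:-unknown}")
    device=$(json_escape "${DEVNAME:-unknown}")
    vendor=$(json_escape "${ID_VENDOR:-unknown}")
    model=$(json_escape "${ID_MODEL:-unknown}")
    serial=$(json_escape "${ID_SERIAL_SHORT:-unknown}")
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '{"timestamp":"%s","event":"usb_device","action":"%s","device":"%s","vendor":"%s","model":"%s","serial":"%s"}\n' \
        "$ts" "$action" "$device" "$vendor" "$model" "$serial"
}

# Append the record. udev runs RUN+= programs as root, so keep the log file
# root-owned and not world-writable: nothing else should be able to forge events.
log_usb_event() {
    usb_event_json >> "$LOGFILE"
}

# Only write when invoked by udev (ACTION is set), so the file can be sourced
# for testing without touching the log.
if [ -n "${ACTION:-}" ]; then
    log_usb_event
fi
```

Each event becomes one line such as {"timestamp":"...","event":"usb_device","action":"add","device":"/dev/bus/usb/001/005",...}, which is what Step 5 should show appearing in /var/log/usb_detect.json after a device is plugged in.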
