Feb 04 2023 12:31 PM
I configured Device control for removable storage via GPO, using the 2 XMLs described here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storag...
I am wondering if there is any place on the endpoint (Windows 10) to look for logs when removable storage is blocked, like the event log or something, so that I do not have to use Advanced hunting (https://security.microsoft.com/v2/advanced-hunting).
I also cannot find any information about blocking Bluetooth-connected storage (like pairing a phone and copying files via Bluetooth). Anyone?
Mar 08 2023 11:11 AM - edited Mar 08 2023 11:12 AM
You can use advanced hunting for it. Query:
DeviceEvents
| where DeviceName contains "hostname"   // replace "hostname" with the endpoint's device name
| where ActionType contains "Pnp"        // any Pnp* action type (case-insensitive match)
OR
DeviceEvents
| where DeviceName contains "hostname"   // replace "hostname" with the endpoint's device name
| where ActionType == "PnpDeviceConnected" and Timestamp > ago(7d)
| extend AF = parse_json(AdditionalFields)   // parse the JSON payload once, then pull the fields
| extend ClassName = tostring(AF.ClassName),
         DeviceId = tostring(AF.DeviceId),
         VendorIds = tostring(AF.VendorIds),
         DeviceDescription = tostring(AF.DeviceDescription)
| where ClassName contains "drive" or ClassName contains "usb"   // keep only storage-like device classes
| project Timestamp, DeviceName, ClassName, DeviceDescription, DeviceId, VendorIds
Change the "ago(7d)" value to however many days you want to go back.
You can also check Security Event ID 6416 in Event Viewer.
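For the local-log side of the question, the following PowerShell is an added example (not posted by either participant) that does on the endpoint what the KQL above does in Advanced hunting: it reads Security event 6416 ("A new external device was recognized by the system") for the last N days, pulls ClassName, DeviceDescription, DeviceId and VendorIds out of the event's EventData, and keeps only classes matching "drive" or "usb". It assumes the "Audit PNP Activity" subcategory of the advanced audit policy is enabled on the host, since 6416 is not written otherwise, and that the shell has rights to read the Security log (normally an elevated prompt). The function name and parameters are the example's own choices.

```powershell
# Added example: local equivalent of the PnpDeviceConnected hunting query.
# Assumes "Audit PNP Activity" is enabled so that Security event 6416 is logged.
function Get-PnpStorageEvents {
    param(
        [int]$Days = 7,                               # same role as ago(7d) in the KQL
        [string[]]$ClassPattern = @('drive', 'usb')   # same ClassName filter as the KQL
    )

    # Case-insensitive regex built from the class patterns (PowerShell -match is case-insensitive).
    $classRegex = ($ClassPattern | ForEach-Object { [regex]::Escape($_) }) -join '|'

    $filter = @{
        LogName   = 'Security'
        Id        = 6416
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 6416 carries its details as <Data Name="..."> elements under EventData.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        [pscustomobject]@{
            Timestamp         = $_.TimeCreated
            DeviceName        = $_.MachineName
            ClassName         = $data['ClassName']
            DeviceDescription = $data['DeviceDescription']
            DeviceId          = $data['DeviceId']
            VendorIds         = $data['VendorIds']
        }
    } | Where-Object { $_.ClassName -match $classRegex }
}

# Usage: list storage-class PnP arrivals from the last 7 days on this host.
Get-PnpStorageEvents -Days 7 | Sort-Object Timestamp -Descending | Format-Table -AutoSize
```

Note that 6416 records that a device was recognized by Plug and Play; it does not by itself say whether the Defender device-control policy later allowed or blocked access, so treat it as the local "something was plugged in" trail to correlate with the policy result rather than as the block decision itself.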