
Removable Drive Access Control (Optional)

USB ACCESSES


If enabled, you can monitor access to removable devices (USB sticks, external drives, SD or MicroSD cards) on all machines in the network.

A short guide on enabling the recording of these events is available by clicking the (i) button.

By enabling the notification option, you will receive an alert every time a user inserts a removable device.

⚠️ Warning: Some virtualization platforms may present their virtual drives as if they were removable drives.

In this case it is Windows itself that is being “tricked” into treating the virtual drive as removable.

Event 6416 Logging
Support for Windows event 6416 has been introduced. It enables automatic logging of external device connections detected through the Plug and Play mechanism.

In particular, this applies to USB devices with storage capabilities, such as:

  • USB flash drives

  • External hard drives

  • USB smart cards

  • Other removable storage devices


The event is stored under the WINLOG source, in the Plug and Play Events category, with details of the device type and hardware description.

Integration with the SOC Module

The SOC module uses these events to:

  • Report the insertion of USB devices on specific PCs

  • Generate targeted notifications or alarms (e.g., tracking by user or workstation)

  • Provide advanced details (for customers with the active USB plugin), including the contents of connected devices

Alarm Functionality

Event 6416 can be configured as an individual alarm, allowing you to set up automatic notifications based on specific criteria, such as:

  • Insertion by a specific user

  • Connection on a specific machine

  • Detection of a particular device type

Enabling Event 6416 Logging

To enable event logging, configure the following security audit policy:

Local Security Policy →
Advanced Audit Policy Configuration →
System Audit Policies → Detailed Tracking →
Audit PNP Activity

Set the option to: Success and Failure ✅
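
The same policy can be set from an elevated PowerShell prompt, and the resulting 6416 events checked directly on the host against criteria like the alarm options above. This is an added example, not part of the product or its guide; the lookback window, the watch-list of device classes and the variable names are assumptions.

```powershell
# Added example; run in an elevated PowerShell session on the monitored host.
# GUID of the "Plug and Play Events" subcategory (Audit PNP Activity). Using the
# GUID instead of the name keeps the command working on localized Windows.
$pnpGuid = '{0CCE9248-69AE-11D9-BED3-505054503030}'

# 1. Enable Success and Failure auditing, then show the effective setting.
#    A domain GPO that defines this subcategory will override the local value
#    at the next policy refresh.
auditpol /set "/subcategory:$pnpGuid" /success:enable /failure:enable | Out-Null
auditpol /get "/subcategory:$pnpGuid"

# 2. Assumed criteria, modelled on the alarm options described on this page.
$since        = (Get-Date).AddHours(-24)               # constructed lookback window
$watchClasses = 'DiskDrive', 'WPD', 'SmartCardReader'  # assumed device setup classes
$watchHost    = $null                                  # a workstation name; $null = any

$filter = @{ LogName = 'Security'; Id = 6416; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData holds named <Data> elements; index them by name.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Computer    = $evt.MachineName
            Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ClassName   = $data['ClassName']
            Description = $data['DeviceDescription']
            DeviceId    = $data['DeviceId']
        }
    } |
    Where-Object {
        $_.ClassName -in $watchClasses -and
        (-not $watchHost -or $_.Computer -like "$watchHost*")
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

An empty result right after enabling the policy is expected: only devices connected after the audit setting takes effect generate event 6416.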


AI ANALYSIS

The new AI Analysis button is available in the log grids (subject to a dedicated license).

This feature allows you to send up to 100 displayed events to the AI, which analyzes them to automatically highlight critical or suspicious logs, providing a contextual and readable assessment even for less experienced users.

The goal is to offer advanced interpretative support, improving the understanding of security logs and speeding up the identification of potentially risky actions.

If more than 100 logs are selected, the system will display a warning and analyze only the first 100.

The generated report can be printed and exported.
