
Configure the Detach USB Device active response in LEM

Updated: September 7, 2018

Use the Windows active response to detach a USB device from a LEM Agent running USB Defender. This action is useful for allowing only specific devices to be attached to your Windows computers or for detaching any device exhibiting suspicious behavior. It can be automated in a LEM rule or executed manually from the Respond menu on the Manage > Nodes page.

USB Defender is an option when the Agent is originally installed. If it was not installed at that time, reinstall the Agent with USB Defender. Additionally, configure the Windows Active Response tool on each LEM Agent where you require an active response.

Verify that USB Defender is installed on a LEM Agent

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Nodes.

  3. If you have a long list of nodes, filter your list using the Node, OS, or USB drop-down menus.

    You can install USB Defender only on Windows Agents.

  4. Locate the USB icon in the USB column, indicating that USB Defender is installed on the node.

  5. If USB Defender is not installed on one or more LEM Agents, reinstall the Agent and ensure that you select Install USB-Defender after you confirm the Manager Communication Settings.

Configure the Windows Active Response connector on a LEM Agent

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Nodes.

  3. Locate the LEM Agent that requires a new connector.

  4. Next to the Agent, click the gear icon, and then select Connectors.

  5. In the Refine Results search box, enter Windows Active Response.

  6. Next to the connector, click the gear icon, and then select New.

  7. Enter a custom alias name for the new connector, or accept the default.

  8. Click Save.

  9. Next to the new connector, click the gear icon, and then select Start.

  10. To exit the Connector Configuration window, click Close.

Detach USB devices

By default, USB devices are audited, and the USB File Audit Activity filter displays those events. The filter is set for FileAuditAlerts.ProviderSID=*USB*. To monitor all USB device activity, create a filter for AnyAlert.ProviderSID=*USB*.

USB devices are not detached by default. You must configure a rule to detach the device. The Templates grid includes several templates you can clone and modify as needed.

You can enforce USB Defender policy locally. See Configure the USB Defender local policy connector in LEM for details.
