I came across countless requests for device control and blocking mass storage devices in various forms. The most common is the external blocking storage and monitor access—this time something short and less in the world of incident response or Microsoft Sentinel. Below, a brief guide that focuses on securing, monitoring, and a quick query for MDE.

This post is part of a series of articles that help understand device control with Microsoft Defender for Endpoint and intune. The first article focuses on the complete blocking and monitoring of mass storage devices. It will discuss controlling Mass Storage in many situations, including USB devices, safelists, and others.

The series of articles will focus on the following topics

• Blocking Specific Hardware
• Preventing Write Access Removable Storage
• Control printer protection on Windows

Microsoft Defender for Endpoints has excellent features to protect devices against data loss. This feature provides a layered approach to secure removable hardware like a mass storage device with Device Control. When using Device Control, you could make sure users cannot install specific hardware on the devices or make sure removable storage can’t be used.

The only prerequisite? It would be best to make sure Microsoft Defender for Endpoints is enabled and active, and you’ve got Endpoint Manager to apply the Device Control policy.

Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as removable storage devices and USB drives.

With the device control report, you can view events that relate to media usage, such as:

• Audit events show the number of audit events that occur when external media is connected
• Policy events show the number of policy events that happen when a device control policy is triggered

The audit events include:

• USB drive mounts and unmount audit events are generated when a USB drive is mounted or unmounted.
• PnP audit events are generated when connected by remote storage, a printer, or Bluetooth media.
• Removable storage access control events are generated when triggered by a removable storage access control policy. It can be Audit, blocked, or Allowed.

Block Removable Storage

First, let’s create a policy that blocks mass storage of USB external devices from the Endpoint Manager console. This device control policy is part of the Endpoint Security and Attack Surface Reduction.

When creating the policy, make sure to choose Device Control.

The configuration settings must configure with Block removable storage that provides locking removable storage on the device.

Next, assign the relevant group and create the policy.

Once the policy applies to the Windows 10 machine, we can check if the procedure is working. You can show the following notification on your File Explorer if everything is excellent.

Now that we know we are safe from external mass storage, let’s check how MDE provides excellent insight into the activity.

Monitor Mass Storage

Microsoft Defender for Endpoint provides valuable ways to monitor device control, from Report to Query.

First, let’s understand the threat activity involving USB devices.

• UsbDriveMount
• UsbDriveUnmount
• UsbDriveDriveLetterChanged

Checking USB drive events can help you locate attempts to introduce malware or steal sensitive information through removable drives. Each of these action types includes relevant contextual information, such as:

• Drive letter
• Bus type
• Product name of the device
• Product revision
• Serial number
• Manufacturer
• Volume

MDE Side

#Microsoft Defender for Endpoint Reports option provides information about security trends and tracks the protection status of your identities, data, devices, apps, and infrastructure. One of these reports is Device Control.

Device control in Microsoft Defender for Endpoint empowers admins with tools that enable them to track their organization’s device control security through reports. You can find the device control report in the XDR console by going to Reports > Device protection.

The Device protection card on the Reports dashboard shows the number of audit events generated by media type over the last 180 days. The page provides a dashboard with an aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID.

When you select a specific event, a new window appears on the right side that shows you more information:

• General details with date, action mode, policy, and Access to this event.
• Location details device name, user, and device ID. Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Serial number, and Bus type.

In addition, you can filter the results based on policy and media class.

Once you filter with some values, the results will show like the image below.

From there, we can open Advanced Hunting and query the results that we’ve already got. But it’s not a friendly query, so let’s take something else.

The query below provides a friendly result with names and values that we can understand.

The query available on my GitHub MassStorage_MDE.kusto

Detection

Like any other scenario, we want to know if someone is trying to plug external mass storage and which action is made on each step. This can be done via the detection rule. If you run the query successfully, create a new detection rule. This option automatically prevents devices with alerts from connecting to the network.

If you’re working with device state and it’s recommended to choose informational on severity because

DeviceID is part of the query, so you must choose these entities.

The auto mitigation is cool because you can respond with one or more of the following actions.

Then, select your device group.