I want to block absolutely all USB devices except keyboards and mice - I have created a rule but it does not appear to work!
The rule is quite simple -
Correlations: SystemStatus.EventInfo="Attached", SystemStatus.ProviderSID="USB"
Correlation Time: Events Within: 30 seconds; Response Window: 5 minutes (default)
Actions: Detach USB Device - Agent: SystemStatus.InspectionIP; Device: SystemStatus.ExtraneousInfo
Rule is enabled and shows no errors.
I am a bit of a beginner with this and would appreciate any help and comments.
FIXED! Changed the constants - removed quotes and put wildcard at end (*). All working great.
i.e. "Attached" becomes Attached* and "USB" becomes USB*