USB device logs

[barakaldes]

Hi guys,
I only need the usb device events (when a user write or read files from usb and things like that). Could you tell me how can i get this information? In Crowdstrike dashboard (USB Device Control section) i can see info about the access but in the api I can not find it.
Thanks

[jshcodes]

Hi @barakaldes!

USB device events can be consumed using the Falcon Data Replicator (FDR) project.

(Please note: the Event Streams API will contain policy changes but not USB device events.)

More details on using Falcon Data Replicator can be found in the CrowdStrike documentation repository.

Hope this helps! 😄

[barakaldes]

Thanks! I am reviewing the Falcon Data Replicator (Primary events, Secondary events). And i don't know where are the usb device events. :(
what is the query to get usb device info?
¡Thank you!

[tsullivan06]

@barakaldes - The USB events are located in the 'Data' folder events. You'll need to decompress them to start and then you can determine what event types they are. The Events Data Dictionary in the Falcon UI (see link above) can help you identify the event types that you're looking for (search for events starting with DcUsb)

[barakaldes]

Sorry but I can't find events of type "DcUsb" in the documentation of Crowdstrike. In the FDR documentation i dont see "DcUsb" anywhere.

[tsullivan06]

It's not in the FDR documentation - it's in the Events Data Dictionary (it's in the same location as the FDR documentation in the UI)

[barakaldes]

thanks @tsullivan06 ,
I see DcUsbConfigurationDescriptor, DcUsbDeviceBlocked, DcUsbDeviceConnected....
but only one question more. We need FDR but: Do we need insights? or only with FDR is enough?
Thanks guys

[jshcodes]

Event types are dependent on modules that would produce the event. If you don't have device control, those events may not be collected