Endpoint USB Activity Detection Script
Safetica DLP script: Data loss incidents frequently originate from simple endpoint actions — removable media being one of the most common.
This script demonstrates how endpoint-level signals can support user activity analysis and complement Safetica policies.
Use Case
- Identify unauthorized USB usage
- Validate DLP coverage
- Support insider risk investigations
Logic Overview
- Queries connected USB devices
- Logs connection timestamps
- Maps activity to user sessions
Conceptual Snippet
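# Lists each USB controller-to-device association (Windows PowerShell; PowerShell 7 uses Get-CimInstance instead)
Get-WmiObject Win32_USBControllerDevice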
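The three steps in the Logic Overview, carried through as an added PowerShell example (not Safetica's or this page's own script): it polls the class from the conceptual snippet, logs devices that were absent from the previous poll, and attributes them to the console user. The `UsbAudit` folder, file names and CSV columns are assumptions, and the timestamp is when the poll observed the device, not the exact plug-in moment.

```powershell
# Added example. The UsbAudit paths and CSV columns are assumptions, not Safetica settings.
$Dir       = Join-Path $env:ProgramData 'UsbAudit'   # hypothetical working folder
$StatePath = Join-Path $Dir 'last-snapshot.txt'      # device IDs seen by the previous poll
$LogPath   = Join-Path $Dir 'usb-activity.csv'       # append-only activity log
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# 1. Query connected USB devices. Each Win32_USBControllerDevice row links a
#    controller (Antecedent) to an attached device (Dependent, keyed by DeviceID).
#    Win32_PnPEntity supplies the friendly name and driver service for that ID.
$pnp = @{}
Get-CimInstance -ClassName Win32_PnPEntity | ForEach-Object { $pnp[$_.DeviceID] = $_ }
$current = @(Get-CimInstance -ClassName Win32_USBControllerDevice | ForEach-Object {
    $id = $_.Dependent.DeviceID
    [pscustomobject]@{ DeviceID = $id; Name = $pnp[$id].Name; Service = $pnp[$id].Service }
})

# 2. Log connection timestamps. A poll only knows when it first observed a
#    device, so anything absent from the previous snapshot counts as new.
#    The first run therefore logs every attached device as a baseline.
$seenUtc  = (Get-Date).ToUniversalTime().ToString('o')
$previous = @(if (Test-Path $StatePath) { Get-Content -Path $StatePath })
$new      = @($current | Where-Object { $_.DeviceID -notin $previous })

# 3. Map activity to a user session. Win32_ComputerSystem.UserName is the
#    console user and can be empty when only remote sessions are logged on.
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

if ($new.Count -gt 0) {
    $new | ForEach-Object {
        [pscustomobject]@{
            FirstSeenUtc = $seenUtc
            Computer     = $env:COMPUTERNAME
            User         = $user
            DeviceID     = $_.DeviceID
            Name         = $_.Name
            Service      = $_.Service
        }
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Save this poll's device IDs so that an unplug followed by a re-plug is logged again.
$current | ForEach-Object { $_.DeviceID } | Set-Content -Path $StatePath
```

Run at a fixed interval, the CSV gives an investigator one row per observed connection to compare against DLP policy events for the same user and time window.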
Notes
- Visibility ≠ enforcement
- Best used alongside DLP platforms
- Requires policy context
