Can my Mac agent get USB events?


SUMMARY

Oct 29, 2015

When a USB drive is inserted, it generates kernel events that the Snare Enterprise Agent for OSX picks up.
When the file system is then mounted to access the files, this also generates mount kernel events, which the agent picks up as well.
The same applies to CD-ROM devices: when a CD-ROM is inserted, it gets mounted and raises kernel events.
The default objective settings for the Snare Enterprise Agent for OSX cover these events. The objectives also cover any execve system calls for commands that are run from the USB/CD-ROM devices.
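As an added illustration (not code from Snare or from the original page), the following script shows the two detections the answer describes, run over constructed audit records: successful mount(2) events for volumes under /Volumes, and execve(2) events whose executable path lies on such a volume. The comma-separated praudit-style token format and the /Volumes prefix are assumptions about the event source, not a description of the Snare agent's own output.

```python
# Constructed audit records in the comma-separated token style of OpenBSM
# `praudit` output (an assumption about the event source, not Snare output).
SAMPLE_AUDIT = """\
header,96,11,mount(2),0,Thu Oct 29 09:12:01 2015, + 120 msec
path,/Volumes/USB_STICK
return,success,0
trailer,96
header,140,11,execve(2),0,Thu Oct 29 09:12:40 2015, + 5 msec
exec arg,/Volumes/USB_STICK/setup.sh
path,/Volumes/USB_STICK/setup.sh
return,success,0
trailer,140
header,120,11,execve(2),0,Thu Oct 29 09:13:02 2015, + 9 msec
exec arg,/bin/ls,-l
path,/bin/ls
return,success,0
trailer,120
"""

REMOVABLE_PREFIX = "/Volumes/"  # where macOS mounts USB and CD-ROM media
WATCHED_EVENTS = ("mount(2)", "execve(2)")

def parse_praudit(text):
    """Group praudit-style token lines into records: header ... trailer."""
    records, current = [], None
    for line in text.splitlines():
        tokens = line.split(",")
        if tokens[0] == "header":
            # tokens[3] is the event name, e.g. "mount(2)" or "execve(2)"
            current = {"event": tokens[3], "paths": [], "success": False}
        elif current is None:
            continue  # tokens outside a header/trailer pair are ignored
        elif tokens[0] == "path":
            current["paths"].append(tokens[1])
        elif tokens[0] == "return":
            current["success"] = tokens[1] == "success"
        elif tokens[0] == "trailer":
            records.append(current)
            current = None
    return records

def removable_media_alerts(text):
    """Return (event, path) pairs for successful mounts of, and execs from, /Volumes."""
    alerts = []
    for rec in parse_praudit(text):
        if rec["success"] and rec["event"] in WATCHED_EVENTS:
            alerts.extend((rec["event"], p) for p in rec["paths"]
                          if p.startswith(REMOVABLE_PREFIX))
    return alerts
```

The benign execve of /bin/ls in the sample is parsed but not reported, since its path is not on a removable volume.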