/
Can my MAC agent get USB events?

Can my MAC agent get USB events?

Owned by Carlos Osorio
Nov 09, 2020
1 min read


SUMMARY

Oct 29, 2015

When a USB drive is inserted, it will generate kernel events which the Snare Enterprise Agent for OSX will pick up.
When you mount the file system to access the files these will also generate mount kernel events which the agent will pick up on.
The same applies to CDROM devices, so when the CDROM is inserted, it gets mounted and will raise kernel events.
The default objective settings for the Snare Enterprise Agent for OSX covers these events. Also covered in the objectives are any execve system calls for any commands that are run from the USB/CDROM devices.

Related content

Permissions and UAC
Permissions and UAC
Snare Solutions
Read with this
About this Guide
About this Guide
Snare macOS Agent v5 Documentation
More like this
Overview of the Snare Agents
Overview of the Snare Agents
Snare Windows Agent v5 Documentation
More like this
Release Notes for Snare Windows Agent with Event Collection v5.2.1
Release Notes for Snare Windows Agent with Event Collection v5.2.1
Snare Windows WEC Agent v5 Documentation
More like this
Log Files
Log Files
Snare macOS Agent v5 Documentation
More like this
Guide_to_Snare_for_OSX-1.1
Guide_to_Snare_for_OSX-1.1
Snare Solutions
More like this