INCIDENT RESPONSE — EASY ⭐⭐
IR-04
USB DEVICE INSERTION — DLP / ENDPOINT TRIAGE

OBJECTIVES

Read the incident ticket
Find the USB insertion event (Event 2003)
Identify the device name and serial number
Determine which files were accessed
Identify if data was copied to the device
Check which DLP policies were violated
Submit the IR report
PHASE 1 — TRIAGE
MISSION BRIEF
IR-07 — EASY ⭐⭐ — SEC+ / CySA+

USB DEVICE INSERTION ALERT

TICKET: SOC-IR-0047 | Host: HR-WORKSTATION-04 | Priority: HIGH

SCENARIO

The DLP system triggered an alert when a USB mass storage device was inserted into HR-WORKSTATION-04, a restricted endpoint in the HR department. USB storage is prohibited on HR workstations per policy. Your job is to examine Windows Event Viewer and the file access log to determine what — if anything — was copied to the device.

WHAT TO DO

  • Read the Incident Ticket first
  • Open Event Viewer — find the USB insertion event and device details
  • Check the File Access Log — which files were opened and copied?
  • Review DLP Policies — which policies were violated?
  • Complete and submit the IR Report

KEY CONCEPTS

Windows Event ID 2003 — logged when a removable storage device connects. Contains device name, serial number, and the user account active at insertion.

Data Loss Prevention (DLP) — security controls that detect and prevent unauthorised data transfer. USB DLP policies restrict which devices can connect to which endpoints.

Insider threat indicators — large file copies to external storage, especially from HR or finance systems, are a key data exfiltration indicator regardless of whether the employee is malicious or negligent.

HOST DETAILS

Item             Detail
Hostname         HR-WORKSTATION-04
User             m.chen (Margaret Chen, HR Coordinator)
OS               Windows 11 Pro
Classification   Restricted — HR data
USB policy       Prohibited — all removable storage
INCIDENT TICKET — SOC-IR-0047

SOC-IR-0047 — Unauthorised USB Device on Restricted Host

Severity:      HIGH
Created:       2026-05-10 14:22 UTC
Source:        DLP System — USB insertion alert
Host:          HR-WORKSTATION-04
User at time:  APEXCORP\m.chen
Department:    Human Resources
Status:        OPEN — Awaiting analyst triage
ALERT DESCRIPTION

At 14:18 UTC the DLP system detected a USB mass storage device being inserted into HR-WORKSTATION-04. This host is classified as Restricted — all removable storage devices are prohibited per Policy POL-DLP-04 (HR Endpoint Protection). The device was connected for approximately 9 minutes before being removed at 14:27 UTC.

The HR department handles sensitive data including: employee salary records, performance reviews, medical leave information, and candidate interview notes. Unauthorised data removal from this host is a potential data breach and policy violation.

ANALYST TASKS
1. Identify the USB device (name, serial number) from Windows Event Viewer
2. Determine which files were accessed during the 9-minute window
3. Establish whether any files were copied to the USB device
4. Identify which DLP policies were violated
5. Determine severity: negligent or intentional data exfiltration?
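For task 1, the query below is an added example (not part of the exercise or its tooling) that a defender could run on the host to pull the Event ID 2003 records for the ticket's window and extract the vendor, product and serial that the key concepts section says the event carries. It assumes the event is read from the Microsoft-Windows-DriverFrameworks-UserMode/Operational log and that the device instance path in the message follows the usual USBSTOR layout; the log name, regex and output shape are my assumptions, not something the exercise specifies.

```powershell
# Added example, not part of the exercise. Assumes Event ID 2003 is read from the
# Microsoft-Windows-DriverFrameworks-UserMode/Operational log (disabled by default on
# some builds; enable it in Event Viewer or via wevtutil before it records anything).
$start = [datetime]::Parse('2026-05-10T14:15:00Z').ToUniversalTime()   # ticket window
$end   = [datetime]::Parse('2026-05-10T14:30:00Z').ToUniversalTime()

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    Id        = 2003
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue   # suppresses the "no events found" error

# A USB mass-storage device instance path inside the message looks like
#   ...USBSTOR#Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>#<serial>&0#{guid}
# If the stick has no hardware serial, Windows synthesises one whose second
# character is '&'; treat such a value as non-unique when correlating hosts.
$pattern = 'USBSTOR#Disk&Ven_(?<vendor>[^&]*)&Prod_(?<product>[^&]*)&Rev_(?<rev>[^#]*)#(?<serial>[^#]+?)&0#'

$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $pattern, 'IgnoreCase')
    $user = 'n/a'
    if ($e.UserId) {
        try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $e.UserId.Value }   # SID no longer resolvable; keep the raw SID
    }
    [pscustomobject]@{
        TimeUtc = $e.TimeCreated.ToUniversalTime().ToString('u')
        User    = $user
        Vendor  = if ($m.Success) { $m.Groups['vendor'].Value  } else { '?' }
        Product = if ($m.Success) { $m.Groups['product'].Value } else { '?' }
        Serial  = if ($m.Success) { $m.Groups['serial'].Value  } else { '?' }
    }
}

$rows | Sort-Object TimeUtc | Format-Table -AutoSize

# Next step in the triage: carry Serial over to the file access log and the DLP
# alert so the 14:18-14:27 UTC activity is tied to this specific device.
```

A `?` in any column means the message did not contain a USBSTOR path (for example a non-storage device), which is itself worth noting in the report.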
WINDOWS EVENT VIEWER — HR-WORKSTATION-04
FILE ACCESS LOG — 14:15–14:30 UTC
FILE OPERATIONS — HR-WORKSTATION-04 — APEXCORP\m.chen
DLP POLICY REVIEW — HR Endpoint