Configure EventSentry to track external USB storage devices and send an email alert

Article ID: 554
Category: Monitoring
Updated: 2026-05-15

You can use the EventSentry Hardware Inventory to track USB storage devices using the following EventSentry Event IDs:

12040: A %1 drive has been added.
12041: A %1 drive has been removed.

Where %1 represents the device interface.

Steps

1- Verify that the Hardware Inventory package under System Health is enabled to track hardware changes (1) and assigned to the hosts you want to monitor (or made global). It is highly recommended that changes are being written to your database (2).

2- Under Packages -> Event Logs, create a package with a descriptive name (or use an existing one). Ensure it is assigned to the hosts you want to monitor or made global.

3- Create a new Include Filter with a descriptive name (e.g., "Device Added - 12040") and the following settings:


4- Save and deploy the changes: Navigate to Home (in the ribbon) > Save.

This filter is triggered by Event ID 12040, which the EventSentry agent logs whenever it detects a new removable storage device.

You can use the following JSON script for quick creation. Copy the script and use the 'Apply JSON Rule' button in the ribbon (a package must be selected for this option to work). Remember to adjust the settings for your environment, because the script does not define any Actions:

{
  "type": 0,
  "active": 1,
  "name": "Device Added - 12040",
  "uuid": "f3091c35-c780-4f59-8fbb-c773c61a29ed",
  "version": 1,
  "order": 0,
  "builtin": 0,
  "isfolder": 0,
  "applyToCollectorSideThresholds": 0,
  "requireAck": 0,
  "stopProcessing": 0,
  "anomalyFiltering": 0,
  "threatWeight": 0,
  "logs": [ "APP" ],
  "severities": [ "INFO", "WARNING", "ERROR", "CRITICAL" ],
  "source": "EventSentry",
  "eventid": "12040",
  "contentFilterType": 0,
  "chainType": 0,
  "textfilters": [
    {
      "insertionString": 0,
      "comparisonType": 0,
      "text": "*USB*",
      "type": 1
    }
  ],
  "threshold": {
    "type": 0,
    "limit": 0,
    "interval": 0,
    "intervalScale": 0,
    "processBefore": 0,
    "processAfter": 0,
    "processAfterFirstOnly": 0,
    "logImmediate": 0,
    "logInterval": 0,
    "logSeverity": 0,
    "matchType": 0
  },
  "timer": {
    "enable": 0,
    "interval": 0,
    "intervalScale": 0
  },
  "bootBehavior": 0
}

Note

You can add Event ID 12041 to this same filter to be notified when a USB device is removed from a host, or you can create a separate filter specifically for that Event ID.
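The separate-filter option from the note, as an added example that is not EventSentry's own code: it copies the article's rule for Event ID 12041 and checks both rules against constructed events before import. The helper names, the need for a fresh uuid, the event severity and the case-insensitive wildcard matching are assumptions.

```python
import copy
import fnmatch
import json
import uuid

# The article's "Device Added - 12040" rule, compacted but otherwise unchanged.
RULE_12040 = json.loads("""
{"type": 0, "active": 1, "name": "Device Added - 12040",
 "uuid": "f3091c35-c780-4f59-8fbb-c773c61a29ed", "version": 1, "order": 0,
 "builtin": 0, "isfolder": 0, "applyToCollectorSideThresholds": 0,
 "requireAck": 0, "stopProcessing": 0, "anomalyFiltering": 0, "threatWeight": 0,
 "logs": ["APP"], "severities": ["INFO", "WARNING", "ERROR", "CRITICAL"],
 "source": "EventSentry", "eventid": "12040", "contentFilterType": 0,
 "chainType": 0,
 "textfilters": [{"insertionString": 0, "comparisonType": 0,
                  "text": "*USB*", "type": 1}],
 "threshold": {"type": 0, "limit": 0, "interval": 0, "intervalScale": 0,
               "processBefore": 0, "processAfter": 0, "processAfterFirstOnly": 0,
               "logImmediate": 0, "logInterval": 0, "logSeverity": 0,
               "matchType": 0},
 "timer": {"enable": 0, "interval": 0, "intervalScale": 0}, "bootBehavior": 0}
""")


def derive_rule(rule, event_id, name):
    """Copy a rule for another event ID. A fresh uuid is generated on the
    assumption that every rule needs a unique one."""
    new = copy.deepcopy(rule)
    new.update(eventid=str(event_id), name=name, uuid=str(uuid.uuid4()))
    return new


def matches(rule, event):
    """Simplified local model of the filter (hypothetical, not the agent's
    engine): source, event ID, severity and every wildcard text must match.
    Case-insensitive wildcard matching is an assumption."""
    return (event["source"] == rule["source"]
            and str(event["id"]) == rule["eventid"]
            and event["severity"] in rule["severities"]
            and all(fnmatch.fnmatchcase(event["text"].upper(), f["text"].upper())
                    for f in rule["textfilters"]))


if __name__ == "__main__":
    removed = derive_rule(RULE_12040, 12041, "Device Removed - 12041")
    # Constructed sample event built from the 12041 message template.
    sample = {"source": "EventSentry", "id": 12041, "severity": "INFO",
              "text": "A USB drive has been removed."}
    assert matches(removed, sample)
    print(json.dumps(removed, indent=2))  # paste via 'Apply JSON Rule'
```

As with the original script, the derived rule defines no Actions, so assign them after applying it.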

More information:

https://system32.eventsentry.com/eventsentry/event/12040

Related Articles:

How to get notified if a user copies a file to a removable drive (e.g. USB memory stick)?


