Level Verified

Windows Monitor - USB Drive Script

Created by: Level

Type: Script

Category: Security

Platforms: Windows, Apple iOS, Linux

Problem Overview

USB drives can pose serious security and data-leak risks, especially if inserted into protected or high-compliance systems without authorization. Manually tracking who has plugged in a USB device is impractical, particularly across multiple endpoints. This script solves the problem by automatically detecting connected USB drives and triggering an immediate alert.

Description

This PowerShell script examines the Win32_DiskDrive class to see if any drives are connected via USB. If it locates at least one USB device, it produces an “ALERT” message. By setting up this script as a monitor in Level, you can immediately spot unauthorized or unexpected USB storage activity.

You can also pair it with a scheduled Automation in Level for periodic checks, ensuring continuous oversight. If an alert appears, you can take additional steps—such as generating a help desk ticket or running a remediation script—to safeguard your data.

Script

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

Level Library
https://level.io/library/script-windows-monitor-usb-drive
#>

# Look for USB Drives
$USBDrivePresent = Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' }

if ($USBDrivePresent) {
    # If USB drive is present, send console message for Level to alert on
    Write-Host "ALERT"
}

Use Cases

  • Monitoring data-sensitive machines for unauthorized external storage
  • Preventing data exfiltration in regulated industries
  • Enforcing organizational policies against USB drive usage
  • Alerting on newly attached USB devices in real time

Recommendations

  • Test this script in a non-production environment before implementing widely
  • Use a script-based monitor in Level to trigger real-time alerts
  • Schedule via a Level Automation for repeated checks at regular intervals
  • Pair with a remediation script or policy to disable or eject the drive if necessary
  • Review logs to identify when and where USB drives appear, then address accordingly

FAQ

  • How can I run this script on multiple machines?
    Import the script into Level and deploy it to the targets using script-based monitors or Automations.
  • Does the script remove or block USB drives?
    No, it only detects the presence of USB devices and alerts accordingly.
  • What if a USB device is attached but not currently in use?
    The script identifies any USB disk drive detected by Windows, regardless of whether it’s actively being used.
  • Are there any OS or permission requirements?
    This script runs under System permissions in Level, ensuring full visibility into connected devices.
  • Can I customize the alert message?
    Yes, you can modify the Write-Host "ALERT" line in the script to suit your specific logging or notification needs.
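
A variant that follows the customization noted in the FAQ above, added here as an example and not part of the Level library script: it keeps the same Win32_DiskDrive filter, skips drives whose serial number is on an approved list, and writes one detailed ALERT line per remaining drive. The function name, the `$ApprovedSerials` and `$UseSample` variables, the serial values and the sample objects are constructed for illustration, and it assumes the Level monitor matches on the word ALERT in the output.

```powershell
# Added example, not the Level library script.
# Constructed placeholder serials; replace with the serial numbers of drives you have approved.
$ApprovedSerials = @('EXAMPLE-SERIAL-0001')

# Set to $true to run against the constructed sample below instead of the live system.
$UseSample = $false

function Get-UnapprovedUsbDisk {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Disk,
        [string[]]$Approved = @()
    )
    foreach ($d in $Disk) {
        # Same filter as the original script. Drives attached through the UAS
        # driver can report InterfaceType 'SCSI' and will not match here.
        if ($d.InterfaceType -ne 'USB') { continue }

        # SerialNumber may be empty or padded with whitespace on USB devices.
        $serial = "$($d.SerialNumber)".Trim()
        if ($serial -and ($Approved -contains $serial)) { continue }

        [pscustomobject]@{
            Model  = $d.Model
            Serial = if ($serial) { $serial } else { '(none reported)' }
            SizeGB = [math]::Round($d.Size / 1GB, 1)
        }
    }
}

$disks = if ($UseSample) {
    # Constructed sample objects, not real devices.
    @(
        [pscustomobject]@{ InterfaceType = 'USB';  Model = 'Example Flash A';  SerialNumber = 'EXAMPLE-SERIAL-0001 '; Size = 16GB }
        [pscustomobject]@{ InterfaceType = 'USB';  Model = 'Example Flash B';  SerialNumber = $null;                  Size = 32GB }
        [pscustomobject]@{ InterfaceType = 'SCSI'; Model = 'Example Internal'; SerialNumber = 'EXAMPLE-SERIAL-0003';  Size = 512GB }
    )
} else {
    @(Get-CimInstance -ClassName Win32_DiskDrive)
}

$hits = @(Get-UnapprovedUsbDisk -Disk $disks -Approved $ApprovedSerials)
foreach ($hit in $hits) {
    # One line per drive, starting with the same "ALERT" token the original script emits.
    Write-Host ("ALERT host={0} model='{1}' serial={2} sizeGB={3}" -f $env:COMPUTERNAME, $hit.Model, $hit.Serial, $hit.SizeGB)
}
```

Serial numbers reported by USB devices are not authenticated and are sometimes missing or shared across units, so the approved list reduces alert noise but does not act as access control.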

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: Windows Monitor - USB Drive

Description: This script checks for the presence of USB drives connected to the system using the Win32_DiskDrive class. If any USB drives are detected, it outputs "ALERT" for monitoring and potential alerting through Level.

Language: PowerShell

Timeout (In Seconds): 100

Run As: Local system
