
6416 A new external device was recognized by the System

Logged when the system recognizes a new external device. It records the connection of USB drives and similar devices, and can be used to detect data exfiltration and the introduction of rogue devices.

Overview

The subcategory is Audit PNP Activity. It is generated when Plug and Play (PnP) recognizes a new external device (USB storage, HID, network adapter, etc.). It includes the device class, identifiers (vendor/product ID, etc.), and the user involved.

How it is triggered

  • A new connection of a USB drive, external disk, or various peripherals.

Security review points

  • Data exfiltration / rogue devices: a USB storage connection can indicate data exfiltration or the introduction of a malicious device (BadUSB, Rubber Ducky keystroke injection). Check the connected device’s class and identifiers.
  • Correlate with writes to removable storage after connection (4663, Audit Removable Storage) to track what was taken. Note connections of unauthorized device IDs.

Notes for log review

  • The event also fires for normal peripheral connections. Baseline device classes and vendor/product IDs, then narrow to unauthorized or unknown storage devices.
  • If you run device control (USB restriction), review this event together with event 6423 (forbidden-device installation attempts).
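
The baselining step above as an added example (not code from the original page): it parses exported event XML, pulls the vendor/product pair out of the device ID, and separates baseline devices from unknown storage and other unknown devices. The data names SubjectUserName, DeviceId and ClassName are the event's XML field names, which the page does not list; the baseline, the storage class set and the sample events are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
STORAGE_CLASSES = {"DiskDrive", "WPD", "CDROM"}  # assumption: classes treated as storage
# Constructed baseline of approved (vendor, product) pairs, lower-cased.
BASELINE = {("046d", "c31c"), ("kingston", "datatraveler_3.0")}
# Covers USB\VID_xxxx&PID_xxxx and USBSTOR\Disk&Ven_x&Prod_y device IDs.
ID_RE = re.compile(r"(?:VID|Ven)_([^&\\]+)&(?:PID|Prod)_([^&\\]+)", re.I)

def parse_6416(xml_text):
    """Return the review fields of one 6416 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6416":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    m = ID_RE.search(data.get("DeviceId", ""))
    return {"user": data.get("SubjectUserName", ""),
            "device_id": data.get("DeviceId", ""),
            "class": data.get("ClassName", ""),
            "vid_pid": (m.group(1).lower(), m.group(2).lower()) if m else None}

def triage(event):
    """Baseline hit, unknown storage (alert), or unknown other device (review)."""
    if event["vid_pid"] in BASELINE:
        return "baseline"
    return "alert-unknown-storage" if event["class"] in STORAGE_CLASSES else "review-unknown-device"

def sample_event(device_id, class_name, user, event_id=6416):
    """Build a constructed event in the Security log's XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="DeviceId">{escape(device_id)}</Data>'
            f'<Data Name="ClassName">{class_name}</Data></EventData></Event>')

# Constructed sample input, not real log data.
SAMPLES = [
    sample_event(r"USB\VID_046D&PID_C31C\5&2a1b3c4d&0&2", "Keyboard", "alice"),
    sample_event(r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\60A44C&0", "DiskDrive", "alice"),
    sample_event(r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\A1B2C3D4&0", "DiskDrive", "bob"),
    sample_event(r"USB\VID_1234&PID_ABCD\0001", "Keyboard", "bob"),
]

def review(events_xml):
    """Parse each event and return (user, device_id, verdict) for the 6416 ones."""
    parsed = filter(None, map(parse_6416, events_xml))
    return [(e["user"], e["device_id"], triage(e)) for e in parsed]

if __name__ == "__main__":
    for row in review(SAMPLES):
        print(*row, sep="  ")
```

The unknown keyboard is kept as a lower-severity review item rather than dropped, since the keystroke-injection devices mentioned above enumerate as HID devices, not storage.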

Key fields

| Field | Meaning |
|---|---|
| Device ID / Class | The device identifier and class |
| Vendor/Product | Vendor/product information |
| Subject\Account Name | The user involved |
