
Summary
This analytic detects when a USB removable media device is connected to a Windows host by monitoring modifications to the registry key HKLM\System\CurrentControlSet\Enum\USBSTOR\. The monitoring matters because adversaries and insider threats may use such devices to gain initial access, run unauthorized software, or exfiltrate sensitive data. The detection relies on Sysmon EventIDs 12 and 13 to track the registry changes that indicate a device connection. Anomalies in this registry activity warrant further investigation, especially during potential security incidents where removable media usage does not align with organizational policy. The implementation requires that endpoint logging data be properly ingested and mapped so that the detection fires accurately.
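As an added example (not part of the original analytic), the detection logic run in Python over constructed Sysmon registry events: it keeps only EventID 12/13 records whose TargetObject sits under the USBSTOR key and extracts vendor, product and serial from the subkey name for triage. The JSON field names follow Sysmon's registry event schema; the sample events, host name and device values are constructed.

```python
import json
import re

# Registry key the analytic monitors (from the page), as Sysmon records it in TargetObject
USBSTOR_PREFIX = "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\"
# Sysmon registry event IDs the analytic relies on: 12 = key create/delete, 13 = value set
REGISTRY_EVENT_IDS = {12, 13}
# USBSTOR subkey layout: <type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>[\<value>]
DEVICE_RE = re.compile(r"^(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
                       r"&Rev_(?P<rev>[^&\\]*)\\(?P<serial>[^&\\]+)", re.IGNORECASE)


def detect_usb_connect(event):
    """Return a triage record if a Sysmon registry event touches USBSTOR, else None."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return None
    target = event.get("TargetObject", "")
    # Registry paths are case-insensitive, so the prefix match must be too
    if not target.lower().startswith(USBSTOR_PREFIX.lower()):
        return None
    m = DEVICE_RE.match(target[len(USBSTOR_PREFIX):])
    return {
        "time": event.get("UtcTime"), "host": event.get("Computer"),
        "event_id": event["EventID"], "event_type": event.get("EventType"),
        "image": event.get("Image"), "target": target,
        "vendor": m.group("vendor") if m else None,
        "product": m.group("product") if m else None,
        "serial": m.group("serial") if m else None,
    }


def scan(jsonl):
    """Run the detection over newline-delimited JSON Sysmon events; return hits in order."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            hit = detect_usb_connect(json.loads(line))
            if hit is not None:
                hits.append(hit)
    return hits


# Constructed sample telemetry (not real logs): key create, value set, then an unrelated registry write
DEVICE_KEY = USBSTOR_PREFIX + "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230223115053&0"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2025-01-17 09:12:01.123", "Computer": "WS01",
     "Image": "System", "TargetObject": DEVICE_KEY},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2025-01-17 09:12:01.456", "Computer": "WS01",
     "Image": "System", "TargetObject": DEVICE_KEY + "\\FriendlyName", "Details": "SanDisk Cruzer Blade USB Device"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2025-01-17 09:13:40.000", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain"},
])
```

The unrelated Tcpip write is dropped, while both USBSTOR events surface with the same serial so they can be grouped into one device-connection alert.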
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1200
- T1025
- T1091
Created: 2025-01-17