
External Disk Drive Or USB Storage Device Was Recognized By The System

Sigma Rules

Summary
This detection rule identifies when an external disk drive or USB storage device is connected to a Windows system. It uses Event ID 6416 from the Windows Security log, which records that a new external device was recognized by the system. The rule specifically looks for events where the ClassName is 'DiskDrive' and the DeviceDescription is 'USB Mass Storage Device'. It is intended to alert security personnel to potential unauthorized device connections, which could indicate lateral movement or initial access attempts by threat actors. Since the rule is configured with a 'low' severity level, security teams should review its alerts in context: USB storage devices have many legitimate uses in everyday operations.
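The following is an added example, not code from the rule or the Sigma project. It evaluates the selection described in the summary (Event ID 6416 with ClassName 'DiskDrive' and DeviceDescription 'USB Mass Storage Device', combined as the summary states) over constructed Windows Security event records, applying Sigma's case-insensitive string matching, and then reduces the low-severity hits with context before they reach an analyst. Field names follow the Event 6416 message schema (SubjectUserName, DeviceId, DeviceDescription, ClassName); all values, host names and the device allowlist are invented for the example. One operational caveat: Windows only writes Event ID 6416 when the "Audit PnP Activity" subcategory under Detailed Tracking is enabled, so an absence of hits can mean the audit policy is off rather than that no devices were attached.

```python
"""Evaluate the rule's selection (Event ID 6416, ClassName 'DiskDrive',
DeviceDescription 'USB Mass Storage Device') over Windows Security event
records and reduce the low-severity hits with context before alerting.

Added example, not the rule's own code. The records below are constructed;
field names follow the Event 6416 message schema, the values are invented.
"""
from collections import Counter

# Selection as stated in the rule summary. A Sigma selection is an AND of
# its fields, and Sigma compares string values case-insensitively.
SELECTION = {
    "EventID": 6416,
    "ClassName": "DiskDrive",
    "DeviceDescription": "USB Mass Storage Device",
}

# Constructed sample records, shaped as a SIEM would present them after parsing.
SAMPLE_EVENTS = [
    {"EventID": 6416, "Computer": "ws01.corp.example", "SubjectUserName": "alice",
     "ClassName": "DiskDrive", "DeviceDescription": "USB Mass Storage Device",
     "DeviceId": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\\0001"},
    # The same plug-in also logs the composite device: different ClassName, no hit.
    {"EventID": 6416, "Computer": "ws01.corp.example", "SubjectUserName": "alice",
     "ClassName": "USB", "DeviceDescription": "USB Composite Device",
     "DeviceId": "USB\\VID_1234&PID_5678\\0001"},
    {"EventID": 6416, "Computer": "ws02.corp.example", "SubjectUserName": "bob",
     "ClassName": "DiskDrive", "DeviceDescription": "USB Mass Storage Device",
     "DeviceId": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\\0002"},
    # Internal disk re-enumerated after a driver update: DiskDrive, but not USB.
    {"EventID": 6416, "Computer": "ws03.corp.example", "SubjectUserName": "carol",
     "ClassName": "DiskDrive", "DeviceDescription": "Disk drive",
     "DeviceId": "SCSI\\Disk&Ven_&Prod_Example_SSD\\4&1"},
    # Unrelated logon event.
    {"EventID": 4624, "Computer": "ws03.corp.example", "SubjectUserName": "carol"},
    # Letter case differs from the rule text; Sigma semantics still match it.
    {"EventID": 6416, "Computer": "ws03.corp.example", "SubjectUserName": "carol",
     "ClassName": "diskdrive", "DeviceDescription": "USB MASS STORAGE DEVICE",
     "DeviceId": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\\0003"},
]


def field_matches(actual, expected):
    """Sigma equality: strings compare case-insensitively; other values are
    compared exactly, with a string fallback for SIEMs that store EventID as text."""
    if actual is None:
        return False
    if isinstance(expected, str):
        return str(actual).lower() == expected.lower()
    return actual == expected or str(actual) == str(expected)


def matches(event, selection=SELECTION):
    """True when every field of the selection is present and matches."""
    return all(field_matches(event.get(f), v) for f, v in selection.items())


def detect(events, selection=SELECTION):
    """Return the events that satisfy the selection."""
    return [e for e in events if matches(e, selection)]


def triage(hits, known_device_ids):
    """Drop hits for devices in an inventory allowlist (assumed to exist) and
    count what remains per host, so unknown devices are reviewed first."""
    unknown = [h for h in hits if h.get("DeviceId") not in known_device_ids]
    per_host = Counter(h.get("Computer") for h in unknown)
    return unknown, per_host


# Constructed allowlist: one device the organization has inventoried.
KNOWN_DEVICE_IDS = {"USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\\0001"}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    unknown, per_host = triage(hits, KNOWN_DEVICE_IDS)
    for h in unknown:
        print(f"{h['Computer']} {h['SubjectUserName']} {h['DeviceId']}")
    print(dict(per_host))
```

Run as a script it lists the two hits whose DeviceId is not in the allowlist (bob on ws02 and carol on ws03) and a per-host count; the composite-device record, the internal disk and the logon event never match. The allowlist step is the contextual review the summary asks for: it does not change the rule, it decides which of its low-severity hits deserve an analyst's time.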
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
Created: 2019-11-20