Summary
This detection rule, authored by Elastic, identifies newly mounted removable devices such as USB drives connected to endpoints. It relies on Elastic Defend's device mount events and tracks removable storage by device serial number together with the host identifier, so that a device is flagged the first time it is seen on a given host. Connecting a USB device is not inherently malicious, but it carries risks such as data exfiltration or malware introduction, which is why analysts should monitor these events closely. The detection operates over a set timeframe, analyzing logs for successful mount events of removable volumes on both Windows and macOS hosts. The rule guides analysts to verify the legitimacy of a newly connected device by checking its serial number, reviewing its usage history, and cross-referencing logs for related suspicious activity. It also describes how to handle false positives from common scenarios in which legitimate devices trigger alerts, such as frequent use of company-issued USB drives or routine IT maintenance. With a risk score of 21 and low severity, the rule provides a baseline signal for potential threats involving removable devices. Overall, it strengthens organizational security by allowing teams to mitigate the risks of unauthorized access or data exfiltration through USB storage.
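The "first time seen" logic described above, as an added example that is not the rule's own query: it filters constructed mount events down to successful mounts of removable volumes on Windows or macOS hosts and alerts only when the (host id, serial number) pair has not been seen within the lookback window. The event field names (host_id, serial, removable, outcome, action, os) are assumptions for this example, not the rule's actual ECS fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-11-10T08:00:00", "host_id": "ws-01", "os": "windows", "action": "mount",
     "outcome": "success", "removable": True, "serial": "SN-AAA111"},
    {"ts": "2025-11-10T09:15:00", "host_id": "ws-01", "os": "windows", "action": "mount",
     "outcome": "success", "removable": True, "serial": "SN-AAA111"},   # same pair again: suppressed
    {"ts": "2025-11-10T10:00:00", "host_id": "mac-07", "os": "macos", "action": "mount",
     "outcome": "success", "removable": True, "serial": "SN-BBB222"},
    {"ts": "2025-11-10T10:30:00", "host_id": "ws-02", "os": "windows", "action": "mount",
     "outcome": "failure", "removable": True, "serial": "SN-CCC333"},   # failed mount: ignored
    {"ts": "2025-11-10T11:00:00", "host_id": "ws-02", "os": "windows", "action": "mount",
     "outcome": "success", "removable": False, "serial": "SN-DDD444"},  # fixed disk: ignored
    {"ts": "2025-11-10T12:00:00", "host_id": "ws-03", "os": "windows", "action": "mount",
     "outcome": "success", "removable": True, "serial": "SN-AAA111"},   # known device, new host: alert
]


def is_candidate(ev):
    """Successful mount of a removable volume on a Windows or macOS host."""
    return (ev["action"] == "mount" and ev["outcome"] == "success"
            and ev["removable"] and ev["os"] in ("windows", "macos"))


def first_seen_mounts(events, history, lookback_days=30):
    """Return candidate events whose (host_id, serial) pair was not seen in the
    lookback window. `history` maps (host_id, serial) -> last-seen datetime and is
    updated in place, so a pair alerts once and is then quiet until the window expires."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_candidate(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host_id"], ev["serial"])
        last = history.get(key)
        if last is None or ts - last > timedelta(days=lookback_days):
            alerts.append(ev)
        history[key] = ts
    return alerts


if __name__ == "__main__":
    for a in first_seen_mounts(SAMPLE_EVENTS, {}):
        print(f"{a['ts']} new removable device {a['serial']} on host {a['host_id']}")
```

Seeding `history` from a baseline of known company-issued drives is the natural way to handle the false-positive scenarios the rule describes.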
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1091
- T1052
- T1052.001
Created: 2025-11-11