
Summary
This rule monitors modifications to specific Windows Registry keys associated with removable USB media devices. The aim is to detect potentially unauthorized access or activity involving USB devices, which can pose security risks such as data exfiltration or malware execution. When a USB device is connected, Windows writes to the keys `HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\` or `HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\`. By querying Sysmon event logs for registry changes under these keys, this analytic can identify the attachment of USB devices and assess their risk level. False positives can occur with legitimate USB usage, so the flagged device should be verified before the event is treated as malicious.
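The matching logic described above, run over sample Sysmon registry events, as an added example that is not part of the original rule content: the events are constructed and use the field names a Sysmon registry event carries (EventID, TargetObject, Image, User, Details); the device-identifier extraction and the image-based risk heuristic are assumptions made for illustration, not the rule's own scoring.

```python
"""Flag Sysmon registry events that touch the two USB-related keys named in the
rule, extract the device instance identifier, and drop identifiers that an
analyst has already verified as known-good hardware."""

from typing import Dict, FrozenSet, Iterable, List

# Key prefixes from the rule summary. Sysmon records TargetObject with an HKLM\
# prefix, and registry paths are case-insensitive, so comparison is lower-cased.
WATCHED_KEYS = {
    "portable_devices": "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\",
    "wpdbusenum": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\",
}

# Sysmon registry event IDs: 12 = key/value create or delete, 13 = value set.
REGISTRY_EVENT_IDS = {"12", "13"}

# Constructed sample events (not real telemetry), shaped like parsed Sysmon
# registry events. The first two are what a USB flash drive insertion looks
# like; the third is an unrelated registry write that must not be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "UtcTime": "2025-01-17 09:12:01.100",
     "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\"
                     "_??_USBSTOR#Disk&Ven_Example&Prod_Flash&Rev_1.00#AA00BB11&0#"
                     "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\FriendlyName",
     "Details": "Example Flash USB Device"},
    {"EventID": "12", "UtcTime": "2025-01-17 09:12:01.250",
     "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\"
                     "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00#AA00BB11&0#"
                     "{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}",
     "Details": "Key created"},
    {"EventID": "13", "UtcTime": "2025-01-17 09:13:44.000",
     "User": "CORP\\alice", "Image": "C:\\Program Files\\Example\\app.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Example\\Settings\\LastRun",
     "Details": "DWORD (0x00000001)"},
]


def normalize_device_id(segment: str) -> str:
    """Normalize the subkey directly beneath a watched key so the same physical
    device yields one identifier from either key (assumption: the Windows
    Portable Devices subkey carries an extra 'SWD#WPDBUSENUM#' prefix)."""
    seg = segment.upper()
    marker = "SWD#WPDBUSENUM#"
    if seg.startswith(marker):
        seg = seg[len(marker):]
    return seg


def device_id_from_path(target: str, prefix: str) -> str:
    """Return the normalized registry subkey immediately below the watched prefix."""
    remainder = target[len(prefix):]
    return normalize_device_id(remainder.split("\\", 1)[0])


def detect_usb_registry_activity(events: Iterable[Dict[str, str]],
                                 known_devices: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one finding per registry event under a watched key whose device
    identifier is not in the verified allowlist."""
    verified = {normalize_device_id(d) for d in known_devices}
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        target = ev.get("TargetObject", "")
        for label, prefix in WATCHED_KEYS.items():
            if not target.lower().startswith(prefix.lower()):
                continue
            device = device_id_from_path(target, prefix)
            if device in verified:
                break  # analyst-verified hardware: benign, suppress
            image = ev.get("Image", "")
            # Illustrative heuristic (assumption): device enumeration is normally
            # written by a Windows system binary; anything else deserves a closer look.
            risk = "medium" if image.lower().startswith("c:\\windows\\") else "high"
            findings.append({"time": ev.get("UtcTime", ""), "user": ev.get("User", ""),
                             "image": image, "key": label, "device_id": device, "risk": risk})
            break
    return findings


if __name__ == "__main__":
    for f in detect_usb_registry_activity(SAMPLE_EVENTS):
        print(f"{f['time']} {f['risk']:6} {f['user']} key={f['key']} device={f['device_id']}")
```

Both events for the same drive collapse to one device identifier, so once an analyst confirms the hardware it can be passed in `known_devices` and both keys stop alerting for it; the unrelated registry write is never matched because the prefix comparison is anchored at the start of TargetObject.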
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- User Account
- Process
ATT&CK Techniques
- T1200
- T1025
- T1091
Created: 2025-01-17