Hello,
I am posting to find out if this feature is still on the Elastic Team’s roadmap? I found previous posts from 2022 and 2023 requesting this feature.
In short, it would be a nice feature if the Elastic Agent could block new USB connections by default. An allowed list of serial numbers to tie back to for approved media could also be added to make this feature more useful. It could potentially query the attached USB devices as well to generate a pre-approved allowed list? That might be overkill/too complicated but would be another “ease of use” step for other users who might be interested in implementing this.
I did find that there is a first-time connection prebuilt rule in the Elastic SIEM, but I would like something more in-depth.
Thanks!
1 Like
Hello,
Thank you for reaching out and for your ongoing interest in the development of USB device management within Elastic. We're happy to confirm that the feature you referenced—enabling Elastic Defend to block new USB storage device connections by default, with support for an allowed list of approved serial numbers—is officially on the Elastic Team’s roadmap and is scheduled for release soon.
This upcoming functionality will allow administrators to enforce stricter USB controls by default, while providing the flexibility to pre-approve specific devices based on their serial numbers. The ability to query attached USB devices for easier creation of an allow list is not currently on the roadmap, but will be considered to further enhance user experience and simplify implementation.
We appreciate you highlighting previous discussions from 2022 and 2023, as well as your thoughtful suggestions regarding device pre-approval and ease of use. The feedback from the community has been instrumental in shaping the direction of this feature, and we're excited to bring these enhancements to you in the near future.
Thank you!
3 Likes