Block USB(s) by default with Elastic Agent?

Hello,

I am posting to find out if this feature is still on the Elastic Team’s roadmap? I found previous posts from 2022 and 2023 requesting this feature.

In short, it would be a nice feature if the Elastic Agent could block new USB connections by default. An allowed list of serial numbers to tie back to for approved media could also be added to make this feature more useful. It could potentially query the attached USB devices as well to generate a pre-approved allowed list? That might be overkill/too complicated, but would be another “ease of use” step for other users who might be interested in implementing this.

I did find that there is a first-time connection prebuilt rule in the Elastic SIEM, but I would like something more in-depth.

Thanks!


Hello,

Thank you for reaching out and for your ongoing interest in the development of USB device management within Elastic. We're happy to confirm that the feature you referenced—enabling Elastic Defend to block new USB storage device connections by default, with support for an allowed list of approved serial numbers—is officially on the Elastic Team’s roadmap and is scheduled for release soon.

This upcoming functionality will allow administrators to enforce stricter USB controls by default, while providing the flexibility to pre-approve specific devices based on their serial numbers. The ability to query attached USB devices for easier creation of an allow list is not currently on the roadmap, but will be considered to further enhance user experience and simplify implementation.

We appreciate you highlighting previous discussions from 2022 and 2023, as well as your thoughtful suggestions regarding device pre-approval and ease of use. The feedback from the community has been instrumental in shaping the direction of this feature, and we're excited to bring these enhancements to you in the near future.

Thank you!


Hi @Roxana_Gheorghe

That sounds really good, we have wanted this feature for a long time. Does that feature come in 8.19.x & 9.1.x? And can you give more detail on the version?

Thanks in advance

Was this feature released in the 9.2.0 release today? Under features I see: “Adds Elastic Defend support for device control on macOS and Windows.”

Thanks!

Hello,

Yes, happy to announce that Device Control is part of the 9.2 release. Give it a try and let us know your feedback!

Thank you!


Hi @icefish-creativ

This is only part of the 9.2 release. Let us know your feedback!

Thank you!


Hey @Roxana_Gheorghe

Very cool, I will try it asap.

Greetings, Tim

Hello Roxana,

I am testing the Device Control feature and it doesn’t appear to be working. I am using a fully updated stack on 9.2.0 and the agent is also on 9.2.0. I can confirm that device control “should” be working as it is set to “Block All”. Additionally, I checked the agent status and it shows all items under device control as green and healthy, with nothing obvious in the agent logs. It is my understanding that this should block all forms of removable USBs or other storage devices. However, I can attach a USB and freely move files to and from the USB.

Do we have to do anything else other than ensuring that the Device Control feature is enabled and set in that agent’s Elastic Defend policy? Thanks in advance.

Hello Devon,

Thank you for trying this out and providing your feedback. Based on your description, your settings appear correct, and the storage device should present as block storage, preventing the movement of files. Could you please contact our support team and open a case? This will allow them to guide you through the process of collecting the necessary logs for our review. Alternatively, if you are a member of our community Slack (sign up for a new account), please feel free to contact me there.

Thank you,

Roxana

I’ve opened a support case and I’ll report back here with an update when I have one. Thanks!