Detect PnP devices connected to my Endpoints

Lately, I’ve been diving into a bunch of articles and posts about the risks of Bluetooth, USB, and other Plug-and-Play (PnP) devices.
Based on that, I went into the Defender XDR advanced hunting schema to check whether any table records these kinds of events, and yes, the DeviceEvents table does.

Basically, you can filter DeviceEvents on the action type «PnpDeviceConnected» to get a list of PnP devices connected to your endpoints (the device details, such as class, description and vendor, are carried in the AdditionalFields JSON column). Keep in mind that advanced hunting only retains 30 days of data, so if you need longer history, export the results or build a custom detection on top of the query. It helped me with some concerns such as:

1. Keeping an eye out for PnP devices like USB drives or external disks being connected to critical servers (DCs, Exchange servers, or any machine holding sensitive info).

2. If I’m handling sensitive info that shouldn’t be shared or printed, making sure no printers are connected to my endpoints.

3. Spotting unfamiliar devices from unknown vendors.

4. Finding PnP devices that might be out of date and need attention.

And more.
I’ve got a hunch that this KQL query is like the Swiss Army knife of detections: use it for all sorts of things! So go ahead, help yourself! 😄🔍
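To make the list above concrete, here is an added example query (mine, not the post author's own query) that tags PnpDeviceConnected events for the first three concerns: removable storage on critical servers, printers, and unknown vendors. It assumes the AdditionalFields JSON of a PnpDeviceConnected event carries the ClassName, DeviceDescription, DeviceId and VendorIds properties, and the CriticalServers and KnownVendorIds lists are placeholders you replace with your own hostnames and approved USB vendor IDs. The fourth concern (out-of-date devices) is not covered, because the connection event carries no driver or firmware version.

```kql
// Added example, not part of the original post.
// Assumptions: PnpDeviceConnected events expose ClassName, DeviceDescription,
// DeviceId and VendorIds inside AdditionalFields; the two lists below are
// placeholders to replace with your own environment's values.
let CriticalServers = dynamic(["dc01", "dc02", "exch01"]);          // assumption: short hostnames of your sensitive servers
let KnownVendorIds  = dynamic(["USB\\VID_0781", "USB\\VID_046D"]);  // assumption: USB vendor IDs you have approved
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend ClassName         = tostring(parsed.ClassName),
         DeviceDescription = tostring(parsed.DeviceDescription),
         PnpDeviceId       = tostring(parsed.DeviceId),
         VendorIds         = tostring(parsed.VendorIds)
// DeviceName is usually an FQDN, so compare only the host part with the server list
| extend ShortHost = tostring(split(DeviceName, ".")[0])
// Pull the "USB\VID_xxxx" prefix out of the vendor/product string for the allowlist check
| extend VendorId = extract(@"(USB\\VID_[0-9A-Fa-f]{4})", 1, VendorIds)
| extend Concern = case(
    ShortHost in~ (CriticalServers) and ClassName in~ ("DiskDrive", "USB", "WPD"),
        "Removable storage on critical server",
    ClassName =~ "Printer" or DeviceDescription has "print",
        "Printer connected",
    isnotempty(VendorId) and VendorId !in~ (KnownVendorIds),
        "Unknown vendor",
    "Informational")
| where Concern != "Informational"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ClassName,
          DeviceDescription, PnpDeviceId, VendorIds, Concern
| order by Timestamp desc
```

Run it in Advanced hunting first to tune the class names and vendor IDs your fleet actually produces (the ClassName values differ between storage, phones and printers), then save it as a custom detection with a 7-day lookback if you want alerts rather than a report.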