
How can I get Splunk to report when data is copied to removable media?

Jaseman32
New Member

PickleRick
SplunkTrust

As @deepakc already pointed out: you can't find something that isn't there, so unless some external source reports those events to Splunk, Splunk doesn't know about it.

While you might try to set up some form of auditing in Windows alone, you'll typically end up with either too little information or too much (you can of course even set up procmon to run all the time and try to ingest its output, but that's... not very convenient).

And that's why you end up paying big bucks for DLP systems (which can have the nice feature of enforcing policy, not just detecting when someone violates it).


deepakc
Contributor

Splunk will report on the data it has, so you first have to identify which logs or other data sources contain the data that shows data being copied to removable media; this is something you have to find out based on your systems. Once you know where the data is, you will need to ingest the data source into Splunk, extract fields, and use them to report via Splunk.


Jaseman32
New Member

Thanks for your answer; I guess I need to provide more detail. This is a Windows 11 client and Windows Server 2012 system. I was not able to find an event ID for this activity in the event manager.


deepakc
Contributor

Maybe you need to have these enabled; work with your Windows admin to get them enabled or to check for you. Or simply insert a drive and look for the logs. Here are some common event IDs that I was able to find using Google!

Some may be logged and others not when drives are added, etc., but you will have to work with your Windows admin to find out whether they have been enabled or are logging, or use Sysmon, which is a tool that also monitors and creates events. I have listed the TAs that you will need to use once you have all the logs in place.

Event ID 12: This event is logged when removable media is inserted into the computer.
Event ID 106: This event is logged when a new external storage device is connected to the system.
Event ID 20001: This event is logged by Microsoft-Windows-DriverFrameworks-UserMode when a new device is connected to the system.
Event ID 20003: This event is logged by Microsoft-Windows-DriverFrameworks-UserMode when a device is removed from the system.
Event ID 1001: This event is logged when a device is enumerated by the Plug and Play manager.
Event ID 1003: This event is logged when a device is started.
Event ID 1004: This event is logged when a device is stopped.

Splunk TAs
Windows logs: https://splunkbase.splunk.com/app/742
Sysmon logs / info: https://splunkbase.splunk.com/app/5709

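The event IDs listed above come from a web search, and which of them actually exist on a given Windows build is something you have to verify on the box itself. The following PowerShell script is an added example (not code from this thread or from any of the posters) showing how to do that check: it inventories the removable volumes attached right now and pulls recent device-arrival events for USB storage from two sources that are documented by Microsoft. It assumes Kernel-PnP events 400 (device configured) / 410 (device started) in the System log, present on Windows 8 / Server 2012 and later, and Security event 6416 ("A new external device was recognized by the system"), which needs Windows 10 / Server 2016 or later and the "Plug and Play Events" audit subcategory, so it will only show up on the Windows 11 client, not on the 2012 server. The EventData field names (DeviceInstanceId, DeviceId, DeviceDescription, ClassName) and the ClassName filter values are assumptions from those event schemas; adjust after looking at a real event. Run it elevated.

```powershell
# Added example, not code from the original thread. Inventories the removable
# volumes attached right now and pulls recent device-arrival events for USB
# storage from the Windows event logs, as a starting point for what to forward
# to Splunk. Assumptions (not stated in the thread): Kernel-PnP 400/410 in the
# System log (Windows 8 / Server 2012+); Security 6416 (Windows 10 / Server
# 2016+ with the "Plug and Play Events" audit subcategory enabled). The
# EventData field names used below are assumed from those event schemas.
# Run in an elevated PowerShell session.

param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Enable the PnP audit subcategory so 6416 is written (no-op where unsupported).
auditpol /set /subcategory:"Plug and Play Events" /success:enable | Out-Null

# Flatten an EventRecord's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $h[$_.Name] = $_.'#text' }
    return $h
}

# 1. Removable volumes present right now (Win32_LogicalDisk DriveType 2).
$attached = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    Select-Object DeviceID, VolumeName, FileSystem, Size

# 2. Kernel-PnP 400/410 in the System log, kept only for USB storage instances
#    (USBSTOR = mass storage, WPDBUSENUM = portable devices such as phones).
$pnp = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-PnP'
        Id           = 400, 410
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d['DeviceInstanceId'] -match '^(USBSTOR|WPDBUSENUM)\\') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                Source   = "Kernel-PnP $($_.Id)"
                User     = ''                       # PnP events carry no user
                Device   = $d['DeviceInstanceId']
            }
        }
    }

# 3. Security 6416 names the logged-on user, which the Kernel-PnP events do not.
$audit = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6416
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d['ClassName'] -in @('DiskDrive', 'USB', 'WPD')) {   # assumed values
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                Source   = 'Security 6416'
                User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Device   = "$($d['DeviceId']) ($($d['DeviceDescription']))"
            }
        }
    }

"Removable volumes attached now:"
$attached | Format-Table -AutoSize
"Device-arrival events in the last $Hours hours:"
@($pnp) + @($audit) | Sort-Object Time | Format-Table -AutoSize
```

If the second table stays empty after plugging in a USB stick, the event source is not enabled or not present on that build, which is exactly the "work with your Windows admin" step above. None of this tells you that a file was written to the device; it only tells you the device arrived and, with 6416, who was logged on at the time, so the Splunk side would correlate it with the file-access events discussed further down.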

Jaseman32
New Member

Thanks, yes, I'm aware of those. We have media connected to our clients for various reasons. I'm specifically looking for an alert that data is being burned onto removable media.


deepakc
Contributor

Yes, I understand it's the copy part you want; unless the system logs it, it's going to be tricky.

This may be of help, not sure. I now remember that many years ago I helped a company monitor when their important/sensitive files on a Windows Server were being accessed, copied or deleted.

We got the Windows administrator to enable security auditing for the important files (read/write/delete attributes), etc.

We then tested for files being copied/deleted/accessed; the event IDs were something like the ones below, and we sent these to Splunk and were able to monitor them for insider threats. (This was only done for the most important files, as they can generate lots of events.) If you enable these, they may contain more info as to the device as well, I can't remember, but it's worth a go.

Event ID 4656: A handle to an object was requested.

Event ID 4663: An attempt was made to access an object.

Event ID 4660: An object was deleted.

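The file-auditing approach above is the one route that does produce an event at the moment of the copy. The PowerShell script below is an added example (not the original poster's or deepakc's code) that carries it through end to end: it enables the "File System" audit subcategory, puts a SACL on a folder of sensitive files so that 4656/4663 fire, and then reads recent 4663 events to flag writes whose target path sits on a removable volume. The folder path is hypothetical, and the script assumes it is run elevated on the machine that holds the audited files. One caveat worth knowing before trying it: a write onto the USB stick is only audited if the stick is NTFS and carries its own SACL (FAT32 and exFAT have no SACL), so on the server side you normally only see the ReadData access to the source file; the write-to-removable filter in step 4 therefore does its real work on the Windows 11 client.

```powershell
# Added example, not the original poster's or deepakc's code. Enables object
# access auditing, puts a SACL on a folder of sensitive files so that Security
# events 4656/4663 fire, and reads recent 4663 events to flag writes that land
# on a removable volume. Assumptions (not stated in the thread): the folder
# path is hypothetical; run elevated on the machine that holds the audited
# files; the removable volume only yields write events if it is NTFS and has a
# SACL of its own (FAT32/exFAT carry none).

param(
    [string]$AuditPath = 'C:\Sensitive',   # hypothetical folder to audit
    [int]$Hours = 24
)

# 1. Object Access -> File System auditing, success events only.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. SACL: audit read/write/append/delete by anyone, inherited by children.
#    Changing a SACL needs SeSecurityPrivilege, hence the elevated session.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $AuditPath -Audit       # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# Flatten an EventRecord's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $h[$_.Name] = $_.'#text' }
    return $h
}

# 3. Drive letters of the removable volumes attached right now, e.g. 'E:'.
$removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
               ForEach-Object { $_.DeviceID })

# 4663 AccessMask bits: 0x1 ReadData, 0x2 WriteData, 0x4 AppendData, 0x10000 DELETE.
$writeBits = 0x2 -bor 0x4

# 4. Walk 4663 (an attempt was made to access an object) and keep writes whose
#    ObjectName (a full path such as E:\report.xlsx) is on a removable drive.
$hits = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d     = ConvertTo-EventData $_
        $mask  = [int]$d['AccessMask']          # string like '0x2' -> 2
        $drive = $removable | Where-Object { $d['ObjectName'] -like "$_\*" }
        if ($d['ObjectType'] -eq 'File' -and $drive -and ($mask -band $writeBits)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process = $d['ProcessName']
                Target  = $d['ObjectName']
                Mask    = $d['AccessMask']
            }
        }
    }

$hits | Sort-Object Time | Format-Table -AutoSize
```

Once the Windows TA linked earlier is forwarding the Security log, the same filter is just a Splunk search over event code 4663 where the object name starts with a removable drive letter and the access mask has the WriteData or AppendData bit set. Keep the SACL scoped to the folders that matter: auditing ReadData on a whole file server produces a 4663 for every open and will swamp both the event log and the Splunk licence.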

Jaseman32
New Member

That's a great idea! I'll give it a shot.
