The way that USB Defender works (and all that it does) is log all mass storage device IDs to the Windows Application Event log. The events look like this:
Log Name: Application
Source: TriGeo USB-Defender
Date: 1/31/2017 4:23:20 PM
Event ID: 32004
Task Category: None
Level: Information
Keywords: Classic
User: DOMAIN\username
Computer: HOSTNAME.domain.com
Description:
USB Device Detached
Device ID: USB\VID_0930&PID_6545\00187D0F56ACEE50D000339D
Serial number: 00187D0F56ACEE50D000339D
Device name: \\?\usb#vid_0930&pid_6545#00187d0f56acee50d000339d#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Device path: \\?\usb#vid_0930&pid_6545#00187d0f56acee50d000339d#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Friendly name:
Description: USB Mass Storage Device
Manufacturer: Compatible USB storage device
Device setup class: USB
Setup class guid: {36fc9e60-c465-11cf-8056-444553540000}
Capabilities:
Lock supported: No
Eject supported: No
Removable: Yes
Dock device: No
Unique ID: Yes
Silent install: No
Raw device ok: No
Surprise removal ok: Yes
Hardware disabled: No
Nondynamic: No
Configurations:
Disabled: No
Removed: No
Manual install: No
Ignore boot: No
Net boot: No
Reinstall: No
Failed install: No
Cannot stop a child: No
Can remove ROM: No
No remove at exit: No
Finish install: No
Needs forced configuration: No
Partial log configuration: No
Driver software key: {36fc9e60-c465-11cf-8056-444553540000}\0014
Service name: USBSTOR
Device address: 1
Bus number: 0
Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}
Device type:
Enumerator name: USB
Legacy bus type: 15
Hardware location:
Physical device object name:
Security descriptor:
Hardware IDs::
USB\VID_0930&PID_6545&REV_0100
USB\VID_0930&PID_6545
Compatible IDs:
USB\Class_08&SubClass_06&Prot_50
USB\Class_08&SubClass_06
USB\Class_08
These events are sent to LEM by the LEM Agent, and the LEM looks at the data and matches it to rules and does (or doesn't) take an action depending on how you have it set up. There is another version of the USB Defender connector (the Extended edition) that parses these events for every USB device, and then you can have LEM check those events out or run them against USB Defender Local Policy. You'll need to get that version from Support.
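As an added example (not part of the original post and not USB Defender or LEM code): a small Python parser for the Event ID 32004 description shown above, followed by an allowlist check of the kind a LEM rule would make on the parsed fields. The event text is constructed from the record above, the mass-storage test relies on the USB interface class 08 / USBSTOR service visible in that record, and the allowlist serial in the usage block is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Description body of a TriGeo USB-Defender event
# (Event ID 32004), trimmed to the fields the parser below uses. Modelled on
# the record shown on this page; not a live capture.
SAMPLE_EVENT = r"""USB Device Detached
Device ID: USB\VID_0930&PID_6545\00187D0F56ACEE50D000339D
Serial number: 00187D0F56ACEE50D000339D
Description: USB Mass Storage Device
Manufacturer: Compatible USB storage device
Service name: USBSTOR
Hardware IDs::
USB\VID_0930&PID_6545&REV_0100
USB\VID_0930&PID_6545
Compatible IDs:
USB\Class_08&SubClass_06&Prot_50
USB\Class_08&SubClass_06
USB\Class_08
"""

# First line of the description carries the action.
ACTION_RE = re.compile(r"^USB Device (Attached|Detached)\s*$")
# Device ID has the form USB\VID_xxxx&PID_xxxx\<serial or instance id>.
DEVICE_ID_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(\S+)", re.I)
# USB interface class 08 is Mass Storage; it appears among the Compatible IDs.
MASS_STORAGE_RE = re.compile(r"^USB\\Class_08\b", re.M)


@dataclass(frozen=True)
class UsbEvent:
    action: str          # "Attached" or "Detached"
    vid: str             # USB vendor id, 4 hex digits
    pid: str             # USB product id, 4 hex digits
    serial: str          # device instance / serial from the Device ID
    description: str     # e.g. "USB Mass Storage Device"
    is_mass_storage: bool


def parse_usb_defender_event(text: str) -> UsbEvent:
    """Turn one 32004 description body into structured fields."""
    lines = text.strip().splitlines()
    action_match = ACTION_RE.match(lines[0].strip())
    if not action_match:
        raise ValueError("not a USB Defender attach/detach event: %r" % lines[0])

    # Remaining "Key: value" lines; bare ID lines (no colon) are skipped here.
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()

    dev = DEVICE_ID_RE.search(fields.get("Device ID", ""))
    if not dev:
        raise ValueError("Device ID missing or malformed")
    vid, pid, serial = dev.group(1).upper(), dev.group(2).upper(), dev.group(3)

    is_mass_storage = (
        fields.get("Service name", "").upper() == "USBSTOR"
        or MASS_STORAGE_RE.search(text) is not None
    )
    return UsbEvent(action_match.group(1), vid, pid, serial,
                    fields.get("Description", ""), is_mass_storage)


def evaluate(event: UsbEvent, allowed_serials: frozenset) -> str:
    """Minimal allowlist rule in the spirit of a LEM correlation rule:
    only mass-storage attaches are interesting; unknown serials raise an alert."""
    if event.action != "Attached" or not event.is_mass_storage:
        return "ignore"
    return "allow" if event.serial in allowed_serials else "alert"


if __name__ == "__main__":
    # Placeholder allowlist: the sample device's own serial, to show the "allow" path.
    approved = frozenset({"00187D0F56ACEE50D000339D"})
    detached = parse_usb_defender_event(SAMPLE_EVENT)
    attached = parse_usb_defender_event(SAMPLE_EVENT.replace("Detached", "Attached", 1))
    for ev in (detached, attached):
        print(ev.action, ev.vid, ev.pid, ev.serial, "->", evaluate(ev, approved))
```

The parser deliberately keys on the Device ID rather than the "Serial number" line, because the Device ID is present in every 32004 record while the serial field is just a convenience copy of its last component; the allowlist check is the piece you would replace with whatever policy LEM or USB Defender Local Policy is meant to enforce.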