A community member sought assistance with creating a ControlUp trigger or alert to detect when storage devices are added to a physical endpoint and assigned a drive letter or mounted. The data relevant to this event is visible in the ControlUp 4D (CU4D) Performance tab under the Operating System location and stored in the _devices index. Specifically, the data is found in the os_disk_configuration field, which contains a JSON array showing details about mounted drives, including drive letters. The user’s challenge was to configure an alert that could detect any newly mounted drive except the system drive C:\ without having to set multiple alerts for every potential drive letter (e.g., D:\, E:\, etc.). They noted the lack of regex support in the filter queries limited their options.
The issue arises because the os_disk_configuration field holds a JSON array with multiple drive entries, and every Windows device carries a drive_letter "C:\" entry in that array, so a naive filter that excludes "C:\" removes the whole field rather than just that entry. Attempts to use a "does not contain" filter eliminated all Windows devices, leaving only macOS devices, which defeats detection on Windows endpoints. The user also tried to narrow the focus to removable media but noted that their security team's use case requires alerting on any disk; a newly mounted drive letter remains the best indicator available.
Advice provided during the discussion included adding filters for platform or OS to ensure the alert targets only Windows devices (e.g., platform set to 1 or OS equals Windows). This helped reduce irrelevant results but did not completely solve the filtering problem. Suggestions included playing with additional filters such as combining conditions to exclude drive_letter “C:\” while explicitly including removable devices, though this required trial and error. A recommendation was to test filter configurations in the CU4D index view, including setting the platform to 1 to target Windows devices specifically.
Ultimately, the thread highlights the challenge in using ControlUp’s current filtering capabilities on complex JSON arrays like os_disk_configuration for dynamic drive letters without regex support. The workaround involves narrowing the scope by platform/OS filters and experimenting with composite negation filters, although a straightforward out-of-the-box solution for this specific alert scenario is limited. Users needing comprehensive coverage for any drive letter other than C:\ must create a series of alerts or await enhanced filter features. For now, leveraging the detailed disk configuration data in the _devices index with strategic filter layering is the best approach.
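To make the failure mode concrete, here is an added Python example (not ControlUp's code or anything posted in the thread) that runs both approaches over constructed _devices records: the whole-field "does not contain C:\" test the thread tried, and the per-entry check that the filter cannot express. The drive_letter key and the platform value 1 for Windows come from the discussion; the record names, the other keys and the exact array layout are assumptions.

```python
import json

SYSTEM_DRIVE = "C:\\"

# Constructed sample _devices records. Only drive_letter (from the thread) and
# platform == 1 for Windows (from the thread) are grounded; the rest is assumed.
SAMPLE_DEVICES = [
    {"name": "win-1", "platform": 1,
     "os_disk_configuration": json.dumps([{"drive_letter": "C:\\"}])},
    {"name": "win-2", "platform": 1,
     "os_disk_configuration": json.dumps(
         [{"drive_letter": "C:\\"}, {"drive_letter": "E:\\"}])},
    {"name": "mac-1", "platform": 2,
     "os_disk_configuration": json.dumps([{"mount_point": "/"}])},
]


def naive_does_not_contain(device):
    """The 'does not contain C:\\' filter from the thread: a substring test over the
    whole field. Every Windows device has a C:\\ entry, so only macOS devices survive."""
    return SYSTEM_DRIVE not in device["os_disk_configuration"]


def non_system_drives(device):
    """Per-entry logic the filter lacks: parse the array and keep every drive letter
    other than the system drive. Unparseable or non-Windows layouts yield nothing."""
    try:
        entries = json.loads(device["os_disk_configuration"])
    except (TypeError, ValueError):
        return []
    return sorted(
        e["drive_letter"] for e in entries
        if isinstance(e, dict) and e.get("drive_letter")
        and e["drive_letter"].upper() != SYSTEM_DRIVE
    )


def alert_devices(devices, platform=1):
    """Devices on the given platform (1 = Windows, per the thread) that currently
    expose at least one non-system drive letter; this is the set to alert on."""
    return {
        d["name"]: non_system_drives(d)
        for d in devices
        if d.get("platform") == platform and non_system_drives(d)
    }
```

Running both over the sample shows the naive filter keeping only mac-1, while the per-entry check flags win-2 for its E:\ mount and ignores win-1.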
For further reading on creating and troubleshooting alerts and filters in ControlUp, users can consult official documentation at https://docs.controlup.com and explore ControlUp Academy resources at https://cuacademy.controlup.com.
Read the entire ‘How to Alert on Added Storage Devices by Drive Letter in ControlUp Using os_disk_configuration Filters’ thread below:
Question – trying to do a trigger/alert for when storage devices are added to a physical endpoint and assigned a drive letter/mounted. Within the CU4D performance tab I can see the data in Operating System location, which I know gets saved to the _devices index. The column I am looking to report on is the os_disk_configuration, which is able to return the same data I see in the Performance Tab dashboard.
The issue I am running into is someone could mount a device with a different letter than D, so I'd want there to be the ability to search for any drive letter other than C. Unfortunately, since this is in the same JSON array, I can't filter out conditions where `[{"drive_letter":"C:\\"` is found, as it will just remove all of the possible data. I'd also like to avoid creating 25 different alerts where I would change the os_disk_configuration filter to `drive_letter":"D:\\`, then `drive_letter":"E:\\`, etc., and it doesn't look like the filter supports a regex query.
Also, I attempted to create a similar alert specifically looking for removable media, but a use case that is important to our information security team is ANY disk and so far, mounted drive letter is the best way I can accomplish that with my current knowledge.
Any ideas?
I hope this makes sense and I'll also need to try/test in the morning
But you could look at creating the alert to alert if something gets mounted that doesn't contain C drive
If I do a "does not contain" filter it wipes all of my Windows devices out and only shows Mac
You are using _devices I think there should be a platform or OS
So you can set the platform to 1 for Windows or OS to Windows
So it must be Windows and then the doesn't contain C
Think *
Looks like it is still excluding it
I'll play with this in the morning and let you know
Try putting 1 in the max in platform
os_..disk -!