Just spit balling here but Windows Events might have an EventID for new USB devices. If so you can use the

windows_eventlog

table to query that event ID

Another option would be to use the kolide_wmi table and run something like this:

WITH pnp_raw AS (
  SELECT * FROM kolide_wmi WHERE class = 'Win32_PnPEntity' AND properties = 'Availability,Caption,ClassGuid,CompatibleID,ConfigManagerErrorCode,ConfigManagerUserConfig,CreationClassName,Description,DeviceID,ErrorCleared,ErrorDescription,HardwareID,InstallDate,LastErrorCode,Manufacturer,Name,PNPClass,PNPDeviceID,PowerManagementCapabilities,PowerManagementSupported,Present,Service,Status,StatusInfo,SystemCreationClassName,SystemName'),
pivot_wmi AS (
  SELECT 
    MAX(CASE WHEN key = 'Availability' THEN value END) AS availability,
    MAX(CASE WHEN key = 'Caption' THEN value END) AS caption,
    MAX(CASE WHEN key = 'ClassGuid' THEN value END) AS class_guid,
    MAX(CASE WHEN key = 'CompatibleID' THEN value END) AS compatible_id,
    MAX(CASE WHEN key = 'ConfigManagerErrorCode' THEN value END) AS config_mgr_err_code,
    MAX(CASE WHEN key = 'ConfigManagerUserConfig' THEN value END) AS config_mgr_user_config,
    MAX(CASE WHEN key = 'CreationClassName' THEN value END) AS creation_class_name,
    MAX(CASE WHEN key = 'Description' THEN value END) AS description,
    MAX(CASE WHEN key = 'DeviceID' THEN value END) AS device_id,
    MAX(CASE WHEN key = 'ErrorCleared' THEN value END) AS error_cleared,
    MAX(CASE WHEN key = 'ErrorDescription' THEN value END) AS error_description,
    MAX(CASE WHEN key = 'HardwareID' THEN value END) AS hardware_id,
    MAX(CASE WHEN key = 'InstallDate' THEN value END) AS install_date,
    MAX(CASE WHEN key = 'LastErrorCode' THEN value END) AS last_error_code,
    MAX(CASE WHEN key = 'Manufacturer' THEN value END) AS manufacturer,
    MAX(CASE WHEN key = 'Name' THEN value END) AS name,
    MAX(CASE WHEN key = 'PNPClass' THEN value END) AS pnp_class,
    MAX(CASE WHEN key = 'PNPDeviceID' THEN value END) AS pnp_device_id,
    MAX(CASE WHEN key = 'PowerManagementCapabilities' THEN value END) AS pwr_mgmt_capabilities,
    MAX(CASE WHEN key = 'PowerManagementSupported' THEN value END) AS pwr_mgmt_supported,
    MAX(CASE WHEN key = 'Present' THEN value END) AS present,
    MAX(CASE WHEN key = 'Service' THEN value END) AS service,
    MAX(CASE WHEN key = 'Status' THEN value END) AS status,
    MAX(CASE WHEN key = 'StatusInfo' THEN value END) AS status_info,
    MAX(CASE WHEN key = 'SystemCreationClassName' THEN value END) AS system_creation_class_name,
    MAX(CASE WHEN key = 'SystemName ' THEN value END) AS system_name
  FROM pnp_raw
  GROUP BY parent)
SELECT * FROM pivot_wmi WHERE pnp_class = 'USBDevice'

your tip for looking at the "disk_info" table was the one that suited me so I can filter through the "USB" type field and get the following example result Disk drive13997486080Kingston DataTraveler 2.0 USB Device\\.\PHYSICALDRIVE1(Standard disk drives)\\.\PHYSICALDRIVE11USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\0013729B6EB8F9B0361F0EB6&00013729B6EB8F9B0361F0EB6