Alert USB activity

BoonHwee — Mon, 04 Oct 2021 15:47:14 GMT

Hi community,

Can I check is there any one create a alert if a user copied more than a certain number of files into a USB drive?

Thank You, Cheers!

Re: Alert USB activity

WSeldenIII — Mon, 04 Oct 2021 16:31:17 GMT

Hi @BoonHwee Cortex XDR analytics offers the ability to detect and alert anomalies with USB storage activity. The following are just two XDR analytics alert references:

Possible data exfiltration over a USB storage device
Possible internal data exfiltration over a USB storage device

Please note, Cortex XDR analytics requires an XDR Pro license, and the USB Storage Device alerts have required data sources (Palo Alto Networks Firewall Logs and XDR agent), and a required detection module with the Identity Analytics.

In terms of XDR Device Control, the feature is designed to block or allow USB-connected removable devices depending on how you have configured your Device Configuration - Extensions profile. If I understand the scope of your question correctly, then the device control configuration option is not available at this time. If you would like to request feature enhancements to device control / alerting, then please coordinate with your XDR SE or Customer Success POCs where applicable.

topic Alert USB activity in Cortex XDR Discussions

Alert USB activity

Re: Alert USB activity