https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/515956#M2905 <P><SPAN>Hi Max,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Device Control instances under Endpoints &gt; Device Control Violations monitor all attempts to connect </SPAN><STRONG>restricted</STRONG><SPAN> USB-connected devices to Cortex XDR. Because of this, your instances of device allowance will not appear in this output menu.</SPAN></P> <P>&nbsp;</P> <P><SPAN>You are correct that the block would apply to all of the network adapters in Windows. With Device Control exceptions, you are able to create exceptions to this baseline block by adding your trusted network adapter connections.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Permanent/temporary exceptions for your network can be made under Endpoints &gt; Policy Management &gt; Extensions &gt; Device Permanent/Temporary Exceptions. To tune exceptions for particular endpoints, this can be configured to your Device Exceptions profile under Endpoints &gt; Policy Management &gt; Extensions &gt; Profiles.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mfakhouri_0-1664210698831.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44149i2EA53D5EFFFF3C0F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="mfakhouri_0-1664210698831.png" alt="mfakhouri_0-1664210698831.png" /></span></P> <P>&nbsp;</P> <P>Add your trusted device types here. Your custom network adapter type should come up under "custom device types". Add the corresponding vendor and product or serial number as well.&nbsp;</P> <P>&nbsp;</P> <P><SPAN>After setting your device control policy to block network adapter connections, the configured devices should be exempt from the block.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Further reading:</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/device-control" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/device-control</A></SPAN></P> Mon, 26 Sep 2022 17:09:30 GMT mfakhouri 2022-09-26T17:09:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/515703#M2872 <P>Hello,&nbsp;<BR /><BR />In my last post I was asking if Cortex XDR was able to block USB network connections and the answer was that by default not.&nbsp;</P> <P>&nbsp;</P> <P>However thanks to the solution I was able to find a settings that lets you add a new device for device control module. This way I connected the smartphone via USB, started USB internet sharing and found the specific device.&nbsp;<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="maksymilianjan_0-1663857995892.png" style="width: 540px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44083i08E4378E2922F9EE/image-dimensions/540x18/is-moderation-mode/true?v=v2" width="540" height="18" role="button" title="maksymilianjan_0-1663857995892.png" alt="maksymilianjan_0-1663857995892.png" /></span></P> <P>&nbsp;</P> <P>Now, to add this device in Cortex you need the GUID and add it as a new device:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="maksymilianjan_2-1663858118111.png" style="width: 294px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44085i97A3976385D471F0/image-dimensions/294x300/is-moderation-mode/true?v=v2" width="294" height="300" role="button" title="maksymilianjan_2-1663858118111.png" alt="maksymilianjan_2-1663858118111.png" /></span></P> <P>&nbsp;</P> <P>However this&nbsp;4d36e972-e325-11ce-bfc1-08002be10318 GUID is the same for (i suspect) all of the network adapters in windows.&nbsp;</P> <P>&nbsp;</P> <P>This way there is no ability to block *only* this behavior right? I configured the policy with this device for only "Allow" actions but no events were shown even after tests. Does the "allow" policy in cortex xdr device management works same as a report setting?</P> <P>&nbsp;</P> <P>If this is not possible, is there any other way to block this kind of connections through smartphones (or even other USB portable network adapters).<BR /><BR />Thanks!!<BR /><BR />Max</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Sep 2022 14:51:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/515703#M2872 maksymilianjan 2022-09-22T14:51:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/515956#M2905 <P><SPAN>Hi Max,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Device Control instances under Endpoints &gt; Device Control Violations monitor all attempts to connect </SPAN><STRONG>restricted</STRONG><SPAN> USB-connected devices to Cortex XDR. Because of this, your instances of device allowance will not appear in this output menu.</SPAN></P> <P>&nbsp;</P> <P><SPAN>You are correct that the block would apply to all of the network adapters in Windows. With Device Control exceptions, you are able to create exceptions to this baseline block by adding your trusted network adapter connections.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Permanent/temporary exceptions for your network can be made under Endpoints &gt; Policy Management &gt; Extensions &gt; Device Permanent/Temporary Exceptions. To tune exceptions for particular endpoints, this can be configured to your Device Exceptions profile under Endpoints &gt; Policy Management &gt; Extensions &gt; Profiles.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mfakhouri_0-1664210698831.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44149i2EA53D5EFFFF3C0F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="mfakhouri_0-1664210698831.png" alt="mfakhouri_0-1664210698831.png" /></span></P> <P>&nbsp;</P> <P>Add your trusted device types here. Your custom network adapter type should come up under "custom device types". Add the corresponding vendor and product or serial number as well.&nbsp;</P> <P>&nbsp;</P> <P><SPAN>After setting your device control policy to block network adapter connections, the configured devices should be exempt from the block.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Further reading:</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/device-control" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/device-control</A></SPAN></P> Mon, 26 Sep 2022 17:09:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/515956#M2905 mfakhouri 2022-09-26T17:09:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/516167#M2913 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222081">@maksymilianjan</a>&nbsp;</P> <P>&nbsp;Probably its not going to show in device control as its not considered as portable device or disk drive</P> <P>&nbsp;</P> <P>First try this XQL query if its shows :</P> <P><SPAN>preset = device_control<BR />| fields agent_hostname as hostname, action_device_usb_product_name as product, &nbsp;action_device_usb_vendor_name as vendor, action_device_usb_serial_<WBR />number as serial_number<BR />| dedup hostname, product, vendor, serial_number&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>If it doesnt.. try this..then from result, you can explore and try to find the device.</SPAN></P> <P><SPAN>preset = xdr_registry<BR />| filter agent_hostname="Hostname" // add hostname that usb was seen on here<BR />| filter lowercase(action_registry_full_key) ~= "enum.*usb"</SPAN></P> Wed, 28 Sep 2022 05:40:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/516167#M2913 jcandelaria 2022-09-28T05:40:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/518510#M3038 <P>Hey,&nbsp;</P> <P>&nbsp;</P> <P>Sorry for the late reply but this was a lifesaver as I did not know that XQL will show more events.</P> <P>&nbsp;</P> <P>Now there are devices like:&nbsp;Galaxy series, misc. (tethering mode) which is just what I was looking for.&nbsp;</P> <P><BR />Also, just FYI I made this BIOC rule for detecting the activity via registry changes (needs some tuning):</P> <P>&nbsp;</P> <P>preset = xdr_registry <BR />| filter (action_registry_key_name = """HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\usbrndis*\\Enum""") <BR />| filter (action_registry_data contains """USB\\VID""")</P> <P>&nbsp;</P> <P>Regards.</P> Thu, 20 Oct 2022 11:39:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/518510#M3038 maksymilianjan 2022-10-20T11:39:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/540752#M4271 <P>Is there any device control API endpoint to xdr cortex?</P> Tue, 02 May 2023 10:38:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/540752#M4271 aaminahassan 2023-05-02T10:38:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/540865#M4276 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/288862">@aaminahassan</a>&nbsp;</P> <P>&nbsp;</P> <P>Did understood your question or ask, could you share your use case or example for your query? Is your ask for api to get list of device control violations? If yes, we do have api for that you may refer here&nbsp;<A href="https://cortex-panw.stoplight.io/docs/cortex-xdr/284c7d894406d-get-violations" target="_self">Get Violations</A></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Thanks</P> <P>&nbsp;</P> Wed, 03 May 2023 05:18:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/540865#M4276 PiyushKohli 2023-05-03T05:18:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/540867#M4278 <P><SPAN>I want to&nbsp; whitelist USB using&nbsp; API call.<BR />Under device control I can see only get_violations. I can get_violations of device but don't know the exact parameters/API end point to whitelist the device. like serial number /vendor etc to be used in which call?</SPAN></P> Wed, 03 May 2023 05:22:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/540867#M4278 aaminahassan 2023-05-03T05:22:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/541040#M4292 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/288862">@aaminahassan</a>&nbsp;</P> <P>Currently the only way to whitelist the device would be through UI under Device exceptions.&nbsp;</P> <P>Reference: <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Device-Control?section=UUID-213a05b7-fac8-8a21-8286-5818459654a9_idcf547473-46ef-485e-9b58-acf1e9f37097" target="_self">Device Control</A><BR /><BR /></P> <P>Thanks</P> Thu, 04 May 2023 10:29:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/541040#M4292 PiyushKohli 2023-05-04T10:29:18Z