https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560630#M5268 <P>Can I create a rule to generate an event for detecting USB Plugged?? Is there any method to detect USB Plugged in event using cortex?? If so how??</P> Thu, 05 Oct 2023 06:32:24 GMT Tharaka-Wijesinghe 2023-10-05T06:32:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560630#M5268 <P>Can I create a rule to generate an event for detecting USB Plugged?? Is there any method to detect USB Plugged in event using cortex?? If so how??</P> Thu, 05 Oct 2023 06:32:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560630#M5268 Tharaka-Wijesinghe 2023-10-05T06:32:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560645#M5269 <P>Hello Tharaka,</P> <P>&nbsp;</P> <P><SPAN>USB Device plugin alert may not be possible but definitely you should be able to create a BIOC rule for USB/RemovableMedia file operation, process operation activity with a low severity priority which will only trigger an alert in Alerts Table but not create an Incident.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Let me know, if that helps.</SPAN></P> Thu, 05 Oct 2023 07:58:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560645#M5269 aspatil 2023-10-05T07:58:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560774#M5281 <P>So this will trigger an event only if any of file in the pen drive is clicked???</P> Fri, 06 Oct 2023 04:29:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560774#M5281 Tharaka-Wijesinghe 2023-10-06T04:29:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560796#M5282 <P>Hello Tharaka,</P> <P>&nbsp;</P> <P>You can try with below BIOC query and play around it:</P> <P><SPAN>preset = xdr_registry</SPAN><BR /><SPAN>| filter (action_registry_key_name contains "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\Enum" and event_sub_type = REGISTRY_CREATE_KEY)<BR /><BR />Or you can&nbsp;</SPAN>consider using the following BIOC to raise alerts when a USB device is plugged in.</P> <P>You can play around with the filters to whitelist allowed device IDs/vendors.</P> <P>dataset = xdr_data</P> <P>| filter event_type = device and event_sub_type = Device Plug</P> <P>&nbsp;</P> <P>Let me know if that helps. Kindly mark accept as solution.</P> <P>&nbsp;</P> <P>Thanks!!</P> <P>&nbsp;</P> Fri, 06 Oct 2023 07:07:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560796#M5282 aspatil 2023-10-06T07:07:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560822#M5283 <P>Can you describe the above two queries? The problem is my plugged in USB devices details are reside on below location.&nbsp;</P> <P>&nbsp;</P> <P>Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</P> <P>&nbsp;</P> <P>And what is this "<SPAN>event_sub_type = REGISTRY_CREATE_KEY" ??</SPAN></P> Fri, 06 Oct 2023 10:58:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/560822#M5283 Tharaka-Wijesinghe 2023-10-06T10:58:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/561763#M5346 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262749">@Tharaka-Wijesinghe</a>&nbsp;</P> <P>&nbsp;</P> <P>You may refer <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/its-possibele-to-see-which-are-the-endpoint-accesing-usb/td-p/561642" target="_self">here</A> as well.&nbsp;</P> <P>&nbsp;</P> <P>Feel free to write back if you have further query.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Mon, 16 Oct 2023 03:12:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/new-pen-drive-plugged-in-detected/m-p/561763#M5346 PiyushKohli 2023-10-16T03:12:52Z