USB Use - empty results table rows

PaulThomas00 — Tue, 05 Mar 2024 20:07:53 GMT

Hello,

Currently I am monitoring USB device use within my tenant, with the following query:

config case_sensitive = false | preset = device_control | join (dataset = endpoints ) as EP EP.endpoint_name = agent_hostname | filter event_sub_type = ENUM.MOUNT_DRIVE_MOUNT | dedup agent_hostname | fields _time, agent_hostname, user, agent_ip_addresses, agent_os_type, action_device_usb_vendor_name, action_device_bus_type, action_device_class_guid, agent_ip_addresses, action_device_class_name, action_device_usb_vendor_id, action_device_usb_product_id, event_type, event_sub_type, active_directory | sort desc _time

This mostly yields good results however I'm a just wondering what these rows with no values and the action_device_bus_type = action_device_bus_type_0

Example output:

If anyone has any idea that would help thank you.

Re: USB Use - empty results table rows

jmazzeo — Thu, 07 Mar 2024 13:44:40 GMT

Hi @PaulThomas00, thanks for reaching us using the Live Community.

I ran the same query in my lab, and found some similar results.

Then I created a new basic XQL Query to search for the same event in the xdr_data dataset, and found that the process creating those mounting events are system itself for the recovery volume:

In Windows shows a similar behavior, but with less details. Probably is the OS mounting the recovery partition and creating a recovery point.

Check it in your end and let us know:

dataset = xdr_data | filter event_sub_type = ENUM.MOUNT_DRIVE_MOUNT | filter (agent_hostname = """HOSTNAME""")

topic Re: USB Use - empty results table rows in Cortex XDR Discussions

USB Use - empty results table rows

Re: USB Use - empty results table rows