https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usb-drive-alert/m-p/1000224#M7669 <P class="lia-align-justify">kindly we need your support, I want to get alert when a USB drive<SPAN>&nbsp;is connected to workstation and not blocked by Symantec AV.</SPAN></P> <P class="lia-align-justify">I have tried several times with correlation rule, I found XQL query very effective, and it is as follows:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-SPOILER>config case_sensitive = false<BR />| preset = device_control <BR />| filter event_sub_type = ENUM.MOUNT_DRIVE_MOUNT<BR />| fields agent_hostname, _time as mount_time, action_device_bus_type, action_device_class_name<BR />| filter action_device_bus_type = 1 and action_device_class_name = "disk"<BR />| sort desc mount_time<BR />| join (<BR />config case_sensitive = false<BR />| preset = device_control<BR />| filter event_sub_type = ENUM.MOUNT_DRIVE_UNMOUNT<BR />| fields agent_hostname, _time as unmount_time, action_device_bus_type, action_device_class_name<BR />| filter action_device_bus_type = 1 and action_device_class_name = "disk"<BR />| sort desc unmount_time<BR />) as F F.agent_hostname = agent_hostname<BR />| filter unmount_time &gt; mount_time<BR />| alter time_diff_Second = timestamp_diff( unmount_time , mount_time, "SECOND") , time_diff_Minute = timestamp_diff( unmount_time , mount_time, "MINUTE")<BR />|filter <FONT color="#FF0000">time_diff_Second &gt;= 20 //because the <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Symantec</SPAN></SPAN> blocks the devices before 20s i want alert who have the privilege to use it</FONT><BR />| fields agent_hostname, mount_time, unmount_time as unmount_time, time_diff_Second, time_diff_Minute</LI-SPOILER> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">This code is effective because I found that Symantec AV blocks the USB between about 2 to 20 seconds, and I was able to show almost correct results. It works on XQL Search but when I save it as correlation rule does not give an alert and does not accept to be added in BIOC because it uses (Config).</SPAN></SPAN></P> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> Is there a way by changing the code that I can get alerts ether on correlation or BIOC rule?</SPAN></SPAN> <SPAN class="jCAhz"><SPAN class="ryNqvb">Or if there another code please support us.</SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</SPAN></P> Tue, 07 Jan 2025 07:31:03 GMT F.Alsalem 2025-01-07T07:31:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usb-drive-alert/m-p/1000224#M7669 <P class="lia-align-justify">kindly we need your support, I want to get alert when a USB drive<SPAN>&nbsp;is connected to workstation and not blocked by Symantec AV.</SPAN></P> <P class="lia-align-justify">I have tried several times with correlation rule, I found XQL query very effective, and it is as follows:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-SPOILER>config case_sensitive = false<BR />| preset = device_control <BR />| filter event_sub_type = ENUM.MOUNT_DRIVE_MOUNT<BR />| fields agent_hostname, _time as mount_time, action_device_bus_type, action_device_class_name<BR />| filter action_device_bus_type = 1 and action_device_class_name = "disk"<BR />| sort desc mount_time<BR />| join (<BR />config case_sensitive = false<BR />| preset = device_control<BR />| filter event_sub_type = ENUM.MOUNT_DRIVE_UNMOUNT<BR />| fields agent_hostname, _time as unmount_time, action_device_bus_type, action_device_class_name<BR />| filter action_device_bus_type = 1 and action_device_class_name = "disk"<BR />| sort desc unmount_time<BR />) as F F.agent_hostname = agent_hostname<BR />| filter unmount_time &gt; mount_time<BR />| alter time_diff_Second = timestamp_diff( unmount_time , mount_time, "SECOND") , time_diff_Minute = timestamp_diff( unmount_time , mount_time, "MINUTE")<BR />|filter <FONT color="#FF0000">time_diff_Second &gt;= 20 //because the <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Symantec</SPAN></SPAN> blocks the devices before 20s i want alert who have the privilege to use it</FONT><BR />| fields agent_hostname, mount_time, unmount_time as unmount_time, time_diff_Second, time_diff_Minute</LI-SPOILER> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">This code is effective because I found that Symantec AV blocks the USB between about 2 to 20 seconds, and I was able to show almost correct results. It works on XQL Search but when I save it as correlation rule does not give an alert and does not accept to be added in BIOC because it uses (Config).</SPAN></SPAN></P> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> Is there a way by changing the code that I can get alerts ether on correlation or BIOC rule?</SPAN></SPAN> <SPAN class="jCAhz"><SPAN class="ryNqvb">Or if there another code please support us.</SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</SPAN></P> Tue, 07 Jan 2025 07:31:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usb-drive-alert/m-p/1000224#M7669 F.Alsalem 2025-01-07T07:31:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usb-drive-alert/m-p/1085865#M7746 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/245441137">@F.Alsalem</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching on LiveCommunity!</P> <P>The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. Currently, you cannot create a BIOC rule on customized datasets and only the filter stage, alter stage, and functions without any aggregations are supported for XQL queries that define a BIOC.&nbsp;</P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Wed, 15 Jan 2025 17:46:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usb-drive-alert/m-p/1085865#M7746 nsinghvirk 2025-01-15T17:46:54Z