Cortex XDR Query for USB/External Drive Usage

Prashanta — Sun, 02 Mar 2025 02:59:31 GMT

Hi Family

Good morning.

I am trying to filter the timeframe when a user last connected a USB flash drive or external hard drive using a Cortex XDR query. However, the following query did not return the expected results:

I would like to retrieve details such as the user, vendor, timestamp, and device name. Could you please assist me in refining the query to achieve the desired output?

Re: Cortex XDR Query for USB/External Drive Usage

SeanDeHarris — Mon, 03 Mar 2025 03:01:56 GMT

FYI, I used this to retrive filename from USB drive

Hope this helps

dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW // Looking for file creation events
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number") // Getting details about the device a file was created on
| filter drive_type = "2" // Filtering by drive type 2 which is 'Removable Media'
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number, event_type, event_sub_type // Selecting the relevant fields

topic Cortex XDR Query for USB/External Drive Usage in Cortex XDR Discussions

Cortex XDR Query for USB/External Drive Usage

Re: Cortex XDR Query for USB/External Drive Usage