<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cortex XDR Device Control Violation Query in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232018#M8450</link>
    <description>&lt;P data-start="144" data-end="157"&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/928866483"&gt;@A.Elzedy&lt;/a&gt;,&lt;/P&gt;
&lt;P data-start="144" data-end="157"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-start="159" data-end="181"&gt;Thanks for this query.&lt;/P&gt;
&lt;P data-start="159" data-end="181"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-start="183" data-end="401"&gt;I’m seeing multiple results, but at the same time, I’m only seeing 18 results under the &lt;STRONG data-start="271" data-end="300"&gt;Device Control Violations&lt;/STRONG&gt; tab in the Cortex XDR management console. I’m expecting the same number of results in the XQL query.&lt;/P&gt;
&lt;P data-start="403" data-end="681"&gt;&lt;STRONG data-start="403" data-end="419"&gt;Please note:&lt;/STRONG&gt; Device Control policy is only enabled in block mode on 18 machines. The XDR agent has successfully prevented actions on these machines, and the violations are visible in the tab—18 results in total. Therefore, we expect the XQL query to return the same results.&lt;/P&gt;</description>
    <pubDate>Wed, 18 Jun 2025 09:49:15 GMT</pubDate>
    <dc:creator>Vinothkumar_SBA</dc:creator>
    <dc:date>2025-06-18T09:49:15Z</dc:date>
    <item>
      <title>Cortex XDR Device Control Violation Query</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1231081#M8381</link>
      <description>&lt;P&gt;Hi Team,&lt;/P&gt;
&lt;P&gt;How can I check device control violations using an XQL query? I have tried the query preset = device_control but I am only seeing details for USB device violations. I am expecting to see Bluetooth violations as well. Is this possible? If yes, please guide me.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jun 2025 12:35:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1231081#M8381</guid>
      <dc:creator>Vinothkumar_SBA</dc:creator>
      <dc:date>2025-06-05T12:35:01Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Device Control Violation Query</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1231341#M8393</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138"&gt;@Vinothkumar_SBA&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for reaching out to us.&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;You may test with Bluetooth devices GUIDs (Globally Unique Identifiers) (action_device_class_guid) which are used to uniquely identify Bluetooth devices and are commonly used in Bluetooth device pairing and communication protocols or Vendor ID, Product ID and Serial using the field schema in the device control preset or xdr_data.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 09 Jun 2025 18:27:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1231341#M8393</guid>
      <dc:creator>nsinghvirk</dc:creator>
      <dc:date>2025-06-09T18:27:46Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Device Control Violation Query</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1231442#M8399</link>
      <description>&lt;P class="whitespace-normal break-words"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="whitespace-normal break-words"&gt;&lt;STRONG&gt;I agree with&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101"&gt;@nsinghvirk&lt;/a&gt;&amp;nbsp;'s recommendation.&lt;/STRONG&gt; The &lt;CODE class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]"&gt;preset = device_control&lt;/CODE&gt; has limited coverage and primarily captures USB mount/unmount events, which explains why &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138"&gt;@Vinothkumar_SBA&lt;/a&gt;&amp;nbsp; isn't seeing Bluetooth violations.&lt;/P&gt;
&lt;P class="whitespace-normal break-words"&gt;I've developed a query against &lt;CODE class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]"&gt;xdr_data&lt;/CODE&gt; that addresses some potential security violations. The query aggregates findings by violation type, making it easy to prioritize investigations and track device activity across your environment.&lt;/P&gt;
&lt;P class="whitespace-normal break-words"&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138"&gt;@Vinothkumar_SBA&lt;/a&gt;&amp;nbsp;, this query should give you the Bluetooth violation visibility you're looking for, along with some enhanced USB device monitoring capabilities.&lt;/P&gt;
&lt;P class="whitespace-normal break-words"&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;dataset = xdr_data 
| filter _time &amp;gt; to_timestamp(subtract(to_epoch(current_time()), 604800), "SECONDS") //7 days

// Comprehensive device control event detection
| filter (
    // USB Device detection using actual USB fields
    action_device_usb_vendor_name != null or 
    action_device_usb_product_name != null or
    action_device_usb_vendor_id != null or
    
    // Bluetooth Registry Violations
    (event_type = 4 and event_sub_type = 4 and 
        action_registry_key_name contains "BTHLEDevice") or
    
    // Process events involving device drivers
    (event_type = 1 and action_process_image_name in (
        "pnputil.exe", "devcon.exe", "driverquery.exe"
    )) or
    
    // Registry events for device policies
    (event_type = 4 and action_registry_key_name contains "DeviceInstall")
)

// Device violation classification
| alter 
    violation_type = if(
        action_device_usb_vendor_name != null, "🔌 USB_DEVICE_CONNECTED",
        action_device_usb_vendor_id != null, "🔌 USB_DEVICE_DETECTED",
        action_registry_key_name contains "BTHLEDevice", "📱 BLUETOOTH_ACTIVITY",
        action_registry_key_name contains "DeviceInstall", "⚙️ DEVICE_POLICY_CHANGE",
        action_process_image_name in ("pnputil.exe", "devcon.exe"), "🔧 DEVICE_MANAGEMENT_TOOL",
        "🔍 OTHER_DEVICE_EVENT"
    ),
    
    risk_level = if(
        action_device_usb_vendor_name = null and action_device_usb_product_name = null and action_device_usb_vendor_id != null, "🔴 UNKNOWN_USB_DEVICE",
        actor_effective_username != "NT AUTHORITY\\SYSTEM" and action_registry_key_name contains "BTHLEDevice", "🟠 USER_BLUETOOTH_MODIFICATION",
        extract_time(_time, "HOUR") &amp;gt;= 18 or extract_time(_time, "HOUR") &amp;lt;= 6, "🟡 AFTER_HOURS_DEVICE_ACTIVITY",
        "✅ STANDARD_DEVICE_ACTIVITY"
    ),
    
    device_identifier = if(
        action_device_usb_serial_number != null, action_device_usb_serial_number,
        action_device_usb_vendor_name != null, concat(action_device_usb_vendor_name, " - ", action_device_usb_product_name),
        action_registry_key_name contains "BTHLEDevice", "BLUETOOTH_DEVICE",
        "UNKNOWN_DEVICE"
    ),
    
    user_context = coalesce(actor_effective_username, "SYSTEM"),
    timestamp = format_timestamp("%Y-%m-%d %H:%M:%S", _time)

// Aggregate violations by type and risk
| comp 
    count() as violation_events,
    count_distinct(agent_hostname) as affected_hosts,
    count_distinct(device_identifier) as unique_devices,
    count_distinct(user_context) as users_involved,
    earliest(_time) as first_violation,
    latest(_time) as last_violation,
    values(agent_hostname) as hostnames,
    values(device_identifier) as device_list,
    values(user_context) as user_accounts
    by violation_type, risk_level

| alter 
    violation_timeframe = concat(
        format_timestamp("%Y-%m-%d %H:%M", first_violation),
        " → ",
        format_timestamp("%Y-%m-%d %H:%M", last_violation)
    ),
    
    violation_summary = concat(
        to_string(violation_events), " events | ",
        to_string(affected_hosts), " hosts | ",
        to_string(unique_devices), " devices | ",
        to_string(users_involved), " users"
    )

| fields 
    violation_type,
    risk_level,
    violation_timeframe,
    violation_summary,
    violation_events,
    affected_hosts,
    unique_devices,
    hostnames,
    device_list,
    user_accounts

| sort desc violation_events&lt;/LI-CODE&gt;
&lt;P class="whitespace-normal break-words"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="whitespace-normal break-words"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="whitespace-normal break-words"&gt;&lt;STRONG&gt;Query features:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL class="[&amp;amp;:not(:last-child)_ul]:pb-1 [&amp;amp;:not(:last-child)_ol]:pb-1 list-disc space-y-1.5 pl-7"&gt;
&lt;LI class="whitespace-normal break-words"&gt;Capture Bluetooth activity through registry modifications (&lt;CODE class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]"&gt;action_registry_key_name contains "BTHLEDevice"&lt;/CODE&gt;)&lt;/LI&gt;
&lt;LI class="whitespace-normal break-words"&gt;Detect unknown USB devices using vendor/product fields&lt;/LI&gt;
&lt;LI class="whitespace-normal break-words"&gt;Monitor device management tool usage (&lt;CODE class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]"&gt;pnputil.exe&lt;/CODE&gt;, &lt;CODE class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]"&gt;devcon.exe&lt;/CODE&gt;) to&amp;nbsp;&lt;EM&gt;catch bypass attempts&lt;/EM&gt;&lt;/LI&gt;
&lt;LI class="whitespace-normal break-words"&gt;Track policy modifications and after-hours device activity&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="whitespace-normal break-words"&gt;Feel free to integrate more features, tune it, or tailor it more for your needs.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Jun 2025 15:49:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1231442#M8399</guid>
      <dc:creator>A.Elzedy</dc:creator>
      <dc:date>2025-06-10T15:49:09Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Device Control Violation Query</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232018#M8450</link>
      <description>&lt;P data-start="144" data-end="157"&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/928866483"&gt;@A.Elzedy&lt;/a&gt;,&lt;/P&gt;
&lt;P data-start="144" data-end="157"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-start="159" data-end="181"&gt;Thanks for this query.&lt;/P&gt;
&lt;P data-start="159" data-end="181"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-start="183" data-end="401"&gt;I’m seeing multiple results, but at the same time, I’m only seeing 18 results under the &lt;STRONG data-start="271" data-end="300"&gt;Device Control Violations&lt;/STRONG&gt; tab in the Cortex XDR management console. I’m expecting the same number of results in the XQL query.&lt;/P&gt;
&lt;P data-start="403" data-end="681"&gt;&lt;STRONG data-start="403" data-end="419"&gt;Please note:&lt;/STRONG&gt; Device Control policy is only enabled in block mode on 18 machines. The XDR agent has successfully prevented actions on these machines, and the violations are visible in the tab—18 results in total. Therefore, we expect the XQL query to return the same results.&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jun 2025 09:49:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232018#M8450</guid>
      <dc:creator>Vinothkumar_SBA</dc:creator>
      <dc:date>2025-06-18T09:49:15Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Device Control Violation Query</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232046#M8453</link>
      <description>&lt;P&gt;Thank you &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138"&gt;@Vinothkumar_SBA&lt;/a&gt;, would you please share the configuration details of your policy?&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jun 2025 14:51:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232046#M8453</guid>
      <dc:creator>A.Elzedy</dc:creator>
      <dc:date>2025-06-18T14:51:53Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Device Control Violation Query</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232091#M8455</link>
      <description>&lt;P data-start="157" data-end="170"&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/928866483"&gt;@A.Elzedy&lt;/a&gt;,&lt;/P&gt;
&lt;P data-start="157" data-end="170"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-start="172" data-end="428"&gt;We have configured a specific user group to block access to disk drives, CD-ROM drives, Windows portable devices, floppy disk drives, and Bluetooth devices—while still allowing print jobs—through the Cortex XDR Device Control Policy configuration profiles.&lt;/P&gt;
&lt;P data-start="430" data-end="622"&gt;At the same time, for another set of endpoint groups, we blocked disk drives, CD-ROM drives, Windows portable devices, and floppy disk drives, but allowed access to Bluetooth and printer jobs.&lt;/P&gt;
&lt;P data-start="624" data-end="888"&gt;The policies were successfully configured. When a user tries to access USB or Bluetooth devices, the XDR agent successfully blocks the attempt. These violations are being recorded and displayed in the &lt;STRONG data-start="825" data-end="853"&gt;Device Control Violation&lt;/STRONG&gt; tab in the XDR Management Console.&lt;/P&gt;
&lt;P data-start="890" data-end="1164"&gt;We expect to see the same results reflected in the XQL queries, as we are using them to generate daily report templates. These reports are meant to show whether any user has violated the XDR Device Control Policy—meaning if they attempted to access USB or Bluetooth devices.&lt;/P&gt;
&lt;HR data-start="1166" data-end="1169" /&gt;</description>
      <pubDate>Thu, 19 Jun 2025 05:03:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-query/m-p/1232091#M8455</guid>
      <dc:creator>Vinothkumar_SBA</dc:creator>
      <dc:date>2025-06-19T05:03:14Z</dc:date>
    </item>
  </channel>
</rss>