topic Re: Find USB mounted storage devices on Windows and macOS in Cortex XDR Discussions

Find USB mounted storage devices on Windows and macOS

Joe_Carissimo — Mon, 23 Jun 2025 20:17:25 GMT

Hi All, looking for some help here. We've been using a query a colleague wrote to find computers with USB's mounted.

This is the query:

// Description: Show drive mount activity

dataset = xdr_data

| filter event_type = ENUM.MOUNT

| alter mount_point = action_mount_device_info -> storage_device_mount_point

| alter storage_device_class_name = action_mount_device_info -> storage_device_class_name

| alter vendor_id = action_mount_device_info -> storage_device_vendor_id

| alter product_id = action_mount_device_info -> storage_device_product_id

| alter storage_device_drive_type = action_mount_device_info -> storage_device_drive_type

| fields _time, agent_hostname, action_mount_device_info, mount_point, storage_device_*, vendor_id, product_id, agent_os_type, agent_os_sub_type

//| filter storage_device_drive_type = "2" or

| FILTER storage_device_drive_type = "DEVICE_REMOVABLE"// 2: Removable

The problem here is that this is only grabbing Windows and no macOS. I've tried a few other queries found here in the Live Community but nothing seems to be working accurately for the macOS.

Any suggestions?

Thank you in advance.

Joe

Re: Find USB mounted storage devices on Windows and macOS

aspatil — Tue, 24 Jun 2025 04:55:05 GMT

Hello,
Try below:
preset = device_control | filter event_sub_type = MOUNT_DRIVE_MOUNT and agent_os_type = AGENT_OS_MAC and action_device_bus_type = USB

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Re: Find USB mounted storage devices on Windows and macOS

Joe_Carissimo — Tue, 24 Jun 2025 13:58:41 GMT

Hi @aspatil, thank you for your reply. Unfortunately that only returns one computer and I'm expecting many more. We have almost 1000 Mac endpoints in our environment and I'm certain there are more than one that have USB storage drives mounted.

Regards,
Joe

Re: Find USB mounted storage devices on Windows and macOS

A.Elzedy — Tue, 24 Jun 2025 18:10:59 GMT

Hi @aspatil ,

would you be able to share a sample output of the following query, that would help understanding your env better.

dataset = xdr_data | filter event_type = ENUM.DEVICE and event_sub_type = ENUM.DEVICE_PLUG | alter deviceinfo = to_string(actor_process_device_info) | comp count() by deviceinfo

Re: Find USB mounted storage devices on Windows and macOS

Joe_Carissimo — Tue, 24 Jun 2025 18:27:04 GMT

Thank you, here's a screenshot of the query results.

Regards,

Joe

Re: Find USB mounted storage devices on Windows and macOS

A.Elzedy — Tue, 24 Jun 2025 18:59:01 GMT

I think you may need to expand the timeframe up to 30d if it was not set to it

also try to run this one too

dataset = xdr_data | comp count() by agent_os_type , action_device_usb_vendor_name , action_device_usb_product_name , action_device_usb_vendor_id

Re: Find USB mounted storage devices on Windows and macOS

Joe_Carissimo — Tue, 24 Jun 2025 21:53:01 GMT

Hi @A.Elzedy, thank you again. Attached is a .zip file with the query results of this most recent run. This one is definitely set to 30 days.

Thank you,

Joe

Re: Find USB mounted storage devices on Windows and macOS

Joe_Carissimo — Tue, 24 Jun 2025 21:56:14 GMT

@A.Elzedy, here is the query results with set to 30 days. Thanks, Joe

Re: Find USB mounted storage devices on Windows and macOS

A.Elzedy — Wed, 25 Jun 2025 16:23:45 GMT

Alright, after reviewing the logs, there aren't much activities from MAC devices, there could be a policy in place that's blocking them from connecting usb disks

at the time being I have drafted a query that could help monitor usb activities/changes

dataset = xdr_data | filter event_type in (ENUM.DEVICE, ENUM.MOUNT , ENUM.FILE ) | filter action_device_usb_vendor_id != null | sort asc _time | windowcomp first_value(event_timestamp) by agent_hostname, action_device_usb_serial_number sort asc _time as plug_time | windowcomp last_value(event_timestamp) by agent_hostname, action_device_usb_serial_number sort desc _time as unplug_time | dedup agent_hostname, action_device_usb_vendor_id | alter plug_ts = to_timestamp(plug_time, "MILLIS"), unplug_ts = to_timestamp(unplug_time, "MILLIS") | alter plug_time_readable = format_timestamp("%Y-%m-%d %H:%M:%S", plug_ts, "America/New_York"), unplug_time_readable = format_timestamp("%Y-%m-%d %H:%M:%S", unplug_ts, "America/New_York") | alter session_duration_minutes = timestamp_diff(unplug_ts, plug_ts, "MINUTE") | join type = right ( dataset = xdr_data | filter event_type = ENUM.FILE | filter action_device_usb_vendor_id != null | filter actor_effective_username not in ("NT AUTHORITY\SYSTEM") | filter actor_effective_username not contains "\root" | alter op = if(event_sub_type = 1, "New file creation", event_sub_type = 2, "File access/opening", event_sub_type = 3, "File renaming", event_sub_type = 4, "File linking", event_sub_type = 5, "File deletion", event_sub_type = 6, "File modification", event_sub_type = 7, "File attribute changes", event_sub_type = 8, "Directory creation", event_sub_type = 9, "Directory access", event_sub_type = 10, "Directory renaming", event_sub_type = 11, "Directory linking", event_sub_type = 12, "Directory deletion", event_sub_type = 13, "File reparse operations", event_sub_type = 14, "File security changes", event_sub_type = 15, "File permission changes", event_sub_type = 16, "File ownership changes", to_string(event_sub_type)) | alter sanitized_path = replex(action_file_path, "[^a-zA-Z0-9_./\\-]", "") | alter file_op = to_string(concat(op, " : ", sanitized_path)) | comp count() as file_event_count, values(file_op) as file_operations, values(actor_effective_username) as usernames by agent_hostname, action_device_usb_serial_number | alter file_operations_top_100 = arrayrange(file_operations, 0, 100) | fields file_event_count , file_operations_top_100, usernames , agent_hostname , action_device_usb_serial_number ) as file_activity file_activity.agent_hostname = agent_hostname and file_activity.action_device_usb_serial_number = action_device_usb_serial_number | alter vendor_product = concat( action_device_usb_vendor_name , " ", replace(action_device_usb_product_name,"unknown"," ")) | fields agent_os_type, agent_hostname, usernames, vendor_product, plug_time_readable, unplug_time_readable, session_duration_minutes, file_event_count, file_operations_top_100 | sort asc plug_time_readable

Re: Find USB mounted storage devices on Windows and macOS

Joe_Carissimo — Wed, 25 Jun 2025 16:41:11 GMT

Hi @A.Elzedy, thank you, I'll have a look at this query. As for a policy blocking USB on Mac devices, there are none in place at the moment. Though that is something that we are working towards.

Ideally, what I'm trying to do is determine on both Mac and Windows, how many people are using USB storage devices over a 30 day period. So strange how difficult this is to find on macOS.

Feel free to let me know if you come up with anything else and thank you for your efforts.

Regards,

Joe