https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-alerts/m-p/1247529#M9100 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/120320991">@D.Bengian</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>It is important to clarify that <STRONG>Device Control Violations</STRONG> (the specific events where the agent blocks a device) are currently <STRONG>not included</STRONG> in the <CODE>xdr_data</CODE> dataset. Because BIOC rules operate on the <CODE>xdr_data</CODE> dataset, you <STRONG>cannot create a BIOC rule</STRONG> that triggers specifically based on the <STRONG>“Blocked”</STRONG> action of the Device Control module.</P> <P>&nbsp;</P> <P>These violations are currently only visible in the <STRONG>Device Control Violations</STRONG> page of the console or accessible via the <STRONG>Public API</STRONG>.</P> <P>&nbsp;</P> <P>However, you <EM>can</EM> create a BIOC rule to alert on the <STRONG>activity of a USB or removable device being connected</STRONG> (plugged in or mounted). While this does <STRONG>not differentiate between allowed and blocked devices</STRONG>, it allows you to generate alerts for <STRONG>any external device connection attempt</STRONG>.</P> <H4>&nbsp;</H4> <H5>XQL Queries for BIOC Rules:</H5> <P>You can use either of the following queries to create a BIOC rule for detecting removable device connections:</P> <H5>Option 1: Detecting Device Plug Events</H5> <P>This approach monitors USB plug activity:</P> <PRE><CODE>dataset = xdr_data | filter event_type = DEVICE and event_sub_type = DEVICE_PLUG </CODE></PRE> <H5>Option 2: Detecting Device Mount Events</H5> <P>This query identifies when a storage drive is successfully recognized and mounted by the operating system:</P> <PRE><CODE>dataset = xdr_data | filter event_type = MOUNT AND event_sub_type = MOUNT_DRIVE_MOUNT | alter vendor_id = json_extract_scalar(action_mount_device_info , "$.storage_device_vendor_id"), product_id = json_extract_scalar(action_mount_device_info , "$.storage_device_product_id"), serial_number = json_extract_scalar(action_mount_device_info , "$.storage_device_serial_number") </CODE></PRE> <HR /> <H5>Alternative Methods for Violation Alerts</H5> <P>If you strictly require alerts for <STRONG>Device Control Violations (blocks)</STRONG>, consider these alternatives:</P> <H5>Management Audit Log Forwarding</H5> <P>You can configure notification forwarding to send emails or syslog messages when a violation is logged.</P> <UL> <LI> <P>Navigate to <STRONG>Settings → Configurations → General → Notifications</STRONG></P> </LI> <LI> <P>Select <STRONG>Management Audit Logs</STRONG> as the log type</P> </LI> <LI> <P>Apply a filter for <STRONG>Device Control Violations</STRONG> to capture policy breach events</P> </LI> </UL> <H5>Cortex XDR Public API</H5> <P>Use the <STRONG>Get-Violations</STRONG> API endpoint to programmatically retrieve violation data and integrate it with your SIEM or alerting platform.</P> <H5>Removable Media File Execution Alerts</H5> <P>In your <STRONG>Restrictions Profile</STRONG>, you can enable notifications for <STRONG>Removable Media</STRONG> to report when files are executed from external drives.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> Thu, 05 Feb 2026 14:37:48 GMT susekar 2026-02-05T14:37:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-alerts/m-p/1247458#M9096 <P>Hi All,</P> <P>&nbsp;</P> <P>We enabled device configurations to block external devices connecting to endpoints in the organization and its work fine. In the Cortex XDR console, I can see the device control violations.</P> <P data-start="0" data-end="161">&nbsp;</P> <P data-start="163" data-end="294" data-is-last-node="" data-is-only-node="">We want to create alerts to detect the&nbsp;Device Control Violation based on a BIOC rule, as this is the only available option.</P> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:--spacing(4)] @w-sm/main:[--thread-content-margin:--spacing(6)] @w-lg/main:[--thread-content-margin:--spacing(16)] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn" tabindex="-1"> <DIV class="flex max-w-full flex-col grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal [.text-message+&amp;]:mt-1" dir="auto" data-message-author-role="assistant" data-message-id="9dfb5429-51e0-4860-83b3-a93771c52d6d" data-message-model-slug="gpt-5-2"> <DIV class="flex w-full flex-col gap-1 empty:hidden first:pt-[1px]"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word dark markdown-new-styling"> <P data-start="0" data-end="97" data-is-last-node="" data-is-only-node="">I tried several different queries. I realized I’m spending a lot of time on this without success.&nbsp;<SPAN>Does anyone have a ready XQL query for this?</SPAN></P> <P data-start="0" data-end="97" data-is-last-node="" data-is-only-node="">&nbsp;</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <P>&nbsp;</P> <P>Regards and thanks,</P> <P>David.</P> Wed, 04 Feb 2026 19:51:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-alerts/m-p/1247458#M9096 D.Bengian 2026-02-04T19:51:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-alerts/m-p/1247529#M9100 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/120320991">@D.Bengian</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>It is important to clarify that <STRONG>Device Control Violations</STRONG> (the specific events where the agent blocks a device) are currently <STRONG>not included</STRONG> in the <CODE>xdr_data</CODE> dataset. Because BIOC rules operate on the <CODE>xdr_data</CODE> dataset, you <STRONG>cannot create a BIOC rule</STRONG> that triggers specifically based on the <STRONG>“Blocked”</STRONG> action of the Device Control module.</P> <P>&nbsp;</P> <P>These violations are currently only visible in the <STRONG>Device Control Violations</STRONG> page of the console or accessible via the <STRONG>Public API</STRONG>.</P> <P>&nbsp;</P> <P>However, you <EM>can</EM> create a BIOC rule to alert on the <STRONG>activity of a USB or removable device being connected</STRONG> (plugged in or mounted). While this does <STRONG>not differentiate between allowed and blocked devices</STRONG>, it allows you to generate alerts for <STRONG>any external device connection attempt</STRONG>.</P> <H4>&nbsp;</H4> <H5>XQL Queries for BIOC Rules:</H5> <P>You can use either of the following queries to create a BIOC rule for detecting removable device connections:</P> <H5>Option 1: Detecting Device Plug Events</H5> <P>This approach monitors USB plug activity:</P> <PRE><CODE>dataset = xdr_data | filter event_type = DEVICE and event_sub_type = DEVICE_PLUG </CODE></PRE> <H5>Option 2: Detecting Device Mount Events</H5> <P>This query identifies when a storage drive is successfully recognized and mounted by the operating system:</P> <PRE><CODE>dataset = xdr_data | filter event_type = MOUNT AND event_sub_type = MOUNT_DRIVE_MOUNT | alter vendor_id = json_extract_scalar(action_mount_device_info , "$.storage_device_vendor_id"), product_id = json_extract_scalar(action_mount_device_info , "$.storage_device_product_id"), serial_number = json_extract_scalar(action_mount_device_info , "$.storage_device_serial_number") </CODE></PRE> <HR /> <H5>Alternative Methods for Violation Alerts</H5> <P>If you strictly require alerts for <STRONG>Device Control Violations (blocks)</STRONG>, consider these alternatives:</P> <H5>Management Audit Log Forwarding</H5> <P>You can configure notification forwarding to send emails or syslog messages when a violation is logged.</P> <UL> <LI> <P>Navigate to <STRONG>Settings → Configurations → General → Notifications</STRONG></P> </LI> <LI> <P>Select <STRONG>Management Audit Logs</STRONG> as the log type</P> </LI> <LI> <P>Apply a filter for <STRONG>Device Control Violations</STRONG> to capture policy breach events</P> </LI> </UL> <H5>Cortex XDR Public API</H5> <P>Use the <STRONG>Get-Violations</STRONG> API endpoint to programmatically retrieve violation data and integrate it with your SIEM or alerting platform.</P> <H5>Removable Media File Execution Alerts</H5> <P>In your <STRONG>Restrictions Profile</STRONG>, you can enable notifications for <STRONG>Removable Media</STRONG> to report when files are executed from external drives.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> Thu, 05 Feb 2026 14:37:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-device-control-violation-alerts/m-p/1247529#M9100 susekar 2026-02-05T14:37:48Z