https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247866#M9115 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1184632661">@Y.SONG464633</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>It is possible to receive email or syslog notifications whenever a USB device is connected to an endpoint, but the configuration you attempted under <STRONG>Management Audit Logs</STRONG> failed because those logs are designed to track administrative changes (such as an admin modifying a policy), not endpoint security events.</P> <P>&nbsp;</P> <P>To achieve USB connection notifications, you must create a <STRONG>Correlation Rule</STRONG> based on an XQL query that detects USB connection events and then configure <STRONG>Notification Forwarding</STRONG> for those alerts.</P> <H4>1. Verify Prerequisites</H4> <UL> <LI> <P><STRONG>License:</STRONG> A Cortex XDR <STRONG>Pro</STRONG> license is required to access the granular endpoint telemetry needed for these queries.</P> </LI> <LI> <P><STRONG>Data Collection:</STRONG> Ensure that <STRONG>Enhanced Endpoint Data</STRONG> collection is enabled in your <STRONG>Agent Settings Profile</STRONG>.</P> </LI> </UL> <H4>2. Configure the XQL Query</H4> <P>While monitoring registry keys can work, it is more efficient and reliable to use the dedicated <STRONG>DEVICE</STRONG> event type or the built-in device control telemetry.</P> <P>&nbsp;</P> <P><STRONG>Recommended XQL Query:</STRONG></P> <PRE><CODE class="language-xql">dataset = xdr_data | filter event_type = DEVICE and event_sub_type = DEVICE_PLUG | fields _time, agent_hostname, actor_effective_username, action_device_usb_vendor_name, action_device_usb_product_name, action_device_usb_serial_number </CODE></PRE> <H4>3. Create a Correlation Rule</H4> <OL> <LI> <P>Navigate to <STRONG>Detection Rules → Correlation Rules → + New Rule</STRONG>.</P> </LI> <LI> <P>Paste the recommended query into the <STRONG>XQL Search</STRONG> section.</P> </LI> <LI> <P><STRONG>Time Schedule:</STRONG> Configure the rule to run frequently (for example, every 5 or 15 minutes).</P> </LI> <LI> <P><STRONG>Action:</STRONG> Select <STRONG>Generate Alert</STRONG>.</P> </LI> <LI> <P><STRONG>Alert Name:</STRONG> Assign a unique name such as <CODE>USB_Connection_Detected</CODE>. This is important for notification filtering.</P> </LI> <LI> <P><STRONG>Alert Fields Mapping (Optional):</STRONG> Map fields such as <CODE>agent_hostname</CODE> to standard alert fields for improved visibility.</P> </LI> <LI> <P>Save and enable the rule.</P> </LI> </OL> <P>&nbsp;</P> <H4>4. Configure Notification Forwarding (Email or Syslog)</H4> <OL> <LI> <P>Navigate to <STRONG>Settings → Configuration → Notifications → Forwarding Configurations</STRONG>.</P> </LI> <LI> <P>Click <STRONG>+ Add Forwarding Configuration</STRONG>.</P> </LI> <LI> <P><STRONG>Alert Source:</STRONG> Select <STRONG>Cortex XDR Analytics &amp; Correlation</STRONG>.</P> </LI> <LI> <P><STRONG>Filtering:</STRONG> Filter on the <STRONG>Alert Name</STRONG> created earlier (for example, <CODE>USB_Connection_Detected</CODE>).</P> </LI> <LI> <P><STRONG>Target:</STRONG> Choose <STRONG>Email</STRONG> or <STRONG>Syslog</STRONG> (ensure the syslog server is already configured under <STRONG>Settings → Configurations → Integrations → Syslog</STRONG>).</P> </LI> <LI> <P>Save the configuration.</P> </LI> </OL> <P>&nbsp;</P> <H4>Why BIOC Did Not Work</H4> <P>BIOC (Behavioral Indicators of Compromise) rules are primarily designed for real-time detection and prevention of malicious activity. While they can technically detect USB-related events, <STRONG>Correlation Rules</STRONG> are better suited for monitoring environmental or operational events such as hardware connections. They allow scheduled searches across historical raw data and provide simpler alerting and notification workflows.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Tue, 10 Feb 2026 13:35:20 GMT susekar 2026-02-10T13:35:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247681#M9108 <P data-start="93" data-end="113">Hello,</P> <P data-start="115" data-end="392">We have received a request asking whether it is possible for administrators to receive alert emails whenever a USB device is connected to any endpoints.<BR data-start="299" data-end="302" />(*Currently, the USB policy in <STRONG data-start="332" data-end="366">Exploit – Device Configuration</STRONG> is set to <STRONG data-start="377" data-end="390">Read Only</STRONG>.)</P> <P data-start="115" data-end="392">(* I think the adminster wants to get the log <STRONG>[Inventory-Device Control Violations]</STRONG>)</P> <P data-start="115" data-end="392">&nbsp;</P> <P data-start="394" data-end="628">We attempted to configure this under <STRONG data-start="431" data-end="475">Settings → Configuration → Notifications</STRONG> by selecting <STRONG data-start="489" data-end="514">Management Audit Logs</STRONG> and setting the <STRONG data-start="531" data-end="539">Type</STRONG> to <STRONG data-start="543" data-end="567">Device Control (All)</STRONG>. However, the expected alerts were not generated as desired.</P> <P data-start="630" data-end="762">ChatGPT suggested using <STRONG data-start="654" data-end="668">XQL + BIOC</STRONG>, but we are still unable to identify the exact XQL query and the correct configuration steps.</P> <P data-start="630" data-end="762">&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="YSONG464633_0-1770612974843.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70601iD5B4895EC46C38FA/image-size/medium?v=v2&amp;px=400" role="button" title="YSONG464633_0-1770612974843.png" alt="YSONG464633_0-1770612974843.png" /></span></P> <P data-start="630" data-end="762">&nbsp;</P> <P data-start="86" data-end="166">We have created the query below; however, we are not sure whether it is correct.</P> <P data-start="168" data-end="240">Could you please review it and let us know if it is properly configured?</P> <P data-start="764" data-end="801">&nbsp;</P> <P data-start="803" data-end="967">At present, the alert flow is configured as <STRONG data-start="847" data-end="887">Issue Alert → Syslog → Administrator</STRONG>, so it would be sufficient if USB-related alerts could be forwarded via syslog.</P> <P data-start="803" data-end="967">&nbsp;</P> <P data-start="969" data-end="979">Thank you.</P> <P data-start="969" data-end="979">&nbsp;</P> <P data-start="969" data-end="979"><LI-PRODUCT title="코텍스 XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Mon, 09 Feb 2026 04:58:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247681#M9108 Y.SONG464633 2026-02-09T04:58:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247866#M9115 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1184632661">@Y.SONG464633</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>It is possible to receive email or syslog notifications whenever a USB device is connected to an endpoint, but the configuration you attempted under <STRONG>Management Audit Logs</STRONG> failed because those logs are designed to track administrative changes (such as an admin modifying a policy), not endpoint security events.</P> <P>&nbsp;</P> <P>To achieve USB connection notifications, you must create a <STRONG>Correlation Rule</STRONG> based on an XQL query that detects USB connection events and then configure <STRONG>Notification Forwarding</STRONG> for those alerts.</P> <H4>1. Verify Prerequisites</H4> <UL> <LI> <P><STRONG>License:</STRONG> A Cortex XDR <STRONG>Pro</STRONG> license is required to access the granular endpoint telemetry needed for these queries.</P> </LI> <LI> <P><STRONG>Data Collection:</STRONG> Ensure that <STRONG>Enhanced Endpoint Data</STRONG> collection is enabled in your <STRONG>Agent Settings Profile</STRONG>.</P> </LI> </UL> <H4>2. Configure the XQL Query</H4> <P>While monitoring registry keys can work, it is more efficient and reliable to use the dedicated <STRONG>DEVICE</STRONG> event type or the built-in device control telemetry.</P> <P>&nbsp;</P> <P><STRONG>Recommended XQL Query:</STRONG></P> <PRE><CODE class="language-xql">dataset = xdr_data | filter event_type = DEVICE and event_sub_type = DEVICE_PLUG | fields _time, agent_hostname, actor_effective_username, action_device_usb_vendor_name, action_device_usb_product_name, action_device_usb_serial_number </CODE></PRE> <H4>3. Create a Correlation Rule</H4> <OL> <LI> <P>Navigate to <STRONG>Detection Rules → Correlation Rules → + New Rule</STRONG>.</P> </LI> <LI> <P>Paste the recommended query into the <STRONG>XQL Search</STRONG> section.</P> </LI> <LI> <P><STRONG>Time Schedule:</STRONG> Configure the rule to run frequently (for example, every 5 or 15 minutes).</P> </LI> <LI> <P><STRONG>Action:</STRONG> Select <STRONG>Generate Alert</STRONG>.</P> </LI> <LI> <P><STRONG>Alert Name:</STRONG> Assign a unique name such as <CODE>USB_Connection_Detected</CODE>. This is important for notification filtering.</P> </LI> <LI> <P><STRONG>Alert Fields Mapping (Optional):</STRONG> Map fields such as <CODE>agent_hostname</CODE> to standard alert fields for improved visibility.</P> </LI> <LI> <P>Save and enable the rule.</P> </LI> </OL> <P>&nbsp;</P> <H4>4. Configure Notification Forwarding (Email or Syslog)</H4> <OL> <LI> <P>Navigate to <STRONG>Settings → Configuration → Notifications → Forwarding Configurations</STRONG>.</P> </LI> <LI> <P>Click <STRONG>+ Add Forwarding Configuration</STRONG>.</P> </LI> <LI> <P><STRONG>Alert Source:</STRONG> Select <STRONG>Cortex XDR Analytics &amp; Correlation</STRONG>.</P> </LI> <LI> <P><STRONG>Filtering:</STRONG> Filter on the <STRONG>Alert Name</STRONG> created earlier (for example, <CODE>USB_Connection_Detected</CODE>).</P> </LI> <LI> <P><STRONG>Target:</STRONG> Choose <STRONG>Email</STRONG> or <STRONG>Syslog</STRONG> (ensure the syslog server is already configured under <STRONG>Settings → Configurations → Integrations → Syslog</STRONG>).</P> </LI> <LI> <P>Save the configuration.</P> </LI> </OL> <P>&nbsp;</P> <H4>Why BIOC Did Not Work</H4> <P>BIOC (Behavioral Indicators of Compromise) rules are primarily designed for real-time detection and prevention of malicious activity. While they can technically detect USB-related events, <STRONG>Correlation Rules</STRONG> are better suited for monitoring environmental or operational events such as hardware connections. They allow scheduled searches across historical raw data and provide simpler alerting and notification workflows.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Tue, 10 Feb 2026 13:35:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247866#M9115 susekar 2026-02-10T13:35:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247906#M9121 <P>Thank you Veeeeeeeeeeeeeeeeeeeeeeeeeeeeery Much!!</P> <P>You save my life! <span class="lia-unicode-emoji" title=":loudly_crying_face:">😭</span><span class="lia-unicode-emoji" title=":loudly_crying_face:">😭</span><span class="lia-unicode-emoji" title=":loudly_crying_face:">😭</span><span class="lia-unicode-emoji" title=":loudly_crying_face:">😭</span><span class="lia-unicode-emoji" title=":loudly_crying_face:">😭</span><span class="lia-unicode-emoji" title=":loudly_crying_face:">😭</span>&nbsp;<span class="lia-unicode-emoji" title=":face_blowing_a_kiss:">😘</span></P> Wed, 11 Feb 2026 02:18:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sending-usb-alerts-via-syslog-cortex-xdr/m-p/1247906#M9121 Y.SONG464633 2026-02-11T02:18:22Z