Make MTP logs using XQL

Y.SONG464633 — Fri, 10 Apr 2026 09:16:10 GMT

Hello, Everyone!

1. An Android device is connected to a computer where XDR is installed.
2. After the connection (Android-Computer), the user accesses the Android device’s folder from the computer and copies file A from the computer to the Android device.
3. On the computer, the copied file A on the Android device is renamed or copied to a different directory in the Android.

In this scenario, I would like to know:

Whether these actions are logged in XDR, and
Whether these logs can be searched using XQL.

I would appreciate insights from experts. Thank you.

#XQL #MTP

Re: Make MTP logs using XQL

susekar — Mon, 13 Apr 2026 13:39:45 GMT

Hello @Y.SONG464633 ,

Greetings for the day.

Based on the internal research and technical support cases, here are the answers to your scenario regarding Android devices and Cortex XDR:

1. Whether these actions are logged in XDR

In the scenario described (Android device connected to a computer), file actions such as copying, renaming, or moving files within the Android device are generally not logged by Cortex XDR.

The Technical Reason:

Protocol Difference:
Most modern Android devices connect to computers using Media Transfer Protocol (MTP) or Windows Portable Device (WPD) drivers rather than standard USB Mass Storage (MSC).
Driver Limitation:
Cortex XDR's EDR driver (tedrdrv) monitors file activity on system-mounted volumes. Because MTP devices are not mapped as standard drive volumes (e.g., they don't get a drive letter like E:) and use different drivers (such as WUDFRd.sys), the EDR component does not currently capture granular file operations performed over MTP.
Device Control vs. File Activity:
While XDR may log the physical connection of the device (a DEVICE_PLUG event), it does not natively track the subsequent file-level modifications (copy/rename) made inside that portable device.

2. Whether these logs can be searched using XQL

Because the agent does not capture these specific MTP-based file operations, they cannot be searched using XQL.

However, if the device were a standard USB Flash Drive (which mounts as a storage volume), you could search for these actions.

For comparison, with a standard removable drive, you could use a query like the one below to find file writes:

dataset = xdr_data 
| filter event_type = FILE and event_sub_type = ENUM.FILE_WRITE 
| alter Drive_Type = action_file_device_info -> storage_device_drive_type{}
| filter Drive_Type = "2" // Value "2" represents Removable Media
| fields _time, agent_hostname, actor_process_image_name, action_file_path, action_file_name

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Make MTP logs using XQL in Cortex XDR Discussions

Make MTP logs using XQL

Re: Make MTP logs using XQL

The Technical Reason:

2. Whether these logs can be searched using XQL