Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Alert USB activity

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Alert USB activity

L1 Bithead

Hi community,

 

Can I check is there any one create a alert if a user copied more than a certain number of files into a USB drive?

Thank You, Cheers!

1 REPLY 1

L3 Networker

Hi @BoonHwee Cortex XDR analytics offers the ability to detect and alert anomalies with USB storage activity. The following are just two XDR analytics alert references:

 

  • Possible data exfiltration over a USB storage device
  • Possible internal data exfiltration over a USB storage device

Please note,  Cortex XDR analytics requires an XDR Pro license, and the USB Storage Device alerts have required data sources (Palo Alto Networks Firewall Logs and XDR agent), and a required detection module with the Identity Analytics.

 

In terms of XDR Device Control, the feature is designed to block or allow USB-connected removable devices depending on how you have configured your Device Configuration - Extensions profile.  If I understand the scope of your question correctly, then the device control configuration option is not available at this time. If you would like to request feature enhancements to device control / alerting, then please coordinate with your XDR SE or Customer Success POCs where applicable. 

  • 2720 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!