03-13-2024 01:33 AM
Hello,
I want to block Bluetooth activities on endpoints in Cortex XDR. Is there any way or rule to do this? If yes, can you write the rule?
Thanks in advance.
03-13-2024 09:48 AM
Hi @JahidAliyev, thanks for reaching out to us through the LIVEcommunity.
You can run an XQL query like this to retrieve all the "device plug" events from your tenant:
preset = device_control
| filter event_sub_type = ENUM.DEVICE_PLUG
Then look at the "action_device_bus_type" field in your results to check how Bluetooth devices are reported on your endpoint.
Based on that value, you can add a filter to that query that can work to create the BIOC rule.
preset = device_control
| filter event_sub_type = ENUM.DEVICE_PLUG
| filter action_device_bus_type = ENUM.YOURVALUE
Please check it and let me know how it goes.