02-04-2026 11:51 AM
Hi All,
We enabled device configurations to block external devices connecting to endpoints in the organization and it works fine. In the Cortex XDR console, I can see the device control violations.
We want to create alerts to detect the Device Control Violation based on a BIOC rule, as this is the only available option.
I tried several different queries. I realized I’m spending a lot of time on this without success. Does anyone have a ready XQL query for this?
Regards and thanks,
David.
02-05-2026 06:37 AM
Hello @D.Bengian,
Greetings for the day.
It is important to clarify that Device Control Violations (the specific events where the agent blocks a device) are currently not included in the xdr_data dataset. Because BIOC rules operate on the xdr_data dataset, you cannot create a BIOC rule that triggers specifically based on the “Blocked” action of the Device Control module.
These violations are currently only visible in the Device Control Violations page of the console or accessible via the Public API.
However, you can create a BIOC rule to alert on the activity of a USB or removable device being connected (plugged in or mounted). While this does not differentiate between allowed and blocked devices, it allows you to generate alerts for any external device connection attempt.
You can use either of the following queries to create a BIOC rule for detecting removable device connections:
This approach monitors USB plug activity:
dataset = xdr_data
| filter event_type = DEVICE and event_sub_type = DEVICE_PLUG
This query identifies when a storage drive is successfully recognized and mounted by the operating system:
dataset = xdr_data
| filter event_type = MOUNT AND event_sub_type = MOUNT_DRIVE_MOUNT
| alter
vendor_id = json_extract_scalar(action_mount_device_info , "$.storage_device_vendor_id"),
product_id = json_extract_scalar(action_mount_device_info , "$.storage_device_product_id"),
serial_number = json_extract_scalar(action_mount_device_info , "$.storage_device_serial_number")
If you strictly require alerts for Device Control Violations (blocks), consider these alternatives:
You can configure notification forwarding to send emails or syslog messages when a violation is logged.
Navigate to Settings → Configurations → General → Notifications
Select Management Audit Logs as the log type
Apply a filter for Device Control Violations to capture policy breach events
Use the Get-Violations API endpoint to programmatically retrieve violation data and integrate it with your SIEM or alerting platform.
In your Restrictions Profile, you can enable notifications for Removable Media to report when files are executed from external drives.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
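As an added example (not code from the post or from Palo Alto Networks), here is a small Python poller for the Get-Violations integration route described above: it builds the request, flattens the reply into SIEM-ready events and keeps a timestamp checkpoint so repeated polls do not re-alert on blocks already forwarded. The endpoint path, header names and reply field names are assumptions based on the Cortex XDR public API and should be confirmed against your tenant's API reference; the sample reply is constructed.

```python
import json
import urllib.request

# Assumed Cortex XDR public API path and header names; confirm against the
# tenant's API reference before use.
VIOLATIONS_PATH = "/public_api/v1/device_control/get_violations/"

# Constructed sample reply in the shape the endpoint is assumed to return.
SAMPLE_REPLY = {"reply": {"total_count": 2, "result_count": 2, "violations": [
    {"violation_id": 101, "timestamp": 1770200000000, "hostname": "WS-01",
     "username": "alice", "type": "Disk Drive", "vendor": "ExampleVendor",
     "product": "ExampleStick", "serial": "CONSTRUCTED-0001", "endpoint_id": "ep-0001"},
    {"violation_id": 102, "timestamp": 1770200060000, "hostname": "WS-02",
     "username": "bob", "type": "Disk Drive", "vendor": "ExampleVendor",
     "product": "ExampleStick", "serial": "CONSTRUCTED-0002", "endpoint_id": "ep-0002"},
]}}

def request_body(search_from=0, page_size=100, since_ms=None):
    """Build the request_data payload; since_ms enables incremental polling."""
    filters = []
    if since_ms is not None:
        filters.append({"field": "timestamp", "operator": "gte", "value": since_ms})
    return {"request_data": {"filters": filters, "search_from": search_from,
                             "search_to": search_from + page_size}}

def build_request(api_fqdn, api_key_id, api_key, **kwargs):
    """Return a ready-to-send POST request for one page of violations."""
    return urllib.request.Request(
        f"https://{api_fqdn}{VIOLATIONS_PATH}",
        data=json.dumps(request_body(**kwargs)).encode(),
        headers={"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
                 "Content-Type": "application/json"},
        method="POST")

def normalize(reply, checkpoint_ms=0):
    """Flatten violations newer than checkpoint_ms; return (events, new_checkpoint_ms)."""
    events = []
    for v in reply.get("reply", {}).get("violations", []):
        ts = int(v.get("timestamp", 0))
        if ts <= checkpoint_ms:  # already forwarded in an earlier poll
            continue
        events.append({"event_type": "device_control_violation",
                       "violation_id": v.get("violation_id"), "timestamp_ms": ts,
                       "host": v.get("hostname"), "user": v.get("username"),
                       "device": f"{v.get('vendor')} {v.get('product')} sn={v.get('serial')}",
                       "device_type": v.get("type"), "endpoint_id": v.get("endpoint_id")})
        checkpoint_ms = max(checkpoint_ms, ts)
    return events, checkpoint_ms
```

Persist the returned checkpoint between runs and pass it back in as both the `since_ms` filter and the `normalize` argument; page with `search_from` when `total_count` exceeds `result_count`.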