06-05-2025 05:35 AM
Hi Team,
How can I check device control violations using an XQL query? I have tried the query preset = device_control but I am only seeing details for USB device violations. I am expecting to see Bluetooth violations as well. Is this possible? If yes, please guide me.
06-09-2025 11:27 AM
Hello @Vinothkumar_SBA
Thanks for reaching out to us.
You may test with Bluetooth devices GUIDs (Globally Unique Identifiers) (action_device_class_guid) which are used to uniquely identify Bluetooth devices and are commonly used in Bluetooth device pairing and communication protocols or Vendor ID, Product ID and Serial using the field schema in the device control preset or xdr_data.
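Added example of the approach described above (not part of the reply): filtering the device_control preset on the Windows Bluetooth setup class GUID and summarising hits per host and user. It assumes action_device_class_guid is populated in this preset as stated, that the GUID is stored in lowercase without braces, and that the hostname and user fields carry the same names as in the xdr_data query later in this thread.

```xql
// Windows setup class GUID for Bluetooth devices (assumed stored lowercase, no braces)
preset = device_control
| filter action_device_class_guid contains "e0cbf06c-cd8b-4647-bb8a-263b43f0f974"
| alter user_context = coalesce(actor_effective_username, "SYSTEM")
| comp count() as bluetooth_events,
       earliest(_time) as first_seen,
       latest(_time) as last_seen
  by agent_hostname, user_context
| sort desc bluetooth_events
```

If no rows come back, drop the filter and list distinct action_device_class_guid values first to confirm the GUID format the preset actually stores.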
06-10-2025 08:49 AM
I agree with @nsinghvirk 's recommendation. The preset = device_control has limited coverage and primarily captures USB mount/unmount events, which explains why @Vinothkumar_SBA isn't seeing Bluetooth violations.
I've developed a query against xdr_data that addresses some potential security violations. The query aggregates findings by violation type, making it easy to prioritize investigations and track device activity across your environment.
@Vinothkumar_SBA , this query should give you the Bluetooth violation visibility you're looking for, along with some enhanced USB device monitoring capabilities.
dataset = xdr_data
| filter _time > to_timestamp(subtract(to_epoch(current_time()), 604800), "SECONDS") // 7 days
// Comprehensive device control event detection
| filter (
    // USB Device detection using actual USB fields
    action_device_usb_vendor_name != null or
    action_device_usb_product_name != null or
    action_device_usb_vendor_id != null or
    // Bluetooth Registry Violations
    (event_type = 4 and event_sub_type = 4 and
     action_registry_key_name contains "BTHLEDevice") or
    // Process events involving device drivers
    (event_type = 1 and action_process_image_name in (
        "pnputil.exe", "devcon.exe", "driverquery.exe"
    )) or
    // Registry events for device policies
    (event_type = 4 and action_registry_key_name contains "DeviceInstall")
)
// Device violation classification
| alter
    violation_type = if(
        action_device_usb_vendor_name != null, "🔌 USB_DEVICE_CONNECTED",
        action_device_usb_vendor_id != null, "🔌 USB_DEVICE_DETECTED",
        action_registry_key_name contains "BTHLEDevice", "📱 BLUETOOTH_ACTIVITY",
        action_registry_key_name contains "DeviceInstall", "⚙️ DEVICE_POLICY_CHANGE",
        action_process_image_name in ("pnputil.exe", "devcon.exe"), "🔧 DEVICE_MANAGEMENT_TOOL",
        "🔍 OTHER_DEVICE_EVENT"
    ),
    risk_level = if(
        action_device_usb_vendor_name = null and action_device_usb_product_name = null and action_device_usb_vendor_id != null, "🔴 UNKNOWN_USB_DEVICE",
        actor_effective_username != "NT AUTHORITY\\SYSTEM" and action_registry_key_name contains "BTHLEDevice", "🟠 USER_BLUETOOTH_MODIFICATION",
        extract_time(_time, "HOUR") >= 18 or extract_time(_time, "HOUR") <= 6, "🟡 AFTER_HOURS_DEVICE_ACTIVITY",
        "✅ STANDARD_DEVICE_ACTIVITY"
    ),
    device_identifier = if(
        action_device_usb_serial_number != null, action_device_usb_serial_number,
        action_device_usb_vendor_name != null, concat(action_device_usb_vendor_name, " - ", action_device_usb_product_name),
        action_registry_key_name contains "BTHLEDevice", "BLUETOOTH_DEVICE",
        "UNKNOWN_DEVICE"
    ),
    user_context = coalesce(actor_effective_username, "SYSTEM"),
    timestamp = format_timestamp("%Y-%m-%d %H:%M:%S", _time)
// Aggregate violations by type and risk
| comp
    count() as violation_events,
    count_distinct(agent_hostname) as affected_hosts,
    count_distinct(device_identifier) as unique_devices,
    count_distinct(user_context) as users_involved,
    earliest(_time) as first_violation,
    latest(_time) as last_violation,
    values(agent_hostname) as hostnames,
    values(device_identifier) as device_list,
    values(user_context) as user_accounts
  by violation_type, risk_level
| alter
    violation_timeframe = concat(
        format_timestamp("%Y-%m-%d %H:%M", first_violation),
        " → ",
        format_timestamp("%Y-%m-%d %H:%M", last_violation)
    ),
    violation_summary = concat(
        to_string(violation_events), " events | ",
        to_string(affected_hosts), " hosts | ",
        to_string(unique_devices), " devices | ",
        to_string(users_involved), " users"
    )
| fields
    violation_type,
    risk_level,
    violation_timeframe,
    violation_summary,
    violation_events,
    affected_hosts,
    unique_devices,
    hostnames,
    device_list,
    user_accounts
| sort desc violation_events
Query features:
- action_registry_key_name contains "BTHLEDevice"
- pnputil.exe, devcon.exe (to catch bypass attempts)
Feel free to integrate more features, tune it, or tailor it more for your needs.
06-18-2025 02:49 AM
Hi @A.Elzedy,
Thanks for this query.
I’m seeing multiple results, but at the same time, I’m only seeing 18 results under the Device Control Violations tab in the Cortex XDR management console. I’m expecting the same number of results in the XQL query.
Please note: Device Control policy is only enabled in block mode on 18 machines. The XDR agent has successfully prevented actions on these machines, and the violations are visible in the tab—18 results in total. Therefore, we expect the XQL query to return the same results.
06-18-2025 07:51 AM
Thank you @Vinothkumar_SBA, would you please share the configuration details of your policy?
06-18-2025 10:03 PM
Hi @A.Elzedy,
We have configured a specific user group to block access to disk drives, CD-ROM drives, Windows portable devices, floppy disk drives, and Bluetooth devices—while still allowing print jobs—through the Cortex XDR Device Control Policy configuration profiles.
At the same time, for another set of endpoint groups, we blocked disk drives, CD-ROM drives, Windows portable devices, and floppy disk drives, but allowed access to Bluetooth and printer jobs.
The policies were successfully configured. When a user tries to access USB or Bluetooth devices, the XDR agent successfully blocks the attempt. These violations are being recorded and displayed in the Device Control Violation tab in the XDR Management Console.
We expect to see the same results reflected in the XQL queries, as we are using them to generate daily report templates. These reports are meant to show whether any user has violated the XDR Device Control Policy—meaning if they attempted to access USB or Bluetooth devices.