Does Cortex XDR Device Control blocks mobile hotspots through USB? [PART 2]

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does Cortex XDR Device Control blocks mobile hotspots through USB? [PART 2]

L1 Bithead

Hello, 

In my last post I was asking if Cortex XDR was able to block USB network connections and the answer was that by default not. 

 

However thanks to the solution I was able to find a settings that lets you add a new device for device control module. This way I connected the smartphone via USB, started USB internet sharing and found the specific device. 

maksymilianjan_0-1663857995892.png

 

Now, to add this device in Cortex you need the GUID and add it as a new device:

 

maksymilianjan_2-1663858118111.png

 

However this 4d36e972-e325-11ce-bfc1-08002be10318 GUID is the same for (i suspect) all of the network adapters in windows. 

 

This way there is no ability to block *only* this behavior right? I configured the policy with this device for only "Allow" actions but no events were shown even after tests. Does the "allow" policy in cortex xdr device management works same as a report setting?

 

If this is not possible, is there any other way to block this kind of connections through smartphones (or even other USB portable network adapters).

Thanks!!

Max

 

 

 

2 accepted solutions

Accepted Solutions

L3 Networker

Hi Max,

 

Device Control instances under Endpoints > Device Control Violations monitor all attempts to connect restricted USB-connected devices to Cortex XDR. Because of this, your instances of device allowance will not appear in this output menu.

 

You are correct that the block would apply to all of the network adapters in Windows. With Device Control exceptions, you are able to create exceptions to this baseline block by adding your trusted network adapter connections.

 

Permanent/temporary exceptions for your network can be made under Endpoints > Policy Management > Extensions > Device Permanent/Temporary Exceptions. To tune exceptions for particular endpoints, this can be configured to your Device Exceptions profile under Endpoints > Policy Management > Extensions > Profiles.

 

 

mfakhouri_0-1664210698831.png

 

Add your trusted device types here. Your custom network adapter type should come up under "custom device types". Add the corresponding vendor and product or serial number as well. 

 

After setting your device control policy to block network adapter connections, the configured devices should be exempt from the block. 

 

Further reading:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

View solution in original post

L2 Linker

@maksymilianjan 

 Probably its not going to show in device control as its not considered as portable device or disk drive

 

First try this XQL query if its shows :

preset = device_control
| fields agent_hostname as hostname, action_device_usb_product_name as product,  action_device_usb_vendor_name as vendor, action_device_usb_serial_number as serial_number
| dedup hostname, product, vendor, serial_number 

 

If it doesnt.. try this..then from result, you can explore and try to find the device.

preset = xdr_registry
| filter agent_hostname="Hostname" // add hostname that usb was seen on here
| filter lowercase(action_registry_full_key) ~= "enum.*usb"

View solution in original post

7 REPLIES 7

L3 Networker

Hi Max,

 

Device Control instances under Endpoints > Device Control Violations monitor all attempts to connect restricted USB-connected devices to Cortex XDR. Because of this, your instances of device allowance will not appear in this output menu.

 

You are correct that the block would apply to all of the network adapters in Windows. With Device Control exceptions, you are able to create exceptions to this baseline block by adding your trusted network adapter connections.

 

Permanent/temporary exceptions for your network can be made under Endpoints > Policy Management > Extensions > Device Permanent/Temporary Exceptions. To tune exceptions for particular endpoints, this can be configured to your Device Exceptions profile under Endpoints > Policy Management > Extensions > Profiles.

 

 

mfakhouri_0-1664210698831.png

 

Add your trusted device types here. Your custom network adapter type should come up under "custom device types". Add the corresponding vendor and product or serial number as well. 

 

After setting your device control policy to block network adapter connections, the configured devices should be exempt from the block. 

 

Further reading:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

L2 Linker

@maksymilianjan 

 Probably its not going to show in device control as its not considered as portable device or disk drive

 

First try this XQL query if its shows :

preset = device_control
| fields agent_hostname as hostname, action_device_usb_product_name as product,  action_device_usb_vendor_name as vendor, action_device_usb_serial_number as serial_number
| dedup hostname, product, vendor, serial_number 

 

If it doesnt.. try this..then from result, you can explore and try to find the device.

preset = xdr_registry
| filter agent_hostname="Hostname" // add hostname that usb was seen on here
| filter lowercase(action_registry_full_key) ~= "enum.*usb"

Hey, 

 

Sorry for the late reply but this was a lifesaver as I did not know that XQL will show more events.

 

Now there are devices like: Galaxy series, misc. (tethering mode) which is just what I was looking for. 


Also, just FYI I made this BIOC rule for detecting the activity via registry changes (needs some tuning):

 

preset = xdr_registry
| filter (action_registry_key_name = """HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\usbrndis*\\Enum""")
| filter (action_registry_data contains """USB\\VID""")

 

Regards.

Is there any device control API endpoint to xdr cortex?

Hi @aaminahassan 

 

Did understood your question or ask, could you share your use case or example for your query? Is your ask for api to get list of device control violations? If yes, we do have api for that you may refer here Get Violations

 

Hope this helps!

Thanks

 

L1 Bithead

I want to  whitelist USB using  API call.
Under device control I can see only get_violations. I can get_violations of device but don't know the exact parameters/API end point to whitelist the device. like serial number /vendor etc to be used in which call?

L4 Transporter

Hi @aaminahassan 

Currently the only way to whitelist the device would be through UI under Device exceptions. 

Reference: Device Control

Thanks

  • 2 accepted solutions
  • 3719 Views
  • 7 replies
  • 0 Likes
  • 78 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!