09-22-2022 07:51 AM
Hello,
In my last post I was asking if Cortex XDR was able to block USB network connections, and the answer was that by default it does not.
However, thanks to the solution I was able to find a setting that lets you add a new device for the device control module. This way I connected the smartphone via USB, started USB internet sharing and found the specific device.
Now, to add this device in Cortex you need the GUID and add it as a new device:
However, this 4d36e972-e325-11ce-bfc1-08002be10318 GUID is the same for (I suspect) all of the network adapters in Windows.
This way there is no ability to block *only* this behavior, right? I configured the policy with this device for only "Allow" actions but no events were shown even after tests. Does the "allow" policy in Cortex XDR device management work the same as a report setting?
If this is not possible, is there any other way to block this kind of connection through smartphones (or even other USB portable network adapters)?
Thanks!!
Max
09-26-2022 10:09 AM
Hi Max,
Device Control instances under Endpoints > Device Control Violations monitor all attempts to connect restricted USB-connected devices to Cortex XDR. Because of this, your instances of device allowance will not appear in this output menu.
You are correct that the block would apply to all of the network adapters in Windows. With Device Control exceptions, you are able to create exceptions to this baseline block by adding your trusted network adapter connections.
Permanent/temporary exceptions for your network can be made under Endpoints > Policy Management > Extensions > Device Permanent/Temporary Exceptions. To tune exceptions for particular endpoints, this can be configured to your Device Exceptions profile under Endpoints > Policy Management > Extensions > Profiles.
Add your trusted device types here. Your custom network adapter type should come up under "custom device types". Add the corresponding vendor and product or serial number as well.
After setting your device control policy to block network adapter connections, the configured devices should be exempt from the block.
Further reading:
09-27-2022 10:40 PM
Probably it's not going to show in device control as it's not considered a portable device or disk drive.
First try this XQL query and see if it shows anything:
preset = device_control
| fields agent_hostname as hostname, action_device_usb_product_name as product, action_device_usb_vendor_name as vendor, action_device_usb_serial_number as serial_number
| dedup hostname, product, vendor, serial_number
If it doesn't, try this; then from the result you can explore and try to find the device.
preset = xdr_registry
| filter agent_hostname="Hostname" // add hostname that usb was seen on here
| filter lowercase(action_registry_full_key) ~= "enum.*usb"
10-20-2022 04:39 AM
Hey,
Sorry for the late reply, but this was a lifesaver as I did not know that XQL would show more events.
Now there are devices like "Galaxy series, misc. (tethering mode)", which is just what I was looking for.
Also, just FYI, I made this BIOC rule for detecting the activity via registry changes (needs some tuning):
preset = xdr_registry
| filter (action_registry_key_name = """HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\usbrndis*\\Enum""")
| filter (action_registry_data contains """USB\\VID""")
Regards.
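The registry-based triage query (the `xdr_registry` filter on `enum.*usb`) and the BIOC rule above both express the same idea: a tethered phone shows up in Windows as a USB\VID_... device instance bound to the RNDIS service, so the registry writes that enumerate it are the signal. The following Python script is an added example, not code from the thread or from Palo Alto Networks; it re-implements both filters over a handful of constructed registry events that use the same field names as the posted queries (`agent_hostname`, `action_registry_key_name`, `action_registry_full_key`, `action_registry_data`). It generalizes the BIOC rule slightly by accepting any numbered control set (`ControlSet001`, `ControlSet002`, ...) rather than only `ControlSet001`; that widening is my assumption, not something the original rule does.

```python
import re

# Constructed sample registry events (not real telemetry). Field names follow
# the xdr_registry dataset as used in the thread's XQL queries.
SAMPLE_EVENTS = [
    {   # Phone enumerated under the RNDIS service: what the BIOC rule is after
        "agent_hostname": "WS-01",
        "action_registry_key_name": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbrndis6\Enum",
        "action_registry_full_key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbrndis6\Enum\0",
        "action_registry_data": r"USB\VID_04E8&PID_6863\R58M00XYZ",
    },
    {   # Same device under Enum\USB: what the triage query (enum.*usb) surfaces
        "agent_hostname": "WS-01",
        "action_registry_key_name": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_04E8&PID_6863\R58M00XYZ",
        "action_registry_full_key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_04E8&PID_6863\R58M00XYZ\DeviceDesc",
        "action_registry_data": "Galaxy series, misc. (tethering mode)",
    },
    {   # RNDIS Enum key, but the value written is only the instance count
        "agent_hostname": "WS-02",
        "action_registry_key_name": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbrndis6\Enum",
        "action_registry_full_key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbrndis6\Enum\Count",
        "action_registry_data": "1",
    },
    {   # Unrelated registry write: must not match either filter
        "agent_hostname": "WS-01",
        "action_registry_key_name": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "action_registry_full_key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "action_registry_data": r"C:\Tools\updater.exe",
    },
    {   # A second control set number (covered only by the widened pattern)
        "agent_hostname": "WS-02",
        "action_registry_key_name": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usbrndis6\Enum",
        "action_registry_full_key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usbrndis6\Enum\0",
        "action_registry_data": r"USB\VID_18D1&PID_4EE3\0123456789ABCDEF",
    },
]

# Equivalent of: filter lowercase(action_registry_full_key) ~= "enum.*usb"
USB_ENUM_RE = re.compile(r"enum.*usb")

# Equivalent of the BIOC key match HKLM\SYSTEM\ControlSet001\Services\usbrndis*\Enum,
# with the control set number widened to \d+ (assumption, see lead-in).
RNDIS_ENUM_KEY_RE = re.compile(
    r"^hkey_local_machine\\system\\controlset\d+\\services\\usbrndis[^\\]*\\enum$"
)

VID_PID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


def usb_enum_registry_hits(events, hostname):
    """Triage query: registry events on one host whose full key looks like Enum\\USB\\..."""
    return [
        e for e in events
        if e["agent_hostname"] == hostname
        and USB_ENUM_RE.search(e["action_registry_full_key"].lower())
    ]


def rndis_tethering_hits(events):
    """BIOC rule: usbrndis*\\Enum key written with a USB\\VID_... device instance as data."""
    return [
        e for e in events
        if RNDIS_ENUM_KEY_RE.match(e["action_registry_key_name"].lower())
        and "USB\\VID" in e["action_registry_data"]
    ]


def summarize(hit):
    """Reduce a hit to (host, VID, PID) so an analyst can map it to a vendor/product."""
    m = VID_PID_RE.search(hit["action_registry_data"])
    return (hit["agent_hostname"], m.group(1) if m else None, m.group(2) if m else None)


if __name__ == "__main__":
    print("Triage hits on WS-01:")
    for e in usb_enum_registry_hits(SAMPLE_EVENTS, "WS-01"):
        print("  ", e["action_registry_full_key"], "=", e["action_registry_data"])
    print("RNDIS tethering hits:")
    for e in rndis_tethering_hits(SAMPLE_EVENTS):
        print("  ", summarize(e))
```

The `Count` event on WS-02 is kept in the sample on purpose: it shows why the BIOC rule needs the `contains "USB\VID"` data check as well as the key match, since the RNDIS service touches its `Enum` key for bookkeeping values that carry no device instance.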
05-02-2023 03:38 AM
Is there any device control API endpoint for Cortex XDR?
05-02-2023 10:18 PM
I didn't understand your question or ask; could you share your use case or an example for your query? Is your ask for an API to get the list of device control violations? If yes, we do have an API for that; you may refer here: Get Violations
Hope this helps!
Thanks
05-02-2023 10:22 PM
I want to whitelist a USB device using an API call.
Under device control I can see only get_violations. I can get_violations of a device but don't know the exact parameters/API endpoint to whitelist the device, i.e. serial number/vendor etc. to be used in which call?
05-04-2023 03:29 AM
Currently the only way to whitelist the device would be through UI under Device exceptions.
Reference: Device Control
Thanks