06-23-2025 01:17 PM
Hi All, looking for some help here. We've been using a query a colleague wrote to find computers with USBs mounted.
This is the query:
// Description: Show drive mount activity
dataset = xdr_data
| filter event_type = ENUM.MOUNT
| alter mount_point = action_mount_device_info -> storage_device_mount_point
| alter storage_device_class_name = action_mount_device_info -> storage_device_class_name
| alter vendor_id = action_mount_device_info -> storage_device_vendor_id
| alter product_id = action_mount_device_info -> storage_device_product_id
| alter storage_device_drive_type = action_mount_device_info -> storage_device_drive_type
| fields _time, agent_hostname, action_mount_device_info, mount_point, storage_device_*, vendor_id, product_id, agent_os_type, agent_os_sub_type
//| filter storage_device_drive_type = "2" or
| filter storage_device_drive_type = "DEVICE_REMOVABLE" // 2: Removable
The problem here is that this is only grabbing Windows and not macOS. I've tried a few other queries found here in the Live Community, but nothing seems to be working accurately for macOS.
Any suggestions?
Thank you in advance.
Joe
06-23-2025 09:55 PM
Hello,
Try below:
preset = device_control | filter event_sub_type = MOUNT_DRIVE_MOUNT and agent_os_type = AGENT_OS_MAC and action_device_bus_type = USB
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
06-24-2025 06:58 AM
Hi @aspatil, thank you for your reply. Unfortunately that only returns one computer and I'm expecting many more. We have almost 1000 Mac endpoints in our environment and I'm certain there are more than one that have USB storage drives mounted.
Regards,
Joe
06-24-2025 11:10 AM
Hi @aspatil ,
Would you be able to share a sample output of the following query? That would help in understanding your environment better.
dataset = xdr_data
| filter event_type = ENUM.DEVICE and event_sub_type = ENUM.DEVICE_PLUG
| alter deviceinfo = to_string(actor_process_device_info)
| comp count() by deviceinfo
06-24-2025 11:59 AM
I think you may need to expand the timeframe up to 30d if it was not already set to that.
Also try running this one too:
dataset = xdr_data
| comp count() by agent_os_type , action_device_usb_vendor_name , action_device_usb_product_name , action_device_usb_vendor_id
06-24-2025 02:53 PM
Hi @A.Elzedy, thank you again. Attached is a .zip file with the query results of this most recent run. This one is definitely set to 30 days.
Thank you,
Joe
06-24-2025 02:56 PM
@A.Elzedy, here is the query results with set to 30 days. Thanks, Joe
06-25-2025 09:23 AM
Alright, after reviewing the logs, there isn't much activity from Mac devices. There could be a policy in place that's blocking them from connecting USB disks.
In the meantime, I have drafted a query that could help monitor USB activities/changes:
dataset = xdr_data
| filter event_type in (ENUM.DEVICE, ENUM.MOUNT, ENUM.FILE)
| filter action_device_usb_vendor_id != null
| sort asc _time
// first and last event per host + device serial number bound the plug/unplug session
| windowcomp first_value(event_timestamp) by agent_hostname, action_device_usb_serial_number sort asc _time as plug_time
| windowcomp last_value(event_timestamp) by agent_hostname, action_device_usb_serial_number sort desc _time as unplug_time
// dedup on the same key the windowcomp above and the join below use (serial number);
// deduping on vendor_id would collapse two devices from one vendor on the same host into one row
| dedup agent_hostname, action_device_usb_serial_number
| alter plug_ts = to_timestamp(plug_time, "MILLIS"),
        unplug_ts = to_timestamp(unplug_time, "MILLIS")
| alter plug_time_readable = format_timestamp("%Y-%m-%d %H:%M:%S", plug_ts, "America/New_York"),
        unplug_time_readable = format_timestamp("%Y-%m-%d %H:%M:%S", unplug_ts, "America/New_York")
| alter session_duration_minutes = timestamp_diff(unplug_ts, plug_ts, "MINUTE")
// file operations on the device, summarised per host + serial number and joined back to the session;
// a right join keeps every device that had file activity even if no plug/unplug pair was found
| join type = right (
    dataset = xdr_data
    | filter event_type = ENUM.FILE
    | filter action_device_usb_vendor_id != null
    | filter actor_effective_username not in ("NT AUTHORITY\SYSTEM")
    | filter actor_effective_username not contains "\root"
    | alter op = if(event_sub_type = 1, "New file creation",
                    event_sub_type = 2, "File access/opening",
                    event_sub_type = 3, "File renaming",
                    event_sub_type = 4, "File linking",
                    event_sub_type = 5, "File deletion",
                    event_sub_type = 6, "File modification",
                    event_sub_type = 7, "File attribute changes",
                    event_sub_type = 8, "Directory creation",
                    event_sub_type = 9, "Directory access",
                    event_sub_type = 10, "Directory renaming",
                    event_sub_type = 11, "Directory linking",
                    event_sub_type = 12, "Directory deletion",
                    event_sub_type = 13, "File reparse operations",
                    event_sub_type = 14, "File security changes",
                    event_sub_type = 15, "File permission changes",
                    event_sub_type = 16, "File ownership changes",
                    to_string(event_sub_type))
    // strip anything outside a safe character set so paths render cleanly in the aggregated array
    | alter sanitized_path = replex(action_file_path, "[^a-zA-Z0-9_./\\-]", "")
    | alter file_op = to_string(concat(op, " : ", sanitized_path))
    | comp count() as file_event_count,
           values(file_op) as file_operations,
           values(actor_effective_username) as usernames
      by agent_hostname, action_device_usb_serial_number
    | alter file_operations_top_100 = arrayrange(file_operations, 0, 100)
    | fields file_event_count, file_operations_top_100, usernames, agent_hostname, action_device_usb_serial_number
) as file_activity
    file_activity.agent_hostname = agent_hostname and
    file_activity.action_device_usb_serial_number = action_device_usb_serial_number
| alter vendor_product = concat(action_device_usb_vendor_name, " ", replace(action_device_usb_product_name, "unknown", " "))
| fields agent_os_type, agent_hostname, usernames, vendor_product,
         plug_time_readable, unplug_time_readable, session_duration_minutes,
         file_event_count, file_operations_top_100
| sort asc plug_time_readable
06-25-2025 09:41 AM
Hi @A.Elzedy, thank you, I'll have a look at this query. As for a policy blocking USB on Mac devices, there are none in place at the moment. Though that is something that we are working towards.
Ideally, what I'm trying to do is determine on both Mac and Windows, how many people are using USB storage devices over a 30 day period. So strange how difficult this is to find on macOS.
Feel free to let me know if you come up with anything else and thank you for your efforts.
Regards,
Joe
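To get at the number asked for in the last post (how many hosts and users touched USB storage on each OS over 30 days), here is an added example query. It is not from any participant in the thread; it only combines the two signals the thread has already used: removable-drive mounts read from action_mount_device_info (the Windows path of the first query) and USB device events that carry action_device_usb_vendor_id (the path that returned the single Mac). The field names are taken from the queries above; the "DEVICE_REMOVABLE" drive-type string, the config timeframe stage and count_distinct() in comp are assumptions to confirm in your own tenant before reporting the figures.

```xql
// Added example, not from the thread: one row per OS with the number of distinct
// hosts and users that produced USB storage activity in the last 30 days.
// Assumptions: config timeframe is accepted at the top of the query, count_distinct()
// is available in comp, and the drive-type string matches the first query's output.
config timeframe = 30d
| dataset = xdr_data
| filter event_type in (ENUM.MOUNT, ENUM.DEVICE)
// pull the drive type out of the mount JSON so it can be used in the filter below
| alter drive_type = action_mount_device_info -> storage_device_drive_type
// keep removable mounts (seen on Windows) and USB device events with a vendor id
// (the signal the device_control preset relied on for the Mac)
| filter (event_type = ENUM.MOUNT and drive_type = "DEVICE_REMOVABLE")
      or (event_type = ENUM.DEVICE and action_device_usb_vendor_id != null)
| alter signal = if(event_type = ENUM.MOUNT, "removable_mount", "usb_device")
| comp count_distinct(agent_hostname) as hosts,
       count_distinct(actor_effective_username) as users,
       count() as events,
       values(signal) as signals_seen
  by agent_os_type
| sort desc hosts
```

To list the individual machines instead of counting them, replace the comp stage with `| dedup agent_hostname, agent_os_type` and keep `fields agent_os_type, agent_hostname, signal`. The check worth doing before trusting the macOS row: plug a known drive into one Mac, run the query against that host only, and confirm that at least one row appears with agent_os_type = AGENT_OS_MAC under either signal; if neither event type fires for a host you can see the drive on, the gap is in what the agent reports for that platform, not in the query.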