02-08-2026 08:58 PM
Hello,
We have received a request asking whether it is possible for administrators to receive alert emails whenever a USB device is connected to any endpoints.
(*Currently, the USB policy in Exploit – Device Configuration is set to Read Only.)
(* I think the administrator wants to get the log [Inventory-Device Control Violations])
We attempted to configure this under Settings → Configuration → Notifications by selecting Management Audit Logs and setting the Type to Device Control (All). However, the expected alerts were not generated as desired.
ChatGPT suggested using XQL + BIOC, but we are still unable to identify the exact XQL query and the correct configuration steps.
We have created the query below; however, we are not sure whether it is correct.
Could you please review it and let us know if it is properly configured?
At present, the alert flow is configured as Issue Alert → Syslog → Administrator, so it would be sufficient if USB-related alerts could be forwarded via syslog.
Thank you.
02-10-2026 05:35 AM
Hello @Y.SONG464633 ,
Greetings for the day.
It is possible to receive email or syslog notifications whenever a USB device is connected to an endpoint, but the configuration you attempted under Management Audit Logs failed because those logs are designed to track administrative changes (such as an admin modifying a policy), not endpoint security events.
To achieve USB connection notifications, you must create a Correlation Rule based on an XQL query that detects USB connection events and then configure Notification Forwarding for those alerts.
License: A Cortex XDR Pro license is required to access the granular endpoint telemetry needed for these queries.
Data Collection: Ensure that Enhanced Endpoint Data collection is enabled in your Agent Settings Profile.
While monitoring registry keys can work, it is more efficient and reliable to use the dedicated DEVICE event type or the built-in device control telemetry.
Recommended XQL Query:
dataset = xdr_data
| filter event_type = DEVICE and event_sub_type = DEVICE_PLUG
| fields _time, agent_hostname, actor_effective_username, action_device_usb_vendor_name, action_device_usb_product_name, action_device_usb_serial_number
Navigate to Detection Rules → Correlation Rules → + New Rule.
Paste the recommended query into the XQL Search section.
Time Schedule: Configure the rule to run frequently (for example, every 5 or 15 minutes).
Action: Select Generate Alert.
Alert Name: Assign a unique name such as USB_Connection_Detected. This is important for notification filtering.
Alert Fields Mapping (Optional): Map fields such as agent_hostname to standard alert fields for improved visibility.
Save and enable the rule.
Navigate to Settings → Configuration → Notifications → Forwarding Configurations.
Click + Add Forwarding Configuration.
Alert Source: Select Cortex XDR Analytics & Correlation.
Filtering: Filter on the Alert Name created earlier (for example, USB_Connection_Detected).
Target: Choose Email or Syslog (ensure the syslog server is already configured under Settings → Configurations → Integrations → Syslog).
Save the configuration.
BIOC (Behavioral Indicators of Compromise) rules are primarily designed for real-time detection and prevention of malicious activity. While they can technically detect USB-related events, Correlation Rules are better suited for monitoring environmental or operational events such as hardware connections. They allow scheduled searches across historical raw data and provide simpler alerting and notification workflows.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
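To make the two-stage flow in the answer concrete, here is an added Python model (not from the thread and not Palo Alto Networks code) that applies the recommended XQL filter and field projection to constructed xdr_data rows, tags each match with the alert name USB_Connection_Detected, and then applies the forwarding filter on alert source and alert name before rendering a syslog line. The row layout, the event values and the syslog line format are assumptions for illustration; real Cortex XDR syslog forwarding uses its own CEF layout.

```python
"""Added example: models Correlation Rule -> alert -> Forwarding Configuration.
All rows below are constructed sample data; keys follow the XQL query's field names."""

ALERT_NAME = "USB_Connection_Detected"          # name given to the correlation rule
ALERT_SOURCE = "Cortex XDR Analytics & Correlation"  # alert source chosen when forwarding
# Projection from the recommended query's "| fields ..." clause
FIELDS = ("_time", "agent_hostname", "actor_effective_username",
          "action_device_usb_vendor_name", "action_device_usb_product_name",
          "action_device_usb_serial_number")

# Constructed xdr_data rows: only the second one is a DEVICE / DEVICE_PLUG event.
SAMPLE_XDR_DATA = [
    {"_time": "2026-02-10T09:00:00Z", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "agent_hostname": "WS-01", "actor_effective_username": "corp\\alice"},
    {"_time": "2026-02-10T09:01:12Z", "event_type": "DEVICE", "event_sub_type": "DEVICE_PLUG",
     "agent_hostname": "WS-02", "actor_effective_username": "corp\\bob",
     "action_device_usb_vendor_name": "ExampleVendor", "action_device_usb_product_name": "Flash Drive",
     "action_device_usb_serial_number": "CONSTRUCTED-SN-0001"},
    {"_time": "2026-02-10T09:05:40Z", "event_type": "DEVICE", "event_sub_type": "DEVICE_UNPLUG",
     "agent_hostname": "WS-02", "actor_effective_username": "corp\\bob",
     "action_device_usb_serial_number": "CONSTRUCTED-SN-0001"},
]


def run_correlation_rule(rows):
    """Stage 1: apply 'filter event_type = DEVICE and event_sub_type = DEVICE_PLUG',
    keep only the projected fields, and raise one alert per matching row."""
    alerts = []
    for row in rows:
        if row.get("event_type") == "DEVICE" and row.get("event_sub_type") == "DEVICE_PLUG":
            alerts.append({"alert_name": ALERT_NAME, "alert_source": ALERT_SOURCE,
                           **{f: row.get(f) for f in FIELDS}})
    return alerts


def forward_to_syslog(alerts, alert_name=ALERT_NAME):
    """Stage 2: the forwarding configuration matches on source and alert name and
    renders each hit as an RFC 5424-style line (assumed layout, not Cortex XDR's CEF)."""
    lines = []
    for a in alerts:
        if a["alert_source"] != ALERT_SOURCE or a["alert_name"] != alert_name:
            continue
        kv = " ".join(f'{k}="{a[k]}"' for k in FIELDS)
        lines.append(f"<14>1 {a['_time']} {a['agent_hostname']} cortex-xdr - {alert_name} - {kv}")
    return lines


if __name__ == "__main__":
    for line in forward_to_syslog(run_correlation_rule(SAMPLE_XDR_DATA)):
        print(line)
```

The unplug and process rows never reach the forwarder, which is the behaviour the alert-name filter in step "Filtering" relies on.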
02-10-2026 06:18 PM
Thank you Veeeeeeeeeeeeeeeeeeeeeeeeeeeeery Much!!
You saved my life! 😭😭😭😭😭😭 😘