This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

USB drive Alert

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

USB drive Alert

F.Alsalem
L0 Member

‎01-06-2025 11:31 PM

kindly we need your support, I want to get alert when a USB drive is connected to workstation and not blocked by Symantec AV.

I have tried several times with correlation rule, I found XQL query very effective, and it is as follows:

 

 

Spoiler
config case_sensitive = false
| preset = device_control
| filter event_sub_type = ENUM.MOUNT_DRIVE_MOUNT
| fields agent_hostname, _time as mount_time, action_device_bus_type, action_device_class_name
| filter action_device_bus_type = 1 and action_device_class_name = "disk"
| sort desc mount_time
| join (
config case_sensitive = false
| preset = device_control
| filter event_sub_type = ENUM.MOUNT_DRIVE_UNMOUNT
| fields agent_hostname, _time as unmount_time, action_device_bus_type, action_device_class_name
| filter action_device_bus_type = 1 and action_device_class_name = "disk"
| sort desc unmount_time
) as F F.agent_hostname = agent_hostname
| filter unmount_time > mount_time
| alter time_diff_Second = timestamp_diff( unmount_time , mount_time, "SECOND") , time_diff_Minute = timestamp_diff( unmount_time , mount_time, "MINUTE")
|filter time_diff_Second >= 20 //because the Symantec blocks the devices before 20s i want alert who have the privilege to use it
| fields agent_hostname, mount_time, unmount_time as unmount_time, time_diff_Second, time_diff_Minute

This code is effective because I found that Symantec AV blocks the USB between about 2 to 20 seconds, and I was able to show almost correct results. It works on XQL Search but when I save it as correlation rule does not give an alert and does not accept to be added in BIOC because it uses (Config).

Is there a way by changing the code that I can get alerts ether on correlation or BIOC rule? Or if there another code please support us.

 

 

Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
0 REPLIES 0
  • 50 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks