USB drive Alert


L0 Member

Kindly, we need your support. I want to get an alert when a USB drive is connected to a workstation and is not blocked by Symantec AV.

I have tried several times with a correlation rule. I found an XQL query that is very effective, and it is as follows:

config case_sensitive = false
| preset = device_control
| filter event_sub_type = ENUM.MOUNT_DRIVE_MOUNT
| fields agent_hostname, _time as mount_time, action_device_bus_type, action_device_class_name
| filter action_device_bus_type = 1 and action_device_class_name = "disk"
| sort desc mount_time
| join (
    config case_sensitive = false
    | preset = device_control
    | filter event_sub_type = ENUM.MOUNT_DRIVE_UNMOUNT
    | fields agent_hostname, _time as unmount_time, action_device_bus_type, action_device_class_name
    | filter action_device_bus_type = 1 and action_device_class_name = "disk"
    | sort desc unmount_time
) as F F.agent_hostname = agent_hostname
| filter unmount_time > mount_time
| alter time_diff_Second = timestamp_diff(unmount_time, mount_time, "SECOND"), time_diff_Minute = timestamp_diff(unmount_time, mount_time, "MINUTE")
| filter time_diff_Second >= 20 // Symantec blocks the device within about 20 s; alert on the users who are allowed to keep using it
| fields agent_hostname, mount_time, unmount_time, time_diff_Second, time_diff_Minute

This query is effective because I found that Symantec AV blocks the USB drive after about 2 to 20 seconds, and I was able to show almost correct results. It works in XQL Search, but when I save it as a correlation rule it does not give an alert, and it is not accepted as a BIOC rule because it uses (Config).

Is there a way, by changing the query, that I can get alerts either from a correlation rule or a BIOC rule? Or if there is another query, please support us.

Cortex XDR 
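The mount/unmount pairing that the query's join performs, as an added Python example that is not part of the original post or of Cortex XDR; the event rows are constructed samples in the shape of the device_control fields. It pairs each unmount with the latest open mount on the same host (the XQL inner join instead pairs every unmount with every earlier mount on that host) and also reports drives that were mounted and never unmounted, which an inner join on unmount events can never alert on.

```python
from datetime import datetime

# Constructed sample rows: (agent_hostname, _time, event_sub_type). Not real telemetry.
EVENTS = [
    ("WS-01", "2024-05-01T09:00:00", "MOUNT_DRIVE_MOUNT"),
    ("WS-01", "2024-05-01T09:00:05", "MOUNT_DRIVE_UNMOUNT"),  # blocked after 5 s
    ("WS-02", "2024-05-01T09:10:00", "MOUNT_DRIVE_MOUNT"),
    ("WS-02", "2024-05-01T09:15:30", "MOUNT_DRIVE_UNMOUNT"),  # allowed, 330 s
    ("WS-03", "2024-05-01T09:20:00", "MOUNT_DRIVE_MOUNT"),    # never unmounted
    ("WS-02", "2024-05-01T09:30:00", "MOUNT_DRIVE_MOUNT"),
    ("WS-02", "2024-05-01T09:30:10", "MOUNT_DRIVE_UNMOUNT"),  # second plug-in, blocked
]

THRESHOLD_SECONDS = 20  # same threshold as the query's time_diff_Second >= 20


def analyze(events):
    """Pair each unmount with the most recent open mount on the same host.

    Returns (pairs, open_mounts): pairs is a list of
    (host, mount_time, unmount_time, seconds); open_mounts maps hosts whose
    drive is still mounted to the mount time.
    """
    open_mounts = {}  # host -> datetime of the latest mount not yet unmounted
    pairs = []
    # ISO-8601 strings sort chronologically, so sort by the raw timestamp
    for host, ts, sub_type in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if sub_type == "MOUNT_DRIVE_MOUNT":
            open_mounts[host] = t
        elif sub_type == "MOUNT_DRIVE_UNMOUNT":
            mount_t = open_mounts.pop(host, None)
            if mount_t is None or t <= mount_t:
                continue  # unmount with no preceding mount: nothing to pair
            pairs.append((host, mount_t, t, int((t - mount_t).total_seconds())))
    return pairs, open_mounts


def alerts(events, threshold=THRESHOLD_SECONDS):
    """Mounts that stayed in place at least `threshold` seconds, i.e. were not blocked."""
    pairs, _ = analyze(events)
    return [p for p in pairs if p[3] >= threshold]


if __name__ == "__main__":
    pairs, still_open = analyze(EVENTS)
    for host, m, u, secs in alerts(EVENTS):
        print(f"ALERT {host}: mounted {m} unmounted {u} ({secs} s)")
    for host, m in still_open.items():
        print(f"OPEN  {host}: mounted {m}, no unmount seen")
```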


L4 Transporter

Hello @F.Alsalem,

Thanks for reaching out on LiveCommunity!

The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. Currently, you cannot create a BIOC rule on customized datasets, and only the filter stage, alter stage, and functions without any aggregations are supported for XQL queries that define a BIOC.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.
