11-16-2021 05:56 AM
Hi all, question - can the XDR block a Thunderbolt dock for Macs? Furthermore - all device control violations are logged in the XDR main console, right?
11-17-2021 12:05 AM
Yes. As long as you insert a storage device into the Thunderbolt, it will detect it and block it (if this is what is configured in the policy).
11-17-2021 08:31 AM
Hi @Daniel_Itenberg, to address the second part of your question, you can monitor device control violations by navigating to Endpoints > Device Control Violations within the XDR App.
11-18-2021 01:03 AM
So if I set up the policy to block all disk drives, then if I connect a disk drive to a dock, the dock will be blocked as well?
11-18-2021 01:04 AM
Here's the thing - I see the disk drive violation, however I don't see the dock that is reportedly being blocked as well (when it has a disk drive connected); it does not show up in the violations screen.
11-18-2021 02:23 AM
This is most likely because your Thunderbolt dock is not a disk drive, but a dock/hub.
You can try the following sequence to see if this works for you:
1. Verify if the Thunderbolt dock connect/disconnect action is being detected via the following XQL query:
dataset = xdr_data
| filter event_type = DEVICE and event_sub_type = DEVICE_PLUG
| fields action_device_usb_product_name
If you're able to verify the dock is getting registered as a USB device, proceed to the following steps:
2. Add the Thunderbolt dock serial number/GUID under Policy Management -> Settings -> Device Management.
3. Add the device to your Device Configuration Profile under "Custom Device Type" and set the Action to "Block".