XDR blocking thunderbolt mac docks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XDR blocking thunderbolt mac docks

L2 Linker

Hi all, question - can the XDR block a thunderbolt dock for macs? furthermore - all device control violations logged in the xdr main console, right?

5 REPLIES 5

L1 Bithead

Hi Daniel,

Yes. As long as you insert a storing device to the thunderbolt it will detect it and block it (if this is what is configured in the policy).

Evgeny (Eugene) Palcev | Senior Customer Success Architect, Cortex

L3 Networker

Hi @Daniel_Itenberg, to address the second part of your question, you can monitor device control violations by navigating to Endpoints > Device Control Violations within the XDR App. 

So if I set up the policy to block all disk drives, then if i connect a disk drive to a dock the dock will be blocked as well?

Here's the thing - I see the disk drive violation, however I don't the dock that is reportedly being blocked as well(when it has a disk drive connected) does not show up in the violations screen

This is most likely because your Thunderbolt dock is not a disk drive, but a dock/hub. 

 

You can try the following sequence to see if this works for you:

1. Verify if the Thunderbolt dock connect/disconnect action in is being detected via the following XQL query:

dataset = xdr_data
| filter event_type = DEVICE and event_sub_type = DEVICE_PLUG
| fields action_device_usb_product_nam

 

If you're able to verify the dock is getting registered as a USB device, proceed to the following steps:

2. Add the Thunderbolt dock serial number/GUID under Policy Management -> Settings -> Device Management.

3. Add the device your Device Configuration Profile under "Custom Device Type" and Action as "Block".

 

 

 

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

  • 2990 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!