Forum Discussion
mattolver
Dec 07, 2023, Copper Contributor
Defender Removable Storage Audit / Evidence
Hi All,
We have rolled out a policy / group configuration that allows certain users to write to and execute from removable storage.
I can see the evidence (*.dup) files being generated in the nominated path when someone copies a file to a USB drive, but I cannot figure out how to report on these events.
The policy is set up as:
<Entry Id="{GUID REMOVED}">
    <Type>Allow</Type>
    <Options>8</Options>
    <!-- option 8 - save a copy of the file as evidence -->
    <AccessMask>6</AccessMask>
    <!-- mask 6 - write and execute -->
    <Sid>REMOVED</Sid>
</Entry>
<Entry Id="{GUID REMOVED}">
    <Type>AuditAllowed</Type>
    <Options>2</Options>
    <!-- option 2 - send event -->
    <AccessMask>6</AccessMask>
    <!-- mask 6 - write and execute -->
    <Sid>REMOVED</Sid>
</Entry>
Trying to use the query below in advanced hunting returns no events.
//information of the evidence file
DeviceEvents
| where ActionType contains "RemovableStorageFileEvent"
| extend parsed=parse_json(AdditionalFields)
| extend Policy = tostring(parsed.Policy)
| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaInstanceId = tostring(parsed.InstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
| order by Timestamp desc
I can, however, see the AuditAllowed policy being logged with this query:
//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc
Does anyone have any ideas on how to access these events / evidence files?
(Or whether troubleshooting is required?)
Thanks, Matt
Reply from mattolver (Copper Contributor): Policies / group configuration is being deployed via Intune.
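As an added example (not from the original post and not Microsoft's code), here is a small Python linter for the kind of device control policy quoted in the thread. It parses the Entry elements, decodes the Options and AccessMask bit fields into readable names, and flags two gaps that would stop file evidence from being reported: an evidence-enabled Allow entry (option 8) with no AuditAllowed "send event" entry overlapping its mask, and an evidence-enabled entry whose mask grants only disk-level access. The poster's comments only name Options 2 and 8 and AccessMask 6; the rest of the bit tables, the PolicyRule wrapper, the GUIDs and the SID are my assumptions, and the disk-only check is a heuristic to verify against the current Defender for Endpoint documentation rather than a documented rule.

```python
import xml.etree.ElementTree as ET

# Bit meanings for device control policy entries. Only Options 2/8 and
# AccessMask 6 come from the original post; the other rows are my reading of
# Microsoft's device control documentation (assumption, verify before use).
ACCESS_MASK_BITS = {
    1: "Disk Read", 2: "Disk Write", 4: "Disk Execute",
    8: "File Read", 16: "File Write", 32: "File Execute", 64: "Print",
}
ALLOW_OPTION_BITS = {
    4: "disable AuditAllowed/AuditDenied for this entry",
    8: "create file evidence with RemovableStorageFileEvent",
    16: "create file evidence without RemovableStorageFileEvent",
}
AUDIT_OPTION_BITS = {1: "show notification", 2: "send event"}
EVIDENCE_BITS = 8 | 16
SEND_EVENT_BIT = 2
FILE_LEVEL_BITS = 8 | 16 | 32  # File Read / File Write / File Execute

# Constructed policy mirroring the poster's two entries (placeholder GUIDs,
# made-up SID); the PolicyRule wrapper is an assumption about the layout.
SAMPLE_POLICY = """<PolicyRule Id="{00000000-0000-0000-0000-000000000001}">
  <Name>Constructed example</Name>
  <IncludedIdList><GroupId>{00000000-0000-0000-0000-0000000000aa}</GroupId></IncludedIdList>
  <ExcludedIdList/>
  <Entry Id="{00000000-0000-0000-0000-000000000002}">
    <Type>Allow</Type>
    <Options>8</Options>
    <AccessMask>6</AccessMask>
    <Sid>S-1-5-21-0-0-0-1001</Sid>
  </Entry>
  <Entry Id="{00000000-0000-0000-0000-000000000003}">
    <Type>AuditAllowed</Type>
    <Options>2</Options>
    <AccessMask>6</AccessMask>
    <Sid>S-1-5-21-0-0-0-1001</Sid>
  </Entry>
</PolicyRule>
"""


def decode_bits(value, table):
    """Return the names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_entries(xml_text):
    """Pull every <Entry> out of a policy rule (or group) XML document."""
    root = ET.fromstring(xml_text)
    return [
        {
            "id": e.get("Id"),
            "type": e.findtext("Type"),
            "options": int(e.findtext("Options") or 0),
            "mask": int(e.findtext("AccessMask") or 0),
            "sid": e.findtext("Sid"),
        }
        for e in root.iter("Entry")
    ]


def describe_entry(entry):
    """Human-readable one-liner for an entry, with bit fields decoded."""
    table = ALLOW_OPTION_BITS if entry["type"] == "Allow" else AUDIT_OPTION_BITS
    return "%s %s options=%s mask=%s" % (
        entry["type"], entry["id"],
        decode_bits(entry["options"], table),
        decode_bits(entry["mask"], ACCESS_MASK_BITS),
    )


def lint_policy(xml_text):
    """Return (code, entry_id, message) findings for evidence-related gaps."""
    entries = parse_entries(xml_text)
    audits = [e for e in entries if e["type"] == "AuditAllowed"]
    findings = []
    for e in entries:
        if e["type"] != "Allow" or not e["options"] & EVIDENCE_BITS:
            continue
        # Option 8 asks for a RemovableStorageFileEvent, which needs an
        # AuditAllowed entry that sends events and overlaps this access mask.
        paired = [a for a in audits
                  if a["options"] & SEND_EVENT_BIT and a["mask"] & e["mask"]]
        if e["options"] & 8 and not paired:
            findings.append(("EVIDENCE_WITHOUT_AUDIT", e["id"],
                             "option 8 set but no AuditAllowed 'send event' "
                             "entry overlaps AccessMask %d" % e["mask"]))
        # Heuristic (my assumption, not stated in the thread): evidence copies
        # are a file-system-level feature, so a mask with only disk-level bits
        # (1/2/4) is worth a second look.
        if not e["mask"] & FILE_LEVEL_BITS:
            findings.append(("EVIDENCE_DISK_ONLY_MASK", e["id"],
                             "file evidence enabled but AccessMask %d has no "
                             "File Read/Write/Execute bit" % e["mask"]))
    return findings


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_POLICY):
        print(describe_entry(entry))
    for code, entry_id, msg in lint_policy(SAMPLE_POLICY):
        print("%s %s: %s" % (code, entry_id, msg))
```

Run against an exported policy XML instead of SAMPLE_POLICY to get the same decoded view and findings; the findings are prompts for what to check in the policy, not a verdict on why a particular tenant's RemovableStorageFileEvent query is empty.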