Forum Discussion

Sohel68 (Copper Contributor) - Jul 12, 2023
Looking for KQL query when high volume of USB writes happens by a user
Hello, I did some online search, but I couldn't find any working one yet. I'm looking for a query which I can use in Advanced threat hunting in MDE to generate an alert when a user copies huge number...
Rod_Trent (Microsoft) - Jul 12, 2023
In Microsoft Defender for Endpoint, you can use the following KQL query to show a high volume of USB writes by a single user. Modify the Threshold value to define what you consider a "high volume" of USB writes.
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by AccountName
| where USBWriteCount > Threshold // Replace Threshold with a specific value to define "high volume"
| order by USBWriteCount desc
Sohel68 (Copper Contributor) - Jul 12, 2023
Thank you for the quick response.
I just ran the query and got an error on "AccountName" - see below:
"The name 'AccountName' does not refer to any known column, table, variable or function"
---------------
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by AccountName
| where USBWriteCount > 20 // if someone copies more than 20 files
| order by USBWriteCount desc
------------
any idea?
Rod_Trent (Microsoft) - Jul 12, 2023
Replace that with InitiatingProcessAccountName.
Here's the schema for that table: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide

Sohel68 (Copper Contributor) - Jul 12, 2023
Thank you again. So that seems to do the trick, but I'm not getting any results, even when I changed the value to "1" file.
I'm looking to see if someone copies more than 20 files in the last 24 hrs.
==========================
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
=====================

Rod_Trent (Microsoft) - Jul 12, 2023
I don't have a lot of USB data in my tenant and KQLSearch.com doesn't have much for this. Try the following (FileModified instead of FileWrite):
DeviceFileEvents
| where ActionType == "FileModified"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
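Added example (editor's own query, not code posted in the thread and not from Microsoft): a KQL query for the original ask, counting files a user wrote to a removable drive in the last 24 hours and flagging anyone above the 20-file figure from the thread. It differs from the queries above in two ways. DeviceFileEvents has no ActionType value "FileWrite" (the schema page linked above lists FileCreated, FileModified, FileDeleted and FileRenamed), and a file copied to a USB stick carries nothing like ".usb" in its name; the destination shows up in FolderPath under the drive letter the stick was mounted at. The query therefore takes the drive letter from the DeviceEvents "UsbDriveMounted" event and joins it to file events on the same device. Assumptions: that AdditionalFields on that event carries DriveLetter and SerialNumber keys (it does in my experience, but check a sample event in your tenant), that the 24h window and the 20-file threshold suit your environment, and that the service accounts excluded below are the ones you want excluded.

```kql
// Added example: files written to USB per user in the last 24h (assumptions listed in the lead-in).
let lookback = 24h;
let threshold = 20;                      // "more than 20 files" from the thread; tune per environment
// Drive letters of USB drives mounted on each device. Look back a day further than the
// write window so a stick mounted yesterday and still in use today is matched.
let UsbMounts = DeviceEvents
    | where Timestamp > ago(lookback + 1d)
    | where ActionType == "UsbDriveMounted"
    | extend Parsed = parse_json(AdditionalFields)
    | extend DriveLetter = tostring(Parsed.DriveLetter),     // assumed key, e.g. "E:"
             SerialNumber = tostring(Parsed.SerialNumber)    // assumed key
    | where isnotempty(DriveLetter)
    | project DeviceId, DriveLetter, SerialNumber, MountTime = Timestamp;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessAccountName !in ("system", "local service", "network service")
// Cheap pre-filter: anything on the system drive or a UNC share cannot be a local USB write.
| where FolderPath !startswith @"C:\" and FolderPath !startswith @"\\"
| project Timestamp, ReportId, DeviceId, DeviceName,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, FileName, FolderPath, FileSize
| join kind=inner UsbMounts on DeviceId
// Keep only writes under the mounted drive letter that happened after the mount.
| where Timestamp >= MountTime and FolderPath startswith DriveLetter
| summarize USBWriteCount = dcount(FolderPath),    // distinct paths: rewriting one file counts once
            TotalBytes = sum(FileSize),
            FirstWrite = min(Timestamp),
            Timestamp = max(Timestamp),            // Timestamp/ReportId/DeviceId kept for custom detection rules
            ReportId = take_any(ReportId),
            Drives = make_set(SerialNumber),
            WritingProcesses = make_set(InitiatingProcessFileName),
            SampleFiles = make_set(FileName, 10)
  by DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| where USBWriteCount > threshold
| order by USBWriteCount desc
```

The summarize keeps Timestamp, ReportId and DeviceId in the result set because a Defender custom detection rule requires those three columns; with them present the same query can be saved as a rule that raises an alert on a schedule rather than run by hand in Advanced hunting. Counting distinct FolderPath values instead of raw events avoids a single large file that Explorer writes in several passes being counted as many files, and the WritingProcesses set makes it obvious when the writes came from something other than explorer.exe, such as a script or an archiver.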