Forum Discussion
Sohel68
Jul 12, 2023 Copper Contributor
Looking for KQL query when high volume of USB writes happens by a user
Hello, I did some online searching, but I couldn't find any working one yet. I'm looking for a query which I can use in Advanced hunting in MDE to generate an alert when a user copies a huge number...
Sohel68
Jul 12, 2023 Copper Contributor
Thank you for the quick response.
I just ran the query and got an error on "AccountName" - see below
"The name 'AccountName' does not refer to any known column, table, variable or function"
---------------
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by AccountName
| where USBWriteCount > 20 // if someone copies more than 20 files
| order by USBWriteCount desc
------------
any idea?
Rod_Trent
Microsoft
Jul 12, 2023
Replace that with InitiatingProcessAccountName.
Here's the schema for that table: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
Sohel68
Jul 12, 2023 Copper Contributor
Thank you again. So that seems to do the trick, but I'm not getting any results, even when I changed the value to "1" file.
I'm looking to see if someone copies more than 20 files in last 24 hrs.
==========================
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
=====================
Rod_Trent
Jul 12, 2023
Microsoft
I don't have a lot of USB data in my tenant and KQLSearch.com doesn't have much for this. Try the following (FileModified instead of FileWrite):
DeviceFileEvents
| where ActionType == "FileModified"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
Sohel68
Jul 12, 2023 Copper Contributor
OK, this seems to return some values, so thank you again.
Do you know if this goes back to the last 24 hours? Curious, since I'm seeing a huge number of FileModified actions by a number of users, for example over 4K files by 30+ users.
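The queries in this thread count every FileModified event in the tenant, with no time window, which is why the result covers thousands of files across many users. The version below is an added example, not Rod_Trent's or Microsoft's query, that scopes the count to the last 24 hours and to writes whose FolderPath starts with a drive letter. The letters D:, E: and F: are a placeholder assumption for removable media in your environment; replace them with the letters you actually see USB drives mounted as (DeviceFileEvents itself has no column that says whether a path is on removable storage). All columns used (Timestamp, ActionType, FolderPath, FileName, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName) are standard DeviceFileEvents columns from the schema linked above.

```kql
// Added example (not from the thread): per-account count of file writes to
// assumed removable-media drive letters over the last 24 hours.
let lookback = 24h;            // window the question asks about
let write_threshold = 20;      // "more than 20 files" from the thread
DeviceFileEvents
| where Timestamp > ago(lookback)
// FileCreated covers a fresh copy; FileModified covers an overwrite. Both are
// standard DeviceFileEvents ActionType values.
| where ActionType in ("FileCreated", "FileModified")
// Placeholder assumption: these drive letters are removable media here.
| extend DriveLetter = toupper(substring(FolderPath, 0, 2))
| where DriveLetter in ("D:", "E:", "F:")
// Drop the noisiest system writers so interactive copies stand out;
// extend this list with whatever dominates your own results.
| where InitiatingProcessFileName !in~ ("svchost.exe", "MsMpEng.exe")
| summarize
    USBWriteCount = count(),
    DistinctFiles = dcount(FileName),
    FirstWrite    = min(Timestamp),
    LastWrite     = max(Timestamp),
    Devices       = make_set(DeviceName, 5),
    Writers       = make_set(InitiatingProcessFileName, 5)
    by InitiatingProcessAccountName, DriveLetter
| where USBWriteCount > write_threshold
| order by USBWriteCount desc
```

FirstWrite and LastWrite show whether the writes were a burst or spread across the day, and Writers shows which process did the copying, which helps separate a user dragging files in Explorer from a backup agent or installer. When the query is saved as a custom detection rule, the rule's own schedule and lookback apply, so keep the `ago()` window aligned with it.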