Forum Discussion

Sohel68's avatar
Sohel68
Copper Contributor
Jul 12, 2023

Looking for KQL query when high volume of USB writes happens by a user

Hello, I did some online search, but I couldn't find any working one yet.  I'm looking for query which I can use in Advance threat hunting in MDE to generate an alert when a user copies huge number...
Rod_Trent's avatar
Rod_Trent
Icon for Microsoft rankMicrosoft
Jul 12, 2023
The default is usually 24 hours, but you can set it in the query. Here it is for the past 2 days...

DeviceFileEvents
| where Timestamp > ago(2d)
| where ActionType == "FileModified"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
Sohel68's avatar
Sohel68
Copper Contributor
Jul 12, 2023
Query seems to return lot less this time; however, number doesn't match when I go to "Microsoft Purview -> DLP -> Activity Explorer", where I set a filter to show all activities related to "FileCopiedtoRemovableMedia".

I got below query from online searching, it fails with "'summarize' operator: Failed to resolve scalar expression named 'UserId'"...any idea how to fix it? sorry, I'm not a KQL expert.
thanks again.


====
DeviceFileEvents
| where ActionType == "FileCopiedToRemovableMedia"
| summarize FileCount = count() by DeviceId, UserId
| where FileCount >= 20
| join kind = inner (
DeviceInfo
| project DeviceId, DeviceName
) on DeviceId
| join kind = inner (
DeviceUser
| project UserId, UserDisplayName
) on UserId
| project DeviceName, UserDisplayName, FileCount
=============