Sohel68
Jul 12, 2023, Copper Contributor
Looking for KQL query when high volume of USB writes happens by a user
Hello, I did some online search, but I couldn't find any working one yet. I'm looking for query which I can use in Advance threat hunting in MDE to generate an alert when a user copies huge number...
Sohel68
Jul 12, 2023, Copper Contributor
Thank you again. So that seems to do the trick, but I'm not getting any results, even when I changed the value to "1" file.
I'm looking to see if someone copies more than 20 files in last 24 hrs.
==========================
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
=====================
Rod_Trent
Microsoft
Jul 12, 2023
I don't have a lot of USB data in my tenant and KQLSearch.com doesn't have much for this. Try the following (FileModified instead of FileWrite):
DeviceFileEvents
| where ActionType == "FileModified"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
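The detection the thread is after (more than 20 files written to removable media by one account within 24 hours), worked through as an added example that is not part of either post and not a Microsoft query. Two things in the posted query explain the empty result from a defender's point of view: `FileName contains ".usb"` only matches files whose name contains ".usb", not files written to a USB drive, and the write-type action names in DeviceFileEvents are FileCreated/FileModified/FileRenamed rather than "FileWrite". The example below instead identifies USB writes by correlating the destination drive letter with a USB mount event on the same device. It assumes DeviceFileEvents-style rows with the columns named in the code, plus a list of mount events carrying a `DriveLetter` field; in MDE the drive letter for `UsbDriveMounted` events lives in `AdditionalFields`, and exactly how it is parsed there is an assumption to confirm in your own tenant. All events are constructed sample data.

```python
"""Per-account USB write counting over DeviceFileEvents-style rows (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Action types that represent a write to the destination path. "FileWrite" is not
# an MDE action type, which is one reason the posted query returned nothing.
USB_WRITE_ACTIONS = {"FileCreated", "FileModified", "FileRenamed"}


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def fmt_ts(dt):
    return dt.strftime(TS_FMT)


# Constructed mount events. Shape assumed: one row per UsbDriveMounted event with the
# drive letter already extracted from AdditionalFields (assumption, confirm in tenant).
SAMPLE_MOUNTS = [
    {"Timestamp": "2023-07-12T08:00:00Z", "DeviceId": "dev-1", "DriveLetter": "E:"},
    {"Timestamp": "2023-07-12T09:30:00Z", "DeviceId": "dev-2", "DriveLetter": "F:"},
]


def _writes(user, device, drive, n, start, action="FileCreated"):
    """Generate n constructed DeviceFileEvents-style write rows, one minute apart."""
    return [
        {
            "Timestamp": fmt_ts(start + timedelta(minutes=i)),
            "DeviceId": device,
            "ActionType": action,
            "FolderPath": f"{drive}\\export\\file{i}.docx",
            "InitiatingProcessAccountName": user,
        }
        for i in range(n)
    ]


# Constructed file events: alice writes 25 files to E: (USB) on dev-1, bob writes 5 to
# F: (USB) on dev-2, carol writes 30 to C: (local disk, not USB), and dave wrote 40 to
# E: two days earlier (outside the 24-hour window).
FILE_EVENTS = (
    _writes("alice", "dev-1", "E:", 25, parse_ts("2023-07-12T10:00:00Z"))
    + _writes("bob", "dev-2", "F:", 5, parse_ts("2023-07-12T11:00:00Z"), action="FileModified")
    + _writes("carol", "dev-1", "C:", 30, parse_ts("2023-07-12T10:30:00Z"))
    + _writes("dave", "dev-1", "E:", 40, parse_ts("2023-07-10T09:00:00Z"))
)

# Reference "now" for the constructed data; a live job would use the current time.
NOW = parse_ts("2023-07-12T12:00:00Z")


def mounted_drives(mounts):
    """Map DeviceId -> set of drive letters that a USB mount event was seen for."""
    drives = defaultdict(set)
    for m in mounts:
        drives[m["DeviceId"]].add(m["DriveLetter"][:2].upper())
    return drives


def is_usb_write(event, drives):
    """A write counts as a USB write when its path starts with a mounted USB letter
    on the same device. Matching on the path, not the file name, is the key point."""
    if event["ActionType"] not in USB_WRITE_ACTIONS:
        return False
    letter = event["FolderPath"][:2].upper()
    return letter in drives.get(event["DeviceId"], set())


def usb_write_counts(file_events, mounts, now, window=timedelta(hours=24)):
    """Count USB writes per InitiatingProcessAccountName inside the trailing window."""
    drives = mounted_drives(mounts)
    cutoff = now - window
    counts = defaultdict(int)
    for e in file_events:
        if parse_ts(e["Timestamp"]) < cutoff:
            continue
        if is_usb_write(e, drives):
            counts[e["InitiatingProcessAccountName"]] += 1
    return dict(counts)


def find_bulk_copiers(file_events, mounts, now, threshold=20):
    """Accounts exceeding the threshold, highest count first (mirrors the thread's
    'where USBWriteCount > N | order by USBWriteCount desc')."""
    counts = usb_write_counts(file_events, mounts, now)
    hits = [(user, c) for user, c in counts.items() if c > threshold]
    return sorted(hits, key=lambda uc: -uc[1])


if __name__ == "__main__":
    for user, count in find_bulk_copiers(FILE_EVENTS, SAMPLE_MOUNTS, NOW):
        print(f"{user}: {count} USB writes in the last 24h")
```

Running it reports only alice (25 writes): carol's 30 writes went to the local disk and dave's 40 are older than the window. Lowering `threshold` to 1, as the poster did for testing, also surfaces bob. The same shape in KQL is a `DeviceEvents | where ActionType == "UsbDriveMounted"` query joined to `DeviceFileEvents` on `DeviceId`, keeping rows whose `FolderPath` starts with the mounted drive letter and whose `Timestamp > ago(24h)`, then `summarize count() by InitiatingProcessAccountName`; tune the threshold against a baseline of normal USB activity before turning it into an alert, since legitimate bulk copies to removable media are common in some roles.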