Forum Discussion

Iron Contributor

Jun 22, 2020

Saved a File to a local drive

Is there a way to determine if a user saved a file or folder from say OneDrive or SharePoint Online to a local drive (like USB Drive) ? I cannot seem to find that information in the audit logs or Cl...

Cloud Discovery

Data Protection

Sarahzin_Shane

Microsoft

Jun 25, 2020

Jeff Harlow Do you currently have MDATP deployed? Using Advanced Hunting, you're able to do some investigations on if a file was downloaded to a USB. It may not be what you're looking to do but could be a good workaround or at least, provide more information than you originally had.

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152

Sarahzin_Shane

Microsoft

Jun 25, 2020

Jeff Harlow

In addition, my colleague Jacques van Zijl authored the the following query:

Files saved to USB:

DeviceFileEvents

| where FolderPath !contains @"c:\" and

FolderPath !contains @"\\" and

FolderPath !contains "HarddiskVolume" and

FolderPath !contains @"sms\pkg" and

FolderPath !contains @"sms\bin" and

FolderPath !contains @"SCCM_Deployments"and

DeviceName !contains "arcade" and

FileName !contains ".mui"

| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, FileName, FolderPath,InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

| sort by Timestamp desc

PeterRising
MVP
Jun 25, 2020
Sarahzin_Shane

Really great shout, I never thought of that. Definitely going to give that a try myself.