Forum Discussion
Saved a File to a local drive
Hi, the closest thing I could find that may be kind of similar to what you want is the Downloaded File option in the audit log search in the Security and Compliance Center as shown below.
You could set up an alert policy based on this.
- Jeff Harlow, Jun 22, 2020, Iron Contributor
PeterRising Yeah, sadly, that just means it was downloaded. That happens a lot these days. Need a way to determine if they downloaded it to a different folder or drive. I am guessing this will require some form of audit logging on the actual device and probably a third-party solution. Since at that point it is no longer a cloud reaction. Would love to hear if anyone knows of such things... This is more for compliance and legal. Like when a user is terminated, did they attempt to save a file(s) prior to leaving...
- Sarahzin_Shane, Jun 25, 2020, Microsoft
Jeff Harlow Do you currently have MDATP deployed? Using Advanced Hunting, you're able to do some investigations on if a file was downloaded to a USB. It may not be what you're looking to do but could be a good workaround or at least, provide more information than you originally had.
- Sarahzin_Shane, Jun 25, 2020, Microsoft
In addition, my colleague Jacques van Zijl authored the following query:
Files saved to USB:
DeviceFileEvents
| where FolderPath !contains @"c:\" and
FolderPath !contains @"\\" and
FolderPath !contains "HarddiskVolume" and
FolderPath !contains @"sms\pkg" and
FolderPath !contains @"sms\bin" and
FolderPath !contains @"SCCM_Deployments" and
DeviceName !contains "arcade" and
FileName !contains ".mui"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
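
For the leaver scenario raised earlier in the thread, the same non-C: heuristic can be scoped to one account and a lookback window, then summarized per device and drive letter. This is an added example, not part of the original posts or Microsoft's own query; the account name and 30-day window are constructed placeholders, and the environment-specific `DeviceName` exclusion from the thread's query is left out.

```kusto
// Added example: scope the thread's non-C: heuristic to one account and time window.
// LeaverAccount and Lookback are placeholder values (assumptions), set per investigation.
let LeaverAccount = "jdoe";   // constructed sample account name
let Lookback = 30d;
DeviceFileEvents
| where Timestamp > ago(Lookback)
| where InitiatingProcessAccountName =~ LeaverAccount
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
// Keep only paths that start with a drive letter, then drop the system drive.
// Anchoring on the path prefix is stricter than a substring match on "c:\".
| where FolderPath matches regex @"^[A-Za-z]:\\"
| extend Drive = toupper(substring(FolderPath, 0, 2))
| where Drive != "C:"
// Same noise exclusions as the query in the thread.
| where FolderPath !contains @"sms\pkg"
    and FolderPath !contains @"sms\bin"
    and FolderPath !contains "SCCM_Deployments"
    and FileName !contains ".mui"
// One row per device, drive and day: how many distinct files, when, and by which process.
| summarize
    Files = dcount(FileName),
    Events = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleFiles = make_set(FileName, 20),
    Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, InitiatingProcessAccountName, Drive, Day = bin(Timestamp, 1d)
| sort by Day desc, Files desc
```

A drive letter other than C: is not proof of removable media, since secondary fixed disks match as well, so treat the output as a lead to confirm on the device.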