Forum Discussion
Saved a File to a local drive
PeterRising Yeah, sadly, that just means it was downloaded. That happens a lot these days. Need a way to determine if they downloaded it to a different folder or drive. I am guessing this will require some form of audit logging on the actual device and probably a third-party solution. Since at that point it is no longer a cloud reaction. Would love to hear if anyone knows of such things... This is more for compliance and legal. Like when a user is terminated, did they attempt to save a file(s) prior to leaving...
Jeff Harlow Do you currently have MDATP deployed? Using Advanced Hunting, you're able to do some investigations on if a file was downloaded to a USB. It may not be what you're looking to do but could be a good workaround or at least, provide more information than you originally had.
- Sarahzin_Shane, Jun 25, 2020, Microsoft
In addition, my colleague Jacques van Zijl authored the following query:
Files saved to USB:
// File events whose path is not on C:, not a UNC path and not a raw HarddiskVolume path
DeviceFileEvents
| where FolderPath !contains @"c:\" and
    FolderPath !contains @"\\" and
    FolderPath !contains "HarddiskVolume" and
    // Exclusions for software-deployment paths, specific device names and .mui resource files
    FolderPath !contains @"sms\pkg" and
    FolderPath !contains @"sms\bin" and
    FolderPath !contains @"SCCM_Deployments" and
    DeviceName !contains "arcade" and
    FileName !contains ".mui"
// Keep who wrote the file, where it went and which process wrote it
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
- PeterRising, Jun 25, 2020, MVP
Really great shout, I never thought of that. Definitely going to give that a try myself.
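
A refinement of the "Files saved to USB" query, added here as an example and not written by anyone in this thread: rather than inferring a USB drive from the path alone, it joins each file creation to a USB mount recorded on the same device. It assumes the tenant's DeviceEvents table records the `UsbDriveMounted` action type with `DriveLetter`, `ProductName` and `SerialNumber` in `AdditionalFields`; the 7-day lookback and the `UsbMounts` name are illustrative choices.

```kql
// Added example: correlate file creations with USB mount events on the same device.
// Assumption: DeviceEvents carries ActionType "UsbDriveMounted" and AdditionalFields
// holds DriveLetter (e.g. "E:"), ProductName and SerialNumber.
let lookback = 7d;   // illustrative window, adjust to the investigation period
let UsbMounts = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UsbDriveMounted"
    | extend Fields = parse_json(AdditionalFields)
    | project DeviceId,
              MountTime = Timestamp,
              DriveLetter = tostring(Fields.DriveLetter),
              ProductName = tostring(Fields.ProductName),
              SerialNumber = tostring(Fields.SerialNumber)
    | where isnotempty(DriveLetter);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
// Same coarse path filter as the thread's query: skip the system drive and UNC paths
| where FolderPath !startswith @"C:\" and FolderPath !startswith @"\\"
| join kind=inner (UsbMounts) on DeviceId
// Keep only writes that land on a mounted USB drive letter after it was mounted
| where FolderPath startswith DriveLetter and Timestamp >= MountTime
// A letter can be mounted many times; attribute each write to the latest earlier mount
| summarize arg_max(MountTime, ProductName, SerialNumber)
    by Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
       InitiatingProcessFileName
| sort by Timestamp desc
```

Because of the inner join, writes to non-C: paths with no recorded USB mount (for example a second internal disk) drop out, and each remaining row carries the product name and serial number of the drive it was written to.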