Forum Discussion
Advanced Hunting Data Schema
- Jan 13, 2025
Hello everyone,
Thank you for your precious answers. Since I can't search on CompanyName, which doesn't exist in the Advanced Hunting schema, and I didn't have a different email address for my users, I looked for a different solution and found this:
I created an Admin Unit from the Microsoft Defender Admin Center in the Identity Groups - AdminUnit section. I made a query and a dynamic group so that my users fall into it according to their Company name. Then, instead of using Advanced Hunting, I went to the Defender Audit portal and performed a search on the "copied file to removable" file activity for the admin unit I had created.
Best regards,
HKN
I don't suppose you are lucky enough that the different companies under the one holding company have named their devices with a naming standard for each?
i.e. Corporation A has CORPA-Laptopname, and Corporation B has CORPB-Laptopname.
Then you could use DeviceName startswith as below, which will just find those devices named CORPA-:
DeviceEvents
// Plug-and-play connection events; USB details live in the AdditionalFields JSON
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project Timestamp, DeviceName, DeviceId = tostring(parsed.DeviceId), ClassName = tostring(parsed.ClassName)
// Keep only disk-class devices on machines whose name carries the company prefix
| where ClassName == "DiskDrive" and DeviceName startswith "CORPA-"
| summarize UsbFirstSeen = min(Timestamp), UsbLastSeen = max(Timestamp) by DeviceId, DeviceName
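The query above handles one company prefix at a time. The following is an added example, not part of Clive's post or of Microsoft's documentation, that generalizes the same idea: a small lookup table maps each device-name prefix to a company, the prefix is extracted from DeviceName, and USB disk-drive connections are summarized per company in a single run. The prefixes, company names and the 30-day window are assumed for illustration; the AdditionalFields keys (ClassName, DeviceId, DeviceDescription) are the ones the PnpDeviceConnected event populates.

```kql
// Added example: per-company USB disk-drive connections keyed on a device-name prefix.
// CompanyPrefixes is a constructed lookup table; adjust it to the real naming standard.
let CompanyPrefixes = datatable(Prefix:string, Company:string)
[
    "CORPA-", "Corporation A",   // assumed prefix for Corporation A devices
    "CORPB-", "Corporation B"    // assumed prefix for Corporation B devices
];
DeviceEvents
| where Timestamp > ago(30d)                       // assumed look-back window
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend ClassName   = tostring(parsed.ClassName),
         UsbDeviceId = tostring(parsed.DeviceId),
         Description = tostring(parsed.DeviceDescription)
| where ClassName == "DiskDrive"
// Everything up to and including the first '-' is treated as the company prefix
| extend Prefix = toupper(extract(@"^([^-]+-)", 1, DeviceName))
// Inner join drops devices whose prefix is not in the lookup table
| join kind=inner CompanyPrefixes on Prefix
| summarize UsbFirstSeen = min(Timestamp),
            UsbLastSeen  = max(Timestamp),
            Connections  = count()
    by Company, DeviceName, UsbDeviceId, Description
| order by Company asc, UsbLastSeen desc
```

Because the join is inner, a device whose name does not start with a listed prefix silently disappears from the result; run the same query with `kind=leftouter` once to surface unmapped devices before trusting the per-company counts. As the later replies note, this only works when the naming standard really differs per company.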
- HKN, Jan 07, 2025, Copper Contributor
Unfortunately, we use the same nomenclature for the devices.
- Clive_Watson, Jan 08, 2025, Bronze Contributor
Did my solution help, or do you need something else?
- Clive_Watson_Tech, Jan 08, 2025, Copper Contributor
Ignore... I missed the reply from Jan 6th; glad it worked, Tim Beer.