Forum Discussion
Advanced Hunting Data Schema
- Jan 13, 2025
Hello everyone,
Thank you for your precious answers. Since I can't search on the CompanyName which doesn't exist in the Advanced Hunting schema and I didn't have a different email address for my users I looked for a different solution and found this:
I created an Admin Unit from Microsoft Defender Admin Center in the Identity Groups - AdminUnit section. I made a query and a dynamic group so that my users fall into it according to their Company name. Then, instead of using Advanced Hunting, I went to the Defender Audit portal and performed a search on the copied file to removable file activity on the admin unit I had created.
Best regards,
HKN
Do you use different machine groups for each company, do the users have different email names?
If so, add this code to the end (moving the summarize to the final line)
| join kind=inner   // kind=inner keeps every left-hand row; the default innerunique keeps only one row per DeviceName
(
    DeviceNetworkEvents
    // domain part of the initiating user's UPN (everything after the '@')
    | extend domainName = tostring(split(InitiatingProcessAccountUpn, '@')[1])
) on DeviceName
| where isnotempty(InitiatingProcessAccountUpn)
| summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName, InitiatingProcessAccountUpn, domainName, MachineGroup
- Tim Beer, Jan 07, 2025, Copper Contributor
Really great and correct answer from Clive_Watson. Tested in my environment and it works well; with this, I've slightly modified it to filter as you search.
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project Timestamp, DeviceName, DeviceId = tostring(parsed.DeviceId), ClassName = tostring(parsed.ClassName)
| where ClassName == "DiskDrive"
| summarize UsbFirstSeen = min(Timestamp), UsbLastSeen = max(Timestamp) by DeviceId, DeviceName
| join
(
    DeviceNetworkEvents
    // domain part of the initiating user's UPN (everything after the '@')
    | extend domainName = tostring(split(InitiatingProcessAccountUpn, '@')[1])
) on DeviceName
| where isnotempty(InitiatingProcessAccountUpn) and InitiatingProcessAccountUpn contains "@corpa.com"
// after the join the only Timestamp column comes from DeviceNetworkEvents, so re-aggregate the USB columns, not Timestamp
| summarize UsbFirstSeen = min(UsbFirstSeen), UsbLastSeen = max(UsbLastSeen) by DeviceId, DeviceName, InitiatingProcessAccountUpn, domainName
This will then return only users who plugged in a USB drive and have email addresses containing 'corpa.com'.
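The two queries above (the join suggested by Clive_Watson and Tim Beer's filtered variant) attribute USB insertions to a user by joining DeviceEvents against every row of DeviceNetworkEvents, which multiplies the result set by the number of network events per device and, in the first query, overwrites the machine's DeviceId with the USB device's id before joining on DeviceName. The following is an added example, not code from either poster: it collapses DeviceNetworkEvents to one "last active UPN" row per machine before joining on the stable machine DeviceId, keeps the USB identifier in its own column, and filters on the UPN domain. The DeviceEvents and DeviceNetworkEvents tables, the PnpDeviceConnected action type, the AdditionalFields JSON keys and InitiatingProcessAccountUpn are all as used in the thread; the 7-day lookback and the domain corpa.com (taken from Tim Beer's post) are placeholders to adjust.

```kql
// Added example, not from the thread. Assumes the Defender for Endpoint advanced
// hunting schema (DeviceEvents, DeviceNetworkEvents) as used in the posts above.
let lookback = 7d;                    // assumption: how far back to look
let watchedDomain = "corpa.com";      // placeholder domain taken from the thread; replace with yours
// 1. USB disk insertions, one row per PnP connect event, keeping the machine DeviceId intact
let UsbInsertions =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "PnpDeviceConnected"
    | extend parsed = parse_json(AdditionalFields)
    | extend UsbDeviceId = tostring(parsed.DeviceId), ClassName = tostring(parsed.ClassName)
    | where ClassName == "DiskDrive"
    | project Timestamp, DeviceId, DeviceName, UsbDeviceId;
// 2. Most recently seen interactive user per machine, reduced to ONE row per DeviceId
//    so the join below cannot fan out. This is an approximation: the last user to
//    generate network activity is not necessarily the user logged on at insertion time.
let LastUserPerDevice =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(InitiatingProcessAccountUpn)
    | summarize arg_max(Timestamp, InitiatingProcessAccountUpn) by DeviceId
    | project DeviceId, AccountUpn = InitiatingProcessAccountUpn, LastSeenActive = Timestamp;
// 3. Join on the machine id (stable across renames), derive the UPN domain, filter, aggregate
UsbInsertions
| join kind=inner LastUserPerDevice on DeviceId
| extend domainName = tolower(tostring(split(AccountUpn, '@')[1]))
| where domainName == tolower(watchedDomain)
| summarize UsbFirstSeen = min(Timestamp),
            UsbLastSeen = max(Timestamp),
            Insertions = count(),
            UsbDeviceIds = make_set(UsbDeviceId)
    by DeviceId, DeviceName, AccountUpn, domainName
| order by UsbLastSeen desc
```

Because the right-hand side is pre-aggregated with arg_max, the join returns at most one row per insertion, so UsbFirstSeen and UsbLastSeen really are USB timestamps and Insertions counts connect events rather than network packets. The make_set column is useful when triaging: a device that sees many distinct USB disk ids from one account is a different review case from one that sees the same encrypted corporate drive every day.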