Forum Discussion
Advanced Hunting Data Schema
- Jan 13, 2025
Hello everyone,
Thank you for your precious answers. Since I can't search on the CompanyName which doesn't exist in the Advanced Hunting schema and I didn't have a different email address for my users I looked for a different solution and found this:
I created an Admin Unit from Microsoft Defender Admin Center in the Identity Groups - AdminUnit section. I made a query and a dynamic group so that my users fall into it according to their Company name. Then, instead of using Advanced Hunting, I went to the Defender Audit portal and performed a search on the copied file to removable file activity on the admin unit I had created.
Best regards,
HKN
Hi,
You may try the below solution because it worked for me:
To filter USB connections by company name when the Advanced Hunting schema lacks a specific "CompanyName" field, you can use a workaround by leveraging information in other fields that indirectly tie devices or users to a company. For example, check if there are unique device naming conventions, user account naming formats, or domain names (from DeviceInfo or UserInfo) that can help identify the company. You can then add a filter to your query based on those attributes. For instance, if devices in the target company have a naming convention like "COMPANYNAME-", you could use:
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project Timestamp, DeviceName, DeviceId = tostring(parsed.DeviceId), ClassName = tostring(parsed.ClassName)
| where ClassName == "DiskDrive"
| where DeviceName startswith "COMPANYNAME-"
| summarize UsbFirstSeen = min(Timestamp), UsbLastSeen = max(Timestamp) by DeviceId, DeviceName;

Alternatively, if domain information is available, filter on DeviceDomain or related fields in DeviceInfo. If no such indirect filters are viable, consider integrating company metadata into a custom table or enriching your data with external sources to bridge the gap.
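The answer above suggests bridging the missing company attribute with a custom table. The query below is an added example, not code from the thread, showing the inline form of that idea in KQL: a constructed datatable maps device-name prefixes to company names, and USB disk-drive connections are joined against it so the results are grouped per company rather than filtered to a single prefix. The prefixes and company names are constructed placeholders; the DeviceEvents columns used (Timestamp, DeviceName, ActionType, AdditionalFields, InitiatingProcessAccountName) are standard Advanced Hunting columns.

```kql
// Added example (not from the original post). The mapping below is constructed;
// replace the prefixes and company names with the conventions used in your tenant.
let CompanyMap = datatable(DevicePrefix:string, CompanyName:string)
[
    "COMPANYNAME-", "Company A (placeholder)",
    "FABRIKAM-",    "Company B (placeholder)"
];
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend ClassName = tostring(parsed.ClassName),
         UsbDeviceId = tostring(parsed.DeviceId)
| where ClassName == "DiskDrive"
// Derive the prefix up to and including the first hyphen, e.g. "COMPANYNAME-".
// Names without a hyphen yield an empty prefix and drop out of the inner join.
| extend DevicePrefix = toupper(substring(DeviceName, 0, indexof(DeviceName, "-") + 1))
| join kind=inner CompanyMap on DevicePrefix
| summarize UsbFirstSeen = min(Timestamp),
            UsbLastSeen  = max(Timestamp),
            Connections  = count()
    by CompanyName, DeviceName, UsbDeviceId, InitiatingProcessAccountName
| order by CompanyName asc, UsbLastSeen desc
```

The prefix is upper-cased before the join because KQL joins compare strings case-sensitively, unlike the `startswith` operator used in the original query, and device names in Defender are often reported in lower case. A datatable is convenient for a handful of prefixes; for a larger mapping the same join works against a table populated from an external source.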