Forum Discussion

HKN's avatar
HKN
Copper Contributor
Dec 23, 2024
Solved

Advanced Hunting Data Schema

Hello everyone, I have a question regarding the use of schema for Advanced Hunting queries. We are an organization with several companies under our holding.  I need to recover the USB connections ...
automation
investigation
microsoft defender for endpoint
  • HKN's avatar
    HKN
    Jan 13, 2025

    Hello everyone,
    Thank you for your precious answers. Since I can't search on the CompanyName which doesn't exist in the Advanced Hunting schema and I didn't have a different email address for my users I looked for a different solution and found this:
    I created an Admin Unit from Microsoft Defender Admin Center in the Identity Groups - AdminUnit section. I made a query and a dynamic group so that my users fall into it according to their Company name. Then, instead of using Advanced Hunting, I went to the Defender Audit portal and performed a search on the copied file to removable file activity on the admin unit I had created.

    Best regards,

    HKN

HKN's avatar
HKN
Copper Contributor
Jan 07, 2025

Unfortunately, we use the same nomenclature for the devices. 

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Jan 08, 2025

did my solution help, or so you need something else?

  • Clive_Watson_Tech's avatar
    Clive_Watson_Tech
    Copper Contributor
    Jan 08, 2025

    ignore...I missed the reply from Jan 6th, glad it worked Tim Beer 

Resources