
HKN
Dec 23, 2024
Solved

Advanced Hunting Data Schema

Hello everyone, I have a question regarding the use of schema for Advanced Hunting queries. We are an organization with several companies under our holding.  I need to recover the USB connections ...
  • HKN
    Jan 13, 2025

    Hello everyone,
    Thank you for your precious answers. Since I can't search on the CompanyName, which doesn't exist in the Advanced Hunting schema, and I didn't have a different email address for my users, I looked for a different solution and found this:
    I created an Admin Unit from Microsoft Defender Admin Center in the Identity Groups - AdminUnit section. I made a query and a dynamic group so that my users fall into it according to their Company name. Then, instead of using Advanced Hunting, I went to the Defender Audit portal and performed a search on the copied file to removable file activity on the admin unit I had created.

    Best regards,

    HKN
