Forum Discussion

Tendo77
Copper Contributor
Sep 28, 2025
Solved

Defender is missing logs for files copied to USB device on Mac devices

Hello, I am currently facing an issue with Defender not logging files copied to USBs. Using the KQL below, I can only see .exe files copied, but nothing when it comes to .pdf, .docx, .zip and other standard file extensions. Has someone come across this issue before? Any help is greatly appreciated.

// Mount events for removable drives, with the drive metadata pulled out of AdditionalFields.
// The parsed values are cast with tostring() so the later startswith comparison gets a string.
let UsbDriveMount = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter = tostring(ParsedFields.DriveLetter), MountTime = TimeGenerated,
    ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber),
    Manufacturer = tostring(ParsedFields.Manufacturer)
| order by DeviceId asc, MountTime desc;
// File creations by non-system accounts outside the system volume and outside UNC paths.
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId, DeviceId, InitiatingProcessAccountDomain,
    InitiatingProcessAccountName, InitiatingProcessAccountUpn,
    FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, TimeGenerated desc;
// Attach each file creation to the most recent earlier mount on the same device
// whose drive letter matches the path the file was written to.
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where TimeGenerated >= MountTime
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
| order by DeviceId asc, TimeGenerated desc
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
| extend FileHashAlgorithm = 'SHA256'

  • This is a very common and often confusing issue that many security professionals run into when they first start trying to monitor file movements to removable media in Microsoft Defender for Endpoint.

    You have done an excellent job with your KQL query. It's logical, well-structured, and the join between DeviceEvents and DeviceFileEvents is exactly the right approach.

    The problem is not with your query. The issue is with the default telemetry level of Microsoft Defender for Endpoint.

    The Root Cause: Why You Only See .exe Files

    By default, to balance performance and data volume, Defender for Endpoint does not log every single file creation event on a device. Instead, it prioritizes logging events that are more likely to be associated with malicious activity. This includes:

    1. Executable Files: The creation of .exe, .dll, .scr, etc., is almost always logged because these are primary vectors for malware execution.
    2. Files Dropped by Malicious Processes: If a process is flagged as suspicious or malicious by Defender's behavioral engine, Defender will then start logging all file creations made by that process, regardless of the file type.
    3. Files with a "Mark of the Web": Files downloaded from the internet often have a special attribute. Defender pays closer attention to these.

    Your query is working perfectly, but the DeviceFileEvents table simply does not contain the records for the .pdf, .docx, or .zip files being created on the USB drive because Defender, by default, did not consider those events important enough to send to the cloud.

    The Solution: Enable Full File Auditing via Device Control

    To get the rich telemetry you're looking for, you need to explicitly tell Defender to monitor all file creations on removable storage. The modern and correct way to do this is by creating a Device Control Policy in the Microsoft 365 Defender portal.

    This policy will create an "Audit" entry for file-level activities on removable storage devices.

    Here is the step-by-step guide to create this policy.

    Step 1: Navigate to Device Control Policies

    1. Go to the Microsoft 365 Defender portal (security.microsoft.com).
    2. In the navigation pane, go to Endpoints > Device control.

    Step 2: Create Reusable Settings (Best Practice)

    Device Control policies use reusable groups and settings. It's best to define these first.

    1. Create a "Removable Storage" Media Group:
      • Go to the Reusable settings tab.
      • Click Add group.
      • Give it a name like All Removable Storage Devices.
      • Under Media type, select Removable storage.
      • Click Create.
    2. Create an "Audit All Files" Setting:
      • Go back to the Reusable settings tab.
      • Click Add setting.
      • Give it a name like Audit All File Write & Execute.
      • Under Actions, select the following:
        • File write: Set the toggle to Audit.
        • File execute: Set the toggle to Audit.
      • Click Create.

    Step 3: Create the Device Control Policy

    Now, you will create the policy that ties these settings together.

    1. Go to the Policies tab and click Add policy.
    2. Policy Name: Give it a clear name, like Audit USB File Writes.
    3. Policy Scope: Choose the device groups you want to apply this to (e.g., "All devices" or a specific group).
    4. Policy Rule:
      • Click Add rule.
      • Rule Name: Audit All Removable Storage.
      • Included media: Select the All Removable Storage Devices group you created earlier.
      • Settings: Select the Audit All File Write & Execute setting you created.
      • Click Save.
    5. Review your policy and click Create.

    What Happens Next?

    1. Policy Deployment: The policy will be deployed to your endpoints. This can take some time (up to a few hours in some cases, but often much faster).
    2. Increased Telemetry: Once a device receives the policy, its Defender for Endpoint sensor will begin generating DeviceFileEvents for every file written to a USB drive, including .pdf, .docx, .zip, etc. These events will have an ActionType of FileCreated.
    3. Your KQL Query Will Work: Now, when you run your existing KQL query, it will find and display these newly logged events. You will see the non-executable files you were looking for.

    Important Considerations

    • Data Volume: Be aware that enabling this level of auditing will increase the volume of data ingested from your endpoints. For most organizations, this is a manageable and worthwhile trade-off for the increased visibility, but it's something to be mindful of.
    • Alternative (Older) Method: Before the modern Device Control interface, this was often done using custom OMA-URI profiles in Intune to configure the RemovableMediaPolicy CSP. The method described above is the current, recommended best practice.
    • Beyond Auditing: Device Control is incredibly powerful. Once you are comfortable with auditing, you can use the same framework to create "Block" policies (e.g., block all USB drives except for specific, encrypted models) to move from visibility to prevention.

    By implementing this Device Control audit policy, you will be providing Defender for Endpoint with the explicit instruction to capture the exact telemetry you need, and your excellent KQL query will then be able to give you the results you expect.
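A validation query to run after the audit policy above has been deployed, added here as an example and not part of the original answer. It assumes the device-control audit ActionType RemovableStoragePolicyTriggered and the AdditionalFields keys named in the comments; confirm both against your tenant's schema before relying on the output.

```kql
// Added validation query (not from the original thread). Assumptions: ActionType
// "RemovableStoragePolicyTriggered" and the AdditionalFields keys RemovableStoragePolicy,
// RemovableStorageAccess, RemovableStoragePolicyVerdict and MediaName.
let lookback = 7d;
// 1) Has the audit policy fired on each device? One row per device/policy/access/verdict.
let PolicyHits = DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "RemovableStoragePolicyTriggered"
| extend p = parse_json(AdditionalFields)
| extend Policy = tostring(p.RemovableStoragePolicy),
         Access = tostring(p.RemovableStorageAccess),
         Verdict = tostring(p.RemovableStoragePolicyVerdict),
         MediaName = tostring(p.MediaName)
| summarize Hits = count(), LastSeen = max(TimeGenerated) by DeviceName, Policy, Access, Verdict;
// 2) Extension coverage of FileCreated events outside the system volume, using the same
//    path filters as the question's query. Before the policy lands, Files is close to
//    Executables; afterwards .pdf/.docx/.zip should show up in Sample.
let Coverage = DeviceFileEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "FileCreated"
| where InitiatingProcessAccountName != "system"
| where FolderPath !startswith "C:\\" and FolderPath !startswith "\\"
| extend Ext = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
| extend IsExecutable = Ext in (".exe", ".dll", ".scr")
| summarize Files = count(), Executables = countif(IsExecutable), Sample = make_set(Ext, 10) by DeviceName;
// Full outer join so devices with file writes but no policy hits (policy not yet applied)
// and devices with policy hits but no writes are both visible.
PolicyHits
| join kind=fullouter Coverage on DeviceName
| extend DeviceName = coalesce(DeviceName, DeviceName1)
| project DeviceName, Policy, Access, Verdict, Hits, LastSeen, Files, Executables, Sample
| order by DeviceName asc
```

A device with Files roughly equal to Executables and an empty Policy column has not yet received the policy; once Hits appears and Sample widens beyond executable extensions, the question's query will return the missing file types.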

2 Replies

    • Tendo77
      Copper Contributor

      Thank you for the detailed solution, much appreciated.
