Forum Discussion
Monitoring copied files on External drive - USB
Hello Guys, i struggle to find a way in Defender for EPP or other solutions to monitor when a user copied files on an external peripheral such as hard drive and USB. Some one have the procedu...
- Thanks for that ! For the ultimate goals of this, here's what I found: The goal of monitoring this kind of activity obviously relates to a DLP strategy. So in our case, we are managing devices in Intune and have Defender E3/E5 licenses. So, for other people who have the same type of IT setting, you can use Microsoft Purview->Insider Risk management to be more efficient in this type of use case. But, for a temporary solution you can use the Advanced hunting section to investigation with the query above and in the TimeLine for Plug and play device/USB/External/thunderbolt log event type.
Deleted Try this from security.microsoft.com-Hunting-Advanced Hunting-Queries-Community Queries-Exfiltration- Files Copied to USB devices.
In case you couldn't find it, here's the query:
// This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.
// This query was updated from https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Exfiltration/Files%20copied%20to%20USB%20drives.yaml
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,
ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
InitiatingProcessAccountName,InitiatingProcessAccountUpn,
FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, Timestamp desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where Timestamp >= MountTime
| partition by ReportId ( top 1 by MountTime )
| order by DeviceId asc, Timestamp desc
Thanks for that ! For the ultimate goals of this, here's what I found: The goal of monitoring this kind of activity obviously relates to a DLP strategy. So in our case, we are managing devices in Intune and have Defender E3/E5 licenses. So, for other people who have the same type of IT setting, you can use Microsoft Purview->Insider Risk management to be more efficient in this type of use case. But, for a temporary solution you can use the Advanced hunting section to investigation with the query above and in the TimeLine for Plug and play device/USB/External/thunderbolt log event type.