SOLVED

Monitoring copied files on External drive - USB

Brass Contributor

Hello Guys,

 

I struggle to find a way in Defender for EPP or other solutions to monitor when a user copies files to an external peripheral such as a hard drive or a USB stick.

 

Does someone have the procedure or documentation?

NOTE: the Defender timeline can see when a user plugs in a USB stick, but that's...

 

Thanks !

2 Replies

@EtienneFiset Try this from security.microsoft.com - Hunting - Advanced Hunting - Queries - Community Queries - Exfiltration - Files Copied to USB devices.

 

In case you couldn't find it, here's the query:

 

// This query lists files copied to USB external drives, with USB drive information, based on FileCreated events
// associated with the most recent UsbDriveMounted event before each file creation.
// Be aware that Advanced Hunting does not monitor all file types, so it will not see every copy.
let UsbDriveMount = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
// AdditionalFields is JSON; cast the fields to string so they can be compared and joined on
| project DeviceId, DeviceName, DriveLetter = tostring(ParsedFields.DriveLetter), MountTime = Timestamp,
    ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber),
    Manufacturer = tostring(ParsedFields.Manufacturer)
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"   // drop activity not initiated by a user account
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"   // ignore the system drive ...
| where FolderPath !startswith "\\"     // ... and UNC / network paths
| project ReportId, DeviceId, InitiatingProcessAccountDomain,
    InitiatingProcessAccountName, InitiatingProcessAccountUpn,
    FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, Timestamp desc;
// Pair each file creation with the mounts on the same device, keep the ones whose drive letter matches
// and that happened before the file was written, then keep only the most recent such mount per file event
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where Timestamp >= MountTime
| partition by ReportId ( top 1 by MountTime )
| order by DeviceId asc, Timestamp desc
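As an added example (not part of the original thread and not Microsoft's community query), the following variant tightens the correlation in two ways a practitioner will want once they start triaging results: it bounds each mount by the matching UsbDriveUnmounted event, so a file written to E:\ after the stick was pulled and another drive took the letter E: is not attributed to the wrong device, and it rolls the per-file rows up into one line per user, device and drive serial number with byte totals and a count of sensitivity-labelled files, which is the view a DLP review actually needs. It assumes, as labelled in the comments, that the UsbDriveUnmounted event in DeviceEvents carries a DriveLetter value in AdditionalFields in the same form as UsbDriveMounted; check that against your own tenant's data before relying on it. The seven-day lookback is an arbitrary choice for the example.

```kql
// Added example: files copied to USB drives, bounded by the drive's mount/unmount window,
// summarised per user, device and drive. Not the community query from the thread above.
let lookback = 7d;
// Mounts: one row per UsbDriveMounted event. The drive letter is reduced to its single
// uppercase letter so it can be matched whether AdditionalFields holds "E", "E:" or "E:\".
let UsbDriveMount = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project DeviceId, DeviceName, MountTime = Timestamp,
    DriveLetter  = toupper(extract(@"^([A-Za-z])", 1, tostring(ParsedFields.DriveLetter))),
    ProductName  = tostring(ParsedFields.ProductName),
    SerialNumber = tostring(ParsedFields.SerialNumber),
    Manufacturer = tostring(ParsedFields.Manufacturer);
// Unmounts: ASSUMPTION - UsbDriveUnmounted reports the released letter in AdditionalFields.DriveLetter.
let UsbDriveUnmount = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "UsbDriveUnmounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project DeviceId, UnmountTime = Timestamp,
    DriveLetter = toupper(extract(@"^([A-Za-z])", 1, tostring(ParsedFields.DriveLetter)));
// For every mount, find the first unmount of the same letter on the same device after it.
// Unmounts that predate the mount belong to an earlier session and are nulled out rather than
// filtered, so a re-mounted drive with no later unmount is kept and treated as still mounted (now()).
let MountWindows = UsbDriveMount
| join kind=leftouter (UsbDriveUnmount) on DeviceId, DriveLetter
| extend UnmountTime = iff(isnotnull(UnmountTime) and UnmountTime > MountTime, UnmountTime, datetime(null))
| summarize UnmountTime = min(UnmountTime)
    by DeviceId, DeviceName, DriveLetter, MountTime, ProductName, SerialNumber, Manufacturer
| extend UnmountTime = coalesce(UnmountTime, now());
// File creations on any drive-letter path (UNC paths have no letter and drop out here).
// Remember: Advanced Hunting only records FileCreated for a subset of file types.
let FileCreation = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
| where FolderPath matches regex @"^[A-Za-z]:\\"
| extend DriveLetter = toupper(substring(FolderPath, 0, 1))
| project ReportId, DeviceId, Timestamp, DriveLetter, FileName, FolderPath, SHA256, FileSize,
    InitiatingProcessAccountUpn, InitiatingProcessFileName, SensitivityLabel;
FileCreation
| join kind=inner (MountWindows) on DeviceId, DriveLetter
// keep only creations that fall inside a mount window for that letter on that device
| where Timestamp between (MountTime .. UnmountTime)
// if windows overlap (rare, e.g. a missed unmount), attribute the file to the most recent mount
| summarize arg_max(MountTime, *) by ReportId
| summarize FilesCopied = count(),
    TotalBytes   = sum(FileSize),
    LabeledFiles = countif(isnotempty(SensitivityLabel)),
    FirstCopy    = min(Timestamp),
    LastCopy     = max(Timestamp),
    CopyingProcesses = make_set(InitiatingProcessFileName, 10),
    SampleFiles  = make_set(FileName, 10)
    by DeviceName, InitiatingProcessAccountUpn, DriveLetter, Manufacturer, ProductName, SerialNumber, MountTime
| order by TotalBytes desc
```

Run it in Advanced Hunting as-is. To drill into one session, take the DeviceName, SerialNumber and MountTime from a result row and re-run the query with the final summarize removed and a filter on those three values, which gives back the per-file rows with FolderPath, SHA256 and the label. A high FilesCopied count with a single CopyingProcesses entry such as explorer.exe is the classic bulk-drag pattern; a script host or archiver in that set is worth a closer look.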
best response confirmed by EtienneFiset (Brass Contributor)
Solution
Thanks for that! For the ultimate goal of this, here's what I found: the goal of monitoring this kind of activity obviously relates to a DLP strategy. In our case, we are managing devices in Intune and have Defender E3/E5 licenses. So, for other people who have the same type of IT setting, you can use Microsoft Purview -> Insider Risk Management to be more efficient in this type of use case. But, for a temporary solution, you can use the Advanced hunting section to investigate with the query above, and in the Timeline the Plug and play device/USB/External/Thunderbolt log event type.