Monitorgin copied files on External drive - USB

Occasional Contributor

Hello Guys,


i struggle to find a way in Defender for EPP or other solutions to monitor when a user copied files on an external peripheral such as hard drive and USB.


Some one have the procedure or documentation ?

NOTE : Defender timeline could see when a user is plugging a USB stick. but that's...


Thanks !

2 Replies

@EtienneFiset Try this from Hunting-Queries-Community Queries-Exfiltration- Files Copied to USB devices.


In case you couldn't find it, here's the query:


// This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, Timestamp desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where Timestamp >= MountTime
| partition by ReportId ( top 1 by MountTime )
| order by DeviceId asc, Timestamp desc
best response confirmed by EtienneFiset (Occasional Contributor)
Thanks for that ! For the ultimate goals of this, here's what I found: The goal of monitoring this kind of activity obviously relates to a DLP strategy. So in our case, we are managing devices in Intune and have Defender E3/E5 licenses. So, for other people who have the same type of IT setting, you can use Microsoft Purview->Insider Risk management to be more efficient in this type of use case. But, for a temporary solution you can use the Advanced hunting section to investigation with the query above and in the TimeLine for Plug and play device/USB/External/thunderbolt log event type.