Saved a File to a local drive


Is there a way to determine if a user saved a file or folder from, say, OneDrive or SharePoint Online to a local drive (like a USB drive)? I cannot seem to find that information in the audit logs or Cloud security info.

5 Replies

@Jeff Harlow

Hi, the closest thing I could find that may be kind of similar to what you want is the Downloaded File option in the audit log search in the Security and Compliance Center, as shown below.

[Screenshot: 2020-06-22 at 19.40.14.png]

You could set up an alert policy based on this.

@PeterRising Yeah, sadly, that just means it was downloaded. That happens a lot these days. Need a way to determine if they downloaded it to a different folder or drive. I am guessing this will require some form of audit logging on the actual device and probably a third-party solution, since at that point it is no longer a cloud reaction. Would love to hear if anyone knows of such things... This is more for compliance and legal. Like when a user is terminated, did they attempt to save a file(s) prior to leaving...

@Jeff Harlow Do you currently have MDATP deployed? Using Advanced Hunting, you're able to do some investigations on if a file was downloaded to a USB. It may not be what you're looking to do but could be a good workaround or at least provide more information than you originally had.

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-ma...

@Jeff Harlow

In addition, my colleague @Jacques van Zijl authored the following query:

Files saved to USB:

DeviceFileEvents
// Exclude the system drive, UNC paths, volume GUID paths and known noise (SCCM, MUI files)
| where FolderPath !contains @"c:\" and
    FolderPath !contains @"\\" and
    FolderPath !contains "HarddiskVolume" and
    FolderPath !contains @"sms\pkg" and
    FolderPath !contains @"sms\bin" and
    FolderPath !contains @"SCCM_Deployments" and
    DeviceName !contains "arcade" and
    FileName !contains ".mui"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
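The query above works by exclusion, so anything not on its deny list shows up. The following Advanced Hunting query is an added example (not from this thread or its authors) that takes the opposite approach: it matches writes to a non-system drive letter positively and correlates them with the USB connection event on the same host, using the standard DeviceEvents and DeviceFileEvents tables. The 8-hour correlation window and the 7-day lookback are assumptions to tune per environment.

```kql
// Added example: file writes to a non-C: drive letter, correlated with a
// preceding USB device connection on the same host.
// Assumes the standard Defender for Endpoint Advanced Hunting schema.
let lookback = 7d;              // assumed lookback window
let usb_window = 8h;            // assumed maximum gap between plug-in and file write
let usb_connections =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "PnpDeviceConnected"
    | extend parsed = parse_json(AdditionalFields)
    | extend ClassName = tostring(parsed.ClassName),
             DeviceDescription = tostring(parsed.DeviceDescription)
    | where ClassName == "USB" or ClassName contains "DiskDrive"
    | project DeviceId, UsbConnectedAt = Timestamp, DeviceDescription;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Positive match: drive letter D: to Z: followed by a backslash.
// C:\ (system drive), UNC paths (\\server\share) and volume GUID paths do not match.
| where FolderPath matches regex @"^[D-Zd-z]:\\"
| join kind=inner usb_connections on DeviceId
// Keep only writes that happened after a USB device was connected on that host
| where Timestamp between (UsbConnectedAt .. (UsbConnectedAt + usb_window))
| project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType,
          FileName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DeviceDescription, UsbConnectedAt
| sort by Timestamp desc
```

Mapped network drives also use drive letters, which is why the join against the USB connection event matters; and since DeviceFileEvents does not capture every file write on the endpoint, treat the result as a lead for the investigation rather than a complete inventory.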

@Sarahzin

Really great shout, I never thought of that. Definitely going to give that a try myself.