06-22-2020 10:08 AM
06-22-2020 10:08 AM
Is there a way to determine if a user saved a file or folder from say OneDrive or SharePoint Online to a local drive (like USB Drive) ? I cannot seem to find that information in the audit logs or Cloud security info.
06-22-2020 11:43 AM
Hi, the closest thing I could find that may be kind of similar to what you want is the Downloaded File option in the audit log search in the Security and Compliance Center as shown below.
You could setup an alert policy based on this.
06-22-2020 11:55 AM
@PeterRising Yeah, sadly, that just means it was downloaded. That happens a lot these days. Need a way to determine if they downloaded it to a different folder or drive. I am guessing this will require some form of audit logging on the actual device and probably a third-party solution. Since at that point it is no longer a cloud reaction. Would love to hear if anyone knows of such things... This is more for compliance and legal. Like when a user is terminated, did they attempt to save a file(s) prior to leaving...
06-25-2020 10:40 AM
@Jeff Harlow Do you currently have MDATP deployed? Using Advanced Hunting, you're able to do some investigations on if a file was downloaded to a USB. It may not be what you're looking to do but could be a good workaround or at least, provide more information than you originally had.
06-25-2020 10:57 AM
In addition, my colleague @Jacques van Zijl authored the the following query:
Files saved to USB:
| where FolderPath !contains @"c:\" and
FolderPath !contains @"\\" and
FolderPath !contains "HarddiskVolume" and
FolderPath !contains @"sms\pkg" and
FolderPath !contains @"sms\bin" and
FolderPath !contains @"SCCM_Deployments"and
DeviceName !contains "arcade" and
FileName !contains ".mui"
| project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, FileName, FolderPath,InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc