I have set up Defender for Endpoint on our 365 tenant and I can see our devices within the O365 security portal. I want to now report on USB activity on our devices but when I run the following under advanced hunting I get no results but I know there must be some data. I am starting to think I don't have the correct licence? I have O365 E3 with Defender for End Point. Do I need an E5 for advanced hunting:
//Get the list the USB devices attached to a device in the past week.
let myDevice = "<insert your device ID>";
| where ActionType == "UsbDriveMount" and Timestamp > ago(7d) and DeviceId == myDevice