Alistair Trigg
Apr 29, 2021
Copper Contributor
Advanced Hunting
Hi
I have set up Defender for Endpoint on our 365 tenant and I can see our devices within the O365 security portal. I now want to report on USB activity on our devices, but when I run the following under advanced hunting I get no results, though I know there must be some data. I am starting to think I don't have the correct licence? I have O365 E3 with Defender for Endpoint. Do I need an E5 for advanced hunting?
Alistair
// Get the list of USB devices attached to a device in the past week.
let myDevice = "<insert your device ID>";
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(7d) and DeviceId == myDevice
| extend ProductName = todynamic(AdditionalFields)["ProductName"], SerialNumber = todynamic(AdditionalFields)["SerialNumber"],
    Manufacturer = todynamic(AdditionalFields)["Manufacturer"], Volume = todynamic(AdditionalFields)["Volume"]
| summarize lastInsert = max(Timestamp) by tostring(ProductName), tostring(SerialNumber), tostring(Manufacturer), tostring(Volume)