Forum Discussion

Alistair Trigg
Copper Contributor
Apr 29, 2021

Advanced Hunting

Hi 

I have set up Defender for Endpoint on our 365 tenant and I can see our devices within the O365 security portal. I want to now report on USB activity on our devices, but when I run the following under advanced hunting I get no results, although I know there must be some data. I am starting to think I don't have the correct licence? I have O365 E3 with Defender for Endpoint. Do I need an E5 for advanced hunting?

Alistair

// Get the list of USB devices attached to a device in the past week.
let myDevice = "<insert your device ID>";
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(7d) and DeviceId == myDevice
// AdditionalFields is a JSON string; parse it once and read the keys from the result.
| extend AF = todynamic(AdditionalFields)
| extend ProductName = tostring(AF.ProductName), SerialNumber = tostring(AF.SerialNumber),
         Manufacturer = tostring(AF.Manufacturer), Volume = tostring(AF.Volume)
| summarize lastInsert = max(Timestamp) by ProductName, SerialNumber, Manufacturer, Volume
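Two diagnostic queries added here as an editorial example; they are not part of the original post and were not written by the poster. They assume only what the post already names (the DeviceEvents table and the UsbDriveMount action type). The first checks whether any DeviceEvents rows at all are reaching advanced hunting, which separates a data or licensing problem from a query problem; the second lists USB mounts across every onboarded device without requiring a DeviceId, so it does not depend on the placeholder in the original query being filled in. Run them one at a time.

```kql
// Added example (not from the original post). Assumes the DeviceEvents
// table and the UsbDriveMount ActionType referenced in the question.

// Query 1: does anything from DeviceEvents reach advanced hunting at all?
// An empty result means no data is being ingested for this table in the
// selected period; a non-empty result that lacks "UsbDriveMount" means
// USB telemetry specifically is missing.
DeviceEvents
| where Timestamp > ago(7d)
| summarize Events = count(), Devices = dcount(DeviceId) by ActionType
| order by Events desc

// Query 2 (run separately): USB mounts across all devices, keyed on the
// device's hostname (DeviceName) rather than Defender's internal DeviceId.
// AdditionalFields is a JSON string, so it is parsed once and the fields
// are read from the parsed object.
DeviceEvents
| where Timestamp > ago(7d) and ActionType == "UsbDriveMount"
| extend AF = parse_json(AdditionalFields)
| extend ProductName  = tostring(AF.ProductName),
         SerialNumber = tostring(AF.SerialNumber),
         Manufacturer = tostring(AF.Manufacturer),
         Volume       = tostring(AF.Volume)
| summarize Mounts = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, DeviceId, Manufacturer, ProductName, SerialNumber, Volume
| order by LastSeen desc
```

If Query 1 returns rows but none with ActionType "UsbDriveMount", the issue is the USB telemetry rather than the query. When Query 2 does return data, SerialNumber is the value to build any allow or block list on; the Volume (drive letter) changes from one insertion to the next and should not be used as an identifier. Note that DeviceId in the original query is Defender's own device identifier, not the hostname, so a hostname pasted into the placeholder will also yield no results.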