Advanced Hunting


Hi

I have set up Defender for Endpoint on our 365 tenant and I can see our devices within the O365 security portal. I want to now report on USB activity on our devices, but when I run the following under advanced hunting I get no results, and I know there must be some data. I am starting to think I don't have the correct licence? I have O365 E3 with Defender for Endpoint. Do I need an E5 for advanced hunting?


Alistair


// Get the list of USB devices attached to a device in the past week.
let myDevice = "<insert your device ID>";
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(7d) and DeviceId == myDevice
| extend ProductName = todynamic(AdditionalFields)["ProductName"],
         SerialNumber = todynamic(AdditionalFields)["SerialNumber"],
         Manufacturer = todynamic(AdditionalFields)["Manufacturer"],
         Volume = todynamic(AdditionalFields)["Volume"]
| summarize lastInsert = max(Timestamp) by tostring(ProductName), tostring(SerialNumber), tostring(Manufacturer), tostring(Volume)
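A diagnostic variant of the query in the post, added here as an example rather than taken from the post or from Microsoft: it drops the exact `ActionType` and `DeviceId` equality filters so that an empty result means the table really holds no USB events in the window, and a non-empty one shows the exact `ActionType` spelling and the device names that can be copied back into the original query. It assumes only the standard `DeviceEvents` columns already used above (`Timestamp`, `DeviceName`, `DeviceId`, `ActionType`, `AdditionalFields`); the `lookback` name is an assumption of this example.

```kusto
// Diagnostic: which USB-related event types does this tenant actually record,
// from which devices, and what do their AdditionalFields contain?
let lookback = 7d;                       // assumption of this example: same window as the original query
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType has "Usb"             // case-insensitive term match; avoids guessing the exact ActionType value
| extend Fields = parse_json(AdditionalFields)
| extend ProductName  = tostring(Fields.ProductName),
         SerialNumber = tostring(Fields.SerialNumber),
         Manufacturer = tostring(Fields.Manufacturer)
| summarize Events   = count(),
            LastSeen = max(Timestamp),
            Devices  = make_set(DeviceName, 20),   // up to 20 device names per row
            DeviceIds = make_set(DeviceId, 20)     // the DeviceId values the original query expects
            by ActionType, Manufacturer, ProductName, SerialNumber
| order by LastSeen desc
```

If this returns rows, take the `ActionType` and a `DeviceIds` value from the output and substitute them into the original query; note that `DeviceId` is the portal's device identifier, not the hostname, so comparing it with a computer name always yields no results.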