Forum Discussion
Sohel68
Jul 12, 2023 | Copper Contributor
Looking for KQL query when high volume of USB writes happens by a user
Hello,
I did some online searching, but I couldn't find a working one yet.
I'm looking for a query which I can use in Advanced Hunting in MDE to generate an alert when a user copies a huge amount of data to an external USB drive.
Your help is much appreciated.
Thanks.
- Rod_Trent (Microsoft)
In Microsoft Defender for Endpoint, you can use the following KQL query to show a high volume of USB writes by a single user. Modify the Threshold value to define what you consider a "high volume" of USB writes.
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by AccountName
| where USBWriteCount > Threshold // Replace Threshold with a specific value to define "high volume"
| order by USBWriteCount desc
- Sohel68 (Copper Contributor)
Thank you for the quick response.
I just ran the query and got an error on "AccountName" - see below:
"The name 'AccountName' does not refer to any known column, table, variable or function"
---------------
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by AccountName
| where USBWriteCount > 20 // if someone copies more than 20 files
| order by USBWriteCount desc
------------
Any idea?
- Rod_Trent (Microsoft)
Replace that with InitiatingProcessAccountName.
Here's the schema for that table: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
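An added example, not part of the thread above, for anyone landing here with the same question. Two other things in the posted query will stop it from ever matching: DeviceFileEvents has no "FileWrite" action type (its values are FileCreated, FileModified, FileRenamed and FileDeleted), and files written to a USB stick do not carry ".usb" in their names. The query below instead takes the drive letter from the UsbDriveMounted event in DeviceEvents and matches file events by FolderPath on the same device after the mount. It assumes the DriveLetter key in AdditionalFields for UsbDriveMounted (present in current MDE schemas; the single-character comparison tolerates either "E" or "E:\" formats), and the thresholds and lookback window are constructed placeholders to tune per environment.

```kql
// Added example (not from the original thread): high-volume writes to removable
// drives, summarized per account. Thresholds below are illustrative, not defaults.
let lookback = 1d;
let minFiles = 20;          // assumption: flag more than 20 write events
let minBytes = 500000000;   // assumption: or more than ~500 MB written
// One row per (device, drive letter): earliest USB mount in the window.
let usbMounts = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UsbDriveMounted"
    | extend DriveLetter = toupper(substring(tostring(parse_json(AdditionalFields).DriveLetter), 0, 1))
    | where isnotempty(DriveLetter)
    | summarize MountTime = min(Timestamp) by DeviceId, DriveLetter;
DeviceFileEvents
| where Timestamp > ago(lookback)
// Real action types for writes; "FileWrite" does not exist in this table.
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| extend Drive = toupper(substring(FolderPath, 0, 1))
| join kind=inner usbMounts on DeviceId
// Only paths on the mounted removable drive, and only after it was mounted.
| where Drive == DriveLetter and Timestamp >= MountTime
| summarize FileEvents = count(),
            BytesWritten = sum(FileSize),   // upper bound: re-writes of one file count each time
            FirstWrite = min(Timestamp),
            SampleFiles = make_set(FileName, 5),
            arg_max(Timestamp, ReportId)    // keeps Timestamp and ReportId for a custom detection rule
    by DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, DriveLetter
| where FileEvents > minFiles or BytesWritten > minBytes
| order by BytesWritten desc
```

To turn this into an alert rather than an ad hoc hunt, save it as a custom detection rule in the Defender portal; custom detections require the Timestamp, DeviceId and ReportId columns in the output, which is why the summarize carries arg_max(Timestamp, ReportId) alongside the counts. Counting bytes as well as files matters because a single large archive is the more typical exfiltration pattern and would never trip a file-count threshold on its own.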