USB Detection for macOS - Advanced Hunting


Hi,

Is there a way to detect USB events on macOS devices via Advanced Hunting - ATP?

Apparently the below query works fine for me, but for Windows:

DeviceEvents
| where DeviceName has "COMPUTER_NAME"
| where ActionType == "UsbDriveMounted"
| project USBMountTime = Timestamp, ReportId, InitiatingProcessAccountName, DeviceName, DeviceId, AdditionalFields

Thanks