Hi All,

I'm stuck trying to turn my advanced hunting query into a detection rule. I want to set up an alert when someone moves over 100 MB of data or 50 files. The advanced query works fine, but I'm getting an error about missing fields (ReportId, Timestamp, DeviceID) when I try to create the detection rule.

I'm specifically looking to catch data exfiltration via USB or similar methods. Any help, advice, or tips on making this work would be awesome.

let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,
ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceName asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId, DeviceId, Timestamp, FolderPath, FileSize, InitiatingProcessAccountName
| order by DeviceId asc, Timestamp desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| join kind=inner (FileCreation) on DeviceId
| where FolderPath startswith DriveLetter and Timestamp >= MountTime
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
| summarize file_count=count(), total_size=sum(FileSize), Usernames=makeset(InitiatingProcessAccountName) by DeviceName
| where file_count > 50 or total_size > (100 * 1024 * 1024)
| order by DeviceName asc