User Profile
Sohel68
Copper Contributor
Joined Oct 02, 2020
Recent Discussions
Re: Content Explorer in Insider Risk: Upload files to cloud
We do have a DLP policy to block uploads to any external site like Google Drive\DropBox, which is currently applied only on 'leavers'. However, if someone uploads the file and then submits the resignation, it will bypass the DLP rule. I believe something like the below may work. https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview
Content Explorer in Insider Risk: Upload files to cloud
I can see file content in IRM content explorer as long as they are within M365; however, when a file has been uploaded to Google Drive and/or Dropbox I can see the activity, such as file name and destination domain, but not the content. Is this even supported?
Re: Looking for KQL query when high volume of USB writes happens by a user
Query seems to return a lot less this time; however, the number doesn't match when I go to "Microsoft Purview -> DLP -> Activity Explorer", where I set a filter to show all activities related to "FileCopiedtoRemovableMedia". I got the below query from online searching; it fails with "'summarize' operator: Failed to resolve scalar expression named 'UserId'"... any idea how to fix it? Sorry, I'm not a KQL expert. Thanks again.
====
DeviceFileEvents
| where ActionType == "FileCopiedToRemovableMedia"
| summarize FileCount = count() by DeviceId, UserId
| where FileCount >= 20
| join kind = inner (
    DeviceInfo
    | project DeviceId, DeviceName
) on DeviceId
| join kind = inner (
    DeviceUser
    | project UserId, UserDisplayName
) on UserId
| project DeviceName, UserDisplayName, FileCount
=============
Re: Looking for KQL query when high volume of USB writes happens by a user
OK, this seems to return some values, so thank you again. Do you know if this goes back to the last 24 hours? Curious, since I'm seeing a huge number of file modified actions by a number of users, for example over 4K files by 30+ users.
Re: Looking for KQL query when high volume of USB writes happens by a user
Thank you again. So that seems to do the trick, but I'm not getting any results, even when I changed the value to "1" file. I'm looking to see if someone copies more than 20 files in the last 24 hrs.
==========================
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by InitiatingProcessAccountName
| where USBWriteCount > 1
| order by USBWriteCount desc
=====================
Re: Looking for KQL query when high volume of USB writes happens by a user
Thank you for the quick response. I just ran the query and got an error on "AccountName" - see below: "The name 'AccountName' does not refer to any known column, table, variable or function"
---------------
DeviceFileEvents
| where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb"
| summarize USBWriteCount = count() by AccountName
| where USBWriteCount > 20 // if someone copies more than 20 files
| order by USBWriteCount desc
------------
Any idea?
Looking for KQL query when high volume of USB writes happens by a user
Hello, I did some online searching, but I couldn't find any working one yet. I'm looking for a query which I can use in Advanced threat hunting in MDE to generate an alert when a user copies a huge amount of data to an external USB drive. Your help is much appreciated. Thanks.
Re: How can I de-duplicate systems in Intune
Windows 10 devices. I have a device (security) group in Intune\MEM; I'm seeing the same machine listed multiple times when I click the group. I'm already using the steps included in the link which you have provided, but it deletes systems beyond 90 days.
How to import bulk indicators to Microsoft defender security center
Hello, I'm new to Microsoft. I'm trying to import IoCs using a CSV file to "Microsoft Defender Security Center -> Indicators". I know how to do a single hash, but I'm looking for bulk import. The sample file is not very helpful. Any suggestions? Thanks.
Migrating to Bitlocker
Hello all, I'm new to Microsoft; we have been a McAfee shop for a long time and are now moving to the Microsoft world. I have configured and created policies for Bitlocker in Intune; however, when I move systems to the device group in Intune, Bitlocker is not becoming active. Systems are hybrid joined. Has anyone migrated from McAfee encryption to Bitlocker? If so, can you share your experience? Also, is it better to manage Bitlocker policies from SCCM (Configuration Manager)?