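//Detects a user that downloaded a file from O365 and then wrote the same file to USB, matches on both filename and the user
//Data connector required for this query - M365 Defender - Device* tables
//Data connector required for this query - Office 365
//Join keys are copied into lower-cased helper columns because a join 'on' clause compares with ==, which is
//case-sensitive, while UPN, account-name and Windows filename casing can differ between OfficeActivity,
//IdentityInfo and the Device* tables. The helper columns are given distinct names on each side so the join
//does not produce Key/Key1 duplicates, and the original output columns (DeviceName, DriveLetter, FileCopied, User) are unchanged.
//Lookback windows are parameterised so the same logic can be rerun over a wider window during an investigation.
let lookback = 1d;
let identityLookback = 21d;
let filedownloads=
OfficeActivity
| where TimeGenerated > ago(lookback)
| extend DownloadTime = TimeGenerated
| where Operation in ('FileSyncDownloadedFull', 'FileDownloaded')
| extend UserKey = tolower(UserId), SourceFileKey = tolower(SourceFileName)
| project DownloadTime, UserId, UserKey, SourceFileName, SourceFileKey
| join kind=inner
(
IdentityInfo
| where TimeGenerated > ago(identityLookback)
// keep only the most recent identity record per UPN so stale records do not multiply the join output
| summarize arg_max(TimeGenerated, *) by AccountUPN
| extend UpnKey = tolower(AccountUPN))
on $left.UserKey == $right.UpnKey
| extend DownloadAccountKey = tolower(AccountName)
| project DownloadTime, SourceFileName, SourceFileKey, UserId, AccountName, DownloadAccountKey
;
DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "UsbDriveMounted"
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join kind=inner
(
DeviceFileEvents
| where TimeGenerated > ago(lookback)
| extend FileCopyTime = TimeGenerated
| where ActionType == "FileCreated"
| extend FileKey = tolower(FileName), RequestAccountKey = tolower(RequestAccountName)
| join kind=inner filedownloads
on
$left.FileKey == $right.SourceFileKey,
$left.RequestAccountKey == $right.DownloadAccountKey
// enforce the sequence the detection describes: the file must be written to the device after it was downloaded
| where FileCopyTime > DownloadTime
// parse already yields a string, so no further tostring() is needed on DriveLetter
| parse FolderPath with DriveLetter '\\' *
)
// NOTE(review): mount-before-copy ordering is not enforced here; a re-mount of the same drive letter later in the
// window would also pair with an earlier file creation - confirm whether that is acceptable for this detection
on DeviceId, DriveLetter
| extend FileCopied = FileName1
| extend User = AccountName1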
| distinct DeviceName, DriveLetter, FileCopied, User

This query looks for a user who downloaded a file from Office 365 and then wrote the same file to a USB drive, matching on both the user and the filename of the downloaded file. It requires the M365 Defender Device* tables and Office 365 data connectors. It first collects the download time, source filename, user ID, and account name of each downloaded file. It then takes device events where a USB drive was mounted and device file events where a file was created, joins the file-creation events with the download information on filename and user account, parses the folder path to extract the drive letter as a separate column, and joins that back to the mount events on device and drive letter. Finally, it returns the distinct device name, drive letter, copied file name, and user account.

Matt Zorich
Released: June 17, 2022