Query Details

Device Files Copied to USB Certain Groups

Query

//Lookup members of a specific group and find any USB file copies completed by those users

//Data connector required for this query - M365 Defender - Device* tables
//Data connector required for this query - Microsoft Sentinel UEBA

//Replace "Group Name" with the group you want to monitor
let id=
    IdentityInfo
    | where GroupMembership has "Group Name"
    | where TimeGenerated > ago(21d)
    //Latest identity record per account
    | summarize arg_max(TimeGenerated, *) by AccountName
    | extend LoggedOnUser = AccountName
    | project LoggedOnUser, AccountUPN, JobTitle, EmployeeId, Country, City
    | join kind=inner (
        DeviceInfo
        | where TimeGenerated > ago(21d)
        //Latest record per device; the first logged-on user is treated as the device's user
        | summarize arg_max(TimeGenerated, *) by DeviceName
        | extend LoggedOnUser = tostring(LoggedOnUsers[0].UserName)
        )
        on LoggedOnUser
    | project LoggedOnUser, AccountUPN, JobTitle, Country, DeviceName, EmployeeId;
DeviceEvents
| where TimeGenerated > ago(30d)
//Keep only devices used by members of the group
| join kind=inner id on DeviceName
| where ActionType == "UsbDriveMounted"
//Drive letter assigned to the mounted USB device, e.g. "E:"
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join kind=inner (DeviceFileEvents
    | where TimeGenerated > ago(30d)
    | extend FileCopyTime = TimeGenerated
    | where ActionType == "FileCreated"
    //Drive letter of the destination path: everything before the first backslash
    | parse FolderPath with DriveLetter '\\' *
    | extend DriveLetter = tostring(DriveLetter)
    )
    on DeviceId, DriveLetter
//TimeGenerated is the USB mount time; FileCopyTime is when the file was created on that drive
| distinct
    TimeGenerated,
    FileCopyTime,
    DeviceName,
    DriveLetter,
    FileName1,
    LoggedOnUser,
    AccountUPN,
    JobTitle,
    EmployeeId,
    Country

Explanation

This query looks for members of a specific group and checks whether they have copied files to USB drives. It requires the M365 Defender Device* tables and the Microsoft Sentinel UEBA data connectors. From IdentityInfo it takes the members of the group (account name, UPN, job title, employee ID, country and city) and joins them to DeviceInfo on the first logged-on user to find the device each member uses. It then filters DeviceEvents to UsbDriveMounted events on those devices, extracts the drive letter assigned to the USB device, and joins them to FileCreated events in DeviceFileEvents on the same DeviceId and drive letter (parsed from the file's FolderPath) within the 30-day window. The final result lists the timestamp, device name, drive letter, file name, logged-on user details and country.
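The join logic above is easy to check offline. The following Python is an added example, not part of the original query page: it re-implements the same correlation (group members, their devices, UsbDriveMounted events and FileCreated events matched on DeviceId and drive letter) over constructed sample rows, and adds one check the KQL does not perform: the file must be created after the mount. Because the KQL joins only on DeviceId and DriveLetter, a file created on that drive letter before the mount (for example on an earlier USB device that received the same letter) also appears in the results; the `require_after_mount` flag shows both behaviours. All table contents, names and timestamps below are constructed.

```python
"""Added example (not the original page's query): Python re-implementation of
the USB file-copy correlation, run over constructed rows so the join keys and
drive-letter parsing can be checked offline."""
from datetime import datetime, timedelta

# Constructed stand-ins for the four tables the KQL query reads.
IDENTITY_INFO = [
    {"AccountName": "jdoe", "AccountUPN": "jdoe@example.com",
     "GroupMembership": ["Finance Group", "All Staff"], "JobTitle": "Analyst",
     "EmployeeId": "E100", "Country": "NL", "City": "Amsterdam"},
    {"AccountName": "asmith", "AccountUPN": "asmith@example.com",
     "GroupMembership": ["All Staff"], "JobTitle": "Engineer",
     "EmployeeId": "E200", "Country": "NL", "City": "Utrecht"},
]
DEVICE_INFO = [
    {"DeviceId": "dev-1", "DeviceName": "lt-01", "LoggedOnUsers": [{"UserName": "jdoe"}]},
    {"DeviceId": "dev-2", "DeviceName": "lt-02", "LoggedOnUsers": [{"UserName": "asmith"}]},
]
T0 = datetime(2022, 6, 1, 9, 0, 0)  # constructed mount time
DEVICE_EVENTS = [  # UsbDriveMounted rows; AdditionalFields carries the drive letter
    {"DeviceId": "dev-1", "DeviceName": "lt-01", "ActionType": "UsbDriveMounted",
     "TimeGenerated": T0, "AdditionalFields": {"DriveLetter": "E:"}},
    {"DeviceId": "dev-2", "DeviceName": "lt-02", "ActionType": "UsbDriveMounted",
     "TimeGenerated": T0, "AdditionalFields": {"DriveLetter": "E:"}},
]
DEVICE_FILE_EVENTS = [
    # copy to the USB drive on dev-1, five minutes after the mount: a true match
    {"DeviceId": "dev-1", "ActionType": "FileCreated", "TimeGenerated": T0 + timedelta(minutes=5),
     "FolderPath": r"E:\export\payroll.xlsx", "FileName": "payroll.xlsx"},
    # written to the local disk on dev-1: drive letter differs, must not match
    {"DeviceId": "dev-1", "ActionType": "FileCreated", "TimeGenerated": T0 + timedelta(minutes=6),
     "FolderPath": r"C:\Users\jdoe\notes.txt", "FileName": "notes.txt"},
    # created an hour BEFORE the mount on drive E: (the KQL join still matches this)
    {"DeviceId": "dev-1", "ActionType": "FileCreated", "TimeGenerated": T0 - timedelta(hours=1),
     "FolderPath": r"E:\old\stale.docx", "FileName": "stale.docx"},
    # asmith is not in "Finance Group", so dev-2 rows only appear for "All Staff"
    {"DeviceId": "dev-2", "ActionType": "FileCreated", "TimeGenerated": T0 + timedelta(minutes=2),
     "FolderPath": r"E:\dump\db.bak", "FileName": "db.bak"},
]


def drive_letter(folder_path: str) -> str:
    r"""Mirror of `parse FolderPath with DriveLetter '\\' *`: text before the first backslash."""
    return folder_path.split("\\", 1)[0]


def group_members_with_devices(group_name, identity_info=IDENTITY_INFO, device_info=DEVICE_INFO):
    """The `id` let-statement: group members joined to the device whose first logged-on user they are."""
    members = {u["AccountName"]: u for u in identity_info if group_name in u["GroupMembership"]}
    rows = []
    for d in device_info:
        user = members.get(d["LoggedOnUsers"][0]["UserName"])  # LoggedOnUsers[0].UserName
        if user:
            rows.append({**user, "DeviceName": d["DeviceName"]})
    return rows


def usb_file_copies(group_name, require_after_mount=True,
                    device_events=DEVICE_EVENTS, device_file_events=DEVICE_FILE_EVENTS):
    """Mount events on group members' devices joined to FileCreated rows on the same
    (DeviceId, DriveLetter). require_after_mount adds the ordering check the KQL lacks."""
    by_device = {m["DeviceName"]: m for m in group_members_with_devices(group_name)}
    mounts = [e for e in device_events
              if e["ActionType"] == "UsbDriveMounted" and e["DeviceName"] in by_device]
    results = set()  # `distinct` in the KQL
    for m in mounts:
        letter = m["AdditionalFields"]["DriveLetter"]
        for f in device_file_events:
            if f["ActionType"] != "FileCreated" or f["DeviceId"] != m["DeviceId"]:
                continue
            if drive_letter(f["FolderPath"]) != letter:
                continue
            if require_after_mount and f["TimeGenerated"] < m["TimeGenerated"]:
                continue  # file predates the mount: cannot be a copy to this USB device
            u = by_device[m["DeviceName"]]
            results.add((m["TimeGenerated"], f["TimeGenerated"], m["DeviceName"], letter,
                         f["FileName"], u["AccountName"], u["AccountUPN"], u["Country"]))
    return sorted(results)


if __name__ == "__main__":
    for row in usb_file_copies("Finance Group"):
        print(row)
```

Running the strict version for "Finance Group" yields only `payroll.xlsx`; with `require_after_mount=False` the pre-mount `stale.docx` also surfaces, which is the same false positive the KQL would report. In the KQL this corresponds to keeping `FileCopyTime` in the output and filtering on `FileCopyTime >= TimeGenerated` after the second join.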

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, DeviceInfo, DeviceEvents, DeviceFileEvents

Keywords

Devices,Intune,User

Operators

where, has, >, ago, summarize, arg_max, by, extend, project, join, kind, on, ==, todynamic, parse, with, distinct