Query Details
Device Top20departments Copying Datato US Bby Count
Query
//Top 20 departments copying file data to USB drives by file count //Data connector required for this query - M365 Defender - Device* tables //Data connector required for this query - Microsoft Sentinel UEBA let id= IdentityInfo | where TimeGenerated > ago (21d) | summarize arg_max(TimeGenerated, *) by AccountName | extend LoggedOnUser = AccountName | project LoggedOnUser, AccountUPN, JobTitle, EmployeeId, Country, City, Department, AccountDisplayName | join kind=inner ( DeviceInfo | where TimeGenerated > ago (21d) | summarize arg_max(TimeGenerated, *) by DeviceName | extend LoggedOnUser = tostring(LoggedOnUsers[0].UserName) ) on LoggedOnUser | project LoggedOnUser, AccountUPN, JobTitle, Country, DeviceName, EmployeeId, Department, AccountDisplayName; DeviceEvents | where TimeGenerated > ago(7d) | join kind=inner id on DeviceName | where ActionType == "UsbDriveMounted" | extend Type = tostring(AdditionalFields.Manufacturer) | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter) | join kind=inner (DeviceFileEvents | where TimeGenerated > ago(7d) | extend FileCopyTime = TimeGenerated | where ActionType == "FileCreated" | parse FolderPath with DriveLetter '\\' * | extend DriveLetter = tostring(DriveLetter) ) on DeviceId, DriveLetter | extend FileSizeGB = FileSize/1024/1024/1000 | project TimeGenerated, DeviceName, DriveLetter, FileName1, FileSizeGB, LoggedOnUser, AccountUPN, JobTitle,EmployeeId, Country, Department, Type, AccountDisplayName | summarize CopyCount=count()by Department | order by CopyCount | take 20 | render columnchart
Explanation
This query analyzes data from M365 Defender and Microsoft Sentinel UEBA to identify the top 20 departments that have copied the most files to USB drives. It retrieves information about logged-on users, device information, and device events related to USB drive mounting. It also includes file events such as file creation and calculates the file size in gigabytes. The final result is a column chart showing the count of file copies for each department.
Details
Matt Zorich
Released: June 17, 2022
Tables
IdentityInfoDeviceInfoDeviceEventsDeviceFileEvents
Keywords
Devices,Intune,User,Department,FileCreated,FileSize,FileCopyTime,DriveLetter,ActionType,Manufacturer,AccountName,AccountUPN,JobTitle,EmployeeId,Country,City,AccountDisplayName,DeviceName,DeviceId,TimeGenerated,FileName1,CopyCount
Operators
wheresummarizearg_maxbyextendprojectjoinonwhereextendextendjoinonextendprojectsummarizeorder bytakerender