Query Details
Device Top20departments Copying Datato US Bby Size
Query
//Top 20 departments copying file data to USB drives by file size //Data connector required for this query - M365 Defender - Device* tables //Data connector required for this query - Microsoft Sentinel UEBA let id= IdentityInfo | where TimeGenerated > ago (21d) | summarize arg_max(TimeGenerated, *) by AccountName | extend LoggedOnUser = AccountName | project LoggedOnUser, AccountUPN, JobTitle, EmployeeId, Country, City, Department, AccountDisplayName | join kind=inner ( DeviceInfo | where TimeGenerated > ago (21d) | summarize arg_max(TimeGenerated, *) by DeviceName | extend LoggedOnUser = tostring(LoggedOnUsers[0].UserName) ) on LoggedOnUser | project LoggedOnUser, AccountUPN, JobTitle, Country, DeviceName, EmployeeId, Department, AccountDisplayName; DeviceEvents | where TimeGenerated > ago(7d) | join kind=inner id on DeviceName | where ActionType == "UsbDriveMounted" | extend Type = tostring(AdditionalFields.Manufacturer) | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter) | join kind=inner (DeviceFileEvents | where TimeGenerated > ago(7d) | extend FileCopyTime = TimeGenerated | where ActionType == "FileCreated" | parse FolderPath with DriveLetter '\\' * | extend DriveLetter = tostring(DriveLetter) ) on DeviceId, DriveLetter | extend FileSizeGB = FileSize/1024/1024/1000 | project TimeGenerated, DeviceName, DriveLetter, FileName1, FileSizeGB, LoggedOnUser, AccountUPN, JobTitle,EmployeeId, Country, Department, Type, AccountDisplayName | summarize CopySize=sum(FileSizeGB)by Department | order by CopySize | take 20 | render columnchart
Explanation
This query finds the top 20 departments that have copied file data to USB drives, based on the file size. It uses data from the M365 Defender - Device* tables and Microsoft Sentinel UEBA. It retrieves information about the logged-on users, their devices, and the USB drive events. It then joins the data to get the relevant information and calculates the file size in gigabytes. Finally, it summarizes the total file size for each department, orders the results, and displays them in a column chart.
Details
Matt Zorich
Released: June 17, 2022
Tables
IdentityInfoDeviceInfoDeviceEventsDeviceFileEvents
Keywords
Devices,Intune,User,Department,FileSizeGB,DriveLetter,ActionType,Manufacturer,AdditionalFields,DeviceFileEvents,TimeGenerated,DeviceName,LoggedOnUser,AccountUPN,JobTitle,EmployeeId,Country,AccountDisplayName,CopySize
Operators
wheresummarizearg_maxbyextendprojectjoinonwhereextendextendjoinonextendprojectsummarizeorder bytakerender