Query Details
// Detects when a user downgrades a label on a file and that file is then copied to USB
// Data connector required for this query - Azure Information Protection
// Data connector required for this query - M365 Defender - Device* tables
// Timeframe = the time between the label downgrade and file copy event
let timeframe=4h;
InformationProtectionEvents
| where Time > ago(1d)
| where Activity == "DowngradeLabel"
| project LabelChangeTime=Time, User, FileDowngraded=ItemName
| join kind=inner (
DeviceEvents
| where TimeGenerated > ago(1d)
| where ActionType == "UsbDriveMounted"
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join kind=inner (DeviceFileEvents
| where TimeGenerated > ago(1d)
| project TimeGenerated, ActionType, FileName, FolderPath, DeviceId, DeviceName
| extend FileCopyTime = TimeGenerated
| where ActionType == "FileCreated"
| extend FileCopyName = FileName
| parse FolderPath with DriveLetter '\\' *
| extend DriveLetter = tostring(DriveLetter)
)
on DeviceId, DriveLetter)
on $left.FileDowngraded == $right.FileCopyName
| project LabelChangeTime, FileCopyTime, FileDowngraded, DeviceName, AccountName
| where (FileCopyTime - LabelChangeTime) between (0min .. timeframe)

This query detects when a user downgrades a label on a file and then copies that file to a USB drive. It requires the Azure Information Protection data connector and the M365 Defender Device* tables. The correlation window (timeframe) is set to 4 hours. The query first selects label-downgrade events from InformationProtectionEvents, keeping the time of the change, the user and the name of the downgraded file. It then joins DeviceEvents rows for USB drive mounts with DeviceFileEvents rows for file creation on device ID and drive letter (the drive letter is parsed from the start of FolderPath), so that only files written to the mounted USB drive survive. The downgraded file is matched to the copied file by file name. The result lists the label-change time, the file-copy time, the downgraded file name, the device name and the account name, filtered to copies that occurred between 0 minutes and the timeframe after the label change.
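To show how the two joins and the time window behave on concrete rows, here is an added Python re-implementation of the query's correlation logic run over constructed sample events; it is not part of the original page or the query itself. The field names follow the query's columns, the event values are made up, and the cases outside the window or on a non-USB drive are included to show what the filter drops.

```python
from datetime import datetime, timedelta

# Constructed sample rows modelled on the three tables the query joins; field
# names follow the query's columns, the values are made up for illustration.
LABEL_EVENTS = [  # InformationProtectionEvents
    {"Time": datetime(2022, 6, 17, 9, 0), "User": "alice@contoso.example",
     "Activity": "DowngradeLabel", "ItemName": "Q2-forecast.xlsx"},
    {"Time": datetime(2022, 6, 17, 9, 5), "User": "bob@contoso.example",
     "Activity": "DowngradeLabel", "ItemName": "roadmap.docx"},
]
USB_MOUNTS = [  # DeviceEvents
    {"ActionType": "UsbDriveMounted", "DeviceId": "dev-1", "DeviceName": "LAPTOP-01",
     "AccountName": "alice", "AdditionalFields": {"DriveLetter": "E:"}},
    {"ActionType": "UsbDriveMounted", "DeviceId": "dev-2", "DeviceName": "LAPTOP-02",
     "AccountName": "bob", "AdditionalFields": {"DriveLetter": "F:"}},
]
FILE_EVENTS = [  # DeviceFileEvents
    {"TimeGenerated": datetime(2022, 6, 17, 9, 30), "ActionType": "FileCreated",
     "FileName": "Q2-forecast.xlsx", "FolderPath": r"E:\export\Q2-forecast.xlsx", "DeviceId": "dev-1"},
    # Same file written to the local C: drive, not the USB drive: must not match.
    {"TimeGenerated": datetime(2022, 6, 17, 9, 31), "ActionType": "FileCreated",
     "FileName": "Q2-forecast.xlsx", "FolderPath": r"C:\Users\alice\Q2-forecast.xlsx", "DeviceId": "dev-1"},
    # Copied to USB an hour before the downgrade: outside the window, must not match.
    {"TimeGenerated": datetime(2022, 6, 17, 8, 0), "ActionType": "FileCreated",
     "FileName": "roadmap.docx", "FolderPath": r"F:\roadmap.docx", "DeviceId": "dev-2"},
]

def drive_letter(folder_path: str) -> str:
    # Same split as `parse FolderPath with DriveLetter '\\' *`: text before the first backslash.
    return folder_path.split("\\", 1)[0]

def correlate(label_events, usb_mounts, file_events, timeframe=timedelta(hours=4)):
    """Emit one row per (downgrade, mount, copy) triple that satisfies the query's joins."""
    rows = []
    for lbl in (e for e in label_events if e["Activity"] == "DowngradeLabel"):
        for mount in (m for m in usb_mounts if m["ActionType"] == "UsbDriveMounted"):
            letter = str(mount["AdditionalFields"]["DriveLetter"])
            for f in (x for x in file_events if x["ActionType"] == "FileCreated"):
                # join ... on DeviceId, DriveLetter, then on FileDowngraded == FileCopyName
                if f["DeviceId"] != mount["DeviceId"] or drive_letter(f["FolderPath"]) != letter:
                    continue
                if f["FileName"] != lbl["ItemName"]:
                    continue
                # where (FileCopyTime - LabelChangeTime) between (0min .. timeframe)
                if timedelta(0) <= f["TimeGenerated"] - lbl["Time"] <= timeframe:
                    rows.append((lbl["Time"], f["TimeGenerated"], lbl["ItemName"],
                                 mount["DeviceName"], mount["AccountName"]))
    return rows
```

Only the copy to E: on LAPTOP-01 survives; the local-drive write and the copy that preceded the downgrade are dropped, which is the behaviour to expect when tuning the timeframe.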

Matt Zorich
Released: June 17, 2022