Query Details

Find New USB Mount

Query

// Quick and dirty detection for USB drives being mounted, excluding some common
// virtual machine events (virtual optical drives exposed by the hypervisor) and
// a noisy built-in DVD drive.
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
// Product names in the device descriptor are often space-padded, so normalise the
// value before comparing; otherwise each padding variant needs its own exclusion.
| extend ProductName = trim(@"\s+", tostring(ParsedFields.ProductName))
| project DeviceName, Timestamp, AdditionalFields, ParsedFields.DriveLetter, ProductName, ParsedFields.ProductRevision, ParsedFields.SerialNumber, ParsedFields.Volume, ParsedFields.Manufacturer
//| where ProductName !contains "VMware"
| where ProductName !in ("Virtual DVD-ROM", "VMware SATA CD00", "DVDRAM GUD0N")
//| where tostring(ParsedFields_Manufacturer) !contains "Msft"
| sort by Timestamp desc
//| summarize count() by DeviceName
//| sort by count_ desc

Explanation

This query returns USB drives mounted in the last hour, excluding some common events generated by virtual machines. It filters DeviceEvents to ActionType "UsbDriveMounted", parses the AdditionalFields JSON with parse_json, and projects the device name, timestamp, raw AdditionalFields, drive letter, product name, product revision, serial number, volume and manufacturer (projected dynamic properties become columns named after their path, such as ParsedFields_DriveLetter). It then drops rows whose product name matches known virtual or built-in optical drives. Because these comparisons are exact, case-sensitive string matches, a padded value such as "Virtual DVD-ROM " is a different string from "Virtual DVD-ROM" and must either get its own entry or be trimmed before comparison. Results are sorted newest first. The commented-out lines offer alternatives: a broader !contains exclusion on "VMware" or on the Manufacturer field, and a summarize count() by DeviceName to surface hosts with an unusual number of mounts. SerialNumber is the most useful field for following one physical device across hosts.
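To check the filtering logic offline before running it in advanced hunting, here is an added Python re-implementation of the query's pipeline (time window, ActionType filter, parse_json, projection, exclusion list, sort, and the commented-out per-device count) run over a few constructed DeviceEvents rows. This is example code written for this page, not the author's query or Defender's own code; the device names, serial numbers, volume GUIDs and timestamps are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Product names the query excludes. Comparison is done on a whitespace-trimmed
# value, so padded variants such as "Virtual DVD-ROM " collapse onto one entry.
EXCLUDED_PRODUCT_NAMES = {"Virtual DVD-ROM", "VMware SATA CD00", "DVDRAM GUD0N"}

# Fixed "now" so the ago(1h) window is reproducible (constructed value).
NOW = datetime(2023, 9, 30, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, device, action, **fields):
    """Build one constructed DeviceEvents row; AdditionalFields is a JSON string
    as in the real table. All values are made up for illustration."""
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "DeviceName": device,
        "ActionType": action,
        "AdditionalFields": json.dumps(fields),
    }


SAMPLE_DEVICE_EVENTS = [
    _row(5, "ws-finance-01", "UsbDriveMounted", DriveLetter="E:", ProductName="DataTraveler 3.0",
         ProductRevision="PMAP", SerialNumber="0000000000000001",
         Volume="\\\\?\\Volume{0a1b2c3d-0000-0000-0000-000000000001}\\", Manufacturer="Kingston"),
    # Hyper-V style virtual optical drive with a trailing space in the product name.
    _row(10, "vm-build-07", "UsbDriveMounted", DriveLetter="D:", ProductName="Virtual DVD-ROM ",
         ProductRevision="1.0", SerialNumber="", Volume="", Manufacturer="Msft"),
    _row(20, "vm-build-08", "UsbDriveMounted", DriveLetter="D:", ProductName="VMware SATA CD00",
         ProductRevision="1.00", SerialNumber="", Volume="", Manufacturer="NECVMWar"),
    _row(40, "ws-finance-01", "UsbDriveMounted", DriveLetter="F:", ProductName="Cruzer Blade",
         ProductRevision="1.00", SerialNumber="0000000000000002",
         Volume="\\\\?\\Volume{0a1b2c3d-0000-0000-0000-000000000002}\\", Manufacturer="SanDisk"),
    # Outside the one-hour window: must not be returned.
    _row(180, "ws-hr-03", "UsbDriveMounted", DriveLetter="E:", ProductName="Cruzer Glide",
         ProductRevision="1.00", SerialNumber="0000000000000003", Volume="", Manufacturer="SanDisk"),
    # Wrong ActionType: must not be returned.
    _row(15, "ws-hr-03", "UsbDriveUnmounted", DriveLetter="E:", ProductName="Cruzer Glide",
         ProductRevision="1.00", SerialNumber="0000000000000003", Volume="", Manufacturer="SanDisk"),
    # Built-in laptop DVD drive, space-padded as seen in the original query.
    _row(30, "lt-sales-02", "UsbDriveMounted", DriveLetter="D:", ProductName="DVDRAM GUD0N    ",
         ProductRevision="1.00", SerialNumber="", Volume="", Manufacturer="HL-DT-ST"),
]


def find_new_usb_mounts(rows, now=NOW, lookback=timedelta(hours=1), excluded=EXCLUDED_PRODUCT_NAMES):
    """Mirror the KQL pipeline and return the projected rows, newest first."""
    results = []
    for row in rows:
        if row["Timestamp"] <= now - lookback:        # | where Timestamp > ago(1h)
            continue
        if row["ActionType"] != "UsbDriveMounted":    # | where ActionType == "UsbDriveMounted"
            continue
        fields = json.loads(row["AdditionalFields"])  # | extend ParsedFields = parse_json(AdditionalFields)
        product = (fields.get("ProductName") or "").strip()
        if product in excluded:                       # | where ProductName !in (...)
            continue
        results.append({                              # | project ...
            "DeviceName": row["DeviceName"],
            "Timestamp": row["Timestamp"],
            "DriveLetter": fields.get("DriveLetter"),
            "ProductName": product,
            "ProductRevision": fields.get("ProductRevision"),
            "SerialNumber": fields.get("SerialNumber"),
            "Volume": fields.get("Volume"),
            "Manufacturer": fields.get("Manufacturer"),
        })
    results.sort(key=lambda r: r["Timestamp"], reverse=True)  # | sort by Timestamp desc
    return results


def count_by_device(results):
    """The commented-out variant: summarize count() by DeviceName, busiest host first."""
    counts = {}
    for r in results:
        counts[r["DeviceName"]] = counts.get(r["DeviceName"], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for hit in find_new_usb_mounts(SAMPLE_DEVICE_EVENTS):
        print(hit["Timestamp"].isoformat(), hit["DeviceName"], hit["ProductName"], hit["SerialNumber"])
    print(count_by_device(find_new_usb_mounts(SAMPLE_DEVICE_EVENTS)))
```

Passing an empty exclusion set shows how much the virtual and built-in optical drives contribute to the noise; with the default set, only the two physical flash drives on ws-finance-01 survive. When porting an exclusion back to KQL, remember that `!=` and `!in` are exact matches, so either trim the value as the query above does or add each padding variant.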

Details


Daniel Card

Released: September 30, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,Timestamp,ActionType,UsbDriveMounted,AdditionalFields,ParsedFields,DeviceName,DriveLetter,ProductName,ProductRevision,SerialNumber,Volume,Manufacturer

Operators

where,ago,|,==,extend,parse_json,project,!=,contains,sort by,summarize,count()
