If you are using Microsoft Defender for Endpoint together with Microsoft Sentinel and need a query that shows which files were copied to removable media, this post provides the query and a workbook for tracking and monitoring that activity.
Microsoft Sentinel Query
To run this query you need Microsoft Defender for Endpoint (included with an E5 subscription or available as a security add-on) and the Defender for Endpoint device tables exported to Microsoft Sentinel. The query returns the device name, the file name, the process that wrote the file and the associated username; note that the username (InitiatingProcessAccountUpn) is not always populated. You can also find the query uploaded to my
DeviceEvents
// USB mount events carry the assigned drive letter (for example "E:") in AdditionalFields
| where ActionType == "UsbDriveMounted"
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join kind=inner (DeviceFileEvents
    | extend FileCopyTime = TimeGenerated
    | where ActionType == "FileCreated"
    // take everything before the first backslash of the path, i.e. the drive letter
    | parse FolderPath with DriveLetter '\\' *
    | extend DriveLetter = tostring(DriveLetter)
) on DeviceId, DriveLetter
// columns from the right side of the join get the suffix 1
| project TimeGenerated, FileCopyTime, DriveLetter, DeviceName, InitiatingProcessAccountUpn, FileName1, FolderPath1, InitiatingProcessCommandLine1
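The join above matches every file created on a drive letter against every mount of that letter on the same device, regardless of when the copy happened. The following added example (not the post's own query) keeps the same tables and columns but attributes each copy to the latest preceding mount within a time window and summarises the result per user and device; the 7-day lookback, the 24-hour window and the SerialNumber field read from AdditionalFields are assumptions, not values from the post.

```kql
// Added example, not the original post's query. Same tables and columns as the
// post (DeviceEvents, DeviceFileEvents); lookback, session window and the
// SerialNumber field in AdditionalFields are assumed tuning values.
let lookback = 7d;
let session_window = 24h;
let mounts = DeviceEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "UsbDriveMounted"
    | extend Parsed = todynamic(AdditionalFields)
    | project DeviceId, DeviceName, MountTime = TimeGenerated,
              DriveLetter = tostring(Parsed.DriveLetter),
              DeviceSerial = tostring(Parsed.SerialNumber);   // assumed field
let copies = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "FileCreated"
    // "E:" from "E:\docs\file.xlsx"
    | parse FolderPath with DriveLetter '\\' *
    | project DeviceId, DriveLetter, FileCopyTime = TimeGenerated, FileName, FolderPath,
              FileSize, SHA256, InitiatingProcessAccountUpn, InitiatingProcessCommandLine;
mounts
| join kind=inner copies on DeviceId, DriveLetter
// keep only copies that happened after this mount and within the session window
| where FileCopyTime between (MountTime .. (MountTime + session_window))
// if the same letter was mounted several times, attribute the copy to the latest mount before it
| summarize arg_max(MountTime, *) by DeviceId, DriveLetter, FileCopyTime, FolderPath
// one row per user, device, drive and mount session
| summarize FilesCopied = count(), TotalBytes = sum(FileSize),
            FirstCopy = min(FileCopyTime), LastCopy = max(FileCopyTime),
            SampleFiles = make_set(FileName, 20)
    by DeviceName, InitiatingProcessAccountUpn, DriveLetter, DeviceSerial, MountTime
| order by FilesCopied desc
```

Sessions with a large FilesCopied or TotalBytes, or with an empty InitiatingProcessAccountUpn, are the rows worth reviewing first.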
Microsoft Sentinel Workbook
To simplify filtering by user, file or device, I have also created a workbook. It provides an organized, user-friendly interface for reviewing and analyzing the gathered data. You can access the workbook by following this link.
While many businesses restrict the use of removable media, certain industries require the flexibility to allow it. In such cases it is crucial to enforce measures such as encrypting the removable media with BitLocker. With the simple query and workbook provided in this post, you can monitor who is using removable media and see exactly which files they are copying to it.