Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft Defender XDR |
| ID | 3ab04acf-e0e7-4f7c-8995-748ab4c848c2 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | Exfiltration |
| Techniques | T1041 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
DeviceEvents |
ActionType in "FileCreated,UsbDriveMounted" |
✓ | ✗ | ? |
DeviceFileEvents |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊