This query looks for any mass download by a single user with possible file copy activity to a newly mounted USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal an unintentional insider who had no malicious intent but whose actions may still impact an organization's security posture. Reference: https://docs.microsoft.com/defender-cloud-apps/policy-template-reference
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 6267ce44-1e9d-471b-9f1e-ae76a6b7aa84 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | Exfiltration |
| Techniques | T1052 |
| Required Connectors | MicrosoftCloudAppSecurity, MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| CloudAppEvents | | ✓ | ✗ | ? |
| DeviceEvents | ActionType in "FileCreated,FileDownloaded,FileRenamed,UsbDriveMounted" | ✓ | ✗ | ? |
| DeviceFileEvents | | ✓ | ✗ | ? |
| SecurityAlert | | ✓ | ✗ | ? |
The following connectors provide data for this content item:
Solutions: IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID Protection, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement