Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Files Copied to USB Drives

Back
Id3ab04acf-e0e7-4f7c-8995-748ab4c848c2
RulenameFiles Copied to USB Drives
DescriptionThis query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.
SeverityHigh
TacticsExfiltration
TechniquesT1041
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml
Version1.0.0
Arm template3ab04acf-e0e7-4f7c-8995-748ab4c848c2.json
Deploy To Azure
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated,
ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
InitiatingProcessAccountName,InitiatingProcessAccountUpn,
FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, TimeGenerated desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where TimeGenerated >= MountTime
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
| order by DeviceId asc, TimeGenerated desc
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
| extend FileHashAlgorithm = 'SHA256'
status: Available
id: 3ab04acf-e0e7-4f7c-8995-748ab4c848c2
query: |
  let UsbDriveMount = DeviceEvents
  | where ActionType=="UsbDriveMounted"
  | extend ParsedFields=parse_json(AdditionalFields)
  | project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated,
  ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
  | order by DeviceId asc, MountTime desc;
  let FileCreation = DeviceFileEvents
  | where InitiatingProcessAccountName != "system"
  | where ActionType == "FileCreated"
  | where FolderPath !startswith "C:\\"
  | where FolderPath !startswith "\\"
  | project ReportId,DeviceId,InitiatingProcessAccountDomain,
  InitiatingProcessAccountName,InitiatingProcessAccountUpn,
  FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied
  | order by DeviceId asc, TimeGenerated desc;
  FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
  | where FolderPath startswith DriveLetter
  | where TimeGenerated >= MountTime
  | partition hint.strategy=native by ReportId ( top 1 by MountTime )
  | order by DeviceId asc, TimeGenerated desc
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
  | extend FileHashAlgorithm = 'SHA256'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml
description: |
    This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.
name: Files Copied to USB Drives
relevantTechniques:
- T1041
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileName
  - identifier: Directory
    columnName: FolderPath
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: FileHashAlgorithm
  - identifier: Value
    columnName: SHA256
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - DeviceEvents
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
tactics:
- Exfiltration
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3ab04acf-e0e7-4f7c-8995-748ab4c848c2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3ab04acf-e0e7-4f7c-8995-748ab4c848c2')]",
      "properties": {
        "alertRuleTemplateName": "3ab04acf-e0e7-4f7c-8995-748ab4c848c2",
        "customDetails": null,
        "description": "This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.\n",
        "displayName": "Files Copied to USB Drives",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileName",
                "identifier": "Name"
              },
              {
                "columnName": "FolderPath",
                "identifier": "Directory"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "FileHashAlgorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml",
        "query": "let UsbDriveMount = DeviceEvents\n| where ActionType==\"UsbDriveMounted\"\n| extend ParsedFields=parse_json(AdditionalFields)\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated,\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\n| order by DeviceId asc, MountTime desc;\nlet FileCreation = DeviceFileEvents\n| where InitiatingProcessAccountName != \"system\"\n| where ActionType == \"FileCreated\"\n| where FolderPath !startswith \"C:\\\\\"\n| where FolderPath !startswith \"\\\\\"\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\nFileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied\n| order by DeviceId asc, TimeGenerated desc;\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\n| where FolderPath startswith DriveLetter\n| where TimeGenerated >= MountTime\n| partition hint.strategy=native by ReportId ( top 1 by MountTime )\n| order by DeviceId asc, TimeGenerated desc\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n| extend FileHashAlgorithm = 'SHA256'\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1041"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}