Azure Sentinel Query—Monitor USB data Exfiltration

This article assumes that you have already configured Sentinel in your environment.

  • Data exfiltration can happen intentionally or by mistake.
  • Malicious insiders are trusted actors who can damage your organization for their own gain.
  • There are many types of exfiltration (email, sharing links, USB, ...). In this post, we will configure a query that monitors USB actions in your environment.

Requirements

Sentinel integration with Defender for Endpoint

https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration

1. Schedule the query in Sentinel

2. Configure the rule name and the lookback period, then set the rule logic

It is recommended that you map entities such as the computer name or the user name.

// This query lists files copied to USB external drives, together with USB drive information, based on FileCreated events associated with the most recent UsbDriveMount event before the file creation. Be aware that Advanced Hunting does not monitor all file types.
// This query was updated from https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Exfiltration/Files%20copied%20to%20USB%20drives.yaml
// Step 1: all USB mount events, with drive letter and device details pulled out of AdditionalFields
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,
ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
// Step 2: user-initiated file creations outside the system drive and outside UNC paths
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
InitiatingProcessAccountName,InitiatingProcessAccountUpn,
FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, Timestamp desc;
// Step 3: join each file creation to the mounts on the same device, keep only mounts whose drive letter
// prefixes the path and that happened before the write, then keep the most recent such mount per event
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where Timestamp >= MountTime
| partition by ReportId ( top 1 by MountTime )
| order by DeviceId asc, Timestamp desc

3. Monitor the query and correlate incidents

  • The best case is to correlate these incidents with "mass download" incidents from SharePoint or file servers.
  • Tagging files in SharePoint (data classification) will certainly help to identify potential threats.
  • Careful malicious insiders who are trying to steal information will do so on a regular basis; monthly reports can help to identify this.
  • Others, not that careful, will massively copy and download data and will be easy to spot.
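As an added illustration (not part of the original post), the correlation performed by the KQL query above, and the "mass copy" check from step 3, replicated in Python over a handful of constructed events. It assumes the DeviceEvents/DeviceFileEvents fields have already been extracted into dictionaries; the event values, device ids and serial numbers are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data); keys mirror the columns used in the query.
USB_MOUNTS = [  # ActionType == "UsbDriveMounted", AdditionalFields already parsed
    {"DeviceId": "dev-1", "DriveLetter": "E:", "SerialNumber": "SN-AAA", "MountTime": datetime(2023, 5, 1, 9, 0)},
    {"DeviceId": "dev-1", "DriveLetter": "E:", "SerialNumber": "SN-BBB", "MountTime": datetime(2023, 5, 1, 10, 0)},
    {"DeviceId": "dev-2", "DriveLetter": "F:", "SerialNumber": "SN-CCC", "MountTime": datetime(2023, 5, 1, 8, 0)},
]
FILE_EVENTS = [  # ActionType == "FileCreated"; "User" stands for InitiatingProcessAccountName
    {"ReportId": 1, "DeviceId": "dev-1", "User": "alice", "FolderPath": "E:\\docs\\a.xlsx", "Timestamp": datetime(2023, 5, 1, 9, 30)},
    {"ReportId": 2, "DeviceId": "dev-1", "User": "alice", "FolderPath": "E:\\docs\\b.xlsx", "Timestamp": datetime(2023, 5, 1, 10, 5)},
    {"ReportId": 3, "DeviceId": "dev-1", "User": "alice", "FolderPath": "E:\\docs\\c.xlsx", "Timestamp": datetime(2023, 5, 1, 10, 6)},
    {"ReportId": 4, "DeviceId": "dev-1", "User": "system", "FolderPath": "E:\\tmp\\d.log", "Timestamp": datetime(2023, 5, 1, 10, 7)},
    {"ReportId": 5, "DeviceId": "dev-2", "User": "bob", "FolderPath": "C:\\Users\\bob\\e.txt", "Timestamp": datetime(2023, 5, 1, 8, 30)},
    {"ReportId": 6, "DeviceId": "dev-2", "User": "bob", "FolderPath": "F:\\e.txt", "Timestamp": datetime(2023, 5, 1, 7, 30)},
]


def files_copied_to_usb(mounts, file_events):
    """Same join as the query: each non-system FileCreated event on a non-C:, non-UNC path is
    matched to the latest mount on the same device whose drive letter prefixes the path and
    whose MountTime is not after the write (the 'partition by ReportId (top 1 by MountTime)')."""
    by_device = defaultdict(list)
    for m in mounts:
        by_device[m["DeviceId"]].append(m)
    results = []
    for f in file_events:
        path = f["FolderPath"]
        if f["User"] == "system" or path.startswith("C:\\") or path.startswith("\\"):
            continue  # the FileCreation filters
        candidates = [m for m in by_device[f["DeviceId"]]
                      if path.startswith(m["DriveLetter"]) and f["Timestamp"] >= m["MountTime"]]
        if not candidates:
            continue  # no earlier mount on that letter: lookup kind=inner drops the row
        mount = max(candidates, key=lambda m: m["MountTime"])  # top 1 by MountTime
        results.append({**f, "SerialNumber": mount["SerialNumber"], "MountTime": mount["MountTime"]})
    return results


def mass_copy_candidates(matches, threshold):
    """Step 3 of the post: count copies per (user, USB serial) and return the pairs
    at or above the threshold, i.e. the 'not that careful' bulk-copy pattern."""
    counts = defaultdict(int)
    for r in matches:
        counts[(r["User"], r["SerialNumber"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}
```

Report 1 lands on the 09:00 mount (SN-AAA) while reports 2 and 3 land on the 10:00 remount (SN-BBB); the system write, the C: path and the write before any mount are dropped, just as the query drops them.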
