USB-related security events can be particularly valuable for threat detection.

For instance, Microsoft Defender for Endpoint can monitor and report on USB drive mount and unmount events, providing context such as drive letter, bus type, product name, serial number, and manufacturer.

This data can be crucial in detecting and responding to incidents involving potentially malicious use of USB drives, such as attempts to copy sensitive data to removable storage devices.

Tactics

  • Exfiltration
  • Insider threat

Problems with the query

  • Running the query over more than one day of data may fail: the query sets no time window of its own, the USB-file-to-SharePoint correlation is a many-to-many join on file name only, and the `partition by ReportId` step is capped at a small number of partitions under the default (legacy) partition strategy.
  • The query runs well over a one-day window, so schedule it daily.

Query Code

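// USB mount events per device, with the device attributes MDE stores in the
// AdditionalFields JSON bag (drive letter, product, serial, manufacturer).
// The extracted fields are cast to string: parse_json() yields dynamic values,
// and DriveLetter is later used as the right operand of `startswith`, which
// expects a string. Sorting here was dropped because row order does not
// survive the lookup/join this table feeds; the final query sorts its output.
let UsbDriveMount = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project
    DeviceId,
    USB_DeviceName = DeviceName,
    DriveLetter = tostring(ParsedFields.DriveLetter),
    MountTime = Timestamp,
    ProductName = tostring(ParsedFields.ProductName),
    SerialNumber = tostring(ParsedFields.SerialNumber),
    Manufacturer = tostring(ParsedFields.Manufacturer);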
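// File-creation events that could be writes to removable media: not performed
// by the SYSTEM account, and not on the system drive or a UNC / \\?\ path.
// These exclusions only shrink the input early; the real "is this drive letter
// a USB mount on this device" test happens in the main query.
// NOTE: no time filter is applied here — the query relies on the caller's
// (portal / analytics-rule) time range, which is why it is run daily.
let FileCreation = DeviceFileEvents
| where ActionType == "FileCreated"
// `!~` is the case-insensitive not-equal; `!=` would let "SYSTEM" through.
| where InitiatingProcessAccountName !~ "system"
| where FolderPath !startswith "C:\\"   // system drive
| where FolderPath !startswith "\\"     // UNC shares and \\?\ device paths
| project
    ReportId,
    DeviceId,
    InitiatingProcessAccountDomain,
    InitiatingProcessAccountName,
    InitiatingProcessAccountUpn,
    FileName,
    FolderPath,
    SHA256,
    FileCreationTime = Timestamp,
    SensitivityLabel,
    IsAzureInfoProtectionApplied;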
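// File operations from the Microsoft 365 audit log (Sentinel OfficeActivity).
// Restricted to the SharePoint and OneDrive workloads, since the results are
// labelled "SharePoint" downstream and other workloads are not file stores.
// NOTE: `Operation contains "File"` matches FileAccessed, FileModified,
// FileDeleted, ... as well as FileDownloaded/FileUploaded, so a hit means the
// file was *touched* in SharePoint, not necessarily transferred. Narrow the
// operation set (e.g. FileDownloaded, FileUploaded, FileSyncDownloadedFull,
// FileSyncUploadedFull) if only actual transfers should be correlated.
let SharePointFileDownloads = OfficeActivity
| where OfficeWorkload in~ ("SharePoint", "OneDrive")
| where Operation contains "File"
| project
    SourceFileName,
    ClientIP,
    IsManagedDevice,
    UserId,
    SharePointOperation = Operation,
    OfficeWorkload,
    SharePointTimestamp = TimeGenerated;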
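// Correlation: a file created on a drive letter that was USB-mounted on the
// same device before the creation, whose file name also appears in a
// SharePoint/OneDrive file operation. Direction is inferred purely from the
// order of the two timestamps.
// CAVEAT: the USB side and the SharePoint side are joined on file name alone;
// nothing proves the same person performed both actions. USB_AccountUpn and
// SharePointUserId are both emitted so the analyst can check that, and the
// match should be treated as a lead, not as evidence of exfiltration.
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where FileCreationTime >= MountTime
// Keep only the most recent qualifying mount per file event. ReportId is only
// unique within a device, so group by both keys. `summarize arg_max` replaces
// `partition by ReportId (top 1 ...)`, which under the legacy partition
// strategy is limited in the number of partitions it accepts — probably the
// reason larger time ranges failed.
| summarize arg_max(MountTime, *) by DeviceId, ReportId
// `join ... on` compares case-sensitively; NTFS and SharePoint preserve but do
// not enforce file-name case, so match on a lower-cased key.
| extend FileNameKey = tolower(FileName)
| join kind=inner (
    SharePointFileDownloads
    | extend FileNameKey = tolower(SourceFileName)
    | project
        FileNameKey,
        SourceFileName,
        SharePointUserId = UserId,
        SharePointTimestamp,
        SharePointOperation
) on FileNameKey
| extend FileMovementDirection = iif(FileCreationTime < SharePointTimestamp, "USB to SharePoint", "SharePoint to USB")
| project
    FileMovementDirection,
    SharePointUserId,
    FileName,
    SharePointFile = SourceFileName,
    FolderPath,
    USB_DeviceName,
    USB_FileCreationTime = FileCreationTime,            // USB file creation timestamp
    SharePointOperationTimestamp = SharePointTimestamp, // SharePoint operation timestamp
    // Triage columns: who wrote to the USB drive, which physical drive, and
    // the file hash for pivoting.
    USB_AccountUpn = InitiatingProcessAccountUpn,
    USB_SerialNumber = SerialNumber,
    SHA256
| order by USB_DeviceName asc, FileName asc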