KQL For Transferring to USB Assistance
Hi all,
I'm modifying a built in KQL query for detecting USB Activity (From PC -> USB) focus specifically on users who are leaving the company to detect potential insider threats.
Below, is my KQL that works, however, my issue with it is that I am unable to target a specific group of users. See working query below. Essentially, what it does is lets me know the user, their device, and the drive letter of the mounted drive. Then, it lets me know what file they transferred and where it landed on the drive.
let UsbDriveMount = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project DeviceId, DeviceName, MountedDriveLetter = ParsedFields.DriveLetter, MountTime = TimeGenerated,
ProductName = ParsedFields.ProductName, SerialNumber = ParsedFields.SerialNumber, Manufacturer = ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project InitiatingProcessAccountUpn, FileTransferred = FileName, FileTransferredTo = FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied, DeviceId, InitiatingProcessAccountName
| order by DeviceId asc, TimeGenerated desc;
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FileTransferredTo startswith MountedDriveLetter
| where TimeGenerated >= MountTime
| partition hint.strategy=native by FileTransferred (top 1 by MountTime)
| project DeviceName, InitiatingProcessAccountUpn, FileTransferred, MountedDriveLetter, FileTransferredTo, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied, DeviceId, InitiatingProcessAccountName,
ProductName, SerialNumber, Manufacturer
| order by TimeGenerated desc
My issue is that it is letting me know ALL user USB activity. I only want to see a specific group of users. Could anyone assist with this? I have been attempting for a while, but the modified query is consuming excessive resources. As a result, it's not running.
See below for the modified version.
// Define the target users
let targetUsers = datatable (InitiatingProcessAccountUpn: string)
[
"[email protected]",
"[email protected]"
];
// Filter and project relevant columns early in the UsbDriveMount
let UsbDriveMount = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project DeviceId, DeviceName, MountedDriveLetter = ParsedFields.DriveLetter, MountTime = TimeGenerated,
ProductName = ParsedFields.ProductName, SerialNumber = ParsedFields.SerialNumber, Manufacturer = ParsedFields.Manufacturer;
// Filter and project relevant columns early in the FileCreation
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project InitiatingProcessAccountUpn, FileTransferred = FileName, FileTransferredTo = FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied, DeviceId, InitiatingProcessAccountName;
// Join UsbDriveMount and FileCreation using relevant filters
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FileTransferredTo startswith MountedDriveLetter
| where TimeGenerated >= MountTime
| where InitiatingProcessAccountUpn in (targetUsers)
| project DeviceName, InitiatingProcessAccountUpn, FileTransferred, MountedDriveLetter, FileTransferredTo, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied, DeviceId, InitiatingProcessAccountName,
ProductName, SerialNumber, Manufacturer
| order by TimeGenerated desc;
Any assistance or advice would be greatly appreciated.