Microsoft Defender for Endpoint Device Control Removable Storage Audit

  • Writer: Mr B SOE way
  • Apr 9, 2023
  • 2 min read

As part of a recent project, you could use https://endpoint.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/asr with Policy type set to Device control policy to create a policy and deploy it to your devices for auditing removable storage activity: file copies, insert/remove events for USB drives, or execution of scripts from a USB drive. With this setup I was only able to see the insert/remove USB drive events and the execution of scripts, BUT I couldn't see the file copy events.


What I did to resolve this was:

1. Navigate to https://endpoint.microsoft.com/, then create a profile of type Custom.


2. Add the following OMA-URI settings. Select Add.


Name: AllowAllMediaGroup

OMA-URI: ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData


Data Type: String File (XML)


Custom XML:

<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
  <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <PrimaryId>RemovableMediaDevices</PrimaryId>
    <PrimaryId>CdRomDevices</PrimaryId>
    <PrimaryId>WpdDevices</PrimaryId>
  </DescriptorIdList>
</Group>


Then click Save, and select Add for the next setting.


Name: AllowAuditEverything

OMA-URI: ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb2061588-029e-427d-8404-6dfec096a571%7d/RuleData


Data Type: String File (XML)


Custom XML:

<PolicyRule Id="{b2061588-029e-427d-8404-6dfec096a571}">
  <!-- Allow access and Audit file information -->
  <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb2061588-029e-427d-8404-6dfec096a571%7d/RuleData -->
  <Name>Allow access and Audit file information</Name>
  <IncludedIdList>
    <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
  </IncludedIdList>
  <ExcludedIdList>
  </ExcludedIdList>
  <Entry Id="{3d5a4360-e9b5-4da5-9214-d22f5ea0b893}">
    <Type>Allow</Type>
    <Options>8</Options>
    <AccessMask>63</AccessMask>
  </Entry>
  <Entry Id="{0cee54be-b320-4194-9c28-c780d168e158}">
    <Type>AuditAllowed</Type>
    <Options>2</Options>
    <AccessMask>63</AccessMask>
  </Entry>
  <Entry Id="{5b7657c7-a2f2-4264-9676-198d7bd35e56}">
    <Type>Allow</Type>
    <Options>16</Options>
    <AccessMask>63</AccessMask>
  </Entry>
</PolicyRule>


Click Save then click Review + Save and assign.


Note: In the XML, you might have noticed <Options>8</Options>; the reason can be found here.

For <AccessMask>63</AccessMask>, the reason can be found here.
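As an added example (not part of the original post), the following Python decodes the AccessMask and Options values used in the rule above and checks that a rule has what is needed for file copy events to show up: an Allow entry with Options 8 or 16 and an AuditAllowed entry with Options 2. The XML is a copy of the post's own Group and PolicyRule; the bit names are assumed from the Device Control documentation rather than stated in the post.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the Group and PolicyRule XML from this post (whitespace only).
GROUP_XML = """<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}"><MatchType>MatchAny</MatchType>
  <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId>
  <PrimaryId>CdRomDevices</PrimaryId><PrimaryId>WpdDevices</PrimaryId></DescriptorIdList></Group>"""
RULE_XML = """<PolicyRule Id="{b2061588-029e-427d-8404-6dfec096a571}">
  <Name>Allow access and Audit file information</Name>
  <IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
  <ExcludedIdList></ExcludedIdList>
  <Entry Id="{3d5a4360-e9b5-4da5-9214-d22f5ea0b893}"><Type>Allow</Type>
    <Options>8</Options><AccessMask>63</AccessMask></Entry>
  <Entry Id="{0cee54be-b320-4194-9c28-c780d168e158}"><Type>AuditAllowed</Type>
    <Options>2</Options><AccessMask>63</AccessMask></Entry>
  <Entry Id="{5b7657c7-a2f2-4264-9676-198d7bd35e56}"><Type>Allow</Type>
    <Options>16</Options><AccessMask>63</AccessMask></Entry>
</PolicyRule>"""

# Bit meanings as documented for Device Control (assumed from the docs, not stated in the post).
ACCESS_BITS = {1: "DeviceRead", 2: "DeviceWrite", 4: "DeviceExecute",
               8: "FileRead", 16: "FileWrite", 32: "FileExecute", 64: "Print"}
ALLOW_OPTION_BITS = {8: "FileEvidenceCopy", 16: "FileInfoCapture"}

def decode_access_mask(mask):
    """Expand an AccessMask such as 63 into the access types it covers."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def decode_allow_options(options):
    return [name for bit, name in ALLOW_OPTION_BITS.items() if options & bit]

def audit_findings(rule_xml, group_xml):
    """Return the reasons (if any) this rule would not produce file copy audit events."""
    rule, group = ET.fromstring(rule_xml), ET.fromstring(group_xml)
    findings = []
    if group.get("Id") not in {g.text for g in rule.iter("GroupId")}:
        findings.append("rule does not include group " + group.get("Id"))
    file_audit = event_sent = False
    for entry in rule.iter("Entry"):
        etype, opts = entry.findtext("Type"), int(entry.findtext("Options"))
        if etype == "Allow" and opts & (8 | 16):
            file_audit = True    # file information (and for 8, a copy) is captured
        if etype == "AuditAllowed" and opts & 2:
            event_sent = True    # the audit event is sent to the portal
    if not file_audit:
        findings.append("no Allow entry with Options 8 or 16 (no file information captured)")
    if not event_sent:
        findings.append("no AuditAllowed entry with Options 2 (event not sent)")
    return findings
```

Run audit_findings(RULE_XML, GROUP_XML) against your own RuleData before deploying; an empty list means the rule carries both the file audit option and the event option.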



3. Once the policy has been applied to your devices, start file copy actions from the USB drive to the device. Allow some time for the events to come through, then navigate to https://security.microsoft.com/v2/advanced-hunting


4. Select a new query, then run the following:


// RemovableStoragePolicyTriggered: event triggered by disk and file system level enforcement
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc


Ensure you can see the results.


5. For the file copy auditing, the following query shows the USB file events.


// Information of the evidence file
DeviceEvents
| where ActionType contains "RemovableStorageFileEvent"
| extend parsed = parse_json(AdditionalFields)
| extend Policy = tostring(parsed.Policy)
| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaInstanceId = tostring(parsed.InstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
| order by Timestamp desc


The results will show as highlighted.


Click on any of the events to view it.
