
Files Written to Removable Media

This query tracks files written to removable media (USB drives, external drives) across all platforms, aggregating the total data volume and file count per computer. It's useful for detecting potential data exfiltration attempts or monitoring removable media usage for compliance.

Tags: EDR, hunting, FDR, intermediate
By CrowdStrike (cql-hub.com)

Query

#event_simpleName=/Written/ IsOnRemovableDisk=1   // file-write events whose target volume the sensor flagged as removable
| FileSizeMB:=unit:convert(Size, to=M)           // per-event size in MB, derived from the raw byte count in Size
| groupBy([ComputerName], function=([sum(Size, as=SizeBytes), sum(FileSizeMB, as=FileSizeMB), count(TargetFileName, as="File Count"), collect([TargetFileName])]))   // one row per host: total bytes, total MB, write count, written paths
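The filter and per-host aggregation the query performs, reproduced in Python over constructed sample events so the result can be inspected offline. This is an added example, not code from cql-hub.com or CrowdStrike; the event names, hosts, paths and sizes are constructed, the conversion of 1 MB = 1,000,000 bytes is an assumption about unit:convert, and hosts_over_threshold is a triage helper that is not part of the query.

```python
import re
from collections import defaultdict

# Constructed sample events carrying only the FDR fields the query touches
# (event_simpleName, IsOnRemovableDisk, Size, TargetFileName, ComputerName).
SAMPLE_EVENTS = [
    {"event_simpleName": "PeFileWritten", "IsOnRemovableDisk": 1, "Size": 1_500_000,
     "TargetFileName": "E:\\tools\\putty.exe", "ComputerName": "WS-01"},
    {"event_simpleName": "ZipFileWritten", "IsOnRemovableDisk": 1, "Size": 250_000_000,
     "TargetFileName": "E:\\backup\\finance.zip", "ComputerName": "WS-01"},
    {"event_simpleName": "OoxmlFileWritten", "IsOnRemovableDisk": 1, "Size": 40_000,
     "TargetFileName": "/Volumes/USB/notes.docx", "ComputerName": "MAC-02"},
    {"event_simpleName": "PeFileWritten", "IsOnRemovableDisk": 0, "Size": 9_000_000,   # fixed disk: dropped
     "TargetFileName": "C:\\Users\\a\\setup.exe", "ComputerName": "WS-01"},
    {"event_simpleName": "ProcessRollup2", "IsOnRemovableDisk": 1, "Size": 0,          # not *Written: dropped
     "TargetFileName": "", "ComputerName": "WS-03"},
]

WRITTEN = re.compile(r"Written")  # mirrors #event_simpleName=/Written/

def aggregate_removable_writes(events):
    """Reproduce the query's filter and groupBy([ComputerName]) stages.
    Assumption: unit:convert(Size, to=M) uses the SI prefix (1 MB = 1_000_000 bytes)."""
    rows = defaultdict(lambda: {"SizeBytes": 0, "FileSizeMB": 0.0,
                                "File Count": 0, "TargetFileName": []})
    for ev in events:
        if not WRITTEN.search(ev.get("event_simpleName", "")):
            continue
        if int(ev.get("IsOnRemovableDisk", 0)) != 1:
            continue
        size = int(ev.get("Size", 0))
        row = rows[ev["ComputerName"]]
        row["SizeBytes"] += size                # sum(Size, as=SizeBytes)
        row["FileSizeMB"] += size / 1_000_000   # sum(FileSizeMB) after unit:convert
        row["File Count"] += 1                  # count(TargetFileName, as="File Count")
        if ev["TargetFileName"] not in row["TargetFileName"]:
            row["TargetFileName"].append(ev["TargetFileName"])  # collect() keeps distinct values
    return dict(rows)

def hosts_over_threshold(rows, threshold_mb):
    """Triage helper (not in the query): hosts whose removable-media writes exceed threshold_mb."""
    return sorted(host for host, r in rows.items() if r["FileSizeMB"] > threshold_mb)

if __name__ == "__main__":
    result = aggregate_removable_writes(SAMPLE_EVENTS)
    for host, row in result.items():
        print(host, row["SizeBytes"], row["FileSizeMB"], row["File Count"], row["TargetFileName"])
    print("Hosts over 100 MB:", hosts_over_threshold(result, 100))
```

Running the block prints one row per host; WS-01 is the only host above a constructed 100 MB review threshold because the fixed-disk write is excluded by IsOnRemovableDisk.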

Explanation

Imported from cql-hub.com.
- #event_simpleName=/Written/ IsOnRemovableDisk=1: selects file-write events (any event name containing "Written") where the sensor flagged the target volume as removable.
- FileSizeMB:=unit:convert(Size, to=M): derives a per-event size in megabytes from the raw byte count in Size.
- groupBy([ComputerName], ...): produces one row per host with the total bytes written (SizeBytes), the total in megabytes (FileSizeMB), the number of write events (File Count) and the list of written paths (TargetFileName).

Variables to adjust

Review and adjust the values to suit your environment.