Threat hunting help
I’m hoping someone can help me here. I’m using the below very common queries to find USB activity. It finds FileCreated, FileModified, FileRenamed and FileDeleted. What I don’t seem to be able to find is file reads, i.e. someone double clicks on a file on the USB and it opens, essentially reading the file from the USB.
Anyone know how to find a file read from USB?
```kusto
let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
let TimespanInSeconds = 900; // Period of time between device insertion and file copy
let Connections = DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.ClassId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents
// Skip the system drive and UNC paths so only removable-drive paths remain
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\\"
| join kind=inner Connections on DeviceId
| where datetime_diff('second', Timestamp, ConnectionTime) <= TimespanInSeconds
```
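Added example, not part of the original post: DeviceFileEvents has no read action type, but when a user double-clicks a document on the drive, Explorer launches the file's handler with the document path on its command line, which DeviceProcessEvents does record. The query below reuses the PnpDeviceConnected correlation from the post and joins it to process launches whose command line references a non-C: drive path; the drive-letter range and the 900-second window are assumptions to tune per environment.

```kusto
let TimespanInSeconds = 900; // Window after insertion in which an open is attributed to the USB device
let Connections = DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| where tostring(parsed.ClassName) == "USB" and tostring(parsed.DeviceDescription) == "USB Mass Storage Device"
| project DeviceId, ConnectionTime = Timestamp, UsbDeviceId = tostring(parsed.DeviceId);
DeviceProcessEvents
// Heuristic (assumption): a path on D: through Z: is taken to be a removable drive.
// Hosts with fixed non-C: volumes will need the range narrowed or an allow-list added.
| where ProcessCommandLine matches regex @"(?i)\b[D-Z]:\\"
| extend OpenedPath = extract(@"(?i)([D-Z]:\\[^""]*)", 1, ProcessCommandLine)
| join kind=inner Connections on DeviceId
// Lower bound of 0 keeps launches that happened before the insertion out of the result
| where datetime_diff('second', Timestamp, ConnectionTime) between (0 .. TimespanInSeconds)
| project Timestamp, DeviceName, UsbDeviceId, AccountName, FileName, OpenedPath, ProcessCommandLine
| order by Timestamp desc
```

Files opened by an already-running process (for example a second document in an open Word instance) produce no new process event and are not caught by this pattern.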