0

I am trying to find if a user has copied some files from the shared folder to the local desktop. The Microsoft Defender (Advanced Hunting) only shows FileDeleted, FileCreated, FileRenamed, and Filemodified. What are other filters I should apply to see if the file has been copied from the shared folder?

Thank you!

CuriousDataExplorer
  • 1
  • 1

1 Answers1

0

If you have not find the answer here is what I use

DeviceFileEvents | where FileName contains "name of file"

This will show u the file and Timestamp related to it whereth it was copied or opened and so on..

Cheers!

Ani
  • 61
  • 1
  • 7