07-18-2023 07:52 PM - edited 07-18-2023 07:53 PM
Hi @indy47
Thank you for writing to live community!
You may start with the following XQL query to begin your investigation and tune your query and include relevant fields.
dataset = xdr_data // Using the xdr dataset
|filter event_type=FILE
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type")
| filter drive_type = "2" // filter Storage Device Drive type with value 2 which is for 'Removable Media'
Note: action_file_device_info is the field here which contains storage device info.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
