I am trying to find if a user has copied some files from the shared folder to the local desktop. The Microsoft Defender (Advanced Hunting) only shows FileDeleted, FileCreated, FileRenamed, and Filemodified. What are other filters I should apply to see if the file has been copied from the shared folder?
Thank you!
If you have not find the answer here is what I use
DeviceFileEvents | where FileName contains "name of file"
This will show u the file and Timestamp related to it whereth it was copied or opened and so on..
Cheers!