This is an automated archive made by the Lemmit Bot.
The original was posted on /r/microsoft by /u/Actual_Evidence_2275 on 2024-12-30 13:55:24+00:00.
I am conducting a DLP investigation and have discovered thousands of FileCreatedOnRemovableMedia lines of log data in Microsoft Purview Audit Logs. I have found matching file names and file paths from OneDrive and SharePoint. But there is no record of the user downloading these files. There are a few hundred records of FileCopiedToRemovableMedia which show they were copied from the device to the removable media. But the FileCreatedOnRemovableMedia records have no download history or copy history. These thousands of documents were copied/created on the removable media in a matter of minutes. How is this user exfiltrating this data without downloading it? What am I missing here?
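
Added example, not part of the original post: one way to script the correlation described above, listing the FileCreatedOnRemovableMedia events that have no copy record and no earlier download for the same user and file name, then counting how many of them fall in the same few minutes. The flattened record keys (`time`, `user`, `op`, `file`), the sample data and the `DOWNLOAD_OPS` set are assumptions for illustration, not the Purview export schema; matching on file name alone will also pair unrelated files that share a name.

```python
from collections import Counter
from datetime import datetime, timedelta
from ntpath import basename  # splits on both "\" and "/", on any OS

CREATED = "FileCreatedOnRemovableMedia"
COPIED = "FileCopiedToRemovableMedia"
DOWNLOAD_OPS = {"FileDownloaded"}  # assumption: adjust to the operations in your export

# Constructed sample; the keys time/user/op/file are hypothetical, not the Purview schema.
SAMPLE = [
    {"time": "2024-12-20T09:00:05", "user": "u1", "op": "FileDownloaded",
     "file": "https://tenant.example/sites/fin/Budget.xlsx"},
    {"time": "2024-12-20T09:10:00", "user": "u1", "op": CREATED, "file": r"E:\Budget.xlsx"},
    {"time": "2024-12-20T09:10:02", "user": "u1", "op": COPIED, "file": r"E:\Plan.docx"},
    {"time": "2024-12-20T09:10:02", "user": "u1", "op": CREATED, "file": r"E:\Plan.docx"},
    {"time": "2024-12-20T09:11:10", "user": "u1", "op": CREATED, "file": r"E:\HR\Salaries.xlsx"},
    {"time": "2024-12-20T09:11:40", "user": "u1", "op": CREATED, "file": r"E:\HR\Reviews.docx"},
    {"time": "2024-12-20T09:12:15", "user": "u1", "op": CREATED, "file": r"E:\Legal\Contract.pdf"},
    {"time": "2024-12-20T09:40:00", "user": "u1", "op": CREATED, "file": r"E:\Roadmap.pptx"},
]

def _key(rec):
    # Match on user plus bare file name, case-insensitively.
    return (rec["user"].lower(), basename(rec["file"]).lower())

def unexplained_creates(records):
    """CREATED events with no copy record and no earlier download for the same user and file name."""
    copied = {_key(r) for r in records if r["op"] == COPIED}
    first_dl = {}
    for r in records:
        if r["op"] in DOWNLOAD_OPS:
            first_dl[_key(r)] = min(r["time"], first_dl.get(_key(r), r["time"]))
    return [r for r in records if r["op"] == CREATED and _key(r) not in copied
            and not (_key(r) in first_dl and first_dl[_key(r)] <= r["time"])]

def bursts(events, minutes=5, threshold=3):
    """Per-user counts in fixed windows, keeping windows with at least `threshold` events."""
    counts = Counter()
    for r in events:
        t = datetime.fromisoformat(r["time"])
        start = t - timedelta(minutes=t.minute % minutes, seconds=t.second)
        counts[(r["user"], start.isoformat())] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    gaps = unexplained_creates(SAMPLE)
    print(len(gaps), "unexplained creates;", bursts(gaps))
```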