![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 28.000000000000004%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Defender | Other
Additional Microsoft Defender tools and services that provide security across various platforms and environments
The file creation events (action type: FileCreated) recorded in the DeviceFileEvents table under the USB folder path can indicate either of the following scenarios:
- Files Moved or Copied to USB: These events may represent files that were actively moved or copied from the device to the USB drive. In this case, the action would be logged as a new file creation event on the USB drive.
- Existing Files on USB: Alternatively, these events could also indicate files that were already present on the USB drive and were detected by Microsoft Defender when the USB was plugged in. In this scenario, the Defender may log the event as it scans the USB for existing files.
To determine the exact nature of the events, additional context or details about the specific actions taken prior to the logging of these events may be required.