Using this query, you can review file transfers to USB devices.
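// Hunting query: bulk creation of document-type files on removable media.
// Emits one row per host / IP set / effective user that created more than 20
// matching files, with the file names and the first and last event time.
// NOTE(review): the threshold is evaluated over the whole selected time range,
// not per hour or day; choose the range accordingly or add a time bucket.
preset = xdr_file
// File-creation events only.
// NOTE(review): copies recorded under another event sub-type would not be counted; confirm against your telemetry.
| filter event_sub_type = ENUM.FILE_CREATE_NEW
// Keep events whose target drive is reported as removable.
| filter action_file_device_drive_type = ENUM.DEVICE_REMOVABLE
// Extension = text after the last "." in the file name, lower-cased so the match
// below does not depend on the query's case-sensitivity setting.
| alter file_ext = lowercase(arrayindex(split(action_file_name, "."), -1))
// Office, PDF and CSV formats only; other file types (archives, images, ...) are out of scope.
// Names starting with "~$" (Office temporary owner files) are excluded to reduce noise.
| filter file_ext in ("doc","docx","rtf","xls","xlsx","ppt","pptx","pdf","ppsx","csv") and action_file_name != "~$*"
// Counter counts events, not distinct names; file_list keeps every name seen.
| comp count(action_file_name) as Counter, list(action_file_name) as file_list, min(_time) as StartTime, max(_time) as EndTime by agent_hostname, agent_ip_addresses, actor_effective_username
| filter Counter > 20 // keep only entities that created more than 20 matching files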