Sohel68, Copper Contributor
Oct 02, 2023
Can MDE alert when user uploads data via web browser (Chrome\Edge)
I am looking to see if anyone has a rule set in MDE to send an alert when a user uploads data via a web browser (Chrome\Edge).
I really appreciate any help you can provide.
jbmartin6, Iron Contributor
This is going to be pretty noisy. Uploads happen all the time, many times you will see entire pages re-POSTed to some analytics or ad server host. You could use a 'bytes greater than' threshold, but this will need to be pretty large to get to an acceptable noise level, large enough that a lot of normal documents would not trigger it.
That said, you could try something like this. I am still new to Kusto so perhaps someone will have a better way of doing this and chime in.
DeviceNetworkEvents
| where ActionType == 'HttpConnectionInspected'
| extend Additional = parse_json(AdditionalFields)
| extend Host = Additional.host
| extend Method = Additional.method
| extend Status = Additional.status_code
| extend Bytes = tolong(Additional.request_body_len)   // cast to a number before the size comparison
| where Method matches regex "(?i)POST"
| where Bytes >= 30000
//| project Timestamp, RemoteIP, Host, Method, Status, Bytes
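As an added example (not the poster's query), the same idea narrowed to browser-initiated uploads and aggregated per device, which is one way to get the noise down without raising the byte threshold so high that it misses real exfiltration. It assumes the same AdditionalFields keys used above (host, method, request_body_len); the threshold values and the allow-list hosts are constructed placeholders to be tuned per environment.

```kusto
// Added example: browser (Chrome/Edge) POST/PUT uploads above a size threshold,
// excluding an allow-list of known telemetry hosts, rolled up per device and hour.
let UploadThresholdBytes = 30000;                       // constructed value; tune per environment
let Browsers = dynamic(["chrome.exe", "msedge.exe"]);   // restrict to browser-initiated traffic
let AllowedHosts = dynamic(["analytics.example.invalid", "telemetry.example.invalid"]); // constructed placeholders
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "HttpConnectionInspected"
| where InitiatingProcessFileName in~ (Browsers)
| extend Additional = parse_json(AdditionalFields)
| extend Host   = tostring(Additional.host),
         Method = tostring(Additional.method),
         Bytes  = tolong(Additional.request_body_len)   // cast before comparing; dynamic vs number is unreliable
| where Method in~ ("POST", "PUT")
| where Bytes >= UploadThresholdBytes
| where Host !in~ (AllowedHosts)
// Aggregate so a single very large upload and a burst of medium ones both surface.
| summarize Uploads = count(),
            TotalBytes = sum(Bytes),
            MaxBytes = max(Bytes),
            Hosts = make_set(Host, 20)
  by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where TotalBytes >= 5 * UploadThresholdBytes or MaxBytes >= 10 * UploadThresholdBytes
| order by TotalBytes desc
```

Run it first over a week of history to size the threshold and fill the allow-list before wiring it into a custom detection rule; the hourly rollup is what keeps the resulting alerts to one per device rather than one per request.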