Forum Discussion

Sohel68
Copper Contributor
Oct 02, 2023

Can MDE alert when user uploads data via web browser (Chrome\Edge)

I am looking to see if anyone has a rule set in MDE to send an alert when a user uploads data via a web browser (Chrome\Edge).

I really appreciate any help you can provide.

  • jbmartin6
    Iron Contributor

    This is going to be pretty noisy. Uploads happen all the time, many times you will see entire pages re-POSTed to some analytics or ad server host. You could use a 'bytes greater than' threshold, but this will need to be pretty large to get to an acceptable noise level, large enough that a lot of normal documents would not trigger it.

    That said, you could try something like this. I am still new to Kusto so perhaps someone will have a better way of doing this and chime in.

    DeviceNetworkEvents
    | where ActionType == 'HttpConnectionInspected'
    | extend Additional = parse_json(AdditionalFields)
    // cast the dynamic JSON fields to typed columns so the string and numeric comparisons below are well-defined
    | extend Host = tostring(Additional.host)
    | extend Method = tostring(Additional.method)
    | extend Status = toint(Additional.status_code)
    | extend Bytes = tolong(Additional.request_body_len)
    | where Method matches regex "(?i)POST"
    | where Bytes >= 30000   // request body size threshold in bytes; raise it to reduce noise
    //| project Timestamp,RemoteIP,Host,Method,Status,Bytes

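As an added example (not from jbmartin6's post or from Microsoft), the same idea extended to address the noise problem described above: the query casts the fields, limits to browser processes, drops an allowlist of expected upload destinations, and aggregates request bytes per device, account and host in one-hour windows so that single large POSTs and many medium ones surface together. The allowlist hosts, both thresholds and the browser-process filter are assumptions; the AdditionalFields keys are the ones used in the post.

```kql
// Added hunting query, not part of the original thread.
// Assumptions: HttpConnectionInspected events expose host, method and
// request_body_len in AdditionalFields (as in the post above); the thresholds
// and allowlist entries below are placeholder values to tune per environment.
let PerRequestThresholdBytes = 30000;          // single request body size floor
let PerHourThresholdBytes = 50000000;          // 50 MB summed per device/account/host/hour
let AllowedUploadHosts = dynamic([
    "placeholder-sharepoint.example.com",      // sanctioned file-sharing service
    "placeholder-analytics.example.com"        // known telemetry/ad endpoint
]);
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == 'HttpConnectionInspected'
// only uploads that originate from a browser process
| where InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe')
| extend Additional = parse_json(AdditionalFields)
| extend Host   = tostring(Additional.host),
         Method = tostring(Additional.method),
         Bytes  = tolong(Additional.request_body_len)
| where Method =~ 'POST' or Method =~ 'PUT'
| where Bytes >= PerRequestThresholdBytes
// drop destinations where large uploads are expected
| where Host !in (AllowedUploadHosts)
// aggregate so repeated medium-sized uploads to one host are visible too
| summarize UploadCount = count(),
            TotalBytes  = sum(Bytes),
            MaxBytes    = max(Bytes),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            ReportId    = take_any(ReportId)   // keep an event id for custom detection rules
    by DeviceId, DeviceName, InitiatingProcessAccountName, Host, bin(Timestamp, 1h)
| where TotalBytes >= PerHourThresholdBytes
| order by TotalBytes desc
```

The summarize keeps Timestamp, DeviceId and ReportId in the output because an MDE custom detection rule requires those three columns; for plain hunting they can be dropped.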