Forum Discussion
JMSHW0420
Jul 27, 2021, Iron Contributor
RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?
Hello,
I am currently testing a query to validate ONLY those 'Authorised' users who should have access (using a watchlist) AND, when they commit a FILE 'UPLOAD' action from the 'Box' App, whether the payload is greater than 'x' MB.
I understand that when file upload actions are performed, a log entry is created; that for Blob storage the operation name PutBlob indicates a file upload action; that file uploads are logged differently, where a file container is created and then the bytes are written to the file; and that the PutRange operation can be used as an equivalent to PutBlob, to indicate the file's bytes were written to the storage account.
I have been able to run this query:
union
    StorageFileLogs,
    StorageBlobLogs
| where OperationName in~ ("PutBlob", "PutRange")   // upload operations only (case-insensitive)
| extend FileName = extract(@"\/([\w\-. ]+)\?", 1, Uri)   // last path segment before the query string
| project TimeGenerated, AccountName, Uri, ResponseMd5, Protocol, StatusText, DurationMs, CallerIpAddress, UserAgentHeader, Type, FileName
| take 10
What I am unsure of is checking the 'size' of bytes relating to the uploaded file.
I would be extremely grateful for any hints on this.
Any thoughts m_zorich ?
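The question above is how to get the uploaded byte count out of the storage logs. The following Python is an added example, not code from the original post: it runs that detection logic over a few constructed rows shaped like StorageBlobLogs / StorageFileLogs records, using RequestBodySize as the bytes carried by each upload request. It goes a little beyond the thread in two ways: it sums bytes per requester and per file across all upload rows, because PutRange (and PutBlock for chunked block-blob uploads) carries one chunk per log line rather than the whole file, and it derives the file name from the URI path alone, so PutBlob URIs with no `?` and PutRange URIs with `?comp=range` both resolve. The RequesterObjectId column, the watchlist contents, the 50 MB threshold and the sample rows are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows in the shape of StorageBlobLogs / StorageFileLogs
# (only the columns this example needs). Not real log data.
SAMPLE_LOGS = [
    # single-shot upload of a 3 MB blob by an authorised user
    {"OperationName": "PutBlob",
     "Uri": "https://acct.blob.core.windows.net/docs/report.pdf",
     "RequestBodySize": 3_000_000, "RequesterObjectId": "user-a"},
    # chunked file-share upload: four PutRange calls of 16 MiB each to one file (64 MiB total)
    *[{"OperationName": "PutRange",
       "Uri": "https://acct.file.core.windows.net/share/dir/archive.zip?comp=range",
       "RequestBodySize": 16 * 1024 * 1024, "RequesterObjectId": "user-b"} for _ in range(4)],
    # a read, which must not count as an upload
    {"OperationName": "GetBlob",
     "Uri": "https://acct.blob.core.windows.net/docs/big.iso",
     "RequestBodySize": 0, "RequesterObjectId": "user-c"},
    # 70 MB single PutBlob (with a SAS query string) by a user who is NOT on the watchlist
    {"OperationName": "PutBlob",
     "Uri": "https://acct.blob.core.windows.net/docs/dump.bin?sv=2020-08-04&sig=REDACTED",
     "RequestBodySize": 70_000_000, "RequesterObjectId": "user-z"},
]

AUTHORISED = {"user-a", "user-b"}          # stands in for the Sentinel watchlist (assumed)
UPLOAD_OPS = {"PutBlob", "PutRange", "PutBlock"}  # operations that write request bytes into storage
MB = 1_000_000   # decimal megabytes, matching FileSize/1000000 in the thread; use 1024*1024 for MiB


def canonical_uri(uri):
    """Request URI without query string or fragment, so all chunks of one file share a key."""
    return urlsplit(uri)._replace(query="", fragment="").geturl()


def file_name(uri):
    """Last path segment of the request URI; SAS tokens and ?comp=range are ignored."""
    m = re.search(r"/([^/]+)$", urlsplit(uri).path)
    return m.group(1) if m else ""


def upload_sizes(rows):
    """Sum request bytes per (requester, file) across all upload operations.

    PutRange and PutBlock carry one chunk each, so a single row understates the file size.
    """
    totals = defaultdict(int)
    for r in rows:
        if r["OperationName"] not in UPLOAD_OPS:
            continue
        totals[(r["RequesterObjectId"], canonical_uri(r["Uri"]))] += r["RequestBodySize"]
    return totals


def large_uploads(rows, threshold_mb, authorised):
    """Uploads at or above threshold_mb, with a flag for whether the requester is on the watchlist."""
    findings = []
    for (requester, uri), nbytes in upload_sizes(rows).items():
        if nbytes / MB >= threshold_mb:
            findings.append({"requester": requester, "file": file_name(uri),
                             "size_mb": round(nbytes / MB, 2),
                             "authorised": requester in authorised})
    return sorted(findings, key=lambda f: f["requester"])


if __name__ == "__main__":
    for f in large_uploads(SAMPLE_LOGS, 50, AUTHORISED):
        print(f)
```

Two things worth carrying back into the KQL: aggregate RequestBodySize per URI (without its query string) before comparing against the threshold, and decide up front whether "x MB" means decimal MB or MiB, because 64 MiB is 67.1 MB and a threshold near the boundary will behave differently.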
This has been resolved now by looking at this from a different angle.
The query used is:
find in (DeviceNetworkEvents, DeviceEvents, DeviceFileEvents)
    where RemoteUrl has_any ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
    project InitiatingProcessAccountUpn, MachineGroup   // name the columns the rest of the query needs explicitly
| where MachineGroup has "Box Users"
| join kind=inner (
    DeviceFileEvents
    | extend FileSizeMBytes = FileSize / 1000000   // decimal MB
    | where FileSizeMBytes >= 50
    | project InitiatingProcessAccountUpn, FileSizeMBytes
) on InitiatingProcessAccountUpn
| project UserID = InitiatingProcessAccountUpn, FileSizeMB = FileSizeMBytes
This update is for m_zorich as well.
- JMSHW0420, Iron Contributor
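The resolved query pairs Box network traffic with large file events on the same user. The Python below is an added example, not the poster's code, that runs the same idea over constructed DeviceNetworkEvents / DeviceFileEvents rows and adds a tighter correlation than a join on the UPN alone: the file event must sit on the same device and within a time window of the Box connection. It also matches the Box domain list by host suffix rather than substring, so that a host such as dropbox.com is not picked up by "box.com". The user set standing in for the "Box Users" group, the 10 minute window, the 50 MB threshold and all sample rows are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Domain list from the thread's query
BOX_DOMAINS = ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net",
               "boxcdn.net", "box.org", "boxenterprise.net")
# Stand-in for the "Box Users" machine group / authorised-user watchlist (assumed)
BOX_USERS = {"alice@contoso.com", "bob@contoso.com"}
MB = 1_000_000  # decimal MB, matching FileSize/1000000 in the query


def ts(s):
    return datetime.fromisoformat(s)


# Constructed rows shaped like DeviceNetworkEvents (subset of columns). Not real telemetry.
NETWORK_EVENTS = [
    {"Timestamp": ts("2021-07-27T09:00:00"), "DeviceName": "pc1",
     "RemoteUrl": "upload.box.com", "InitiatingProcessAccountUpn": "alice@contoso.com"},
    {"Timestamp": ts("2021-07-27T15:30:00"), "DeviceName": "pc2",
     "RemoteUrl": "app.box.com", "InitiatingProcessAccountUpn": "bob@contoso.com"},
    {"Timestamp": ts("2021-07-27T10:00:00"), "DeviceName": "pc3",
     "RemoteUrl": "dropbox.com", "InitiatingProcessAccountUpn": "alice@contoso.com"},
]

# Constructed rows shaped like DeviceFileEvents (subset of columns). Not real telemetry.
FILE_EVENTS = [
    # 120 MB file two minutes after Box traffic on the same device: should match
    {"Timestamp": ts("2021-07-27T09:02:00"), "DeviceName": "pc1", "FileName": "dataset.zip",
     "FileSize": 120_000_000, "InitiatingProcessAccountUpn": "alice@contoso.com"},
    # tiny file: below threshold
    {"Timestamp": ts("2021-07-27T09:03:00"), "DeviceName": "pc1", "FileName": "notes.txt",
     "FileSize": 4_000, "InitiatingProcessAccountUpn": "alice@contoso.com"},
    # huge file, but 7.5 h before the user's Box traffic: outside the window
    {"Timestamp": ts("2021-07-27T08:00:00"), "DeviceName": "pc2", "FileName": "vm.vhdx",
     "FileSize": 900_000_000, "InitiatingProcessAccountUpn": "bob@contoso.com"},
    # large file by a user outside the Box Users set, with no Box traffic at all
    {"Timestamp": ts("2021-07-27T09:01:00"), "DeviceName": "pc4", "FileName": "payroll.xlsx",
     "FileSize": 60_000_000, "InitiatingProcessAccountUpn": "eve@contoso.com"},
]


def is_box_host(remote_url):
    """True when the host of remote_url is one of BOX_DOMAINS or a subdomain of one (suffix match)."""
    host = remote_url.split("://")[-1].split("/")[0].lower()
    return any(host == d or host.endswith("." + d) for d in BOX_DOMAINS)


def large_files_near_box_traffic(net, files, threshold_mb=50,
                                 window=timedelta(minutes=10), users=BOX_USERS):
    """Large file events by Box users that occur on the same device within `window` of a Box connection."""
    box_conns = [e for e in net
                 if is_box_host(e["RemoteUrl"]) and e["InitiatingProcessAccountUpn"] in users]
    hits = []
    for f in files:
        if f["FileSize"] / MB < threshold_mb:
            continue
        for c in box_conns:
            if (c["InitiatingProcessAccountUpn"] == f["InitiatingProcessAccountUpn"]
                    and c["DeviceName"] == f["DeviceName"]
                    and abs(c["Timestamp"] - f["Timestamp"]) <= window):
                hits.append({"UserID": f["InitiatingProcessAccountUpn"],
                             "FileName": f["FileName"],
                             "FileSizeMB": f["FileSize"] / MB,
                             "RemoteUrl": c["RemoteUrl"],
                             "Device": f["DeviceName"]})
                break  # one Box connection is enough to correlate this file event
    return hits


if __name__ == "__main__":
    for h in large_files_near_box_traffic(NETWORK_EVENTS, FILE_EVENTS):
        print(h)
```

In KQL the same tightening is a join on both InitiatingProcessAccountUpn and DeviceName followed by a `where abs(Timestamp - Timestamp1) <= 10m`; without the device and time constraints, every large file a user has ever touched is paired with every Box connection that user has ever made.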
- m_zorich, Iron Contributor
Great job!