JMSHW0420
Iron Contributor
Jul 27, 2021
Solved

RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?

Hello, I am currently testing a query to validate ONLY those 'Authorised' users who should have access (using a watchlist) AND when they commit a FILE 'UPLOAD' action from the 'Box' App, whether...
  • JMSHW0420
    Jul 28, 2021

    This has been resolved now by looking at this from a different angle.

    The query used is:

    find in (DeviceNetworkEvents, DeviceEvents, DeviceFileEvents)
    where RemoteUrl has_any ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
    | where MachineGroup has "Box Users"
    | join kind=inner (
    DeviceFileEvents
    | extend FileSizeMBytes = FileSize/1000000
    | where FileSizeMBytes >= 50
    | project InitiatingProcessAccountUpn, FileSizeMBytes
    ) on InitiatingProcessAccountUpn
    | extend
    UserID = InitiatingProcessAccountUpn,
    FileSizeMB = FileSizeMBytes
    | project UserID, FileSizeMB

    This update is for m_zorich as well
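
Added example, not part of the original post: the same Box-URL and file-size correlation, with the join additionally limited to large-file events seen shortly before the Box connection, run against constructed rows so it can be tested without tenant data. The table contents, the `Window` value and the `contoso.example` accounts are assumptions; `FileSize` is in bytes.

```kusto
// Constructed rows standing in for DeviceNetworkEvents and DeviceFileEvents.
let BoxDomains = dynamic(["box.com", "boxcloud.com", "box.net"]);
let Window = 10m;      // assumed correlation window
let MinSizeMB = 50;    // threshold used in the thread
let NetEvents = datatable(Timestamp:datetime, InitiatingProcessAccountUpn:string, RemoteUrl:string)
[
    datetime(2021-07-28 09:00:00), "alice@contoso.example", "upload.app.box.com",
    datetime(2021-07-28 09:05:00), "bob@contoso.example",   "www.example.org",
    datetime(2021-07-28 15:00:00), "carol@contoso.example", "api.box.com"
];
let FileEvents = datatable(Timestamp:datetime, InitiatingProcessAccountUpn:string, FileName:string, FileSize:long)
[
    datetime(2021-07-28 08:58:00), "alice@contoso.example", "export.zip", 73400320,
    datetime(2021-07-28 08:59:00), "alice@contoso.example", "notes.txt",  2048,
    datetime(2021-07-28 09:04:00), "bob@contoso.example",   "video.mp4",  98000000,
    datetime(2021-07-28 10:00:00), "carol@contoso.example", "backup.iso", 120000000
];
NetEvents
| where RemoteUrl has_any (BoxDomains)
| project NetTime = Timestamp, InitiatingProcessAccountUpn, RemoteUrl
| join kind=inner (
    FileEvents
    // Divide by a real so the result keeps its fractional part
    | extend FileSizeMBytes = FileSize / 1000000.0
    | where FileSizeMBytes >= MinSizeMB
    | project FileTime = Timestamp, InitiatingProcessAccountUpn, FileName, FileSizeMBytes
  ) on InitiatingProcessAccountUpn
// Keep only large-file events that occurred within Window before the Box connection
| where FileTime >= NetTime - Window and FileTime <= NetTime
| project UserID = InitiatingProcessAccountUpn,
          FileName,
          FileSizeMB = round(FileSizeMBytes, 1),
          RemoteUrl,
          NetTime
```

Without the time condition, the join pairs every large-file event for a user with every Box connection by that user, regardless of when each happened.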
