Microsoft Tech Community

Can MDE alert when user uploads data via web browser (Chrome\Edge)

I am looking to see if anyone has a rule set in MDE to send an alert when a user uploads data via a web browser (Chrome\Edge).

I really appreciate any help you can provide.

1 Reply

This is going to be pretty noisy. Uploads happen all the time, many times you will see entire pages re-POSTed to some analytics or ad server host. You could use a 'bytes greater than' threshold, but this will need to be pretty large to get to an acceptable noise level, large enough that a lot of normal documents would not trigger it.

That said, you could try something like this. I am still new to Kusto so perhaps someone will have a better way of doing this and chime in.

DeviceNetworkEvents
| where ActionType == 'HttpConnectionInspected'
// AdditionalFields is a JSON string; parse it once, then cast each field to a scalar type
| extend Additional = parse_json(AdditionalFields)
| extend Host = tostring(Additional.host)
| extend Method = tostring(Additional.method)
| extend Status = toint(Additional.status_code)
// cast to long so the numeric threshold comparison below works on the dynamic value
| extend Bytes = tolong(Additional.request_body_len)
| where Method matches regex "(?i)POST"
| where Bytes >= 30000
//| project Timestamp,RemoteIP,Host,Method,Status,Bytes
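The same threshold logic as the query above, as an added example (not from the reply or from Microsoft) written in Python so the body-size threshold and a host exclusion list can be tried offline against constructed sample rows before committing to a detection rule. The row shape and the AdditionalFields keys mirror what the KQL extracts; the host names, device names and byte counts are constructed.

```python
import json
from collections import defaultdict

DEFAULT_THRESHOLD = 30_000  # bytes, same cut-off the reply's query uses


def _row(host, method, status, body_len, action="HttpConnectionInspected"):
    """Build one constructed DeviceNetworkEvents-style row (sample data, not telemetry)."""
    extra = {"host": host, "method": method, "status_code": status,
             "request_body_len": body_len}
    return {"DeviceName": "wks-01", "RemoteIP": "203.0.113.10",
            "ActionType": action, "AdditionalFields": json.dumps(extra)}


SAMPLE_EVENTS = [
    _row("analytics.example", "POST", 204, 48_000),   # page re-POSTed to an analytics host
    _row("share.example", "POST", 200, 2_500_000),    # large upload
    _row("share.example", "GET", 200, 0),             # download, not an upload
    _row("mail.example", "post", 200, 900),           # small form post
    _row("", "", 0, 0, action="ConnectionSuccess"),   # no HTTP inspection fields
]


def parse_event(row):
    """Return host/method/status/bytes for an inspected HTTP connection, else None."""
    if row.get("ActionType") != "HttpConnectionInspected":
        return None
    try:
        extra = json.loads(row.get("AdditionalFields") or "{}")
        body_len = int(extra.get("request_body_len", 0))  # same cast as tolong()
    except (ValueError, TypeError):
        return None
    return {"host": str(extra.get("host", "")),
            "method": str(extra.get("method", "")).upper(),  # case-insensitive like (?i)POST
            "status": extra.get("status_code"), "bytes": body_len}


def large_uploads(rows, threshold=DEFAULT_THRESHOLD, ignore_hosts=()):
    """POST requests with a body at or above the threshold, skipping noisy host suffixes."""
    hits = []
    for row in rows:
        ev = parse_event(row)
        if ev is None or ev["method"] != "POST" or ev["bytes"] < threshold:
            continue
        if ignore_hosts and ev["host"].endswith(tuple(ignore_hosts)):
            continue
        hits.append({"device": row.get("DeviceName"), "remote_ip": row.get("RemoteIP"), **ev})
    return hits


def bytes_per_host(hits):
    """Total uploaded bytes per destination host, for sizing the threshold."""
    totals = defaultdict(int)
    for hit in hits:
        totals[hit["host"]] += hit["bytes"]
    return dict(totals)
```

Running `large_uploads(SAMPLE_EVENTS)` at the default threshold flags both the analytics re-POST and the real upload; passing `ignore_hosts=("analytics.example",)` drops the former, which is the kind of tuning the reply warns will be needed.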