cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?

JMSHW0420
Brass Contributor

‎Jul 27 2021 10:21 AM

‎Jul 27 2021 10:21 AM

RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?

Hello,

 

I am currently testing a query to validate ONLY those 'Authorised' users who should have access (using a watchlist) AND when they commit an FILE 'UPLOAD' action from the 'Box' App, whether the payload is greater than 'x' MB.

 

I understand when file upload actions are performed, a log entry is created. That for Blob storage the operation name PutBlob, indicates a file upload action. That file uploads are logged differently, where a file container is created and then the bytes are written to the file. That the PutRange operation can be used as an equivalent to PutBlob, to indicate the files bytes were written to the storage account.

 

Been able to run this query:

 

union
StorageFileLogs,
StorageBlobLogs
| where OperationName =~ "PutBlob" or OperationName =~ "PutRange"
| extend FileName = extract(@"\/([\w\-. ]+)\?", 1, Uri)
| project TimeGenerated, AccountName, Uri, ResponseMd5, Protocol, StatusText, DurationMs, CallerIpAddress, UserAgentHeader, Type, FileName
| take 10

 

What I am unsure of is checking the 'size' of bytes relating to the uploaded file.

 

Any hints to this would be extremely grateful.

 

Any thoughts @m_zorich ?

929 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by JMSHW0420 (Brass Contributor)
JMSHW0420

‎Jul 28 2021 07:02 AM

‎Jul 28 2021 07:02 AM

Solution

RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?

This has been resolved now by looking at this from a different angle.

 

The query used is:

 

find in (DeviceNetworkEvents, DeviceEvents, DeviceFileEvents)
where RemoteUrl has_any ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
| where MachineGroup has "Box Users"
| join kind=inner (
DeviceFileEvents
| extend FileSizeMBytes = FileSize/1000000
| where FileSizeMBytes >= 50
| project InitiatingProcessAccountUpn, FileSizeMBytes
) on InitiatingProcessAccountUpn
| extend
UserID = InitiatingProcessAccountUpn,
FileSizeMB = FileSizeMBytes
| project UserID, FileSizeMB

 

This update is for @m_zorich as well

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by JMSHW0420 (Brass Contributor)
JMSHW0420

‎Jul 28 2021 07:02 AM

‎Jul 28 2021 07:02 AM

Solution

RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?

This has been resolved now by looking at this from a different angle.

 

The query used is:

 

find in (DeviceNetworkEvents, DeviceEvents, DeviceFileEvents)
where RemoteUrl has_any ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
| where MachineGroup has "Box Users"
| join kind=inner (
DeviceFileEvents
| extend FileSizeMBytes = FileSize/1000000
| where FileSizeMBytes >= 50
| project InitiatingProcessAccountUpn, FileSizeMBytes
) on InitiatingProcessAccountUpn
| extend
UserID = InitiatingProcessAccountUpn,
FileSizeMB = FileSizeMBytes
| project UserID, FileSizeMB

 

This update is for @m_zorich as well

View solution in original post

0 Likes
Reply