Jul 27 2021 10:21 AM
Hello,
I am currently testing a query to validate ONLY those 'Authorised' users who should have access (using a watchlist) AND when they commit a FILE 'UPLOAD' action from the 'Box' App, whether the payload is greater than 'x' MB.
I understand that when file upload actions are performed, a log entry is created; that for Blob storage the operation name PutBlob indicates a file upload action; that file uploads are logged differently, where a file container is created and then the bytes are written to the file; and that the PutRange operation can be used as an equivalent to PutBlob, to indicate the file's bytes were written to the storage account.
I've been able to run this query:
union
StorageFileLogs,
StorageBlobLogs
| where OperationName =~ "PutBlob" or OperationName =~ "PutRange"
| extend FileName = extract(@"\/([\w\-. ]+)\?", 1, Uri)
| project TimeGenerated, AccountName, Uri, ResponseMd5, Protocol, StatusText, DurationMs, CallerIpAddress, UserAgentHeader, Type, FileName
| take 10
What I am unsure of is checking the 'size' of bytes relating to the uploaded file.
I would be extremely grateful for any hints on this.
Any thoughts @m_zorich ?
Jul 28 2021 07:02 AM
Solution
This has been resolved now by looking at this from a different angle.
The query used is:
find in (DeviceNetworkEvents, DeviceEvents, DeviceFileEvents)
where RemoteUrl has_any ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
| where MachineGroup has "Box Users"
| join kind=inner (
DeviceFileEvents
| extend FileSizeMBytes = FileSize/1000000
| where FileSizeMBytes >= 50
| project InitiatingProcessAccountUpn, FileSizeMBytes
) on InitiatingProcessAccountUpn
| extend
UserID = InitiatingProcessAccountUpn,
FileSizeMB = FileSizeMBytes
| project UserID, FileSizeMB
This update is for @m_zorich as well
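Added example, not from the thread or from Microsoft: the solution's logic re-expressed in Python over constructed sample rows, with one hypothetical refinement. The thread's inner join pairs a Box connection with any large file event by the same UPN, whenever it happened; here a time window ties the file event to the Box session. Hostname suffix matching stands in for KQL's has_any, and every UPN, URL and size is made up.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Box domains taken from the thread's has_any list.
BOX_DOMAINS = ("box.com", "boxcloud.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
# Constructed sample telemetry standing in for DeviceNetworkEvents / DeviceFileEvents
# rows; hypothetical values, not real logs.
T0 = datetime(2021, 7, 27, 10, 0)
NETWORK_EVENTS = [
    {"Timestamp": T0, "RemoteUrl": "https://upload.box.com/api/2.0/files/content", "InitiatingProcessAccountUpn": "alice@contoso.example"},
    {"Timestamp": T0, "RemoteUrl": "dl.boxcloud.com", "InitiatingProcessAccountUpn": "bob@contoso.example"},
    {"Timestamp": T0, "RemoteUrl": "app.box.com", "InitiatingProcessAccountUpn": "carol@contoso.example"},
    {"Timestamp": T0, "RemoteUrl": "notbox.com", "InitiatingProcessAccountUpn": "dave@contoso.example"},
]
FILE_EVENTS = [
    {"Timestamp": T0 + timedelta(minutes=2), "FileName": "archive.zip", "FileSize": 120_000_000, "InitiatingProcessAccountUpn": "alice@contoso.example"},
    {"Timestamp": T0 + timedelta(hours=3), "FileName": "backup.bak", "FileSize": 900_000_000, "InitiatingProcessAccountUpn": "bob@contoso.example"},
    {"Timestamp": T0 + timedelta(minutes=1), "FileName": "export.csv", "FileSize": 75_000_000, "InitiatingProcessAccountUpn": "carol@contoso.example"},
    {"Timestamp": T0 + timedelta(minutes=1), "FileName": "big.iso", "FileSize": 4_000_000_000, "InitiatingProcessAccountUpn": "dave@contoso.example"},
    {"Timestamp": T0 + timedelta(minutes=3), "FileName": "notes.txt", "FileSize": 2_000, "InitiatingProcessAccountUpn": "alice@contoso.example"},
]
# The 'Authorised users' watchlist; carol is deliberately not on it.
AUTHORISED = {"alice@contoso.example", "bob@contoso.example", "dave@contoso.example"}

def host_of(remote_url):
    """RemoteUrl may be a bare host or a full URL; return the lower-cased host part."""
    return (urlsplit(remote_url).hostname if "://" in remote_url else remote_url.split("/")[0]).lower()

def is_box_host(host):
    """Exact or subdomain match against the Box domain list (stand-in for has_any)."""
    return any(host == d or host.endswith("." + d) for d in BOX_DOMAINS)

def large_box_uploads(network_events, file_events, watchlist, min_mb=50, window_minutes=10):
    """Return (upn, file, MB) for watchlist users whose >= min_mb file event lies within
    window_minutes of a connection by the same user to a Box domain."""
    upn, window = "InitiatingProcessAccountUpn", timedelta(minutes=window_minutes)
    box_conns = [e for e in network_events if e[upn] in watchlist and is_box_host(host_of(e["RemoteUrl"]))]
    hits = []
    for f in file_events:
        size_mb = f["FileSize"] / 1_000_000  # same MB convention as the thread's FileSize/1000000
        if size_mb < min_mb:
            continue
        if any(c[upn] == f[upn] and abs(f["Timestamp"] - c["Timestamp"]) <= window for c in box_conns):
            hits.append((f[upn], f["FileName"], round(size_mb, 1)))
    return hits

if __name__ == "__main__":
    for hit in large_box_uploads(NETWORK_EVENTS, FILE_EVENTS, AUTHORISED):
        print(hit)  # expected: ('alice@contoso.example', 'archive.zip', 120.0)
```

With the default 10-minute window only alice is reported; widening the window to four hours also surfaces bob, which is what the UPN-only join in the thread would return regardless of timing.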