SOLVED

RE: How do you verify a file 'UPLOAD' action from 'Box' App when the payload is greater than 'x' MB?

%3CLINGO-SUB%20id%3D%22lingo-sub-2592379%22%20slang%3D%22en-US%22%3ERE%3A%20How%20do%20you%20verify%20a%20file%20'UPLOAD'%20action%20from%20'Box'%20App%20when%20the%20payload%20is%20greater%20than%20'x'%20MB%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2592379%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20currently%20testing%20a%20query%20to%20validate%20ONLY%20those%20'Authorised'%20users%20who%20should%20have%20access%20(using%20a%20watchlist)%20AND%20when%20they%20commit%20an%20FILE%20'UPLOAD'%20action%20from%20the%20'Box'%20App%2C%20whether%20the%20payload%20is%20greater%20than%20'x'%20MB.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20understand%20when%20file%20upload%20actions%20are%20performed%2C%20a%20log%20entry%20is%20created.%20That%20for%26nbsp%3BBlob%20storage%20the%20operation%20name%20PutBlob%2C%20indicates%20a%20file%20upload%20action.%20That%20file%20uploads%20are%20logged%20differently%2C%20where%20a%20file%20container%20is%20created%20and%20then%20the%20bytes%20are%20written%20to%20the%20file.%20That%26nbsp%3Bthe%20PutRange%20operation%20can%20be%20used%20as%20an%20equivalent%20to%20PutBlob%2C%20to%20indicate%20the%20files%20bytes%20were%20written%20to%20the%20storage%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBeen%20able%20to%20run%20this%20query%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eunion%3CBR%20%2F%3EStorageFileLogs%2C%3CBR%20%2F%3EStorageBlobLogs%3CBR%20%2F%3E%7C%20where%20OperationName%20%3D~%20%22PutBlob%22%20or%20OperationName%20%3D~%20%22PutRange%22%3CBR%20%2F%3E%7C%20extend%20FileName%20%3D%20extract(%40%22%5C%2F(%5B%5Cw%5C-.%20%5D%2B)%5C%3F%22%2C%201%2C%20Uri)%3CBR%20%2F%3E%7C%20project%20TimeGenerated%2C%20AccountName%2C%20Uri%2C%20ResponseMd5%2C%20Protocol%2C%20StatusText%2C%20DurationMs%2C%20CallerIpAddress%2C%20UserAgentHeader%2C%20Type%2C%20FileName%3CBR%20%2F%3E%7C%20take%2010%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20am%20unsure%20of%20is%20checking%20the%20'size'%20of%20bytes%20relating%20to%20the%20uploaded%20file.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20hints%20to%20this%20would%20be%20extremely%20grateful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1085960%22%20target%3D%22_blank%22%3E%40m_zorich%3C%2FA%3E%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello,

 

I am currently testing a query to validate ONLY those 'Authorised' users who should have access (using a watchlist) AND when they commit an FILE 'UPLOAD' action from the 'Box' App, whether the payload is greater than 'x' MB.

 

I understand when file upload actions are performed, a log entry is created. That for Blob storage the operation name PutBlob, indicates a file upload action. That file uploads are logged differently, where a file container is created and then the bytes are written to the file. That the PutRange operation can be used as an equivalent to PutBlob, to indicate the files bytes were written to the storage account.

 

Been able to run this query:

 

union
StorageFileLogs,
StorageBlobLogs
| where OperationName =~ "PutBlob" or OperationName =~ "PutRange"
| extend FileName = extract(@"\/([\w\-. ]+)\?", 1, Uri)
| project TimeGenerated, AccountName, Uri, ResponseMd5, Protocol, StatusText, DurationMs, CallerIpAddress, UserAgentHeader, Type, FileName
| take 10

 

What I am unsure of is checking the 'size' of bytes relating to the uploaded file.

 

Any hints to this would be extremely grateful.

 

Any thoughts @m_zorich ?

2 Replies
best response confirmed by JMSHW0420 (Occasional Contributor)
Solution

This has been resolved now by looking at this from a different angle.

 

The query used is:

 

find in (DeviceNetworkEvents, DeviceEvents, DeviceFileEvents)
where RemoteUrl has_any ("box.com", "boxcloud.com", "boxlocalhost.com", "box.net", "boxcdn.net", "box.org", "boxenterprise.net")
| where MachineGroup has "Box Users"
| join kind=inner (
DeviceFileEvents
| extend FileSizeMBytes = FileSize/1000000
| where FileSizeMBytes >= 50
| project InitiatingProcessAccountUpn, FileSizeMBytes
) on InitiatingProcessAccountUpn
| extend
UserID = InitiatingProcessAccountUpn,
FileSizeMB = FileSizeMBytes
| project UserID, FileSizeMB

 

This update is for @m_zorich as well