Azure · v-dvedak · Nov 3, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 30, 2025
@@ -20,11 +20,11 @@ query: |
   let lbperiod_start = 14d;
   let lbperiod_end = 24h;
   let user_actions_1 = BoxEvents
-  | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+  | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
   | summarize TotalEvents = count() by SourceName
   | project TotalEvents, User = SourceName;
   let user_actions_2 = BoxEvents
-  | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+  | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
   | summarize TotalEvents = count() by SrcUserName
   | project TotalEvents, User = SrcUserName;
   let TotalActions = (union user_actions_1, user_actions_2)
@@ -50,5 +50,5 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -21,11 +21,11 @@ query: |
   let lbperiod_end = 7d;
   let lbtime = 1h;
   let active_users = BoxEvents
-  | where TimeGenerated between (ago(lbperiod_end) .. ago(lbtime))
+  | where EventEndTime between (ago(lbperiod_end) .. ago(lbtime))
   | where EventType =~ 'LOGIN'
   | summarize makeset(SourceName);
   let inactive_users = BoxEvents
-  | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+  | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
   | where EventType =~ 'LOGIN'
   | where SourceName !in (active_users)
   | summarize makeset(SourceName);
@@ -38,5 +38,5 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -20,13 +20,13 @@ query: |
   let threshold = 100;
   BoxEvents
   | where EventType =~ 'DELETE'
-  | summarize deleted_items = dcount(SourceItemName) by SrcUserName, bin(TimeGenerated, 5m)
+  | summarize deleted_items = dcount(SourceItemName) by SrcUserName, bin(EventEndTime, 5m)
   | where deleted_items > threshold
   | extend AccountCustomEntity = SrcUserName
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
         columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -20,7 +20,7 @@ query: |
   let lbperiod_start = 14d;
   let lbperiod_end = 1d;
   let admins = BoxEvents
-  | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+  | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
   | where EventType =~ 'ADMIN_LOGIN'
   | summarize makeset(SourceLogin);
   BoxEvents
@@ -37,5 +37,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -20,14 +20,14 @@ query: |
   let lbperiod = 14d;
   let lbtime = 1h;
   BoxEvents
-  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
+  | where EventEndTime between (ago(lbperiod) .. ago(lbtime))
   | where EventType =~ 'COLLABORATION_INVITE'
   | where AdditionalDetailsRole !~ 'Owner'
-  | summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
+  | summarize min(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
   | project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
   |join (BoxEvents
             | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
-            | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
+            | summarize max(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
             | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
             ) on FileDirectory, AccessibleByName
   | where NewRole =~ 'Owner'
@@ -38,5 +38,5 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -38,7 +38,7 @@
 	"Analytic Rules/BoxUserRoleChangedToOwner.yaml"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Box",
-  "Version": "3.1.0",
+  "Version": "3.1.2",
   "Metadata": "SolutionMetadata.json",
    "TemplateSpec": true,
   "Is1PConnector": false

@@ -14,7 +14,7 @@ relevantTechniques:
   - T1078
 query: |
   BoxEvents
-  | where TimeGenerated > ago(30d)
+  | where EventEndTime > ago(30d)
   | where EventType =~ 'ADMIN_LOGIN'
   | summarize makeset(SrcIpAddr) by SourceLogin
   | extend AccountCustomEntity = SourceLogin

@@ -13,9 +13,9 @@ relevantTechniques:
   - T1531
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where EventType =~ 'DELETE_USER'
-  | project TimeGenerated, SourceName, SourceLogin
+  | project EventEndTime, SourceName, SourceLogin
   | extend AccountCustomEntity = SourceLogin
 entityMappings:
   - entityType: Account

@@ -13,20 +13,20 @@ relevantTechniques:
   - T1078
 query: |
   let active_admins = BoxEvents
-  | where TimeGenerated between (ago(7d) .. ago(1d))
+  | where EventEndTime between (ago(7d) .. ago(1d))
   | where EventType =~ 'ADMIN_LOGIN'
   | summarize makeset(SourceLogin);
   let inactive_admins = BoxEvents
-  | where TimeGenerated between (ago(30d) .. ago(7d))
+  | where EventEndTime between (ago(30d) .. ago(7d))
   | where EventType =~ 'ADMIN_LOGIN'
   | where SourceLogin !in (active_admins)
   | summarize makeset(SourceLogin);
   BoxEvents
-  | where TimeGenerated > ago(7d)
+  | where EventEndTime > ago(7d)
   | where EventType =~ 'ADMIN_LOGIN'
   | where SourceLogin !in (active_admins)
   | where SourceLogin in (inactive_admins)
-  | summarize LastLoginTime = max(TimeGenerated) by SourceLogin
+  | summarize LastLoginTime = max(EventEndTime) by SourceLogin
   | project LastLoginTime, SourceLogin
   | extend AccountCustomEntity = SourceLogin
 entityMappings:

@@ -13,20 +13,20 @@ relevantTechniques:
   - T1078
 query: |
   let active_admins = BoxEvents
-  | where TimeGenerated between (ago(7d) .. ago(1d))
+  | where EventEndTime between (ago(7d) .. ago(1d))
   | where EventType =~ 'LOGIN'
   | summarize makeset(SourceLogin);
   let inactive_admins = BoxEvents
-  | where TimeGenerated between (ago(30d) .. ago(7d))
+  | where EventEndTime between (ago(30d) .. ago(7d))
   | where EventType =~ 'LOGIN'
   | where SourceLogin !in (active_admins)
   | summarize makeset(SourceLogin);
   BoxEvents
-  | where TimeGenerated > ago(7d)
+  | where EventEndTime > ago(7d)
   | where EventType =~ 'LOGIN'
   | where SourceLogin !in (active_admins)
   | where SourceLogin in (inactive_admins)
-  | summarize LastLoginTime = max(TimeGenerated) by SourceLogin
+  | summarize LastLoginTime = max(EventEndTime) by SourceLogin
   | project LastLoginTime, SourceLogin
   | extend AccountCustomEntity = SourceLogin
 entityMappings:

@@ -14,9 +14,9 @@ relevantTechniques:
   - T1078
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where EventType =~ 'NEW_USER'
-  | project TimeGenerated, SourceName, SourceLogin
+  | project EventEndTime, SourceName, SourceLogin
   | extend AccountCustomEntity = SourceLogin
 entityMappings:
   - entityType: Account

@@ -13,9 +13,9 @@ relevantTechniques:
   - T1048
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where SourceItemName =~ 'id_rsa' or SourceItemName contains 'password' or SourceItemName contains 'key' or SourceItemName contains '_key' or SourceItemName contains '.ssh' or SourceItemName endswith '.npmrc' or SourceItemName endswith '.muttrc' or SourceItemName contains 'config.json' or SourceItemName contains '.gitconfig' or SourceItemName endswith '.netrc' or SourceItemName endswith 'package.json' or SourceItemName endswith 'Gemfile' or SourceItemName endswith 'bower.json' or SourceItemName endswith 'config.gypi' or SourceItemName endswith 'travis.yml' or SourceItemName endswith '.ps1' or SourceItemName endswith '.bat' or SourceItemName endswith '.scr' or SourceItemName endswith '.sh' or SourceItemName endswith '.exe' or SourceFileName =~ 'id_rsa' or SourceFileName contains 'password' or SourceFileName contains 'key' or SourceFileName contains '_key' or SourceFileName contains '.ssh' or SourceFileName endswith '.npmrc' or SourceFileName endswith '.muttrc' or SourceFileName contains 'config.json' or SourceFileName contains '.gitconfig' or SourceFileName endswith '.netrc' or SourceFileName endswith 'package.json' or SourceFileName endswith 'Gemfile' or SourceFileName contains 'bower.json' or SourceFileName contains 'config.gypi' or SourceFileName contains 'travis.yml' or SourceFileName endswith '.ps1' or SourceFileName endswith '.bat' or SourceFileName endswith '.scr' or SourceFileName endswith '.sh' or SourceFileName endswith '.exe'
-  | project TimeGenerated, SourceName, SourceLogin
+  | project EventEndTime, SourceName, SourceLogin
   | extend AccountCustomEntity = SourceLogin
 entityMappings:
   - entityType: Account

@@ -16,7 +16,7 @@ relevantTechniques:
   - T1530
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where EventType =~ 'DOWNLOAD'
   | summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName
   | project SrcUserName, ['DataVolume(Bytes)']

@@ -13,9 +13,9 @@ relevantTechniques:
   - T1078
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where EventType =~ 'GROUP_ADD_USER'
-  | project TimeGenerated, SourceName, SourceLogin, AdditionalDetailsGroupName
+  | project EventEndTime, SourceName, SourceLogin, AdditionalDetailsGroupName
   | extend AccountCustomEntity = SourceLogin
 entityMappings:
   - entityType: Account

@@ -15,7 +15,7 @@ relevantTechniques:
   - T1537
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where EventType =~ 'UPLOAD'
   | summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName
   | project SrcUserName, ['DataVolume(Bytes)']

@@ -13,10 +13,10 @@ relevantTechniques:
   - T1078
 query: |
   BoxEvents
-  | where TimeGenerated > ago(24h)
+  | where EventEndTime > ago(24h)
   | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
   | where AdditionalDetailsRole =~ 'Owner'
-  | project TimeGenerated, AccessibleByLogin, FileDirectory
+  | project EventEndTime, AccessibleByLogin, FileDirectory
   | extend AccountCustomEntity = AccessibleByLogin
 entityMappings:
   - entityType: Account

@@ -67,7 +67,7 @@
             "name": "dataconnectors2-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Box. You can get Box data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Box Events (CCP). You can get Box Events (CCP) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                 |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.1.2       | 29-10-2025                     | Updated KQL queries in Workbook to use EventEndTime instead of TimeGenerated for time-based filtering |
 | 3.1.1       | 10-02-2025                     | Advancing CCP **Data Connector** from Public preview to Global Availability.|
 | 3.1.0       | 06-12-2024                     | Added new CCP **Data Connector** and modified **Parser**.           |
 | 3.0.1       | 18-08-2023                     | Added text 'using Azure Functions' in **Data Connector** page.      |