Skip to content

Replace TimeGenerated with EventEndTime in KQL queries for Box workbook #13037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
v-dvedak merged 4 commits into from
Nov 3, 2025
Merged

Replace TimeGenerated with EventEndTime in KQL queries for Box workbook #13037

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
db7d41a
Replace TimeGenerated with EventEndTime in KQL queries
v-sabiraj Oct 29, 2025
e3bdf94
Fix boxEnterpriseId parameter reference in template
v-sabiraj Oct 29, 2025
28f4040
Replace TimeGenerated with EventEndTime in Box queries
v-sabiraj Oct 30, 2025
95ac1b9
Update Box analytics rule versions and queries
v-sabiraj Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Solutions/Box/Data/Solution_Box.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@
"Analytic Rules/BoxUserRoleChangedToOwner.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Box",
"Version": "3.1.0",
"Version": "3.1.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
Expand Down
Binary file added Solutions/Box/Package/3.1.2.zip
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion Solutions/Box/Package/createUiDefinition.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Box. You can get Box data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Box Events (CCP). You can get Box Events (CCP) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
Expand Down
94 changes: 51 additions & 43 deletions Solutions/Box/Package/mainTemplate.json
View file
Open in desktop

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions Solutions/Box/ReleaseNotes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.1.2 | 29-10-2025 | Updated KQL queries in Workbook to use EventEndTime instead of TimeGenerated for time-based filtering |
| 3.1.1 | 10-02-2025 | Advancing CCP **Data Connector** from Public preview to Global Availability.|
| 3.1.0 | 06-12-2024 | Added new CCP **Data Connector** and modified **Parser**. |
| 3.0.1 | 18-08-2023 | Added text 'using Azure Functions' in **Data Connector** page. |
Expand Down
24 changes: 12 additions & 12 deletions Solutions/Box/Workbooks/Box.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BoxEvents\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"query": "BoxEvents\r\n| make-series TotalEvents = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events over time",
"timeContext": {
Expand Down Expand Up @@ -315,7 +315,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let files_1 = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where isnotempty(SourceFileName)\r\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\r\n| project TotalItems, FileName = SourceFileName;\r\nlet files_2 = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where isnotempty(SourceItemName)\r\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\r\n| project TotalItems, FileName = SourceItemName;\r\nlet known_files = (union files_1, files_2)\r\n| summarize makeset(FileName);\r\nBoxEvents\r\n| where TimeGenerated between (ago(24h) .. now())\r\n| where isnotempty(SourceFileName) \r\n| project FileName = SourceFileName\r\n| union (BoxEvents\r\n | where TimeGenerated between (ago(24h) .. now())\r\n | where isnotempty(SourceItemName)\r\n | project FileName = SourceItemName)\r\n| where FileName !in (known_files)\r\n| summarize dcount(FileName)\r\n\r\n",
"query": "let files_1 = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where isnotempty(SourceFileName)\r\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\r\n| project TotalItems, FileName = SourceFileName;\r\nlet files_2 = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where isnotempty(SourceItemName)\r\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\r\n| project TotalItems, FileName = SourceItemName;\r\nlet known_files = (union files_1, files_2)\r\n| summarize makeset(FileName);\r\nBoxEvents\r\n| where EventEndTime between (ago(24h) .. now())\r\n| where isnotempty(SourceFileName) \r\n| project FileName = SourceFileName\r\n| union (BoxEvents\r\n | where EventEndTime between (ago(24h) .. now())\r\n | where isnotempty(SourceItemName)\r\n | project FileName = SourceItemName)\r\n| where FileName !in (known_files)\r\n| summarize dcount(FileName)\r\n\r\n",
"size": 3,
"title": "New files (last 24h)",
"noDataMessage": "No new files during last 24h",
Expand Down Expand Up @@ -344,7 +344,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize Username = dcount(SourceName) by SourceName\r\n| project SourceName\r\n",
"query": "BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize Username = dcount(SourceName) by SourceName\r\n| project SourceName\r\n",
"size": 3,
"title": "Admin users",
"queryType": 0,
Expand Down Expand Up @@ -400,7 +400,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let admins = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize TotalActions = count() by SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n| summarize TotalActions = sum(TotalActions) by SourceName\r\n| join kind = inner (BoxEvents\r\n | where SourceName in (admins) or SrcUserName in (admins)\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions\r\n",
"query": "let admins = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize TotalActions = count() by SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n| summarize TotalActions = sum(TotalActions) by SourceName\r\n| join kind = inner (BoxEvents\r\n | where SourceName in (admins) or SrcUserName in (admins)\r\n | make-series Trend = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions\r\n",
"size": 3,
"title": "Admin users activity",
"timeContext": {
Expand Down Expand Up @@ -464,7 +464,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let admins = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize by EventType, SourceName\r\n| project Action = EventType, SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize max(TimeGenerated) by EventType, SrcUserName\r\n| project Action = EventType, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n",
"query": "let admins = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize by EventType, SourceName\r\n| project Action = EventType, SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize max(EventEndTime) by EventType, SrcUserName\r\n| project Action = EventType, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n",
"size": 1,
"title": "Latest admin activity",
"timeContext": {
Expand Down Expand Up @@ -604,7 +604,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BoxEvents\r\n| where EventType == 'LOGIN'\r\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\r\n| where LastLoginTime > ago(90d)",
"query": "BoxEvents\r\n| where EventType == 'LOGIN'\r\n| summarize LastLoginTime = max(EventEndTime) by SourceName\r\n| where LastLoginTime > ago(90d)",
"size": 0,
"title": "Inactive users",
"timeContext": {
Expand All @@ -625,7 +625,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let user_act1 = BoxEvents\r\n| where isnotempty(SourceName)\r\n| summarize TotalActions = count() by SourceName;\r\nlet user_act2 = BoxEvents\r\n| where isnotempty(SrcUserName)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet user_activity = (union user_act1, user_act2);\r\nuser_activity\r\n| join kind = inner (BoxEvents\r\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions",
"query": "let user_act1 = BoxEvents\r\n| where isnotempty(SourceName)\r\n| summarize TotalActions = count() by SourceName;\r\nlet user_act2 = BoxEvents\r\n| where isnotempty(SrcUserName)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet user_activity = (union user_act1, user_act2);\r\nuser_activity\r\n| join kind = inner (BoxEvents\r\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\r\n | make-series Trend = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions",
"size": 0,
"title": "Users activity over time",
"timeContext": {
Expand Down Expand Up @@ -693,7 +693,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BoxEvents\r\n| summarize Downloads = countif(EventType == \"DOWNLOAD\"), Uploads = countif(EventType == \"UPLOAD\") by bin_at(TimeGenerated, 1h, now())",
"query": "BoxEvents\r\n| summarize Downloads = countif(EventType == \"DOWNLOAD\"), Uploads = countif(EventType == \"UPLOAD\") by bin_at(EventEndTime, 1h, now())",
"size": 3,
"title": "Downloads/Uploads comparison",
"timeContext": {
Expand All @@ -713,7 +713,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BoxEvents\r\n| where EventType == 'DOWNLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\r\n| top 100 by TimeGenerated desc",
"query": "BoxEvents\r\n| where EventType == 'DOWNLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, EventEndTime\r\n| top 100 by EventEndTime desc",
"size": 0,
"title": "Latest downloaded items",
"timeContext": {
Expand All @@ -740,7 +740,7 @@
}
},
{
"columnMatch": "TimeGenerated",
"columnMatch": "EventEndTime",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
Expand All @@ -760,7 +760,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "BoxEvents\r\n| where EventType == 'UPLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\r\n| top 100 by TimeGenerated desc",
"query": "BoxEvents\r\n| where EventType == 'UPLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, EventEndTime\r\n| top 100 by EventEndTime desc",
"size": 0,
"title": "Latest uploaded items",
"timeContext": {
Expand All @@ -786,7 +786,7 @@
}
},
{
"columnMatch": "TimeGenerated",
"columnMatch": "EventEndTime",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
Expand Down
6 changes: 3 additions & 3 deletions Workbooks/WorkbooksMetadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4676,18 +4676,18 @@
"logoFileName": "box.svg",
"description": "Sets the time name for analysis",
"dataTypesDependencies": [
"BoxEvents_CL"
"BoxEvents"
],
"dataConnectorsDependencies": [
"BoxDataConnector"
"BoxEventsCCPDefinition"
],
"previewImagesFileNames": [
"BoxBlack1.png",
"BoxWhite1.png",
"BoxBlack2.png",
"BoxWhite2.png"
],
"version": "1.0.0",
"version": "1.0.1",
"title": "Box",
"templateRelativePath": "Box.json",
"subtitle": "",
Expand Down