Requestor upn is missing in azure file share event data

Naija R C 0 Reputation points
2023-01-23T13:42:02.7733333+00:00

Hi,

I am looking for retrieving user information from the REST API azure file share event's JSON object.

The required user details can be found using the Requestor/UPN value.

Reference link: documentation for Azure Files monitoring data reference

But while getting the REST API azure file share event's JSON object , I am not getting the Requestor/UPN value. So, What is the way to get Requestor/UPN parameter value in my event details? How to do that?

I have given the sample event details which I got for create file share event:

Create REST API event:

{
  "time": "2023-01-19T06:43:07.2821147Z",
  "resourceId": "XXXXX",
  "category": "StorageWrite",
  "operationName": "CreateFile",
  "operationVersion": "2015-02-21",
  "schemaVersion": "1.0",
  "statusCode": 201,
  "statusText": "Success",
  "durationMs": 76,
  "callerIpAddress": "XXXXX",
  "correlationId": "XXXXX",
  "identity": {
    "type": "SAS",
    "tokenHash": "key1(XXXXX),SasSignature(XXXXX)"
  },
  "location": "East US",
  "properties": {
    "accountName": "testaccount",
    "userAgentHeader": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
    "referrerHeader": "XXXXX",
    "clientRequestId": "XXXXX",
    "etag": "XXXXX",
    "serviceType": "file",
    "objectKey": "/testaccount",
    "lastModifiedTime": "1/19/2023 6:43:07 AM",
    "metricResponseType": "Success",
    "serverLatencyMs": 66,
    "requestHeaderSize": 932,
    "responseHeaderSize": 330,
    "tlsVersion": "TLS 1.2",
    "accessTier": "TransactionOptimized"
  },
  "uri": "XXXXX",
  "protocol": "HTTPS",
  "resourceType": "Microsoft.Storage/storageAccounts/fileServices"
}
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,682 questions
Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,105 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,533 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,278 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,689 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. SaiKishor-MSFT 17,141 Reputation points
    2023-01-23T23:10:13.3333333+00:00

    @Naija R C we will only gather the UPN in certain criteria. In general, you should use callerip to track back down to a specific workstation. "

      "callerIpAddress": "XXXXX",
    
    

    If the user used SAS, they'll see an IP address. You'd get a UPN if using a supported Authentication type that pulls UPN like ADDS or AADDS, etc. If you connect via storageaccount/key or SAS then you'll get the Caller IP address.

    Hope this helps. Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.