Requestor upn is missing in azure file share event data

Naija R C 0 Reputation points
2023-01-23T13:42:02.7733333+00:00

Hi,

I am looking for retrieving user information from the REST API azure file share event's JSON object.

The required user details can be found using the Requestor/UPN value.

Reference link: documentation for Azure Files monitoring data reference

But while getting the REST API azure file share event's JSON object , I am not getting the Requestor/UPN value. So, What is the way to get Requestor/UPN parameter value in my event details? How to do that?

I have given the sample event details which I got for create file share event:

Create REST API event:

{
  "time": "2023-01-19T06:43:07.2821147Z",
  "resourceId": "XXXXX",
  "category": "StorageWrite",
  "operationName": "CreateFile",
  "operationVersion": "2015-02-21",
  "schemaVersion": "1.0",
  "statusCode": 201,
  "statusText": "Success",
  "durationMs": 76,
  "callerIpAddress": "XXXXX",
  "correlationId": "XXXXX",
  "identity": {
    "type": "SAS",
    "tokenHash": "key1(XXXXX),SasSignature(XXXXX)"
  },
  "location": "East US",
  "properties": {
    "accountName": "testaccount",
    "userAgentHeader": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
    "referrerHeader": "XXXXX",
    "clientRequestId": "XXXXX",
    "etag": "XXXXX",
    "serviceType": "file",
    "objectKey": "/testaccount",
    "lastModifiedTime": "1/19/2023 6:43:07 AM",
    "metricResponseType": "Success",
    "serverLatencyMs": 66,
    "requestHeaderSize": 932,
    "responseHeaderSize": 330,
    "tlsVersion": "TLS 1.2",
    "accessTier": "TransactionOptimized"
  },
  "uri": "XXXXX",
  "protocol": "HTTPS",
  "resourceType": "Microsoft.Storage/storageAccounts/fileServices"
}
Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
774 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
1,549 questions
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,642 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
1,399 questions
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
1,825 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. SaiKishor-MSFT 15,001 Reputation points Microsoft Employee
    2023-01-23T23:10:13.3333333+00:00

    @Naija R C we will only gather the UPN in certain criteria. In general, you should use callerip to track back down to a specific workstation. "

      "callerIpAddress": "XXXXX",
    
    

    If the user used SAS, they'll see an IP address. You'd get a UPN if using a supported Authentication type that pulls UPN like ADDS or AADDS, etc. If you connect via storageaccount/key or SAS then you'll get the Caller IP address.

    Hope this helps. Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.