Box Logs

Panther supports pulling logs directly from Box

Overview

Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.
For Panther to access the Box API, you will need to create a new Box App and provide its credentials to Panther.

How to onboard Box logs to Panther

Prerequisites

  • To read events from the entire enterprise account, the Box user performing the following steps must have full admin privileges on the account (not co-admin).
  • For security and availability reasons, we recommend creating a new Box App used solely by Panther. Make sure to copy the redirect URL from the Set Credentials page in Panther; you will paste it into the Box app's configuration.

Step 1: Create a new Box source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select Box from the list of available log sources. Click Start Source Setup.
  5. On the next screen, enter a memorable name for the source, e.g., My Box logs.
  6. Click Continue Setup.
  7. On the Set Credentials page, click Copy under Step 1 to copy your redirect URL.
  8. Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve the Client ID and Client Secret.

Step 2: Create a new Box app in your Box Developer Console

  1. In a separate browser tab or window, log in to the Box Developer Console.
  2. Click Create New App.
  3. Select Custom App for the app type, then click Next.
  4. Select User Authentication (OAuth 2.0), enter a memorable name for your app (e.g., Panther), then click Create App.
  5. In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL you copied from your Panther Console.
  6. In the Application Scopes section, make sure Manage enterprise properties is selected (it is not selected by default).
  7. Click Save Changes.

Step 3: Finalize Box onboarding in Panther

  1. In the Box Developer Console, navigate to the new app you created for Panther. In the Configuration tab, scroll down to the OAuth 2.0 Credentials section.
  2. Copy the Client ID and Client Secret credentials and paste them into the Set Credentials page in your Panther Console.
  3. Click Continue Setup.
  4. Click Grant Access.
     • You will be redirected to Box.
  5. Click Grant Access to Box.
     • You will be redirected back to Panther.
  6. Click Continue Setup.
     • You will be directed to a success screen.
  7. To finish the source setup:
     1. Optionally configure a log drop-off alarm.
        • Before you finish the setup, we recommend that you create a log drop-off alarm to alert you if data stops flowing from the log source. Be sure to set an appropriate time interval after which Panther should alert you that the log source is not sending data.
     2. Optionally enable a Detection Pack.
     3. Click Finish Setup.

Panther-Built Detections

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Box.Event

Contains events for the entire enterprise.
schema: Box.Event
parser:
  native:
    name: Box.Event
description: Contains events for the entire enterprise
referenceURL: https://developer.box.com/reference/get-events
version: 0
fields:
  - name: additional_details
    description: This object provides additional information about the event if available.
    type: json
  - name: created_at
    description: The timestamp of the event
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: created_by
    description: The user that performed the action represented by the event.
    type: object
    fields:
      - name: id
        description: The unique identifier for this object
        type: string
      - name: type
        description: The object type
        type: string
      - name: login
        description: The primary email address of this user
        type: string
        indicators:
          - email
      - name: name
        description: The display name of this user
        type: string
  - name: event_id
    required: true
    description: The ID of the event object. You can use this to detect duplicate events
    type: string
  - name: event_type
    required: true
    description: The event type that triggered this event
    type: string
  - name: type
    required: true
    description: The object type (always 'event')
    type: string
  - name: source
    required: true
    description: The item that triggered this event
    type: object
    fields:
      - name: id
        description: The unique identifier for this object
        type: string
      - name: type
        description: The object type
        type: string
      - name: login
        description: The primary email address of this user
        type: string
        indicators:
          - email
      - name: name
        description: The display name of this user
        type: string
      - name: item_id
        description: The unique identifier that represents the item.
        type: string
      - name: item_name
        description: The name of the item.
        type: string
      - name: item_type
        description: The type of the item that the event represents. Can be file or folder.
        type: string
      - name: owned_by
        description: The user who owns this item.
        type: object
        fields:
          - name: id
            description: The unique identifier for this object
            type: string
          - name: type
            description: The object type
            type: string
          - name: login
            description: The primary email address of this user
            type: string
            indicators:
              - email
          - name: name
            description: The display name of this user
            type: string
      - name: parent
        description: The optional folder that this folder is located within.
        type: object
        fields:
          - name: etag
            description: The HTTP etag of this folder.
            type: string
          - name: id
            description: The unique identifier that represents a folder.
            type: string
          - name: type
            required: true
            description: The type of the object (always 'folder')
            type: string
          - name: name
            description: The name of the folder
            type: string
      - name: sequence_id
        description: A numeric identifier that represents the most recent user event that has been applied to this item.
        type: string
  - name: api_key
    description: The API key used for this action
    type: string
  - name: session_id
    description: The event type that triggered this event
    type: string
  - name: ip_address
    description: The IP address the request was made from.
    type: string
    indicators:
      - ip
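The following is an added example and not Panther's own code or a Panther-built detection: a Panther-style Python rule (the `rule`, `title` and `dedup` functions Panther rules expose) written against records shaped like the Box.Event schema above, together with the event_id-based de-duplication that the `event_id` field description suggests. The sample records, the `CORPORATE_NETWORKS` allowlist and the `DOWNLOAD` trigger are constructed assumptions for the example; `deep_get` is a local stand-in for Panther's helper of the same name, so the block runs on plain dicts.

```python
"""Added example (not Panther's code): a Panther-style rule over Box.Event
records plus event_id de-duplication, using the schema fields on this page."""
import ipaddress
from datetime import datetime, timezone

# Constructed allowlist of corporate egress networks (assumption for the example).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample records shaped after the Box.Event schema. The second
# record repeats the first's event_id, as a re-delivered event would.
SAMPLE_EVENTS = [
    {
        "type": "event", "event_id": "evt-0001", "event_type": "DOWNLOAD",
        "created_at": "2024-05-01T13:45:10-07:00",
        "created_by": {"id": "1001", "type": "user", "login": "alice@example.com", "name": "Alice"},
        "source": {"item_id": "5555", "item_name": "board-deck.pdf", "item_type": "file",
                   "owned_by": {"id": "1002", "type": "user", "login": "bob@example.com", "name": "Bob"},
                   "parent": {"type": "folder", "id": "42", "name": "Finance"}},
        "ip_address": "203.0.113.77", "session_id": "sess-a",
    },
    {
        "type": "event", "event_id": "evt-0001", "event_type": "DOWNLOAD",
        "created_at": "2024-05-01T13:45:10-07:00",
        "created_by": {"id": "1001", "type": "user", "login": "alice@example.com", "name": "Alice"},
        "source": {"item_id": "5555", "item_name": "board-deck.pdf", "item_type": "file"},
        "ip_address": "203.0.113.77", "session_id": "sess-a",
    },
    {
        "type": "event", "event_id": "evt-0002", "event_type": "DOWNLOAD",
        "created_at": "2024-05-01T14:02:00-07:00",
        "created_by": {"id": "1003", "type": "user", "login": "carol@example.com", "name": "Carol"},
        "source": {"item_id": "5556", "item_name": "handbook.pdf", "item_type": "file"},
        "ip_address": "10.20.0.5", "session_id": "sess-b",
    },
    {
        "type": "event", "event_id": "evt-0003", "event_type": "LOGIN",
        "created_at": "2024-05-01T14:05:00-07:00",
        "created_by": {"id": "1001", "type": "user", "login": "alice@example.com", "name": "Alice"},
        "source": {"id": "1001", "type": "user", "login": "alice@example.com", "name": "Alice"},
        "ip_address": "203.0.113.77", "session_id": "sess-c",
    },
]


def deep_get(obj, *keys, default=None):
    """Stand-in for Panther's deep_get helper: walk nested dicts without KeyError."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def rule(event):
    """Alert on a file DOWNLOAD whose request did not come from a corporate network."""
    if event.get("event_type") != "DOWNLOAD":
        return False
    if deep_get(event, "source", "item_type") != "file":
        return False
    ip = event.get("ip_address")
    if not ip:
        return True  # nothing vouches for the request's origin; surface it
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable address: do not silently treat it as allowlisted
    return not any(addr in net for net in CORPORATE_NETWORKS)


def title(event):
    actor = deep_get(event, "created_by", "login", default="<unknown user>")
    item = deep_get(event, "source", "item_name", default="<unknown item>")
    return f"Box file download of {item} by {actor} from {event.get('ip_address', '<no ip>')}"


def dedup(event):
    """Panther groups alerts by this string; key on actor and item so one burst is one alert."""
    return f"{deep_get(event, 'created_by', 'id')}:{deep_get(event, 'source', 'item_id')}"


def event_time_utc(event):
    """created_at is rfc3339 with an offset; normalise to UTC as isEventTime implies."""
    return datetime.fromisoformat(event["created_at"]).astimezone(timezone.utc)


def evaluate(records):
    """Replay records once each (duplicate event_ids dropped) and return alerts."""
    seen, alerts = set(), []
    for rec in records:
        eid = rec.get("event_id")
        if eid in seen:
            continue
        seen.add(eid)
        if rule(rec):
            alerts.append((event_time_utc(rec).isoformat(), title(rec), dedup(rec)))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for the first record: the re-delivered copy is dropped on `event_id`, the download from 10.20.0.5 is inside the allowlist, and the LOGIN event never matches. Note that the rule deliberately fires on a missing or malformed `ip_address` rather than treating it as trusted.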