Box Logs
Panther supports pulling logs directly from Box

Overview

Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.
For Panther to access the Box API, you will need to create a new Box App and provide its credentials to Panther.

How to onboard Box logs to Panther

Prerequisites

  • To read events from the entire enterprise account, the Box user performing the following steps must have full admin privileges on the account (not co-admin).
  • For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL from this page.

Step 1: Create a new Box source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Integrations > Log Sources.
  3. Click Create New.
  4. Select Box from the list of available log sources. Click Start Source Setup.
  5. On the next screen, enter a memorable name for the source, e.g., My Box logs.
  6. Click Continue Setup.
  7. On the Set Credentials page, click Copy under Step 1 to copy your redirect URL.
  8. Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve the Client ID and Client Secret.

Step 2: Create a new Box app in your Box Developer Console

  1. In a separate browser tab or window, log in to the Box Developer Console.
  2. Click Create New App.
  3. Select Custom App for the app type, then click Next.
  4. Select User Authentication (OAuth 2.0), enter a memorable name for your app (e.g., Panther), then click Create App.
  5. In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL you copied from your Panther Console.
  6. In the Application Scopes section, make sure Manage enterprise properties is selected (it is not selected by default).
  7. Click Save Changes.

Step 3: Finalize Box onboarding in Panther

  1. In the Box Developer Console, navigate to the new app you created for Panther. In the Configuration tab, scroll down to the OAuth 2.0 Credentials section.
  2. Copy the Client ID and Client Secret credentials and paste them into the Set Credentials page in your Panther Console.
  3. Click Continue Setup.
  4. Click Grant Access.
     • You will be redirected to Box.
  5. Click Grant Access to Box.
     • You will be redirected back to Panther.
  6. Click Continue Setup.
  7. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval.
  8. Click Finish Setup.

Panther-Built Detections

The following detections are available for use immediately:
  • Access Granted
  • Anomalous Download
  • Brute Force Login
  • Event Triggered Externally
  • Item Shared Externally
  • Malicious Content
  • New Login
  • Policy Violation
  • Suspicious Login or Session
  • Untrusted Device
  • User Downloads
  • User Permission Updates
Please look at the code and corresponding metadata in the box_rules repository to see how these are built.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Box.Event

Contains events for the entire enterprise.
schema: Box.Event
parser:
  native:
    name: Box.Event
description: Contains events for the entire enterprise
referenceURL: https://developer.box.com/reference/get-events
version: 0
fields:
  - name: additional_details
    description: This object provides additional information about the event if available.
    type: json
  - name: created_at
    description: The timestamp of the event
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: created_by
    description: The user that performed the action represented by the event.
    type: object
    fields:
      - name: id
        description: The unique identifier for this object
        type: string
      - name: type
        description: The object type
        type: string
      - name: login
        description: The primary email address of this user
        type: string
        indicators:
          - email
      - name: name
        description: The display name of this user
        type: string
  - name: event_id
    required: true
    description: The ID of the event object. You can use this to detect duplicate events
    type: string
  - name: event_type
    required: true
    description: The event type that triggered this event
    type: string
  - name: type
    required: true
    description: The object type (always 'event')
    type: string
  - name: source
    required: true
    description: The item that triggered this event
    type: object
    fields:
      - name: id
        description: The unique identifier for this object
        type: string
      - name: type
        description: The object type
        type: string
      - name: login
        description: The primary email address of this user
        type: string
        indicators:
          - email
      - name: name
        description: The display name of this user
        type: string
      - name: item_id
        description: The unique identifier that represents the item.
        type: string
      - name: item_name
        description: The name of the item.
        type: string
      - name: item_type
        description: The type of the item that the event represents. Can be file or folder.
        type: string
      - name: owned_by
        description: The user who owns this item.
        type: object
        fields:
          - name: id
            description: The unique identifier for this object
            type: string
          - name: type
            description: The object type
            type: string
          - name: login
            description: The primary email address of this user
            type: string
            indicators:
              - email
          - name: name
            description: The display name of this user
            type: string
      - name: parent
        description: The optional folder that this folder is located within.
        type: object
        fields:
          - name: etag
            description: The HTTP etag of this folder.
            type: string
          - name: id
            description: The unique identifier that represents a folder.
            type: string
          - name: type
            required: true
            description: The type of the object (always 'folder')
            type: string
          - name: name
            description: The name of the folder
            type: string
          - name: sequence_id
            description: A numeric identifier that represents the most recent user event that has been applied to this item.
            type: string
  - name: api_key
    description: The API key used for this action
    type: string
  - name: session_id
    description: The event type that triggered this event
    type: string
  - name: ip_address
    description: The IP address the request was made from.
    type: string
    indicators:
      - ip
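The example below is added here to show how the Box.Event fields above can be consumed by a detection; it is not Panther's rule code and not taken from the box_rules repository. It assumes the Box Events API emits the event_type values FAILED_LOGIN and LOGIN, uses event_id to drop duplicate deliveries as the schema suggests, parses the rfc3339 created_at timestamp, and counts failed logins per created_by.login inside a sliding time window. The events are constructed samples, not real Box output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Box.Event records: only the fields this example reads are
# populated, following the Box.Event schema. The second record repeats
# event_id "e1" to simulate a duplicate delivery from the Events API.
SAMPLE_EVENTS = [
    {"event_id": "e1", "event_type": "FAILED_LOGIN", "created_at": "2024-01-01T10:00:00Z",
     "created_by": {"login": "alice@example.com"}, "ip_address": "203.0.113.5"},
    {"event_id": "e1", "event_type": "FAILED_LOGIN", "created_at": "2024-01-01T10:00:00Z",
     "created_by": {"login": "alice@example.com"}, "ip_address": "203.0.113.5"},
    {"event_id": "e2", "event_type": "FAILED_LOGIN", "created_at": "2024-01-01T10:01:00Z",
     "created_by": {"login": "alice@example.com"}, "ip_address": "203.0.113.5"},
    {"event_id": "e3", "event_type": "FAILED_LOGIN", "created_at": "2024-01-01T10:02:00Z",
     "created_by": {"login": "alice@example.com"}, "ip_address": "203.0.113.5"},
    {"event_id": "e4", "event_type": "LOGIN", "created_at": "2024-01-01T10:03:00Z",
     "created_by": {"login": "alice@example.com"}, "ip_address": "203.0.113.5"},
    {"event_id": "e5", "event_type": "FAILED_LOGIN", "created_at": "2024-01-01T12:00:00Z",
     "created_by": {"login": "bob@example.com"}, "ip_address": "198.51.100.7"},
]


def parse_created_at(value):
    """Parse the schema's rfc3339 created_at (Z suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per login that reaches `threshold` FAILED_LOGIN events
    inside `window`. Duplicate event_ids are ignored; the per-login counter is
    reset after an alert so a long burst does not alert on every event."""
    seen_ids = set()
    recent = defaultdict(deque)  # login -> timestamps of recent failed logins
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid in seen_ids:
            continue  # event_id is the dedup key the schema describes
        seen_ids.add(eid)
        if ev.get("event_type") != "FAILED_LOGIN":
            continue
        login = (ev.get("created_by") or {}).get("login", "unknown")
        ts = parse_created_at(ev["created_at"])
        q = recent[login]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell outside the window
        if len(q) >= threshold:
            alerts.append({"login": login, "ip_address": ev.get("ip_address"),
                           "count": len(q), "last_event_id": eid})
            q.clear()
    return alerts
```

In Panther the threshold and window would normally be expressed as rule metadata (Threshold and DedupPeriodMinutes) around a per-event rule function; the windowing is written out here only to make the schema fields' roles visible offline.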