Box Logs
Panther supports pulling logs directly from Box
Overview
Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.
For Panther to access the Box API, you will need to create a new Box App and provide its credentials to Panther.
How to onboard Box logs to Panther
Prerequisites
To read events from the entire enterprise account, the Box user performing the following steps must have full admin priviledges on the account (not co-admin).
For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL from this page.
Step 1: Create a new Box source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Box,” then click its tile.
On the slide-out panel, click Start Setup.
On the next screen, enter a memorable name for the source e.g.,
My Box logs.Click Setup.
On the Credentials page, click Copy under Step 1 to copy your redirect URL.
Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve the Client ID and Client Secret.
Step 2: Create a new Box app in your Box Developer Console
In a separate browser tab or window, log in to the Box Developer Console.
Click Create New App.
Select Custom App for the app type then click Next.
Select User Authentication (OAuth 2.0), enter a memorable name for your app (e.g.
Panther), then click Create App.
In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL you copied from your Panther console.
On the Application Scopes section make sure Manage enterprise properties is selected (it is not selected by default).
Click Save Changes.
Step 3: Finalize Box onboarding in Panther
In the Box Developer console, navigate to the new app you created for Panther. In the Configuration tab, scroll down to the OAuth 2.0 Credentials section.
Copy the Client ID and Client Secret credentials and paste them into the Credentials page in your Panther Console.
Click Setup.
Click Grant Access.
You will be redirected to Box.
Click Grant Access to Box.
You will be redirected back to Panther.
You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-Built Detections
See Panther's built in rules for Box in panther-analysis on Github.
Supported log types
Box.Event
Contains events for the entire enterprise.
Reference: Box Documentation on List User and Enterprise Events.
schema: Box.Event
parser:
native:
name: Box.Event
description: Contains events for the entire enterprise
referenceURL: https://developer.box.com/reference/get-events
fields:
- name: additional_details
description: This object provides additional information about the event if available.
type: json
- name: created_at
description: The timestamp of the event
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: created_by
description: The user that performed the action represented by the event.
type: object
fields:
- name: id
description: The unique identifier for this object
type: string
- name: type
description: The object type
type: string
- name: login
description: The primary email address of this user
type: string
indicators:
- email
- name: name
description: The display name of this user
type: string
- name: event_id
required: true
description: The ID of the event object. You can use this to detect duplicate events
type: string
- name: event_type
required: true
description: The event type that triggered this event
type: string
- name: type
required: true
description: The object type (always 'event')
type: string
- name: source
required: true
description: The item that triggered this event
type: object
fields:
- name: id
description: The unique identifier for this object
type: string
- name: type
description: The object type
type: string
- name: login
description: The primary email address of this user
type: string
indicators:
- email
- name: name
description: The display name of this user
type: string
- name: item_id
description: The unique identifier that represents the item.
type: string
- name: item_name
description: The name of the item.
type: string
- name: item_type
description: The type of the item that the event represents. Can be file or folder.
type: string
- name: owned_by
description: The user who owns this item.
type: object
fields:
- name: id
description: The unique identifier for this object
type: string
- name: type
description: The object type
type: string
- name: login
description: The primary email address of this user
type: string
indicators:
- email
- name: name
description: The display name of this user
type: string
- name: parent
description: The optional folder that this folder is located within.
type: object
fields:
- name: etag
description: The HTTP etag of this folder.
type: string
- name: id
description: The unique identifier that represent a folder.
type: string
- name: type
required: true
description: The type of the object (always 'folder')
type: string
- name: name
description: The name of the folder
type: string
- name: sequence_id
description: A numeric identifier that represents the most recent user event that has been applied to this item.
type: string
- name: api_key
description: The API key used for this action
type: string
- name: session_id
description: The event type that triggered this event
type: string
- name: ip_address
description: The IP address the request was made from.
type: string
indicators:
- ipLast updated
Was this helpful?