Box Logs

Panther supports pulling logs directly from Box

Overview

Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.
For Panther to access the Box API, you will need to create a new Box App and provide its credentials to Panther.

How to onboard Box logs to Panther

Prerequisites

  • To read events from the entire enterprise account, the Box user performing the following steps must have full admin privileges on the account (not co-admin).
  • For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL shown on the Credentials page in Panther (Step 1 below); you will need it when configuring the Box App.

Step 1: Create a new Box source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
  2. Click Create New.
  3. Search for “Box,” then click its tile.
  4. On the slide-out panel, click Start Setup.
  5. On the next screen, enter a memorable name for the source, e.g., My Box logs.
  6. Click Setup.
  7. On the Credentials page, click Copy under Step 1 to copy your redirect URL.
     The Credentials page of the Box source setup flow has two steps: 1. Use the link below as the redirect URL in your App settings (the redirect URL is shown there), and 2. Fill in the credentials below (Client ID and Client Secret).
  8. Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve its Client ID and Client Secret.

Step 2: Create a new Box app in your Box Developer Console

  1. In a separate browser tab or window, log in to the Box Developer Console.
  2. Click Create New App.
     In the Box Developer Console's left sidebar, "My Apps" is highlighted; on the right is the "Create New App" link.
  3. Select Custom App for the app type, then click Next.
  4. Select User Authentication (OAuth 2.0), enter a memorable name for your app (e.g., Panther), then click Create App.
     In the Box Developer Console, a popup dialog labeled "Custom App" offers the option "User Authentication (OAuth 2.0)".
  5. In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL you copied from your Panther Console.
     In the Box Developer Console, the Configuration tab is selected and the "OAuth 2 Redirect URI" section is visible.
  6. In the Application Scopes section, make sure Manage enterprise properties is selected (it is not selected by default).
     In the Box Developer Console's "Application Scopes" section, three boxes are checked: "Read all files and folders stored in Box," "Read and write all files and folders stored in Box," and "Manage enterprise properties."
  7. Click Save Changes.

Step 3: Finalize Box onboarding in Panther

  1. In the Box Developer Console, navigate to the new app you created for Panther. In the Configuration tab, scroll down to the OAuth 2.0 Credentials section.
     On the Configuration page in the Box Developer Console, the "OAuth 2 Credentials" section holds the "Client ID" and "Client Secret" fields.
  2. Copy the Client ID and Client Secret credentials and paste them into the Credentials page in your Panther Console.
  3. Click Setup.
  4. Click Grant Access.
     • You will be redirected to Box.
  5. Click Grant Access to Box.
     • You will be redirected back to Panther.
  6. You will be directed to a success screen:
     The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account."
     • You can optionally enable one or more Detection Packs.
     • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
       The "Trigger an alert when no events are processed" toggle is set to YES, and the "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day.

Panther-Built Detections

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Box.Event

Contains events for the entire enterprise.
schema: Box.Event
parser:
  native:
    name: Box.Event
description: Contains events for the entire enterprise
referenceURL: https://developer.box.com/reference/get-events
fields:
  - name: additional_details
    description: This object provides additional information about the event if available.
    type: json
  - name: created_at
    description: The timestamp of the event
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: created_by
    description: The user that performed the action represented by the event.
    type: object
    fields:
      - name: id
        description: The unique identifier for this object
        type: string
      - name: type
        description: The object type
        type: string
      - name: login
        description: The primary email address of this user
        type: string
        indicators:
          - email
      - name: name
        description: The display name of this user
        type: string
  - name: event_id
    required: true
    description: The ID of the event object. You can use this to detect duplicate events
    type: string
  - name: event_type
    required: true
    description: The event type that triggered this event
    type: string
  - name: type
    required: true
    description: The object type (always 'event')
    type: string
  - name: source
    required: true
    description: The item that triggered this event
    type: object
    fields:
      - name: id
        description: The unique identifier for this object
        type: string
      - name: type
        description: The object type
        type: string
      - name: login
        description: The primary email address of this user
        type: string
        indicators:
          - email
      - name: name
        description: The display name of this user
        type: string
      - name: item_id
        description: The unique identifier that represents the item.
        type: string
      - name: item_name
        description: The name of the item.
        type: string
      - name: item_type
        description: The type of the item that the event represents. Can be file or folder.
        type: string
      - name: owned_by
        description: The user who owns this item.
        type: object
        fields:
          - name: id
            description: The unique identifier for this object
            type: string
          - name: type
            description: The object type
            type: string
          - name: login
            description: The primary email address of this user
            type: string
            indicators:
              - email
          - name: name
            description: The display name of this user
            type: string
      - name: parent
        description: The optional folder that this folder is located within.
        type: object
        fields:
          - name: etag
            description: The HTTP etag of this folder.
            type: string
          - name: id
            description: The unique identifier that represents a folder.
            type: string
          - name: type
            required: true
            description: The type of the object (always 'folder')
            type: string
          - name: name
            description: The name of the folder
            type: string
          - name: sequence_id
            description: A numeric identifier that represents the most recent user event that has been applied to this item.
            type: string
  - name: api_key
    description: The API key used for this action
    type: string
  - name: session_id
    description: The event type that triggered this event
    type: string
  - name: ip_address
    description: The IP address the request was made from.
    type: string
    indicators:
      - ip
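As an added example (not Panther's own code or part of this page), the following Python checks incoming records against the four fields the Box.Event schema marks required: true, reads created_at as the rfc3339 event time, and uses event_id to drop redelivered duplicates as the schema's event_id description suggests. The sample events are constructed, not real Box data.

```python
from datetime import datetime

# Fields marked "required: true" in the Box.Event schema above.
REQUIRED_FIELDS = ("event_id", "event_type", "type", "source")


def validate_box_event(event: dict) -> list[str]:
    """Return the problems found; an empty list means the required fields are present and well-typed."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in event]
    if "type" in event and event["type"] != "event":
        problems.append("type must be 'event'")          # schema: type is always 'event'
    if "source" in event and not isinstance(event["source"], dict):
        problems.append("source must be an object")      # schema: source is type object
    return problems


def event_time(event: dict) -> datetime:
    """created_at is rfc3339 and marked isEventTime; Python's fromisoformat handles the offset form."""
    return datetime.fromisoformat(event["created_at"])


def dedupe_events(events) -> list[dict]:
    """Keep the first occurrence of each event_id; the API can deliver the same event more than once."""
    seen = set()
    unique = []
    for ev in events:
        if ev["event_id"] not in seen:
            seen.add(ev["event_id"])
            unique.append(ev)
    return unique


def process(events) -> tuple:
    """Return (deduplicated valid events, one problem list per rejected record)."""
    valid, rejected = [], []
    for ev in events:
        problems = validate_box_event(ev)
        if problems:
            rejected.append(problems)
        else:
            valid.append(ev)
    return dedupe_events(valid), rejected


# Constructed sample events: a login, a redelivered copy of it, a file download, and a bad record.
SAMPLE_EVENTS = [
    {"event_id": "evt-1", "event_type": "LOGIN", "type": "event", "created_at": "2024-05-01T10:53:43-08:00",
     "created_by": {"login": "alice@example.com"}, "source": {"type": "user"}, "ip_address": "203.0.113.10"},
    {"event_id": "evt-1", "event_type": "LOGIN", "type": "event", "created_at": "2024-05-01T10:53:43-08:00",
     "source": {"type": "user"}},
    {"event_id": "evt-2", "event_type": "DOWNLOAD", "type": "event", "created_at": "2024-05-01T11:00:00-08:00",
     "source": {"item_type": "file", "item_name": "report.pdf"}},
    {"event_type": "UPLOAD", "type": "event"},
]
```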