Panther has the ability to fetch Dropbox events by querying the . Panther will specifically monitor the following Dropbox team events:
User logging in or out of Dropbox (including device information)
Changing a user's role in Dropbox
Adding, editing, viewing, and sharing files and folders and by whom
Creating and sharing links within your team
Prerequisites
The Dropbox user authorizing this integration must have the "Team Admin" role credentials.
How to onboard Dropbox logs to Panther
Step 1: Create a new Dropbox log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > LogSources.
Click Create New.
Select Dropbox from the list of available log sources.
Click Start Source Setup.
Enter a name for the source e.g., My Dropbox logs.
Click Setup.
On the "Set Credentials" page, copy the URL provided and store it in a secure location. You will need this in the next steps.
Step 2: Create a new app in Dropbox
Click Create App.
On the "Create a new app on the DBX Platform" page, fill out the fields:
Choose an API:Select Scoped Access.
Choose the type of access you need: Select Full Dropbox.
Name your app: Enter a descriptive name for your application.
When you are redirected to the app Settings panel, paste in the Redirect URI that you copied from the Panther Console earlier in this documentation, and click Add next to it.
Navigate to the Permissions tabat the top of the page.
Click Submit in the bar at the bottom of the page.
Navigate back to the Settings tab at the top of the page.
On the Settings tab, copy the App Key and App Secret values and store them in a secure location. You will need these in the next steps.
Step 3: Finalize the log source in Panther
Navigate back to the Panther Console on the "Set Credentials" page where you left off in the earlier steps.
Paste your App Key from Dropbox into the Client ID field.
Paste your App Secret from Dropbox into the Client Secret field.
Click Setup.
On the "Verify Setup" page, click Grant Access.
You will be redirected to a Dropbox page to install your app.
Click Allow.
In Panther, you will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Dropbox.TeamEvent
Contains events for an entire team's activity and provides information about how your team is using Dropbox.
schema: Dropbox.TeamEvent
parser:
native:
name: Dropbox.TeamEvent
description: Dropbox events help you monitor what is going on with you files and Dropbox environment as a whole.
referenceURL: https://www.dropbox.com/developers/documentation/http/teams#team_log-get_events
fields:
- name: timestamp
required: true
description: Timestamp for the event
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: event_category
required: true
description: The category that this type of action belongs to
type: object
fields:
- name: .tag
required: true
description: Tag of the category
type: string
- name: event_type
required: true
description: The particular type of action taken
type: object
fields:
- name: .tag
required: true
description: Tag of the action
type: string
- name: description
description: Description of the action
type: string
- name: details
required: true
description: The variable event schema applicable to this type of action, instantiated with respect to this particular action
type: json
- name: actor
description: The entity who actually performed the action
type: object
fields:
- name: .tag
description: Tag of the actor
type: string
- name: admin
description: The admin who did the action
type: object
fields:
- name: .tag
description: Tag of the member type
type: string
- name: account_id
description: User unique ID
type: string
- name: display_name
description: User display name
type: string
indicators:
- username
- name: email
description: User email address
type: string
indicators:
- email
- name: team_member_id
description: Team member ID
type: string
- name: member_external_id
description: Team member external ID
type: string
- name: team
description: Details about this user's team for enterprise event
type: object
fields:
- name: display_name
description: Team display name
type: string
- name: trusted_non_team_member_type
description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
type: object
fields:
- name: .tag
description: Tag of the type
type: string
- name: app
description: The application who did the action
type: object
fields:
- name: app_id
description: App unique ID
type: string
- name: display_name
description: App display name
type: string
- name: reseller
description: Action done by reseller
type: object
fields:
- name: reseller_name
description: Reseller name
type: string
indicators:
- username
- name: reseller_email
description: Reseller email
type: string
indicators:
- email
- name: user
description: The user who did the action
type: object
fields:
- name: .tag
description: Tag of the member type
type: string
- name: account_id
description: User unique ID
type: string
- name: display_name
description: User display name
type: string
indicators:
- username
- name: email
description: User email address
type: string
indicators:
- email
- name: team_member_id
description: Team member ID
type: string
- name: member_external_id
description: Team member external ID
type: string
- name: team
description: Details about this user's team for enterprise event
type: object
fields:
- name: display_name
description: Team display name
type: string
- name: trusted_non_team_member_type
description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
type: object
fields:
- name: .tag
description: Tag of the type
type: string
- name: origin
description: The origin from which the actor performed the action
type: object
fields:
- name: access_method
description: Indicates the method in which the action was performed
type: json
- name: geo_location
description: Geographic location details
type: object
fields:
- name: ip_address
description: IP address
type: string
indicators:
- ip
- name: city
description: City nme
type: string
- name: region
description: Region name
type: string
- name: country
description: Country code
type: string
- name: involve_non_team_member
description: True if the action involved a non team member either as the actor or as one of the affected users
type: boolean
- name: context
description: The user or team on whose behalf the actor performed the action
type: object
fields:
- name: .tag
description: Tag of the member type
type: string
- name: account_id
description: User unique ID
type: string
- name: display_name
description: User display name
type: string
indicators:
- username
- name: email
description: User email address
type: string
indicators:
- email
- name: team_member_id
description: Team member ID
type: string
- name: member_external_id
description: Team member external ID
type: string
- name: team
description: Details about this user's team for enterprise event
type: object
fields:
- name: display_name
description: Team display name
type: string
- name: trusted_non_team_member_type
description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
type: object
fields:
- name: .tag
description: Tag of the type
type: string
- name: participants
description: Zero or more users and/or groups that are affected by the action. Note that this list doesn't include any actors or users in context
type: array
element:
type: object
fields:
- name: group
description: Group details
type: object
fields:
- name: display_name
description: The name of this group
type: string
- name: group_id
description: The unique ID of this group
type: string
- name: external_id
description: External group ID
type: string
- name: user
description: A user with a Dropbox account
type: object
fields:
- name: .tag
description: Tag of the member type
type: string
- name: account_id
description: User unique ID
type: string
- name: display_name
description: User display name
type: string
indicators:
- username
- name: email
description: User email address
type: string
indicators:
- email
- name: team_member_id
description: Team member ID
type: string
- name: member_external_id
description: Team member external ID
type: string
- name: team
description: Details about this user's team for enterprise event
type: object
fields:
- name: display_name
description: Team display name
type: string
- name: trusted_non_team_member_type
description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
type: object
fields:
- name: .tag
description: Tag of the type
type: string
- name: assets
description: Zero or more content assets involved in the action
type: array
element:
type: json
In a separate browser tab or window, log in to your business Dropbox account and navigate to the .
Click Create app.
Under the "Team Scopes" section, check the boxes next to team_data.member and events.read.
