Box Logs

Panther supports pulling logs directly from Box.

Overview

Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.

For Panther to access the Box API, you will need to create a new Box App and provide its credentials to Panther.

How to onboard Box logs to Panther

Prerequisites

  • To read events from the entire enterprise account, the Box user performing the following steps must have full admin privileges on the account (not co-admin).

  • For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL from this page.

Step 1: Create a new Box source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Box,” then click its tile.

  4. On the slide-out panel, click Start Setup.

  5. On the next screen, enter a memorable name for the source, e.g., My Box logs.

  6. Click Setup.

  7. Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve the Client ID and Client Secret.

Step 2: Create a new Box app in your Box Developer Console

  1. In a separate browser tab or window, log in to the Box Developer Console.

  2. Select Custom App for the app type then click Next.

  3. Click Save Changes.

Step 3: Finalize Box onboarding in Panther

  1. Copy the Client ID and Client Secret credentials and paste them into the Credentials page in your Panther Console.

  2. Click Setup.

  3. Click Grant Access.

    • You will be redirected to Box.

  4. Click Grant Access to Box.

    • You will be redirected back to Panther.

  5. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-Built Detections

See Panther's built-in rules for Box in panther-analysis on GitHub.

Supported log types

Box.Event

Contains events for the entire enterprise.

Reference: Box Documentation on List User and Enterprise Events.

schema: Box.Event
parser:
    native:
        name: Box.Event
description: Contains events for the entire enterprise
referenceURL: https://developer.box.com/reference/get-events
fields:
    - name: additional_details
      description: This object provides additional information about the event if available.
      type: json
    - name: created_at
      description: The timestamp of the event
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: created_by
      description: The user that performed the action represented by the event.
      type: object
      fields:
        - name: id
          description: The unique identifier for this object
          type: string
        - name: type
          description: The object type
          type: string
        - name: login
          description: The primary email address of this user
          type: string
          indicators:
            - email
        - name: name
          description: The display name of this user
          type: string
    - name: event_id
      required: true
      description: The ID of the event object. You can use this to detect duplicate events
      type: string
    - name: event_type
      required: true
      description: The event type that triggered this event
      type: string
    - name: type
      required: true
      description: The object type (always 'event')
      type: string
    - name: source
      required: true
      description: The item that triggered this event
      type: object
      fields:
        - name: id
          description: The unique identifier for this object
          type: string
        - name: type
          description: The object type
          type: string
        - name: login
          description: The primary email address of this user
          type: string
          indicators:
            - email
        - name: name
          description: The display name of this user
          type: string
        - name: item_id
          description: The unique identifier that represents the item.
          type: string
        - name: item_name
          description: The name of the item.
          type: string
        - name: item_type
          description: The type of the item that the event represents. Can be file or folder.
          type: string
        - name: owned_by
          description: The user who owns this item.
          type: object
          fields:
            - name: id
              description: The unique identifier for this object
              type: string
            - name: type
              description: The object type
              type: string
            - name: login
              description: The primary email address of this user
              type: string
              indicators:
                - email
            - name: name
              description: The display name of this user
              type: string
        - name: parent
          description: The optional folder that this folder is located within.
          type: object
          fields:
            - name: etag
              description: The HTTP etag of this folder.
              type: string
            - name: id
              description: The unique identifier that represents a folder.
              type: string
            - name: type
              required: true
              description: The type of the object (always 'folder')
              type: string
            - name: name
              description: The name of the folder
              type: string
            - name: sequence_id
              description: A numeric identifier that represents the most recent user event that has been applied to this item.
              type: string
        - name: api_key
          description: The API key used for this action
          type: string
    - name: session_id
      description: The session of the user that performed the action. Not all events populate this value.
      type: string
    - name: ip_address
      description: The IP address the request was made from.
      type: string
      indicators:
        - ip
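The schema above states a few hard requirements that a consumer can check before trusting a record: event_id, event_type, type and source are required, type is always 'event', created_at is an RFC 3339 timestamp flagged as the event time, event_id can be used to detect duplicates, and the login and ip_address fields are tagged as email and ip indicators. The following added example (not Panther's or Box's own code) parses constructed Box.Event-shaped records, validates them against those requirements, de-duplicates on event_id, extracts the indicators, and evaluates a Panther-style rule(event) function over the survivors. The sample records, the DOWNLOAD and FAILED_LOGIN event_type values, the email addresses and the IPs are all constructed for illustration; the event is passed as a plain dict rather than Panther's event object.

```python
"""Added example, not Panther's own code: validate, de-duplicate and evaluate
Box.Event-shaped records using the field names from the schema above."""
from datetime import datetime, timezone
import ipaddress

REQUIRED_FIELDS = ("event_id", "event_type", "type", "source")  # 'required: true' in the schema


def deep_get(obj, *keys, default=None):
    """Walk nested dicts without raising (same idea as Panther's deep_get helper)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def event_time(event):
    """created_at is the isEventTime field; normalise it to an aware UTC datetime."""
    raw = event["created_at"]
    # fromisoformat() on Python < 3.11 rejects a trailing 'Z', so map it to +00:00
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate(event):
    """Return a list of schema problems; an empty list means the record is acceptable."""
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in event]
    if "type" in event and event["type"] != "event":
        problems.append("type must be 'event'")
    if "created_at" in event:
        try:
            event_time(event)
        except (ValueError, AttributeError):
            problems.append("created_at is not RFC 3339")
    if "ip_address" in event:
        try:
            ipaddress.ip_address(event["ip_address"])
        except ValueError:
            problems.append("ip_address is not a valid IP")
    return problems


def indicators(event):
    """Collect the fields the schema tags as indicators: email logins and ip_address."""
    emails = set()
    for path in (("created_by", "login"), ("source", "login"), ("source", "owned_by", "login")):
        login = deep_get(event, *path)
        if login:
            emails.add(login)
    ips = {event["ip_address"]} if event.get("ip_address") else set()
    return {"emails": emails, "ips": ips}


def dedupe(events):
    """event_id identifies the event object; keep the first copy of each id."""
    seen, unique = set(), []
    for ev in events:
        if ev.get("event_id") not in seen:
            seen.add(ev.get("event_id"))
            unique.append(ev)
    return unique


def rule(event):
    """Panther-style rule: fire when someone downloads a file they do not own.
    'DOWNLOAD' is an assumed event_type value used for illustration."""
    if event.get("event_type") != "DOWNLOAD":
        return False
    actor = deep_get(event, "created_by", "login")
    owner = deep_get(event, "source", "owned_by", "login")
    return bool(actor and owner and actor != owner)


def process(events):
    """Validate, de-duplicate and evaluate a batch; return a summary to assert on."""
    valid, invalid, alerts = [], {}, []
    for ev in dedupe(events):
        problems = validate(ev)
        if problems:
            invalid[ev.get("event_id")] = problems
            continue
        valid.append(ev)
        if rule(ev):
            alerts.append(ev["event_id"])
    return {"valid": valid, "invalid": invalid, "alerts": alerts}


# Constructed sample records shaped like Box.Event; not real Box output.
_ALICE = {"id": "11111", "type": "user", "login": "alice@example.com", "name": "Alice"}
_BOB = {"id": "22222", "type": "user", "login": "bob@example.com", "name": "Bob"}
_DOWNLOAD = {"type": "event", "event_id": "evt-0001", "event_type": "DOWNLOAD",
             "created_at": "2024-05-01T12:00:00-07:00", "created_by": _ALICE,
             "source": {"item_id": "f-123", "item_name": "budget.xlsx", "item_type": "file",
                        "owned_by": _BOB, "parent": {"type": "folder", "id": "0", "name": "All Files"}},
             "session_id": "sess-1", "ip_address": "203.0.113.10", "additional_details": {}}
SAMPLE_EVENTS = [
    _DOWNLOAD,
    dict(_DOWNLOAD),  # duplicate delivery of the same event_id
    {"type": "event", "event_id": "evt-0002", "event_type": "FAILED_LOGIN",
     "created_at": "2024-05-01T19:05:00Z", "created_by": _ALICE, "source": _ALICE,
     "ip_address": "198.51.100.7"},
    {"type": "event", "event_id": "evt-0003", "created_at": "yesterday",  # malformed record
     "source": {}, "ip_address": "not-an-ip"},
]

if __name__ == "__main__":
    summary = process(SAMPLE_EVENTS)
    print(len(summary["valid"]), "valid;", summary["invalid"], "; alerts:", summary["alerts"])
```

The validation step runs before the rule so that a malformed record is reported rather than silently producing a false negative, and de-duplication happens first because the Events API can redeliver an event; a real Panther rule would receive Panther's event object, which exposes the same get and deep_get access pattern.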
