Box Logs

Panther supports pulling logs directly from Box

Overview

Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.

For Panther to access the Box API, you will need to create a new Box App (an OAuth 2.0 custom app) and provide its Client ID and Client Secret to Panther.
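To make the polling model concrete, here is an added example (not Panther's code) of how a collector walks the Box enterprise event stream. The endpoint shape it mimics is Box's documented `GET /2.0/events?stream_type=admin_logs&stream_position=...`, whose response carries `entries`, `next_stream_position` and `chunk_size`. The HTTP transport is replaced by a constructed in-memory fake (`FakeBoxApi` data in `FAKE_STREAM`, the sample events, the 60-second tick and the `no_events_alert` window) so that it runs offline; those pieces are assumptions of this example, not part of Panther or Box.

```python
"""Poll the Box admin_logs event stream the way a log collector does.

Added example, not Panther's code. Box's real endpoint is
GET https://api.box.com/2.0/events?stream_type=admin_logs&stream_position=...
returning {"entries": [...], "next_stream_position": ..., "chunk_size": N}.
The transport is a constructed in-memory fake so the example runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

FetchFn = Callable[[str], dict]  # stream_position -> decoded JSON response

# Constructed sample of the admin_logs stream, keyed by stream position.
# Positions are opaque strings; "now" asks Box for the current tail position.
FAKE_STREAM: Dict[str, dict] = {
    "now": {"entries": [], "next_stream_position": "1000", "chunk_size": 0},
    "1000": {
        "entries": [
            {"event_id": "e1", "event_type": "LOGIN",
             "created_at": "2024-01-01T10:00:00+00:00",
             "created_by": {"login": "alice@example.com"}},
            {"event_id": "e2", "event_type": "FAILED_LOGIN",
             "created_at": "2024-01-01T10:00:30+00:00",
             "created_by": {"login": "bob@example.com"}},
        ],
        "next_stream_position": "1002",
        "chunk_size": 2,
    },
    "1002": {
        "entries": [
            # The stream can re-deliver an entry near a chunk boundary: e2 repeats.
            {"event_id": "e2", "event_type": "FAILED_LOGIN",
             "created_at": "2024-01-01T10:00:30+00:00",
             "created_by": {"login": "bob@example.com"}},
            {"event_id": "e3", "event_type": "NEW_USER",
             "created_at": "2024-01-01T10:01:00+00:00",
             "created_by": {"login": "admin@example.com"}},
        ],
        "next_stream_position": "1004",
        "chunk_size": 2,
    },
    "1004": {"entries": [], "next_stream_position": "1004", "chunk_size": 0},
}


def fake_fetch(stream_position: str) -> dict:
    """Stand-in for the HTTPS call; returns the constructed chunk for a position."""
    return FAKE_STREAM[stream_position]


@dataclass
class CollectorState:
    stream_position: str = "now"                 # cursor persisted between polls
    seen_ids: set = field(default_factory=set)   # dedupe window on event_id
    last_event_at: Optional[datetime] = None     # newest created_at seen so far


def parse_box_time(value: str) -> datetime:
    """Box timestamps are RFC 3339; normalise to an aware UTC datetime."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def poll_once(state: CollectorState, fetch: FetchFn = fake_fetch,
              max_chunks: int = 10) -> List[dict]:
    """Drain every chunk available since the saved cursor; return new events.

    Follows next_stream_position until an empty chunk, deduping on event_id
    because the stream may re-deliver entries across chunk boundaries.
    """
    new_events: List[dict] = []
    for _ in range(max_chunks):
        chunk = fetch(state.stream_position)
        for entry in chunk.get("entries", []):
            if entry["event_id"] in state.seen_ids:
                continue
            state.seen_ids.add(entry["event_id"])
            new_events.append(entry)
            ts = parse_box_time(entry["created_at"])
            if state.last_event_at is None or ts > state.last_event_at:
                state.last_event_at = ts
        state.stream_position = chunk["next_stream_position"]  # advance cursor
        if chunk.get("chunk_size", 0) == 0:
            break
    return new_events


def no_events_alert(state: CollectorState, now_iso: str,
                    max_silence_hours: float = 24.0) -> bool:
    """True when no event has arrived within the silence window (default 24 h)."""
    if state.last_event_at is None:
        return False
    now = parse_box_time(now_iso)
    return now - state.last_event_at > timedelta(hours=max_silence_hours)


def run_collector(polls: int, fetch: FetchFn = fake_fetch) -> Tuple[CollectorState, List[dict]]:
    """Simulate `polls` 60-second ticks without sleeping; return state and events."""
    state = CollectorState()
    collected: List[dict] = []
    for _ in range(polls):
        collected.extend(poll_once(state, fetch))
        # A real collector would time.sleep(60) here before the next tick.
    return state, collected


if __name__ == "__main__":
    final_state, events = run_collector(2)
    for e in events:
        print(e["event_id"], e["event_type"], e["created_by"]["login"])
    print("cursor:", final_state.stream_position)
```

The first tick only learns the current tail position (Box returns an empty chunk for `stream_position=now`), so real-time detection starts from events created after onboarding; persisting the cursor is what lets a restarted collector resume without gaps or replays.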

How to onboard Box logs to Panther

Prerequisites

  • To read events from the entire enterprise account, the Box user performing the following steps must have full admin privileges on the account (not co-admin).

  • For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL shown on the Credentials page of the Panther source setup (Step 1 below); you will paste it into the Box app's configuration.

Step 1: Create a new Box source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Box,” then click its tile.

  4. On the slide-out panel, click Start Setup.

  5. On the next screen, enter a memorable name for the source, e.g., My Box logs.

  6. Click Setup.

  7. On the Credentials page, click Copy under Step 1 to copy your redirect URL.

     Screenshot: the Credentials page of the Box source setup flow shows two steps: 1. Use the link below as the redirect URL in your App settings (the URL is shown below it), and 2. Fill in the credentials below (Client ID and Client Secret).

  8. Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve the Client ID and Client Secret.

Step 2: Create a new Box app in your Box Developer Console

  1. In a separate browser tab or window, log in to the Box Developer Console.

  2. Click Create New App.

     Screenshot: in the Box Developer Console's left sidebar, "My Apps" is highlighted; on the right, the "Create New App" link is outlined in red.

  3. Select Custom App for the app type then click Next.

  4. Select User Authentication (OAuth 2.0), enter a memorable name for your app (e.g., Panther), then click Create App.

     Screenshot: in the Box Developer Console, a popup dialog labeled "Custom App" is shown, with the option "User Authentication (OAuth 2.0)" outlined in red.

  5. In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL you copied from your Panther Console.

     Screenshot: in the Box Developer Console, the Configuration tab is selected and the "OAuth 2 Redirect URI" section is outlined in red.

  6. In the Application Scopes section, make sure Manage enterprise properties is selected (it is not selected by default).

     Screenshot: the Box Developer Console's "Application Scopes" section lists the available scopes. Three boxes are checked: "Read all files and folders stored in Box," "Read and write all files and folders stored in Box," and "Manage enterprise properties."

  7. Click Save Changes.

Step 3: Finalize Box onboarding in Panther

  1. In the Box Developer Console, navigate to the new app you created for Panther. In the Configuration tab, scroll down to the OAuth 2.0 Credentials section.

     Screenshot: on the "Configuration" page in the Box Developer Console, "OAuth 2 Credentials" and the fields "Client ID" and "Client Secret" are outlined in red.

  2. Copy the Client ID and Client Secret credentials and paste them into the Credentials page in your Panther Console.

  3. Click Setup.

  4. Click Grant Access.

    • You will be redirected to Box.

  5. Click Grant Access to Box.

    • You will be redirected back to Panther.

  6. You will be directed to a success screen:

     Screenshot: the success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account."

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

      Screenshot: the "Trigger an alert when no events are processed" toggle is set to YES, and the "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day.
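The Grant Access steps above are a standard OAuth 2.0 authorization-code grant, and the reason the redirect URL must be copied exactly is that Box will only send the authorization code back to the redirect URI registered on the app. The following is an added example (not Panther's or Box's code) of the client side of that exchange: it builds the authorize URL, validates the callback, and assembles the token request. The two endpoint URLs are Box's documented OAuth 2.0 endpoints; the client id, client secret, redirect URL and callback values are constructed for the example, and the callback is validated in memory rather than served over HTTP.

```python
"""Client side of the OAuth 2.0 authorization-code grant used by Grant Access.

Added example, not Panther's or Box's code. Endpoint URLs are Box's documented
ones; all credentials and URLs used in the demo are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BOX_AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize"
BOX_TOKEN_URL = "https://api.box.com/oauth2/token"


class OAuthError(ValueError):
    """Raised when the callback from Box fails validation."""


def new_state() -> str:
    """Unguessable per-login nonce; store it server-side until the callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """URL the user is sent to when they click Grant Access."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the URI registered on the Box app
        "state": state,                # echoed back by Box; checked in parse_callback
    }
    return f"{BOX_AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, registered_redirect: str, expected_state: str) -> str:
    """Validate the redirect Box sent the browser to and return the auth code.

    Rejects callbacks on any other scheme/host/path than the registered one,
    a denied grant, a state mismatch (CSRF or stale attempt), or a missing code.
    """
    parts = urlsplit(callback_url)
    received_redirect = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received_redirect != registered_redirect:
        raise OAuthError("callback arrived at an unregistered redirect URL")
    query = parse_qs(parts.query)
    if "error" in query:
        raise OAuthError(f"authorization denied: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise OAuthError("state mismatch; possible CSRF or stale login attempt")
    if not query.get("code"):
        raise OAuthError("callback is missing the authorization code")
    return query["code"][0]


def token_request(client_id: str, client_secret: str, code: str) -> dict:
    """Form body for the POST to BOX_TOKEN_URL. Carries the secret: never log it."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    # Constructed placeholders standing in for the Panther redirect URL and app credentials.
    redirect = "https://panther.example.com/oauth/callback"
    state = new_state()
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", redirect, state))
    callback = f"{redirect}?code=CODE_PLACEHOLDER&state={state}"
    code = parse_callback(callback, redirect, state)
    body = token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", code)
    print({k: ("<redacted>" if k == "client_secret" else v) for k, v in body.items()})
```

The exact-match comparison in `parse_callback` is the same rule Box applies on its side: a redirect URI that differs by host, path or scheme from the one saved in the app's configuration is rejected, which is why the setup flow has you copy the URL rather than type it.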

Panther-Built Detections

See Panther's built-in rules for Box in panther-analysis on GitHub.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Box.Event

Contains events for the entire enterprise.

Reference: Box Documentation on List User and Enterprise Events.
