Box Logs
Panther supports pulling logs directly from Box
Panther can pull audit events from the Box Events API every 60 seconds for real-time detection.
For Panther to access the Box API, you will need to create a new Box App and provide its credentials to Panther.
To read events from the entire enterprise account, the Box user performing the following steps must have full admin privileges on the account (not co-admin).
For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL from this page.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Box,” then click its tile.
On the slide-out panel, click Start Setup.
On the next screen, enter a memorable name for the source, e.g., My Box logs.
Click Setup.
On the Credentials page, click Copy under Step 1 to copy your redirect URL.
Note: Before you continue the setup process in your Panther Console, you must create a new app in your Box Developer Console and retrieve the Client ID and Client Secret.
In a separate browser tab or window, log in to the Box Developer Console.
Select Custom App for the app type then click Next.
Click Save Changes.
Copy the Client ID and Client Secret credentials and paste them into the Credentials page in your Panther Console.
Click Setup.
Click Grant Access.
You will be redirected to Box.
Click Grant Access to Box.
You will be redirected back to Panther.
You will be directed to a success screen.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
See Panther's built-in rules for Box in panther-analysis on GitHub.
Required fields in the schema are listed as "required: true" just below the "name" field.
Contains events for the entire enterprise.
Reference: Box Documentation on List User and Enterprise Events.
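As an added example (not Panther's or Box's code, and not taken from panther-analysis): a standalone Python check over Box enterprise events that flags repeated `FAILED_LOGIN` events for one user inside a short window. The sample events, the function name `failed_login_bursts`, and the threshold and window values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(event_type, created_at, login, ip):
    # Builds a constructed event using Box enterprise event field names:
    # event_type, created_at, created_by.login, ip_address.
    return {"event_type": event_type, "created_at": created_at,
            "created_by": {"login": login} if login else None, "ip_address": ip}


# Constructed sample input (not real data), deliberately out of order.
SAMPLE_EVENTS = [
    _ev("FAILED_LOGIN", "2024-05-01T10:01:10-07:00", "alice@example.com", "203.0.113.9"),
    _ev("FAILED_LOGIN", "2024-05-01T10:00:05-07:00", "alice@example.com", "198.51.100.7"),
    _ev("FAILED_LOGIN", "2024-05-01T10:00:40-07:00", "bob@example.com", "192.0.2.44"),
    _ev("LOGIN",        "2024-05-01T10:02:00-07:00", "alice@example.com", "198.51.100.7"),
    _ev("FAILED_LOGIN", "2024-05-01T10:03:30-07:00", "alice@example.com", "198.51.100.7"),
    _ev("FAILED_LOGIN", "2024-05-01T10:04:00-07:00", None, "192.0.2.44"),
    _ev("FAILED_LOGIN", "2024-05-01T10:20:00-07:00", "bob@example.com", "192.0.2.44"),
]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert each time a user reaches `threshold` failures within `window`."""
    recent = defaultdict(deque)  # login -> deque of (timestamp, ip)
    alerts = []
    # Polled batches may arrive out of order, so sort by event time first.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["created_at"])):
        if ev.get("event_type") != "FAILED_LOGIN":
            continue
        login = (ev.get("created_by") or {}).get("login")
        if not login:
            continue  # no attributable user; skip rather than pool under one key
        ts = datetime.fromisoformat(ev["created_at"])
        q = recent[login]
        q.append((ts, ev.get("ip_address")))
        while ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append({"login": login, "count": len(q),
                           "ips": sorted({ip for _, ip in q if ip}),
                           "last_seen": ts.isoformat()})
            q.clear()  # re-arm so one burst produces one alert
    return alerts


if __name__ == "__main__":
    for alert in failed_login_bursts(SAMPLE_EVENTS):
        print(alert)
```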
Click Create New App.
Select User Authentication (OAuth 2.0), enter a memorable name for your app (e.g. Panther), then click Create App.
In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL you copied from your Panther Console.
In the Application Scopes section, make sure Manage enterprise properties is selected (it is not selected by default).
In the Box Developer Console, navigate to the new app you created for Panther. In the Configuration tab, scroll down to the OAuth 2.0 Credentials section.