Dropbox Logs

Connecting Dropbox logs to your Panther Console

Overview

Panther can fetch Dropbox events by querying the Dropbox Business API. Specifically, Panther monitors the following Dropbox team events:

  • User logging in or out of Dropbox (including device information)

  • Changing a user's role in Dropbox

  • Adding, editing, viewing, and sharing of files and folders, and by whom

  • Creating and sharing links within your team

Prerequisites

The Dropbox user authorizing this integration must have the "Team Admin" role credentials.

How to onboard Dropbox logs to Panther

Step 1: Create a new Dropbox log source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Dropbox from the list of available log sources.

  4. Click Start Source Setup.

  5. Enter a name for the source, e.g., My Dropbox logs.

  6. Click Setup.

  7. On the "Set Credentials" page, copy the URL provided and store it in a secure location. You will need it as the Redirect URI in the next steps.

Step 2: Create a new app in Dropbox

  1. In a separate browser tab or window, log in to your business Dropbox account and navigate to the Dropbox app console.

  2. Click Create App.

  3. On the "Create a new app on the DBX Platform" page, fill out the fields:

    • Choose an API: Select Scoped Access.

    • Choose the type of access you need: Select Full Dropbox.

    • Name your app: Enter a descriptive name for your application.

  4. When you are redirected to the app Settings panel, paste in the Redirect URI that you copied from the Panther Console in Step 1, and click Add next to it.

  5. Navigate to the Permissions tab at the top of the page.

  6. Click Submit in the bar at the bottom of the page.

  7. Navigate back to the Settings tab at the top of the page.

  8. On the Settings tab, copy the App Key and App Secret values and store them in a secure location. You will need these in the next steps.

Step 3: Finalize the log source in Panther

  1. Navigate back to the Panther Console on the "Set Credentials" page where you left off in the earlier steps.

  2. Paste your App Key from Dropbox into the Client ID field.

  3. Paste your App Secret from Dropbox into the Client Secret field.

  4. Click Setup.

  5. On the "Verify Setup" page, click Grant Access.

    • You will be redirected to a Dropbox page to install your app.

  6. Click Allow.

  7. In Panther, you will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The "Trigger an alert when no events are processed" setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Dropbox.TeamEvent

Contains events for an entire team's activity and provides information about how your team is using Dropbox.

For more information, see Dropbox Documentation on Team Log Events.

schema: Dropbox.TeamEvent
parser:
  native:
    name: Dropbox.TeamEvent
description: Dropbox events help you monitor what is going on with your files and Dropbox environment as a whole.
referenceURL: https://www.dropbox.com/developers/documentation/http/teams#team_log-get_events
fields:
  - name: timestamp
    required: true
    description: Timestamp for the event
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: event_category
    required: true
    description: The category that this type of action belongs to
    type: object
    fields:
      - name: .tag
        required: true
        description: Tag of the category
        type: string
  - name: event_type
    required: true
    description: The particular type of action taken
    type: object
    fields:
      - name: .tag
        required: true
        description: Tag of the action
        type: string
      - name: description
        description: Description of the action
        type: string
  - name: details
    required: true
    description: The variable event schema applicable to this type of action, instantiated with respect to this particular action
    type: json
  - name: actor
    description: The entity who actually performed the action
    type: object
    fields:
      - name: .tag
        description: Tag of the actor
        type: string
      - name: admin
        description: The admin who did the action
        type: object
        fields:
          - name: .tag
            description: Tag of the member type
            type: string
          - name: account_id
            description: User unique ID
            type: string
          - name: display_name
            description: User display name
            type: string
            indicators:
              - username
          - name: email
            description: User email address
            type: string
            indicators:
              - email
          - name: team_member_id
            description: Team member ID
            type: string
          - name: member_external_id
            description: Team member external ID
            type: string
          - name: team
            description: Details about this user's team for enterprise event
            type: object
            fields:
              - name: display_name
                description: Team display name
                type: string
          - name: trusted_non_team_member_type
            description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
            type: object
            fields:
              - name: .tag
                description: Tag of the type
                type: string
      - name: app
        description: The application who did the action
        type: object
        fields:
          - name: app_id
            description: App unique ID
            type: string
          - name: display_name
            description: App display name
            type: string
      - name: reseller
        description: Action done by reseller
        type: object
        fields:
          - name: reseller_name
            description: Reseller name
            type: string
            indicators:
              - username
          - name: reseller_email
            description: Reseller email
            type: string
            indicators:
              - email
      - name: user
        description: The user who did the action
        type: object
        fields:
          - name: .tag
            description: Tag of the member type
            type: string
          - name: account_id
            description: User unique ID
            type: string
          - name: display_name
            description: User display name
            type: string
            indicators:
              - username
          - name: email
            description: User email address
            type: string
            indicators:
              - email
          - name: team_member_id
            description: Team member ID
            type: string
          - name: member_external_id
            description: Team member external ID
            type: string
          - name: team
            description: Details about this user's team for enterprise event
            type: object
            fields:
              - name: display_name
                description: Team display name
                type: string
          - name: trusted_non_team_member_type
            description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
            type: object
            fields:
              - name: .tag
                description: Tag of the type
                type: string
  - name: origin
    description: The origin from which the actor performed the action
    type: object
    fields:
      - name: access_method
        description: Indicates the method in which the action was performed
        type: json
      - name: geo_location
        description: Geographic location details
        type: object
        fields:
          - name: ip_address
            description: IP address
            type: string
            indicators:
              - ip
          - name: city
            description: City name
            type: string
          - name: region
            description: Region name
            type: string
          - name: country
            description: Country code
            type: string
  - name: involve_non_team_member
    description: True if the action involved a non team member either as the actor or as one of the affected users
    type: boolean
  - name: context
    description: The user or team on whose behalf the actor performed the action
    type: object
    fields:
      - name: .tag
        description: Tag of the member type
        type: string
      - name: account_id
        description: User unique ID
        type: string
      - name: display_name
        description: User display name
        type: string
        indicators:
          - username
      - name: email
        description: User email address
        type: string
        indicators:
          - email
      - name: team_member_id
        description: Team member ID
        type: string
      - name: member_external_id
        description: Team member external ID
        type: string
      - name: team
        description: Details about this user's team for enterprise event
        type: object
        fields:
          - name: display_name
            description: Team display name
            type: string
      - name: trusted_non_team_member_type
        description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
        type: object
        fields:
          - name: .tag
            description: Tag of the type
            type: string
  - name: participants
    description: Zero or more users and/or groups that are affected by the action. Note that this list doesn't include any actors or users in context
    type: array
    element:
      type: object
      fields:
        - name: group
          description: Group details
          type: object
          fields:
            - name: display_name
              description: The name of this group
              type: string
            - name: group_id
              description: The unique ID of this group
              type: string
            - name: external_id
              description: External group ID
              type: string
        - name: user
          description: A user with a Dropbox account
          type: object
          fields:
            - name: .tag
              description: Tag of the member type
              type: string
            - name: account_id
              description: User unique ID
              type: string
            - name: display_name
              description: User display name
              type: string
              indicators:
                - username
            - name: email
              description: User email address
              type: string
              indicators:
                - email
            - name: team_member_id
              description: Team member ID
              type: string
            - name: member_external_id
              description: Team member external ID
              type: string
            - name: team
              description: Details about this user's team for enterprise event
              type: object
              fields:
                - name: display_name
                  description: Team display name
                  type: string
            - name: trusted_non_team_member_type
              description: Users that are not part of the Dropbox team but are trusted i.e. enterprise admins
              type: object
              fields:
                - name: .tag
                  description: Tag of the type
                  type: string
  - name: assets
    description: Zero or more content assets involved in the action
    type: array
    element:
      type: json
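
The schema's "required: true" markers and "indicators" tags, applied to a raw event, as an added example that is not Panther's own code. The function names and the sample event (including its tag values and addresses) are constructed for illustration; only the field paths come from the schema above.

```python
# Added example (not Panther's code): validate a Dropbox.TeamEvent against the
# schema's `required: true` fields and collect the values it tags as indicators.
REQUIRED = [("timestamp",), ("event_category", ".tag"),
            ("event_type", ".tag"), ("details",)]
MEMBER = {"display_name": "username", "email": "email"}
RESELLER = {"reseller_name": "username", "reseller_email": "email"}
GEO = {"ip_address": "ip"}

def _get(obj, path):
    """Walk nested dicts; return None if any key on the path is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def missing_required(event):
    """Return the required schema paths that are absent from the event."""
    return ["/".join(p) for p in REQUIRED if _get(event, p) is None]

def _collect(obj, mapping, out):
    """Add each non-empty mapped field of obj to its indicator bucket."""
    if isinstance(obj, dict):
        for field, kind in mapping.items():
            if obj.get(field):
                out[kind].add(obj[field])

def extract_indicators(event):
    """Gather only the fields the schema marks with `indicators`."""
    out = {"username": set(), "email": set(), "ip": set()}
    for path in (("actor", "admin"), ("actor", "user"), ("context",)):
        _collect(_get(event, path), MEMBER, out)
    for participant in event.get("participants") or []:
        _collect(_get(participant, ("user",)), MEMBER, out)
    _collect(_get(event, ("actor", "reseller")), RESELLER, out)
    _collect(_get(event, ("origin", "geo_location")), GEO, out)
    return out

# Constructed sample event ("details" omitted on purpose); values are illustrative.
SAMPLE = {
    "timestamp": "2024-01-01T12:00:00Z",
    "event_category": {".tag": "sharing"},
    "event_type": {".tag": "shared_link_create"},
    "actor": {".tag": "user", "user": {"display_name": "Alice Example",
              "email": "alice@example.com", "team": {"display_name": "Example Team"}}},
    "origin": {"geo_location": {"ip_address": "203.0.113.7", "country": "US"}},
    "participants": [{"user": {"email": "bob@example.org"}},
                     {"group": {"display_name": "Engineering"}}],
}
```

Team and group display names are not collected because the schema does not tag them as indicators; a check like missing_required is useful for spotting events that would fail required-field validation before writing detections against them.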
