Panther has the ability to fetch Dropbox events by querying the Dropbox Business API. Panther will specifically monitor the following Dropbox team events:
User logging in or out of Dropbox (including device information)
Changing a user's role in Dropbox
Adding, editing, viewing, and sharing files and folders and by whom
Creating and sharing links within your team
Prerequisites
The Dropbox user authorizing this integration must have the "Team Admin" role credentials.
How to onboard Dropbox logs to Panther
Step 1: Create a new Dropbox log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > LogSources.
Click Create New.
Select Dropbox from the list of available log sources.
Click Start Source Setup.
Enter a name for the source e.g., My Dropbox logs.
Click Setup.
On the "Set Credentials" page, copy the URL provided and store it in a secure location. You will need this in the next steps.
Step 2: Create a new app in Dropbox
In a separate browser tab or window, log in to your business Dropbox account and navigate to the Dropbox app console.
Click Create App.
On the "Create a new app on the DBX Platform" page, fill out the fields:
Choose an API:Select Scoped Access.
Choose the type of access you need: Select Full Dropbox.
Name your app: Enter a descriptive name for your application.
When you are redirected to the app Settings panel, paste in the Redirect URI that you copied from the Panther Console earlier in this documentation, and click Add next to it.
Navigate to the Permissions tabat the top of the page.
Click Submit in the bar at the bottom of the page.
Navigate back to the Settings tab at the top of the page.
On the Settings tab, copy the App Key and App Secret values and store them in a secure location. You will need these in the next steps.
Step 3: Finalize the log source in Panther
Navigate back to the Panther Console on the "Set Credentials" page where you left off in the earlier steps.
Paste your App Key from Dropbox into the Client ID field.
Paste your App Secret from Dropbox into the Client Secret field.
Click Setup.
On the "Verify Setup" page, click Grant Access.
You will be redirected to a Dropbox page to install your app.
Click Allow.
In Panther, you will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Required fields in the schema are listed as "required: true" just below the "name" field.
Dropbox.TeamEvent
Contains events for an entire team's activity and provides information about how your team is using Dropbox.
schema:Dropbox.TeamEventparser:native:name:Dropbox.TeamEventdescription:Dropbox events help you monitor what is going on with you files and Dropbox environment as a whole.referenceURL:https://www.dropbox.com/developers/documentation/http/teams#team_log-get_eventsfields: - name:timestamprequired:truedescription:Timestamp for the eventtype:timestamptimeFormat:rfc3339isEventTime:true - name:event_categoryrequired:truedescription:The category that this type of action belongs totype:objectfields: - name:.tagrequired:truedescription:Tag of the categorytype:string - name:event_typerequired:truedescription:The particular type of action takentype:objectfields: - name:.tagrequired:truedescription:Tag of the actiontype:string - name:descriptiondescription:Description of the actiontype:string - name:detailsrequired:true description: The variable event schema applicable to this type of action, instantiated with respect to this particular action
type:json - name:actordescription:The entity who actually performed the actiontype:objectfields: - name:.tagdescription:Tag of the actortype:string - name:admindescription:The admin who did the actiontype:objectfields: - name:.tagdescription:Tag of the member typetype:string - name:account_iddescription:User unique IDtype:string - name:display_namedescription:User display nametype:stringindicators: - username - name:emaildescription:User email addresstype:stringindicators: - email - name:team_member_iddescription:Team member IDtype:string - name:member_external_iddescription:Team member external IDtype:string - name:teamdescription:Details about this user's team for enterprise eventtype:objectfields: - name:display_namedescription:Team display nametype:string - name:trusted_non_team_member_typedescription:Users that are not part of the Dropbox team but are trusted i.e. enterprise adminstype:objectfields: - name:.tagdescription:Tag of the typetype:string - name:appdescription:The application who did the actiontype:objectfields: - name:app_iddescription:App unique IDtype:string - name:display_namedescription:App display nametype:string - name:resellerdescription:Action done by resellertype:objectfields: - name:reseller_namedescription:Reseller nametype:stringindicators: - username - name:reseller_emaildescription:Reseller emailtype:stringindicators: - email - name:userdescription:The user who did the actiontype:objectfields: - name:.tagdescription:Tag of the member typetype:string - name:account_iddescription:User unique IDtype:string - name:display_namedescription:User display nametype:stringindicators: - username - name:emaildescription:User email addresstype:stringindicators: - email - name:team_member_iddescription:Team member IDtype:string - name:member_external_iddescription:Team member external IDtype:string - name:teamdescription:Details about this user's team for enterprise eventtype:objectfields: - name:display_namedescription:Team display nametype:string - name:trusted_non_team_member_typedescription:Users that are not part of the Dropbox team but are trusted i.e. enterprise adminstype:objectfields: - name:.tagdescription:Tag of the typetype:string - name:origindescription:The origin from which the actor performed the actiontype:objectfields: - name:access_methoddescription:Indicates the method in which the action was performedtype:json - name:geo_locationdescription:Geographic location detailstype:objectfields: - name:ip_addressdescription:IP addresstype:stringindicators: - ip - name:citydescription:City nmetype:string - name:regiondescription:Region nametype:string - name:countrydescription:Country codetype:string - name:involve_non_team_memberdescription:True if the action involved a non team member either as the actor or as one of the affected userstype:boolean - name:contextdescription:The user or team on whose behalf the actor performed the actiontype:objectfields: - name:.tagdescription:Tag of the member typetype:string - name:account_iddescription:User unique IDtype:string - name:display_namedescription:User display nametype:stringindicators: - username - name:emaildescription:User email addresstype:stringindicators: - email - name:team_member_iddescription:Team member IDtype:string - name:member_external_iddescription:Team member external IDtype:string - name:teamdescription:Details about this user's team for enterprise eventtype:objectfields: - name:display_namedescription:Team display nametype:string - name:trusted_non_team_member_typedescription:Users that are not part of the Dropbox team but are trusted i.e. enterprise adminstype:objectfields: - name:.tagdescription:Tag of the typetype:string - name:participants description: Zero or more users and/or groups that are affected by the action. Note that this list doesn't include any actors or users in context
type:arrayelement:type:objectfields: - name:groupdescription:Group detailstype:objectfields: - name:display_namedescription:The name of this grouptype:string - name:group_iddescription:The unique ID of this grouptype:string - name:external_iddescription:External group IDtype:string - name:userdescription:A user with a Dropbox accounttype:objectfields: - name:.tagdescription:Tag of the member typetype:string - name:account_iddescription:User unique IDtype:string - name:display_namedescription:User display nametype:stringindicators: - username - name:emaildescription:User email addresstype:stringindicators: - email - name:team_member_iddescription:Team member IDtype:string - name:member_external_iddescription:Team member external IDtype:string - name:teamdescription:Details about this user's team for enterprise eventtype:objectfields: - name:display_namedescription:Team display nametype:string - name:trusted_non_team_member_typedescription:Users that are not part of the Dropbox team but are trusted i.e. enterprise adminstype:objectfields: - name:.tagdescription:Tag of the typetype:string - name:assetsdescription:Zero or more content assets involved in the actiontype:arrayelement:type:json