Box.com

Box.com is a cloud storage service for enterprises. You can configure a Box event source for an enterprise subscription only, not for an individual or business subscription.

Box.com uses Open Authentication (OAuth) to authorize SIEM (InsightIDR) to collect activity logs from its servers. To read Box.com logs, the collector must be able to connect to https://api.box.com.

Collected Data

In the Box.com integration, SIEM (InsightIDR) polls on a regular basis for the following information:

  • Box.com “users” to map them back to domain users and tie Active Directory and Box.com activity together
  • Recent Box.com “events” to pull authentication and administrative activity

In SIEM (InsightIDR), you will see:

  • Ingress activity to Box.com on your “Locations” map as if the users were logging into your internal network
  • Admin activity on your “Administrators” page (typically account change activity: new account created, account deleted, etc.)
  • Users who are seen doing Admin activity get a “Box admin” tag in SIEM (InsightIDR)
  • Several incidents might get generated:
    • Ingress from disabled account (the user is no longer part of the company but still logging into Box)
    • Harvested credentials
    • Multiple country authentications
    • Ingress from threat
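
The correlation described above, as an added example that is not Rapid7's or Box's code and not how SIEM (InsightIDR) implements its detections: Box event actors are matched to directory accounts by e-mail address, logins from disabled accounts are flagged, and actors of account-change events are collected for a “Box admin” tag. The directory records, the events and the `correlate` function are constructed for illustration; the event fields are a subset of those in Box enterprise events.

```python
# Added illustration; not InsightIDR's detection logic. All data below is constructed.
ADMIN_EVENT_TYPES = {"NEW_USER", "DELETE_USER", "EDIT_USER"}  # Box account-change events
LOGIN_EVENT_TYPES = {"LOGIN", "ADMIN_LOGIN"}

# Constructed directory export: mail attribute -> domain account and enabled flag.
DIRECTORY = {
    "alice@example.com": {"account": "EXAMPLE\\alice", "enabled": True},
    "bob@example.com": {"account": "EXAMPLE\\bob", "enabled": False},
}

# Constructed events carrying a subset of the fields in Box enterprise events.
BOX_EVENTS = [
    {"event_id": "1", "event_type": "LOGIN", "ip_address": "198.51.100.7",
     "created_by": {"login": "Alice@Example.com"}},
    {"event_id": "2", "event_type": "LOGIN", "ip_address": "203.0.113.9",
     "created_by": {"login": "bob@example.com"}},
    {"event_id": "3", "event_type": "NEW_USER", "ip_address": "198.51.100.7",
     "created_by": {"login": "alice@example.com"}},
    {"event_id": "4", "event_type": "LOGIN", "ip_address": "192.0.2.44",
     "created_by": {"login": "contractor@example.net"}},
]


def correlate(events, directory):
    """Return (findings, box_admins) after mapping Box logins to domain accounts."""
    findings, box_admins = [], set()
    for ev in events:
        # Box logins are e-mail addresses; compare case-insensitively.
        login = ((ev.get("created_by") or {}).get("login") or "").strip().lower()
        user = directory.get(login)
        if user is None:
            # No directory match: surface it rather than silently dropping the event.
            findings.append((ev["event_id"], "unmapped_box_user", login))
            continue
        if ev["event_type"] in LOGIN_EVENT_TYPES and not user["enabled"]:
            findings.append((ev["event_id"], "ingress_from_disabled_account", user["account"]))
        if ev["event_type"] in ADMIN_EVENT_TYPES:
            box_admins.add(user["account"])
    return findings, box_admins


if __name__ == "__main__":
    found, admins = correlate(BOX_EVENTS, DIRECTORY)
    for event_id, kind, who in found:
        print(event_id, kind, who)
    print("Box admin tag:", sorted(admins))
```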

If you are running SIEM (InsightIDR) in Firefox, be sure to enable pop-up windows before configuring a Box.com event source.

Configure SIEM (InsightIDR) to collect data from the event source

To collect data from Box.com, you will need to authorize SIEM (InsightIDR) to access your Box.com administrator account during this one-time setup.

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

To configure the new event source in SIEM (InsightIDR):

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Box.com in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Box.com event source tile.
  4. Select your collector and select Box.com from the event source dropdown menu.
  5. Enter the name of your event source.
  6. Optionally choose to send unparsed logs.
  7. Click “Begin” to set up OAuth and start the authorization process.
  8. A new window or tab will open for you to perform an authorization grant with Box.
  9. Log in to Box.com and click Allow.
  10. Close the window/tab to return to SIEM (InsightIDR).
  11. Configure your default domain.
  12. Click Save.

Connect Apps to Box

Applications use OAuth, an open source authentication standard, to connect to Box. There are also Box SDKs that include implementations of the OAuth2 grants used by Box, or client libraries available in a number of languages that you might find useful.

For more information, see https://developer.box.com/reference#oauth-2-overview.

Troubleshooting

If you experience issues with Box.com, refer to these steps to troubleshoot.

Error: App Disabled by Administrator

If you attempt to connect SIEM (InsightIDR) to Box.com but encounter an error message, you may need to allowlist SIEM (InsightIDR) as an application.

How to allowlist SIEM (InsightIDR) in Box

Follow these instructions to allowlist SIEM (InsightIDR) in Box.com: https://support.box.com/hc/en-us/articles/360044195053-Disabled-by-Administrator-Cannot-Use-Application#:~:text=access%20the%20integration.-,Platform%20Apps,-If%20the%20app 

You will be asked to enter a Client ID that is specific to your AWS region. Use the following table to identify the correct Client ID based on the AWS region your environment is hosted in.

To find your AWS region:

  • Multi-org users: Open the Org Switcher in the top-left corner of the Command Platform navigation bar. From the dropdown, locate your current organization. The AWS region for that organization is displayed next to the organization name.

  • Single-org users: Ask your Platform Administrator to provide your AWS region.

AWS Region        Client ID
ap-northeast-1    jagp21q41s40x5bvo5larljhnjwphdj6
ap-southeast-2    y0bdup7juwzqtoyda0axbmhsnt087m32
ca-central-1      esik4v7swbos3c19zyydw9o7rgzaz79q
eu-central-1      crtn5kpjd9zc2vl28avyptne9oif42r5
us-east-1         uqsuj6rhwxz7ia3ucjrn8xb0px4l84i8
us-east-2         agws64mbmu46mme9kymvcmkdivwqvk18
us-west-2         234xyq68h81iinhxpise7ccyuhmb7cks