Box.com is a cloud storage service for enterprises. You can configure a Box event source for an enterprise subscription only, not for an individual or business subscription.
Box.com uses Open Authentication (OAuth) to authorize InsightIDR to collect activity logs from their servers. In order to read Box.com logs, the collector needs to be able to connect to https://api.box.com
In the Box.com integration, InsightIDR polls on a regular basis for the following information:
- Box.com "users" to map them back to domain users and tie ActiveDirectory and Box.com activity together
- Recent Box.com "events" to pull authentication and administrative activity
In InsightIDR, you will see:
- Ingress activity to Box.com on your "Locations" map as if the users were logging into your internal network
- Admin activity on your "Administrators" page (typically account change activity--new account created, account deleted, etc)
- Users who are seen doing Admin activity get a "Box admin" tag in InsightIDR
- Several incidents might get generated:
- Ingress from disabled account (the user is no longer part of the company but still logging into Box)
- Harvested credentials
- Multiple country authentications
- Ingress from threat
If you are running InsightIDR in Firefox, be sure to enable pop-up windows before configuring a Box.com event source.
How to Configure This Event Source
In order to collect data from Box.com, you will need to authorize InsightIDR to access your Box.com administrator account during this one time set up.
To configure this event source:
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Cloud Service icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Optionally choose to send unfiltered logs.
- Click the "Begin" button to start the OAUTH authorization process.
- A new window or tab will open for you to perform an authorization grant with Box.
- Login to Box.com and click Allow.
- Close the window/tab to return to InsightIDR.
- Configure your default domain.
- Click Save.
Connect Apps to Box
Applications use OAuth, an open source authentication standard, to connect to Box. There are also Box SDKs that include implementations of the OAuth2 grants used by Box, or client libraries available in a number of languages that you might find useful.
Read this link for more information: https://developer.box.com/reference#oauth-2-overview.
If you experience issues with Box.com, see below for troubleshooting information.
Error: App Disabled by Administrator
If you attempt to connect InsightIDR to Box.com but encounter an error message, you may need to whitelist InsightIDR as an application.
Before you begin, you must have a Rapid7 [API key].
To whitelist InsightIDR:
- As a Box administrator, log in to your Admin console and go to Enterprise Settings > Apps > Third Party Applications.
- Under the “Unpublished Applications” checkbox, go to the exceptions window. This box allows you to whitelist specific applications.
- Find your account region in the start of the InsightIDR URL.
- For example,
https://us.idr.insight.rapid7.comindicates your region is the US.
- For example,
- Paste in the following URL:
[CLIENT_ID_of_App]with the corresponding region client ID:
- US - uqsuj6rhwxz7ia3ucjrn8xb0px4l84i8
- EU - crtn5kpjd9zc2vl28avyptne9oif42r5
- AP - jagp21q41s40x5bvo5larljhnjwphdj6
- CA - esik4v7swbos3c19zyydw9o7rgzaz79q
- AU - y0bdup7juwzqtoyda0axbmhsnt087m32
- Click the Save button.
Read https://community.box.com/t5/Integrations-Troubleshooting/Disabled-by-Administrator-Cannot-Use-Application/ta-p/50075 for more information on this solution.