Box.com

Overview

Box.com is a cloud storage service for enterprises. You can configure a Box event source for an enterprise subscription only, not for an individual or business subscription.

Box.com uses Open Authentication (OAuth) to authorize InsightOps to collect activity logs from their servers. In order to read Box.com logs, the collector needs to be able to connect to https://api.box.com

Collected Data

In the Box.com integration, InsightOps polls on a regular basis for the following information:

  • Box.com "users" to map them back to domain users and tie ActiveDirectory and Box.com activity together
  • Recent Box.com "events" to pull authentication and administrative activity

InsightOps Activity

In InsightOps, you will see:

  • Ingress activity to Box.com on your "Locations" map as if the users were logging into your internal network
  • Admin activity on your "Administrators" page (typically account change activity--new account created, account deleted, etc)
  • Users who are seen doing Admin activity get a "Box admin" tag in InsightOps
  • Several incidents might get generated:
  • Ingress from disabled account (the user is no longer part of the company but still logging into Box)
  • Harvested credentials
  • Multiple country authentications
  • Ingress from threat

Note: If you are running InsightOps in Firefox, be sure to enable pop-up windows before configuring a Box.com event source.

Configuring Box.com Integration

You must log on with credentials that provide you admin privileges.

  1. Enter the e-mail address of your Box Admin account in the E-mail field.
  2. Enter your password in the Password field.
  3. Click the Authorize button.

Configuring This Event Source in InsightOps

In order to collect data from Box.com, you will need to authorize InsightOps to access your Box.com administrator account

  1. From InsightOps, click Data Collection.
  2. Select Add Data in the top right corner.
  3. Select the Cloud Service icons from the Security Data section.
  4. Select Box.com from the list of event sources in the dropdown.
  5. Optionally name your event source, and choose whether or not to send unfiltered logs.
  6. Optionally configure a fallback domain.
  7. Select Begin.

Connect Apps to Box

Applications use OAuth, an open source authentication standard, to connect to Box. There are also Box SDKs that include implementations of the OAuth2 grants used by Box, or client libraries available in a number of languages that you might find useful.

Click here for more information.