Ingest Logs and Data from Box - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Ingest logs and data from Box enterprise accounts via the Box REST APIs.

Cortex XSIAM can ingest different types of data from Box enterprise accounts using the Box data collector. To receive logs and data from Box enterprise accounts via the Box REST APIs, you must configure the Data Sources settings in Cortex XSIAM based on your Box enterprise account credentials. After you set up data collection, Cortex XSIAM begins receiving new logs and data from the source.

When Cortex XSIAM begins receiving logs, the app creates a new dataset for the different types of data that you are collecting, which you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. For all logs, Cortex XSIAM can raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC), when relevant from Box logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

The following table provides a brief description of the different types of data you can collect, the collection method and fetch interval for new data collected, the name of the dataset to use in Cortex XSIAM to query the data using XQL Search, and whether the data is normalized.

Note

The Fetch Intervals are non-configurable.

Type of Data

Description

Collection Method

Fetch Interval

Dataset Name

Normalized Data

Events and security alerts

Events (admin_logs)

Retrieves events related to file/folder management, permission changes, access and login activities, user/groups management, folder collaboration, file/folder sharing, security settings changes, tasks, permission changes on folders, storage expiration and data retention, and workflows.

Appends data

60 seconds

box_admin_logs_raw

When relevant, Cortex XSIAM normalizes SaaS audit event logs into stories, which are collected in a dataset called saas_audit_logs.

Box Shield Alerts

Retrieves security alerts related to suspicious locations, suspicious sessions, anomalous download, and malicious content.

Note

Collecting Box Shield Alerts requires implementing Box Shield,

Appends data

60 seconds

box_shield_alerts_raw

Directory and metadata

Users

Lists user data.

Overwrites data

10 minutes

box_users_raw

Groups

Lists user group data.

Overwrites data

10 minutes

box_groups_raw

Be sure you do the following tasks before you begin configuring data collection from Box to Cortex XSIAM.

  1. Set up an Enterprise Box plan.

    Important

    To collect Box Shield Alerts, you must purchase Box Shield and it must be enabled on Box enterprise.

  2. Create a valid Box account that is assigned to a role with sufficient permissions for the data you want to collect. For example, create an account assigned to an Admin role to enable Cortex XSIAM to collect all metadata for all files, folders, and enterprise events for the entire organization.

  3. Enable two-factor authentication for the Box account. For more information, see the Box documentation.

Configure Cortex XSIAM to receive logs and data from Box.

  1. Complete the prerequisite steps for your Box enterprise account.

  2. Create a new app in your Box account.

    1. Log in to your Box account, and in the Dev Console, click Create New App.

    2. Select Custom App.

    3. Set these settings in the Custom App dialog:

      • Select Server Authentication (Client Credentials Grant).

      • Specify an App Name.

      • Click Create App.

      The new app is created and the opened in the Configuration tab.

    4. In the Configuration tab of the new app, scroll down to the following sections and configure the app.

      • In the App Access Level section, select App + Enterprise Access.

      • In the Application Scopes section, set the following Administrative Action permissions depending on the type of data you want to collect.

        Administrative Action

        Data Type

        Manage users

        Users

        Manage groups

        Groups

        Note

        There is a current bug with the Groups API from Box. If you don't configure the Box app with the proper permissions for managing groups data, the Groups API from Box won't return an error message to Cortex XSIAM indicating that the API failed to receive the data, and the Groups data will not be collected.

        Manage enterprise properties

        • Events (admin_logs)

        • Box Shield Alerts

      Once completed, scroll up in the tab to Save Changes.

    5. In the Authorization tab, click Review and Submit to send your changes to the administrator for approval.

      In the Review App Authorization Submission dialog that is displayed, you can add a Description of the app changes, and then click Submit.

  3. Ensure the new app changes are approved by an administrator in the Admin Console of the Box account.

    1. Select AppsCustomer Apps ManagerServer Authentication Apps.

    2. In the table, look for the Name of the Box app with the changes, where the Authorization Status is set to Pending Authorization, and select the three-dot menuAuthorize App.

    3. Click Authorize.

    Note

    For any future change that you make to your Box app, ensure that you send the changes for approval to the administrator, who will need to approve them as explained above.

  4. In Cortex XSIAM, select SettingsData Sources.

  5. In the Box configuration, click Add Instance to begin a new configuration.

  6. Set the following parameters, where some values require you to log in to your Box account to copy and paste the values to the applicable fields:

    • Name—Specify a descriptive name for this Box instance.

    • Enterprise ID—Specify the unique identifier for your organization's Box instance, which is used to access the token request. This field can't be edited once the Box data collector instance is created.

      You can retrieve this value from your Box account in the the General Settings tab, and scrolling to the App Info section. Copy the Enterprise ID and paste it in this field in Cortex XSIAM.

    • Client ID—Specify the client ID or API key for the Box app you created.

      You can retrieve this value from your Box account in the Configuration tab, and scrolling down to the OAuth 2.0 Credentials section. COPY the Client ID and paste it into this field in Cortex XSIAM.

    • Client Secret—The client secret or API secret fort he Box app you created.

      You can retrieve this value from your Box account in the Configuration tab, and scrolling down to the OAuth 2.0 Credentials section. Click Fetch Client Secret, where you will need to authenticate yourself according to the two-factor authentication method defined in your Box app before the Client Secret is displayed. Copy this value and paste it in this field in Cortex XSIAM.

    • Collect—Select the types of data you want to collect from Box. All the options are selected by default.

      • Events and security alerts

        • Events (admin_logs)—Collects events related to file/folder management, permission changes, access and login activities, user/groups management, folder collaboration, file/folder sharing, security settings changes, tasks, permission changes on folders, storage expiration and data retention, and workflows.

        • Box Shield Alerts—Collects security alerts related to suspicious locations, suspicious sessions, anomalous download, and malicious content.

      • Directory and metadata

        Note

        Inventory data snapshots are collected every 10 minutes.

        • Users—Collects user data.

        • Groups—Collects user group data.

  7. Test the connection settings.

  8. If successful, Enable Box log collection.

    Once events start to come in, a green check mark appears underneath the Box configuration.