Ingest logs and data from Dropbox Business accounts via the Dropbox Business API.
Cortex XSIAM can ingest different types of data from Dropbox Business accounts using the Dropbox data collector. To receive logs and data from Dropbox Business accounts via the Dropbox Business API, you must configure the Data Sources settings in Cortex XSIAM based on your Dropbox Business Account credentials. After you set up data collection, Cortex XSIAM begins receiving new logs and data from the source.
When Cortex XSIAM begins receiving logs, the app creates a new dataset for each type of data that you are collecting, which you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. For all logs, Cortex XSIAM can raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC) from Dropbox Business logs when relevant. Correlation Rules alerts are raised on both non-normalized and normalized logs, whereas Analytics, IOC, and BIOC alerts are raised only on normalized logs.
The following table provides a brief description of the different types of data you can collect, the collection method and fetch interval for new data collected, the name of the dataset to use in Cortex XSIAM to query the data using XQL Search, and whether the data is normalized.
Note
The Fetch Interval is non-configurable.
Type of data | Description | Collection method | Fetch interval | Dataset name | Normalized data |
---|---|---|---|---|---|
Log collection | | | | | |
Events | Retrieves team events, including access events, administrative events, file/folders events, security settings events, and more. | Appends data | 60 seconds | | When relevant, Cortex XSIAM normalizes SaaS audit event logs into stories, which are collected in a dataset called |
Directory and metadata | | | | | |
Member Devices | Lists all device sessions of a team. | Overwrites data | 10 minutes | | — |
Users | Lists members of a group. | Overwrites data | 10 minutes | | — |
Groups | Lists groups on a team. | Overwrites data | 10 minutes | | — |
Danger
Set up an Advanced Dropbox plan.
Create a Dropbox Business admin account with Security admin permissions, which is required to authorize Cortex XSIAM to access the Dropbox Business account and generate the OAuth 2.0 access token.
Configure Cortex XSIAM to receive logs and data from Dropbox.
Complete the prerequisite steps mentioned above for your Dropbox Business account.
Log in to Dropbox using an admin account designated with Security admin level permissions.
In the Dropbox App console, either create a new app or confirm that your existing app was created with the following settings:
Choose an API: Select Scoped access.
Choose the type of access you need: Select Full Dropbox for access to all files and folders in a user's Dropbox.
In the Permissions tab of your app, ensure that the applicable permissions are selected under the relevant section heading for the type of data you want to collect:
Section heading | Permission | Data to collect |
---|---|---|
Account Info | account_info.read | All types of data |
Team Data | team_data.member | All types of data |
Members | members.read | Users |
| groups.read | Groups |
Sessions | sessions.list | Member Devices |
| events.read | Events |
In the Settings tab of your app, copy the App key and App secret (click Show to reveal the App secret) and record them somewhere safe. You will need to provide these keys when you configure the Dropbox data collector in Cortex XSIAM.
In Cortex XSIAM, select → .
On the Data Sources page, click Add Data Source, search for and select Dropbox and click Connect.
Set the following parameters:
Name: Specify a descriptive name for this Dropbox instance.
App Key: Specify the App key, which is taken from the Settings tab of your Dropbox app.
App Secret: Specify the App secret, which is taken from the Settings tab of your Dropbox app.
Access Code: After specifying an App Key, you can obtain the access code by hovering over the Access Code tooltip, clicking the here link, and signing in with your Dropbox Business account credentials. The URL link is https://www.dropbox.com/oauth2/authorize?client_id=%APP_KEY%&token_access_type=offline&response_type=code, where %APP_KEY% is replaced with the App Key value specified.
Note
When the App Key field is empty, the here link in the tooltip is disabled. When an incorrect App Key is entered, clicking the link results in a 404 error.
To obtain the Access Code, complete the following steps in the page that opens in your browser:
Read the disclaimer and click Continue.
Review the permissions listed, which should match the permissions you configured in your Dropbox app in the Permissions tab according to the type of data you want to collect, and click Allow.
Copy the Access Code Generated and paste it in the Access Code field in Cortex XSIAM. The access code is valid for around four minutes from when it is generated.
Note
Whenever you change the permissions of the Dropbox app, we recommend that you generate a new Access Code for the Dropbox data collector instance so that the permissions match the updates.
Collect: Select the types of data you want to collect from Dropbox. All the options are selected by default.
Log collection
Events (get_events): Retrieves team events, including access events, administrative events, file/folders events, security settings events, and more.
Note
Event data is collected every 60 seconds with a 10-minute lag time.
Directory and metadata
Member Devices: Collects all device sessions of a team.
Users: Collects all members of a group.
Groups: Collects all groups on a team.
Note
Inventory data snapshots are collected every 10 minutes.
Test the connection settings.
If successful, Enable Dropbox log collection.
Once events start to come in, a green check mark appears underneath the Dropbox configuration.
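The permission table and the Access Code step above can be checked before you authorize the app. The following is an added example, not code from Cortex XSIAM or Dropbox: it computes the minimal scope set for the data types selected under Collect, reports scopes that are missing or enabled beyond that set, and fills in the authorization URL. The function names and the sample scope list are hypothetical.

```python
from urllib.parse import urlencode

# Permission table from this page: scopes needed for "All types of data",
# plus the scope each data type adds.
BASE_SCOPES = {"account_info.read", "team_data.member"}
TYPE_SCOPES = {
    "Events": {"events.read"},
    "Member Devices": {"sessions.list"},
    "Users": {"members.read"},
    "Groups": {"groups.read"},
}

def required_scopes(collect):
    """Minimal scope set for the data types selected under Collect."""
    unknown = set(collect) - TYPE_SCOPES.keys()
    if unknown:
        raise ValueError(f"unknown data type(s): {sorted(unknown)}")
    scopes = set(BASE_SCOPES) if collect else set()
    for data_type in collect:
        scopes |= TYPE_SCOPES[data_type]
    return scopes

def audit_app_scopes(collect, enabled):
    """Compare the scopes enabled on the app with what collection needs."""
    need = required_scopes(collect)
    enabled = set(enabled)
    blocked = sorted(t for t in collect
                     if (BASE_SCOPES | TYPE_SCOPES[t]) - enabled)
    return {"missing": sorted(need - enabled),    # add in the Permissions tab
            "excess": sorted(enabled - need),     # candidates to disable
            "blocked_types": blocked}             # data types that would fail

def authorize_url(app_key):
    """Authorization URL from this page with %APP_KEY% filled in."""
    if not app_key or not app_key.strip():
        raise ValueError("App Key is empty")
    query = urlencode({"client_id": app_key.strip(),
                       "token_access_type": "offline",
                       "response_type": "code"})
    return "https://www.dropbox.com/oauth2/authorize?" + query

if __name__ == "__main__":
    # Constructed sample: the app has a write scope enabled but lacks events.read.
    enabled = ["account_info.read", "team_data.member", "members.read",
               "files.content.write", "sessions.list"]
    print(audit_app_scopes(["Events", "Users"], enabled))
    print(authorize_url("EXAMPLE_APP_KEY"))
```

If the audit reports missing scopes, enable them in the Permissions tab and then generate a new Access Code, as the note above recommends.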