Providing Box application credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to configure a Box application with the necessary permissions for Arctic Wolf® to monitor security information in your Box environment.

Note: Box API endpoints may experience reporting latency between when a user or administrator takes an action, such as creating or deleting a file, and when the logs are available for Arctic Wolf to analyze. See the Limitations documentation on the Box website for more information.

After you complete this process, you need to provide the .json file containing credential information for the Box application to Arctic Wolf on the Arctic Wolf Portal.

Note: To complete the steps below, you must have administrator credentials for the Box environment that you wish to monitor.

Box API request impact

This configuration may impact the number of API requests that your Box plan allows. Box imposes a strict limit on the number of API requests that all users and applications combined can perform per month on a given Box plan. For example, a Business plan is normally limited to 50,000 API calls per month. If this request limit is exceeded, further API calls are denied until the number of API requests in the last month falls below the limit. The Arctic Wolf sensor typically makes between 150 and 200 API calls per day, corresponding to a range of 4200 to 6200 API requests per month.

Caution: Before proceeding with the instructions below, confirm with your Box administrator that the Arctic Wolf API request rates will not cause your organization to exceed its API request limit. For more information, see Box pricing on the Box website.

Enabling two-factor authentication on the administrator account

After creating the Box application, you need to generate a public and private keypair for the application. If you do not have single sign on (SSO) enabled, Box requires that you enable two-factor authentication (2FA) on the administrator account before generating a keypair. See Setting Up Single Sign On in the Box documentation for more information about SSO.

Tip: If desired, you can disable 2FA at the conclusion of this setup process, although Arctic Wolf recommends using 2FA for all accounts with administrator privileges.

  1. Determine if you need to complete this process:

  2. Sign in to Box using the credentials of an administrator for the enterprise that you wish to monitor.

  3. From the navigation bar, select your profile menu and then select Account Settings.

  4. In the Account tab, under Authentication, select the Require 2-step verification for unrecognized logins checkbox.

  5. Follow the prompts to configure 2FA.

    Tip: You may need to sign back into your account if you are logged out as part of this process.

  6. On the Account Settings page, verify that:

    • The Require 2-step verification for unrecognized logins box is now checked.
    • The Send texts to: number is correct.

Note: If desired, after you submit credentials to Arctic Wolf, you can return to the Account Settings page and uncheck Require 2-step verification for unrecognized logins to disable 2FA. However, Arctic Wolf recommends using 2FA for all accounts with administrator privileges.

Creating a new Box application for security monitoring

To create a new Box application of the required type and authentication method:

  1. Sign in to the Box Developer Console using the credentials of an administrator for the enterprise that you wish to monitor.

  2. On the landing page, select My App > Create New App.

  3. On the Create a New Box App page, select Custom App, and then click Next.

  4. On the Authentication Method page, select Server Authentication with JWT, and then click Next.

  5. Enter a name for the new application, and then click Create App.

  6. After the application is successfully created, click View Your App.

Configuring the application with the required credentials and scopes

To configure the application appropriately and generate a public and private keypair to serve as credentials for the application:

  1. On the Configuration page for the new application, under Application Access, select Application Access + Enterprise Access.

  2. Under Application Scopes:

    1. Uncheck Read and write all files and folders stored in Box. This should automatically uncheck Read all files and folders stored in Box.

    2. Verify that the Manage users, Manage groups, and Manage enterprise properties checkboxes are selected.

  3. Under Add and Manage Public Keys, click Generate a Public/Private Keypair.

    The .json file containing the application configuration, including the private key, is automatically downloaded to your computer. You need to provide this file to Arctic Wolf on the Arctic Wolf Portal later.

  4. Under OAuth 2.0 Credentials, copy the value of the Client ID to a safe place for later use.

  5. Click Save Changes to complete the application configuration.
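
A pre-upload check of the downloaded .json file, as an added example that is not part of the Arctic Wolf or Box documentation: it confirms that the file is not readable by other local users, that the credential fields are present, and returns the Client ID needed in the App Authorization dialog box. The field names assume the standard layout of the Box JWT configuration file; check_box_config and lookup are hypothetical names.

```python
import json
import os
import stat
import sys

# Fields expected in the downloaded file (assumed standard Box JWT config layout).
REQUIRED = (
    ("boxAppSettings", "clientID"),
    ("boxAppSettings", "clientSecret"),
    ("boxAppSettings", "appAuth", "publicKeyID"),
    ("boxAppSettings", "appAuth", "privateKey"),
    ("boxAppSettings", "appAuth", "passphrase"),
    ("enterpriseID",),
)

def lookup(cfg, keys):
    """Walk nested dicts; return None if any level is missing."""
    for key in keys:
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def check_box_config(path):
    """Return (client_id, problems) for a Box JWT configuration file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # POSIX only: group/other bits expose the private key
        problems.append(f"mode {mode:o} is readable by other users; chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except ValueError as exc:  # covers invalid JSON and invalid UTF-8
        return None, problems + [f"not valid JSON: {exc}"]
    for keys in REQUIRED:
        value = lookup(cfg, keys)
        if not isinstance(value, str) or not value.strip():
            problems.append("missing or empty: " + ".".join(keys))
    pem = lookup(cfg, ("boxAppSettings", "appAuth", "privateKey"))
    if isinstance(pem, str) and pem.strip() and "PRIVATE KEY-----" not in pem:
        problems.append("privateKey is not PEM; was the file edited?")
    client_id = lookup(cfg, ("boxAppSettings", "clientID"))
    return (client_id if isinstance(client_id, str) else None), problems

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_box_config.py <downloaded-config.json>")
    cid, issues = check_box_config(sys.argv[1])
    print("Client ID for the App Authorization dialog:", cid)  # not a secret
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

The script never prints the private key, passphrase, or client secret, so its output is safe to paste into a ticket.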

Authorizing the application with your Box enterprise

Grant access to the application in your enterprise:

  1. From your profile menu, select Admin Console.

  2. Select the Apps tab.

  3. Under Custom Applications, select Authorize New App. This opens the App Authorization dialog box.

  4. In the App Authorization dialog box:

    1. Enter the Client ID value that you obtained in Configuring the application with the required credentials and scopes into the API Key field.

    2. Click Next.

  5. In the permissions dialog box that opens, click Authorize to grant the permissions.

Providing credentials to Arctic Wolf

To provide your cloud credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Box from the list of cloud services, and fill in the form:

    1. Specify a descriptive name for the credentials.

    2. Under JSON credential file, upload the .json file that you downloaded earlier.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your Box account, the status of your Box credentials changes to Connected.