Box Monitoring

Updated Sep 27, 2023

Configure Box monitoring

This document describes how to configure a Box application with the necessary permissions for Arctic Wolf® to monitor security information in your Box® environment.

Note: Box API endpoints may experience reporting latency between when a user or administrator takes an action, such as creating or deleting a file, and when the logs are available for Arctic Wolf to analyze. See the Limitations documentation on the Box website for more information.

After you complete this process, you must provide the .json file containing the credential information for the Box application to Arctic Wolf through the Arctic Wolf Portal.

Note: To complete the steps below, you must have administrator credentials for the Box environment that you wish to monitor.

Box API request impact

This configuration may impact the number of API requests that your Box plan allows. Box imposes a strict limit on the number of API requests that all users and applications combined can perform per month on a given Box plan. For example, a Business plan is normally limited to 50,000 API calls per month. If this request limit is exceeded, further API calls are denied until the number of API requests in the last month falls below the limit. The Arctic Wolf sensor typically makes between 150 and 200 API calls per day, corresponding to a range of 4200 to 6200 API requests per month.

Caution: Before proceeding with the instructions below, confirm with your Box administrator that the Arctic Wolf API request rates will not cause your organization to exceed its API request limit. For more information, see Box pricing on the Box website.

Enable two-factor authentication on the administrator account

After creating the Box application, you need to generate a public and private keypair for the application. If you do not have single sign on (SSO) enabled, Box requires that you enable two-factor authentication (2FA) on the administrator account before generating a keypair. See Setting Up Single Sign On in the Box documentation for more information about SSO.

  1. Determine if you need to complete this process:

  2. Sign in to Box using the credentials of an administrator for the enterprise that you wish to monitor.

  3. From your profile menu, select Account Settings.

  4. In the Account tab, under 2-step Verification, click Set up.

  5. Follow the prompts to configure 2FA.

    Tip: You may need to sign back into your account if you are logged out as part of this process.

  6. On the Account Settings page, under 2-step Verification, verify that:

    • The method you chose says Enabled.
    • The information you provided is correct.

    Note: If desired, after you submit credentials to Arctic Wolf, you can return to the Account Settings page and disable 2FA. However, Arctic Wolf recommends using 2FA for all accounts with administrator privileges.

  7. Proceed to Create a new Box application for security monitoring.

Create a new Box application for security monitoring

  1. Sign in to the Box Developer Console using the credentials of an administrator for the enterprise that you wish to monitor.

  2. On the landing page, click Create New App.

  3. On the Create New App page, select Custom App.

  4. In the Create a Custom App dialog, enter a name for the app, select a purpose from the dropdown list, fill out the new fields related to the purpose, and then click Next.

  5. Select Server Authentication (with JWT), and then click Create App.

    The app Configuration page opens, and you can review the information you provided.

  6. Proceed to Configure the application with the required credentials and scopes.

Configure the application with the required credentials and scopes

To configure the application appropriately and generate a public and private keypair to serve as credentials for the application:

  1. On the Configuration page for the new application, under App Access Level, select App + Enterprise Access.

  2. Under Application Scopes:

    1. Uncheck Write all files and folders stored in Box. This should automatically uncheck Read all files and folders stored in Box.
    2. Verify that the Manage users, Manage groups, and Manage enterprise properties checkboxes are selected.

  3. Under Add and Manage Public Keys, click Generate a Public/Private Keypair to generate the .json file.

    Note: You may need to click Generate a Public/Private Keypair a second time to download the file.

    You are prompted to download the .json file containing the application configuration, including the private key. You need to provide this file to Arctic Wolf on the Arctic Wolf Portal later.

  4. Under OAuth 2.0 Credentials, copy the value in the Client ID field to a safe place for later use.

  5. Click Save Changes to complete the application configuration.

  6. Proceed to Authorize the application with your Box enterprise.
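Because the downloaded .json file carries the application's private key and must match the Client ID you copied, it is worth checking it locally before uploading it. The following is an added example, not Arctic Wolf or Box code; the key names (boxAppSettings, appAuth, enterpriseID, and so on) are an assumption based on the usual layout of a Box JWT app config download, and check_box_config is a hypothetical helper name.

```python
import json
import os
import stat
import tempfile

# Key layout is an assumption (typical Box JWT app config download); it is not given on this page.
APP = ("boxAppSettings",)
AUTH = APP + ("appAuth",)
REQUIRED = [APP + ("clientID",), APP + ("clientSecret",), AUTH + ("publicKeyID",),
            AUTH + ("privateKey",), AUTH + ("passphrase",), ("enterpriseID",)]

def _get(doc, path):
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def check_box_config(path, expected_client_id):
    """Return a list of problems; an empty list means the file looks ready to upload."""
    problems = []
    # The file holds the app's private key, so only the owner should have access (POSIX check).
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is accessible to group/other; restrict it to the owner")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    for field in REQUIRED:
        value = _get(doc, field)
        if not isinstance(value, str) or not value.strip():
            problems.append("missing or empty field: " + ".".join(field))
    key = _get(doc, AUTH + ("privateKey",))
    if isinstance(key, str) and key.strip() and "PRIVATE KEY-----" not in key:
        problems.append("privateKey is not PEM text")
    # Catch uploading the keypair of a different app than the one being authorized.
    client_id = _get(doc, APP + ("clientID",))
    if isinstance(client_id, str) and client_id.strip() and client_id != expected_client_id:
        problems.append("clientID does not match the Client ID copied from the console")
    return problems

if __name__ == "__main__":
    # Constructed sample with an empty privateKey; not real credentials.
    sample = {"boxAppSettings": {"clientID": "abc123", "clientSecret": "x", "appAuth": {
        "publicKeyID": "k1", "privateKey": "", "passphrase": "p"}}, "enterpriseID": "1"}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    print(check_box_config(fh.name, "abc123"))
    os.remove(fh.name)
```

Run it against the downloaded file with the Client ID from the OAuth 2.0 Credentials section; any reported problem should be resolved before the file is uploaded.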

Authorize the application with your Box enterprise

  1. From your profile menu, select Admin Console.

  2. Click the Custom Apps Manager tab.

  3. Click Add App.

    The Add App dialog opens.

  4. In the Add App dialog:

    1. Enter the Client ID value that you obtained in Configure the application with the required credentials and scopes into the Client ID field.
    2. Click Next.

    The Authorize App dialog opens.

  5. Review the information, and then click Authorize to grant the permissions.

  6. Under Server Authentication Apps, ensure that Authorization Status says Authorized and Enablement Status says Enabled. If the statuses are different, click to enable and authorize the app.

  7. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Box.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. In the JSON credential file section, click Choose File, and then upload the .json file that you downloaded earlier.
    3. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.