Configure Box for Arctic Wolf monitoring

You can configure Box® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • Administrator permissions for the Box environment that you want Arctic Wolf to monitor.

These actions are required:

  • Verify with your Box administrator that the Arctic Wolf API request rates will not cause your API request limit for your organization to be exceeded. For more information, see Box pricing.
Note:
  • Box configuration could effect the number of API requests that your Box plan allows. Box imposes a strict limit on the number of API requests that all users and applications can do each month on a given Box plan. For example, a Business plan is normally limited to 50,000 API calls each month. If this request limit is exceeded, API calls are denied until the number of API requests in the last month is below the limit. The Arctic Wolf sensor typically makes between 150 and 200 API calls each day, corresponding to a range of 4,200 to 6,200 API requests each month.
  • Box API endpoints can experience reporting latency between when a user or administrator takes an action. For example, between creating or deleting a file and when the logs are available for Arctic Wolf to analyze.

    See Limitations for more information.

Enable two-factor authentication for the administrator account

  1. Do one of these actions:
    Note:

    If you do not have single sign-on (SSO) enabled, Box requires that you enable two-factor authentication (2FA) on the administrator account before generating a key-pair. See Setting Up Single Sign On for more information.

  2. Sign in to Box with administrator permissions for the enterprise you want Arctic Wolf to monitor.
  3. In your profile menu, click Account Settings.
  4. On the Account tab, in the 2-step Verification section, click Set up.
  5. Follow the prompts to configure 2FA.
    Note:

    During this process, sign back into your account if you are logged out.

  6. On the Account Settings page, in the 2-step Verification section, verify that:
    • The method you chose says Enabled.
    • The information you provided is correct.
    Note:

    (Optional) After you provide your Box credentials to Arctic Wolf, you can return to the Account Settings page and disable 2FA. However, Arctic Wolf recommends using 2FA for all accounts with administrator permissions.

Create a new Box application for security monitoring

  1. Sign in to the Box Developer Console with administrator permissions for the enterprise you want Arctic Wolf to monitor.
  2. Click Create New App.
  3. On the Create New App page, click Custom App.
  4. In the Create a Custom App dialog, configure these settings:
    • Name — Enter a name for the app.
    • Purpose — Select a purpose, and then fill out the new fields related to the purpose
  5. Click Next.
  6. Select Server Authentication (with JWT), and then click Create App.

    The app Configuration page opens.

  7. Review the information you provided.

Configure the application scopes and credentials

  1. On the Configuration page for the new application, in the App Access Level section, click App + Enterprise Access.
  2. In the Application Scopes section:
    1. Clear the Write all files and folders stored in Box checkbox. This should automatically clear the Read all files and folders stored in Box checkbox.
    2. Verify that the Manage users, Manage groups, and Manage enterprise properties checkboxes are selected.
  3. In the Add and Manage Public Keys section, click Generate a Public/Private Keypair to generate the JSON file.
  4. Download the JSON file containing the application configuration, including the private key.
  5. Save the JSON file in a safe, encrypted location. You will provide it to Arctic Wolf later.
    Note:

    If required, click Generate a Public/Private Keypair a second time to download the JSON file.

  6. In the OAuth 2.0 Credentials section, copy the Client ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.
  7. Click Save Changes to complete the application configuration.

Authorize the application

  1. In your profile menu, click Admin Console.
  2. Click the Custom Apps Manager tab.
  3. Click Add App.

    The Add App dialog opens.

  4. In the Add App dialog, in the Client ID field, enter the Client ID value from Configure the application scopes and credentials, and then click Next.

    The Authorize App dialog opens.

  5. Review the information, and then click Authorize to grant the permissions.
  6. In the Server Authentication Apps section, make sure that Authorization Status says Authorized and Enablement Status says Enabled. If your statuses are different, click to enable and authorize the app.

Provide Box credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Box.
  5. Configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • JSON credential file section — Click Choose File, and then upload the JSON file downloaded in Configure the application scopes and credentials.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.