
Box

 

The JSA DSM for Box collects enterprise events from a Box enterprise account.

The following table describes the specifications for the Box DSM:

Table 1: Box DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Box |
| DSM name | Box |
| RPM file name | DSM-BoxBox-JSA_version-build_number.noarch.rpm |
| Supported versions | N/A |
| Protocol | Box REST API |
| Event format | JSON |
| Recorded event types | Administrator and enterprise events |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | Box website (https://www.box.com/) |

To integrate Box with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console in the order that they are listed:

    • Protocol Common RPM

    • Box REST API Protocol RPM

    • Box DSM RPM

  2. Configure your Box enterprise account for API access.

  3. The following table describes the parameters that require specific values for Box event collection:

    Table 2: Box Log Source Parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Box |
    | Protocol Configuration | Box REST API |
    | Client ID | Generated in the OAuth2 parameters pane of the Box administrator configuration. |
    | Client Secret | Generated in the OAuth2 parameters pane of the Box administrator configuration. |
    | Key ID | Generated in the Public Key Management pane after you submit the public key. |
    | Enterprise ID | Used for access token request. |
    | Private Key File Name | The private key file name in the /opt/qradar/conf/trusted_certificates/box/ directory in JSA. |
    | Use Proxy | If JSA accesses the Box API by using a proxy, select the Use Proxy check box. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields. |
    | Automatically Acquire Server Certificate(s) | Select Yes for JSA to automatically download the server certificate and begin trusting the target server. |
    | EPS Throttle | The maximum number of events per second. The default is 5000. |
    | Recurrence | The time interval between log source queries to the Box API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 10 minutes. |

The following table shows a sample event message for Box:

Table 3: Box Enterprise Sample Event Message

| Event name | Low level category | Sample log message |
| --- | --- | --- |
| LOGIN | User Login Success | `{"source":{"type":"user","id":"<UserID>","name":"UserName","login":"username@example.com"},"created_by":{"type":"user","id":"<UserID>","name":"UserName","login":"username@example.com"},"created_at":"2016-01-07T10:54:30-08:00","event_id":"363714450","event_type":"LOGIN","ip_address":"<IP_address>","type":"event","session_id":null,"additional_details":null}` |
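
The sample LOGIN message above, normalized into the fields a detection rule would use (event name, category, UTC time, identity and source IP). This is an added example, not JSA or Box code; the function name `normalize`, the output field names, the `Unknown` fallback category, and the placeholder user ID and IP address are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the page's LOGIN event; the user id and IP are
# placeholder values (192.0.2.10 is a documentation address), not real data.
SAMPLE = ('{"source":{"type":"user","id":"1001","name":"UserName",'
          '"login":"username@example.com"},"created_by":{"type":"user",'
          '"id":"1001","name":"UserName","login":"username@example.com"},'
          '"created_at":"2016-01-07T10:54:30-08:00","event_id":"363714450",'
          '"event_type":"LOGIN","ip_address":"192.0.2.10","type":"event",'
          '"session_id":null,"additional_details":null}')

# Only the mapping shown on the page; "Unknown" for anything else is an assumption.
CATEGORY = {"LOGIN": "User Login Success"}


def normalize(raw):
    """Parse one Box enterprise event and return the fields a SIEM rule uses."""
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(ev, dict) or ev.get("type") != "event":
        raise ValueError("not a Box event object")
    missing = [k for k in ("event_id", "event_type", "created_at") if not ev.get(k)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    # created_by is the acting user; tolerate null or a missing object.
    actor = ev.get("created_by") or {}
    source = ev.get("source") or {}
    # Convert the offset timestamp to UTC so events from different zones correlate.
    when = datetime.fromisoformat(ev["created_at"]).astimezone(timezone.utc)
    return {
        "event_id": ev["event_id"],
        "event_name": ev["event_type"],
        "category": CATEGORY.get(ev["event_type"], "Unknown"),
        "time_utc": when.isoformat(),
        "username": actor.get("login"),
        "source_ip": ev.get("ip_address"),
        "target_type": source.get("type"),
        "target_id": source.get("id"),
        "session_id": ev.get("session_id"),
        "details": ev.get("additional_details") or {},
    }


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE), indent=2))
```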