Box Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Box sample messages when you use the Box REST protocol
Sample 1: The following sample event message shows that the user User Name, from IP address 10.0.0.1, added an application key to Box.
{"source": {"type":"application","name":"QRadarBox","api_key":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"created_by":{"type":"user","id":"262196057","name":"User Name","login":"user.name@domain.test"},"created_at":"2016-02-10T07:49:07-08:00","event_id":"403702014","event_type":"APPLICATION_PUBLIC_KEY_ADDED","ip_address":"10.0.0.1","type":"event","session_id":null,"additional_details":null}

| JSA Field Name | Highlighted payload field name |
|---|---|
| Username | name |
| Device Time | created_at |
| Event ID | event_type |
| Source IP Address | ip_address |
Sample 2: The following sample event message shows that a Suspicious Location alert was generated based on Download activity by the user Some name.
{"source":null,"created_by":{"type":"user","id":"2","name":"Unknown User","login":""},"action_by":null,"created_at":"2019-12-20T11:38:56-08:00","event_id":"97f1b31f-f143-4777-81f8-1b557b39ca33","event_type":"SHIELD_ALERT","ip_address":"10.1.2.3","type":"event","session_id":null,"additional_details":{"shield_alert":{"rule_category":"Suspicious Locations","rule_id":"123","rule_name":"Suspicious Location","risk_score":60,"alert_summary": {"alert_activities": [{"occurred_at":"2019-12-20T11:37:05-08:00","event_type":"Download","item_name":"xyz.txt","item_type":"file","item_id":"127","item_path":"ABC/DEF","ip_info": {"ip":"10.2.3.4","latitude":"44.9727","longitude":"-65.8609","registrant":"Registrant Company Name","country_code":"CA","city_name":"Saint John","region_name":"New Brunswick"},"service_name":"Box Excel Online Previewer"}]},"alert_id":2398,"priority":"medium","user":{"id":2320,"name":"Some name","email":"some@domain.test"},"link":"https://app.box.com/master/shield/alerts/123412341234","created_at":"2019-12-20T11:37:15-08:00"}}}

| JSA Field Name | Highlighted payload field name |
|---|---|
| Device Time | created_at |
| Source IP Address | ip_address |
| Event ID | rule_category. When the event_type value is SHIELD_ALERT, a Box Shield alert is indicated and the rule_category field is used for the Event ID. |
| Severity | risk_score. The risk_score field severity value range is 1 - 100. In JSA, the severity value range is 1 - 10. JSA divides the risk_score field severity value by 10, and then rounds it to the nearest integer. |
| Username | name |
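
The field mapping from both tables, written out as an added Python example (this is not JSA or Box code, and `box_event_to_jsa_fields` is a hypothetical name). It assumes that Username for a Shield alert is `shield_alert.user.name`, that Device Time is the top-level `created_at`, and that ties round up; the inline payloads are constructed, shortened copies of the two samples.

```python
import json

# Constructed, shortened copies of the two samples; SAMPLE_1 keeps a wrap-induced CR/LF.
SAMPLE_1 = ('{"created_\r\nby":{"type":"user","name":"User Name"},'
            '"created_at":"2016-02-10T07:49:07-08:00",'
            '"event_type":"APPLICATION_PUBLIC_KEY_ADDED","ip_address":"10.0.0.1",'
            '"additional_details":null}')
SAMPLE_2 = ('{"created_by":{"type":"user","name":"Unknown User"},'
            '"created_at":"2019-12-20T11:38:56-08:00","event_type":"SHIELD_ALERT",'
            '"ip_address":"10.1.2.3","additional_details":{"shield_alert":{'
            '"rule_category":"Suspicious Locations","risk_score":60,'
            '"user":{"id":2320,"name":"Some name"}}}}')


def box_event_to_jsa_fields(raw: str) -> dict:
    """Map one Box event payload to the JSA fields listed in the tables."""
    # Remove carriage returns and line feeds left by page wrapping, then parse.
    event = json.loads(raw.replace("\r", "").replace("\n", ""))
    fields = {
        "Device Time": event.get("created_at"),  # assumption: top-level created_at
        "Source IP Address": event.get("ip_address"),
        "Severity": None,  # only Shield alerts carry a risk_score
    }
    alert = (event.get("additional_details") or {}).get("shield_alert")
    if event.get("event_type") == "SHIELD_ALERT" and alert:
        # Shield alert: rule_category replaces event_type as the Event ID.
        fields["Event ID"] = alert.get("rule_category")
        # Assumption: "name" in the Sample 2 table is shield_alert.user.name.
        fields["Username"] = (alert.get("user") or {}).get("name")
        score = alert.get("risk_score")
        if isinstance(score, (int, float)):
            # risk_score (1-100) divided by 10, rounded to nearest integer.
            # Assumption: ties round up. Scores below 5 give 0 and are not
            # clamped, because the page does not say how JSA treats them.
            fields["Severity"] = int(score / 10 + 0.5)
    else:
        fields["Event ID"] = event.get("event_type")
        fields["Username"] = (event.get("created_by") or {}).get("name")
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(box_event_to_jsa_fields(sample))
```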