Box Log Monitoring

Integration Overview

Box develops cloud-based content management, collaboration, and sharing tools and provides businesses with a single place to manage, secure, share, and govern content. Panther can collect, normalize, and monitor Box logs to help you identify any suspicious activity within your organization in real time. Your normalized data is then retained to conduct future security investigations in a serverless security data lake powered by Snowflake.

Use Cases for Box Logs

Box event logs show various types of activity in an organization's Box account, such as permission changes, login activity, or files uploaded, shared, or downloaded. Common security use cases for Box logs include monitoring for:

  • New, untrusted, or anomalous login attempts
  • Malicious content uploads or transfers
  • Excessive folder permission changes or downloads
  • Box Shield triggers and alerts

Onboarding Box Logs in Panther

Panther’s integration for Box is simple to configure, allowing you to onboard logs in just a few minutes. Simply select Box from the list of log sources within the Panther console, create a new Box App within the Box Developer Console, and enter your Box credentials into Panther.

Panther can pull audit events from the Box Events API every 60 seconds for real-time detection. For more details on onboarding Box logs or for supported log schema, you can view our Box documentation here.

Parsing, Normalizing, & Analyzing

As Panther ingests Box event logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to write detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.

Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all of your log sources - not just Box. You can then use Panther’s various search tools - such as Query Builder, Data Explorer, and Indicator Search - to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching log data, check out our documentation on Investigations & Search.

Built-in and Easily Customizable Detections

A number of pre-built detections for Box are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for Box logs here.

With Panther, you aren’t confined to restrictive detections or proprietary languages as seen in many SIEM platforms. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.

Configuring Alerts

Panther generates alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.

Alerts are grouped into five different severity levels: Info, Low, Medium, High, and Critical. Your team has the ability to dynamically assign severity based on specific log event attributes.

Customer Support

If you have any questions about configuring or monitoring Box logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring Box logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Box logs.

Replacing Traditional SIEM for Box Logs

With Panther, your team doesn’t have to pay excessive costs to keep up with the growth of cloud app data, struggle with rigid detection logic, or waste time and resources on operational overhead. Panther was founded by a team of security engineers who struggled with today’s SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for Box logs, request a demo today.

Escape Cloud Noise. Detect Security Signal.
Request a Demo