Smart Access
Can I report on when a user changes a classification, or is restricted by an access policy?
Changes to the classification of a file or folder (add, edit, delete) are reported events in Box. Audit events for policy enforcement are not yet available, but are on our roadmap.
How quickly does Smart Access begin enforcing policies?
After you configure them, Shield immediately begins enforcing your access policies.
Can I configure a set of these access controls as a default for all content across my instance?
Yes. When you create an access policy, for Content Type select Apply to all content without classification, then define a combination of access controls. This may be an option if you want a baseline set of restrictions, and require your users to apply a less restrictive label to a file or folder (for example, "Public") before allowing an action such as externally sharing.
Threat Detection
Does Shield send alerts in real-time?
Most alerts, including Malware Detection and Suspicious Location, are near real-time and triggered as soon as Box detects an anomaly or suspicious behavior. For alerts that leverage machine learning, such as Anomalous Downloads and Suspicious Sessions, notifications are sent within 24 hours.
How long does it take for Shield's machine learning to start working?
When you enable Shield for an instance that already has content and activity, Shield takes 24 hours or less to create the machine learning model that enables it to generate alerts.
For new users, how much time does Shield need to compile the profile of a person's normal activity?
Shield needs about two weeks to compile a statistically reliable profile.
For the Suspicious Session rule, how do you prevent false positives, such as my VPNs?
For Suspicious Sessions, Shield not only detects the rapid change in a user's location within a short period of time, but also considers additional signals including recency of the IP address for a given enterprise, user agent strings, application types, and context about IP addresses.
Does syncing to Box Drive or Box Sync count as download activity for Threat Detection?
No. But downloading from Box Drive to a local machine counts as download behavior.
Can I adjust the threshold of deviation from normal activity that triggers alerts?
No, Shield does not enable you to adjust deviation thresholds. However, Shield's machine learning creates a dynamic and adaptive threshold that changes with time and activity.
When receiving alerts, can I define alert priorities and filter alerts?
Yes, when you define a detection rule, you can define the rule's Alert Priority Level:
- Informational
- Low
- Medium
- High
- Critical
You can also filter in the Dashboard by priority, rule type, and time span.
Can I specify which user accounts to monitor?
In a future release, Box will enable you to specify the users that you want Shield to monitor in the Anomalous Download detection rule.
Can Shield send alerts to my SIEM for analysis and follow-up?
Yes. All alerts are part of the Box events stream, which can be sent to your SIEM via API. Shield also provides a context-rich summary in our UI that makes it easy to evaluate an alert. We are also working on developing integrations and pre-built connectors with leading SIEM providers.
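The following added example (not Box's own code) shows SIEM-side triage of an already-fetched batch of events: it keeps only Shield alerts, skips redelivered duplicates, and filters by priority, rule type, and time span. The `SHIELD_ALERT` event type and the `additional_details.shield_alert` field layout are assumptions to confirm against your own event stream, and the sample events are constructed.

```python
from datetime import datetime, timezone

# Priority levels as listed on this page, lowest to highest.
PRIORITIES = ["informational", "low", "medium", "high", "critical"]

def _alert(eid, when, rule, priority):
    # Builds one constructed SHIELD_ALERT event; the field layout is an assumption.
    return {"event_id": eid, "event_type": "SHIELD_ALERT", "created_at": when,
            "additional_details": {"shield_alert": {
                "rule_category": rule, "priority": priority,
                "user": {"email": "user@example.com"}}}}

# Constructed sample input, not real Box output.
SAMPLE_EVENTS = [
    _alert("e1", "2024-05-01T10:00:00Z", "Suspicious Location", "low"),
    _alert("e2", "2024-05-01T10:05:00Z", "Malware Detection", "Critical"),
    {"event_id": "e3", "event_type": "DOWNLOAD", "created_at": "2024-05-01T10:06:00Z"},
    _alert("e2", "2024-05-01T10:05:00Z", "Malware Detection", "Critical"),  # redelivered
    _alert("e4", "2024-05-01T10:07:00Z", "Anomalous Downloads", None),      # no priority
    _alert("e5", "2024-04-01T09:00:00Z", "Suspicious Sessions", "high"),    # too old
]

def select_alerts(events, min_priority="medium", rule_types=None, since=None, seen=None):
    """Return SIEM-ready Shield alert records, most urgent first."""
    seen = set() if seen is None else seen
    floor = PRIORITIES.index(min_priority)
    out = []
    for ev in events:
        eid = ev.get("event_id")
        if ev.get("event_type") != "SHIELD_ALERT" or eid in seen:
            continue  # not an alert, or a redelivered event already forwarded
        seen.add(eid)
        alert = (ev.get("additional_details") or {}).get("shield_alert") or {}
        priority = str(alert.get("priority") or "").lower()
        # An unrecognised priority is forwarded for review, never dropped silently.
        rank = PRIORITIES.index(priority) if priority in PRIORITIES else len(PRIORITIES)
        created = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        rule = alert.get("rule_category", "unknown")
        if rank < floor or (rule_types and rule not in rule_types):
            continue
        if since and created < since:
            continue
        out.append({"event_id": eid, "time": created.isoformat(), "rule": rule,
                    "priority": priority if rank < len(PRIORITIES) else "unparsed",
                    "rank": rank, "user": (alert.get("user") or {}).get("email")})
    return sorted(out, key=lambda r: r["rank"], reverse=True)

if __name__ == "__main__":
    cutoff = datetime(2024, 5, 1, tzinfo=timezone.utc)
    for record in select_alerts(SAMPLE_EVENTS, since=cutoff):
        print(record)
```

Pass the same `seen` set across polling runs so an alert that is redelivered in a later batch is forwarded only once.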
Can Shield send alerts to my mobile device?
Yes. When you configure a Threat Detection rule, just provide the email address to which you want Shield to send alert notifications.
General
What are the different Shield administration roles?
You can grant co-admins permission to edit the Shield configuration for your company and view Shield lists and alerts, or grant permission to only view Shield lists and alerts.
Will Box automatically push Shield updates to me?
Yes.
Whom do I contact if I need help or have questions?
Please contact either Box Support or your Customer Success Manager.