Print

Using Threat Detection

  • Posted Updated

In this article:

 

Box Shield enables you to configure and apply a variety of threat detection rules that alert you to deviations in a person's usual work activities.

To configure threat detection rules, Shield enables you to create lists of alert criteria, such as blocked countries or domains, that you can add to these rules. You can also specify where you want Shield alerts to be sent for evaluation.

When you apply a threat detection rule, Box Shield monitors your account holders' activities and uses machine learning to predict which potentially sensitive documents each monitored account holder would download under normal circumstances. When an account holder’s download activity significantly deviates from prediction, Shield alerts you.

 

With Threat Detection, you can

  • detect malicious account holders who use their access to steal data or access content.
  • detect compromised accounts based on context such as locations, activities, and access patterns.
  • detect potential malware in content uploading to your enterprise's Box account, and enforce downloading restrictions.
  • make important security decisions based on rules and behaviors.

 

Here's a video showing how to save a threat detection rule and view Shield alerts.

Threat Detection Rule Limits

The following table describes the limits in threat detection rules.

Item Limit
Name 80 characters
Description 255 characters
# of rules

25, consisting of:

  • 1 suspicious session rule
  • 1 anomalous download rule
  • 1 malware detection rule
  • 22 suspicious location rules

Setting up Shield Threat Detection

Setting up Shield's threat detection is easy; here's the outline of how to do it:

  1. Create a Shield list containing the names of locations or other information that you want to either monitor or exclude from monitoring.
  2. Select a detection rule. You can choose to monitor for 
    • anomalous downloads,
    • potential malware in content being uploaded to Box,
    • content access from suspicious locations,
    • content access through suspicious online sessions.
  3. Configure the detection rule:
    • add the Shield list to the rule, and select either to include or exclude the list from the rule,
    • select how you'd like Shield to alert you.
  4. Start the rule.

That's it! When you start a configured rule, Shield uses it while learning and monitoring patterns of account activity in your enterprise.

 

 

 

Using Shield Detection Rules

Understanding detection rules

Box Shield provides a set of detection rules you can select, configure, and apply. A detection rule watches for a specific type of anomalous event in account holders' activity, and triggers a Shield notification when the rule detects the event. Detection rules include:

  • Anomalous Download, which detects an account holder who may be stealing sensitive content.
  • Malware Detection, which detects potential malware in content uploading to your enterprise's Box account.  When Shield detects potential malware, Box
    • displays a warning banner to all users accessing malicious content from the Box Web app,
    • displays an alert on your Shield Dashboard, and
    • enforces downloading restrictions you selected when you configured this rule. 
      • On Box Drive for MacOS or Windows, download restrictions prevent people from opening, moving, or copying a malicious file.  Instead, a warning notification displays.
  • Suspicious Location, which detects someone apparently accessing content from an unusual or excluded geographic location or host IP address.
  • Suspicious Session which detects someone apparently accessing content in a session characterized by unusual user-agent strings, unusual IDs, uncommon types of applications, new IP addresses, and an improbably rapid change in the person's log-in location.

 

Selecting a detection rule

To select a detection rule:

  1. Go to Admin Console > Shield.
  2. Click the Detection Rules tab.
  3. Click Create Rule (button_Create_Rule.png).
  4. Click the detection rule you want to use. Box displays the Step 1 Rule Details section.
  5. In Rule Name, type a name for the rule.
  6. In Description, type the purpose of the rule.
  7. Click Alert Priority Level and select a priority.
  8. Now you can configure and start the rule as detailed in the following section.

 

Configuring and starting a detection rule

After selecting a Shield detection rule, you can configure and enable it. Configuration choices vary based on the detection rule you select, and can include

  • adding Shield lists to define domains or applications to monitor, or to exclude from monitoring,
  • adding Shield lists to define allowed and disallowed countries, and host IP addresses.
  • selecting actions you want Shield to perform when it detects anomalous behavior.

 

To configure an Anomalous Download rule:

  1. In Step 3 Select Actions, select how you want Shield to send alerts:
    • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.  
    • To alert specific users, under Notify Users, type a comma-separated list of users' account names.
  2. In the top-right corner of the window, click Next.
  3. To enable the rule, click Start Rule.

 

To configure a Malicious Content rule:

  1. In Step 2 Select Actions, select how you want Shield to send alerts:
    • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.  
    • To alert specific users, under Notify Users, type a comma-separated list of users' account names
  2. To restrict downloads, click Restrict download of content.  This prevent any user from downloading the file from any Box app; preview and online editing remain available, 
  3. In the top-right corner of the window, click Next.
  4. To enable the rule, click Start Rule.

 

To configure a Suspicious Location rule:

  1. In Step 2 Select Criteria:
    • Go to Locations to Monitor and
      • click Alert when any of the selected locations are observed, and type a list of countries or Shield lists of countries, or
      • click Do not Alert when any of the selected locations are observed countries, and type a list of countries or Shield lists of countries.
    • Go to Content to Monitor, then select the classification labels to monitor.
  2. In Step 3 Select Filters (Optional), select one or more of the following:
    • Exclude public shared links.
    • Exclude IP addresses, then type a comma-separated list of IP addresses or Shield lists of IP addresses you want to exclude from the rule.
    • Exclude apps, then type a comma-separated list of application names you want to exclude from the rule.
  3.  In Step 4 Select Actions, select how you want Shield to send alerts:
    • To forward alerts to a third-party tool, click Publish Alert to Box Event Stream.
    • To alert specific users, under Notify Users type a comma-separated list of users' account names.
  4. In the top-right corner of the window, click Next.
  5. To enable the rule, click Start Rule.

 

To configure a Suspicious Session rule:

  1. In Step 2 Select Criteria, review the rule's description.
  2. In Step 3 Select Filters (Optional), select the context type to exclude from this rule.  Select one or more of the following:
    • Exclude IP addresses, then type a comma-separated list of IP addresses you want to exclude from the rule.
    • Exclude apps, then type a list of application names you want to exclude from the rule.
  3. In Step 4 Select Actions, select how you want Shield to send alerts:
    • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.
    • To alert specific users, under Notify Users, type a comma-separated list of users' account names.
  4. In the top-right corner of the window, click Next.
  5. To enable the rule, click Start Rule.

 

After you click Start Rule, Shield uses the rule to monitor account activities in your enterprise.

 

Modifying a configured rule

To modify a configured rule:

  1. In the Admin Console's left pane, click Shield.
  2. In the top of the Shield window, click Detection Rules.
  3. Click the rule's name.
  4. Next to Detection Rule Details, click Edit.
  5. After editing the list, in the top-right corner of the window click Update Rule.

 

Deleting a configured rule

To delete a configured rule:

  1. In the Admin Console's left pane, click Shield.
  2. In the top of the Shield window, click Detection Rules.
  3. Click the rule's name.
  4. In the top-right corner of the window click Delete.

 

 

Using the Shield Dashboard

Viewing Shield alerts

After you've started one or more detection rules, Shield Dashboard displays alerts for account activities that meet detection criteria.

Alerts include

  • alert ID,
  • date of the alert,
  • the name and type of the related detection rule,
  • the name and email address of the account holder whose activity triggered the alert,
  • risk score, and
  • the IP address whose access triggered the alert.

 

Viewing the list of Shield alerts

To view Shield alerts:

  1. In the Admin Console's left pane, click Shield.
  2. In the top of the Shield window, click Dashboard. Box displays the alert list table.

 

Filtering Shield alerts

To filter the alert list table:

  1. In the Admin Console's left pane, click Shield.
  2. At the top of the window, click Dashboard.
  3. In the Dashboard tab, in the upper-right corner you can select to filter by:
    • Rule type
    • Priority
    • Time span
  4. Box displays the alert list table according to your selected filtering criteria.

 

Viewing a Shield alert's details

To view an alert's details:

  1. In the Admin Console's left pane, click Shield.
  2. At the top of the window, click Dashboard.
  3. In the alert list table, click an alert.
  4. Box displays the alert detail page.

The alert detail page displays the following:

  • Alert Summary provides a summary of the alert including alert name, alert ID, alert type, risk score, and information about the criteria defined in the detection rule that triggered this alert.
  • User Summary summarizes the target account for this alert, including email address, last login time, and group membership (as defined in Box). If group membership information is not populated in Box, this field can be empty.
  • Geographic Activities summarizes on a geographical map the location of the account's activity at the time of the alert.
  • Content Accessed summarizes statistics for content accessed by the account at the time of the alert.
  • User Activities summarizes the account's activities, by activity type, at the time of the alert.
  • Client Activities displays information about the clients that accessed content at the time of the alert. This information helps you delineate access from a corporate network as opposed to home or public networks.
  • Alert Timeline displays a chronological list of the individual account activity that caused the alert.

 

Excluding apps and IP addresses from Shield alerts

When you review the Alert Details page and see an application or IP address that you want to exclude from Suspicious Location and Suspicious Session alerts, next to the application's name or the IP address click Exclude.

 

 

Interpreting Shield risk scores

An alert's risk score ranges from 1 to 100, indicating the alert's urgency and its need for your attention. The larger the alert's risk score is, the greater the likelihood of a detected threat.

 

Risk scores from the Anomalous Download rule

The Anomalous Download rule identifies account holders who download potentially sensitive content for unusual work purposes. Shield machine learning predicts what content people may need this week for work purposes. When someone downloads much more potentially sensitive content than predicted by the model, Shield sends you alerts with high risk scores.

 

Risk scores from the Suspicious Location rule

The Suspicious Location rule generates a risk score based on your configured priority. The priority you define in the Suspicious Location rule determines the risk score as follows:

 

Priority Risk Score
LOW 20
INFO 40
MED 60
HIGH 80
CRITICAL 100

 

Risk scores from the Suspicious Session rule

The Suspicious Session rule finds potentially compromised user accounts by detecting concurrent sessions originating from different geographical locations. The reported risk score reflects Shield's confidence in the account being compromised.

 

Risk scores from the Malicious Content rule

The Malicious Content rule helps detect malware uploaded to Box and the risk score reflects Shield confidence that the file is indeed malware and not a clean file.

 

 

Providing feedback for Anomalous Download Alert

As an admin, you can provide granular feedback on individual folders that were deemed as anomalous in the Anomalous Download alert to improve our detection accuracy for your enterprise. To do so you need to the following:

  1. Go to the Anomalous Content Downloaded section of the alert.
  2. Click on any folder
  3. In the Overview section, you can see the owner, Sensitivity level of the file and other download statistics.
  4. Based on what you can give following feedback:
    • Is the folder expected to contain sensitive data?
      • Yes
      • No
      • Not sure
    • Is this user expected to download this content?
      • Yes
      • No
      • Not sure

 

admin_swarm_kb

Related articles