Using Threat Detection

Box Shield enables you to configure and apply a variety of threat detection rules that alert you to deviations in a person's usual work activities.

To configure threat detection rules, Shield enables you to create lists of alert criteria, such as blocked countries or domains, that you can add to these rules. You can also specify where you want Shield alerts to be sent for evaluation.

When you apply a threat detection rule, Box Shield monitors your account holders' activities and uses machine learning to predict which potentially sensitive documents each monitored account holder would download under normal circumstances. When an account holder’s download activity significantly deviates from prediction, Shield alerts you.

 

With Threat Detection, you can

• detect malicious account holders who use their access to steal data or access content,
• detect compromised accounts based on context such as locations, activities, and access patterns,
• detect potential malware in content uploading to your enterprise's Box account, and enforce downloading restrictions.
• make important security decisions based on rules and behaviors.

 

Here's a video showing how to save a threat detection rule and view Shield alerts.

 

Setting up threat detection

Setting up Shield's threat detection is easy; here's the outline of how to do it:

1. Create a list containing the names of locations or other information that you want to either monitor or exclude from monitoring.
2. Select a detection rule. You can choose to monitor for 
   • anomalous downloads,
   • potential malware in content being uploaded to Box,
   • content access from suspicious locations,
   • content access through suspicious online sessions.
3. Configure the detection rule:
   • add the Shield list to the rule, and select either to include or exclude the list from the rule,
   • select how you'd like Shield to alert you.
4. Start the rule.

That's it! When you start a configured rule, Shield uses it while learning and monitoring patterns of account activity in your enterprise.

 

Using Shield Lists

Creating lists

For customizing threat detection, Box Shield enables you to create Shield lists, which are lists of countries, domains, applications, or host IP addresses that you can later either include in or exclude from your threat detection rules.

 

To create a list of countries:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Lists.
3. In the top-right corner of the list window, click Create Shield List and select Locations.
4. In Shield List Name, type a name for your Shield list.
5. In Description, type a summary of the list's purpose.
6. Click Add Countries.
7. Type a comma-separated list of country names. As you type, Box displays names of countries you can select.
8. In the top-right corner of the window, click Next.
9. Click Create List. You may need to refresh the window to see the updated lists.

 

To create a list of domains:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Lists.
3. In the top-right corner of the list window, click Create Shield List and select Domains.
4. In Shield List Name, type a name for your Shield list.
5. In Description, type a summary of the list's purpose.
6. In Enter Domains, type a comma-separated list of domains.
7. In the top-right corner of the window, click Next.
8. Click Create List. You may need to refresh the window to see the updated lists.

 

 

To create a list of applications:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Lists.
3. In the top-right corner of the list window, click Create Shield List and select Applications.
4. In Shield List Name, type a name for your Shield list.
5. In Description, type a summary of the list's purpose.
6. In Enter Applications, type the name of an application. As you type, Box displays the list of applications currently available to your account. Select an application.
7. In the top-right corner of the window, click Next.
8. Click Create List. You may need to refresh the window to see the updated lists.

 

 

 

To create a list of host IP Addresses:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Lists.
3. In the top-right corner of the list window, click Create Shield List and select Host IP Addresses.
4. In Shield List Name, type a name for your Shield list.
5. In Description, type a summary of the list's purpose.
6. Click Add Host IP Address.
7. Type a comma-separated list of host IP addresses.
8. In the top-right corner of the window, click Next.
9. Click Create List. You may need to refresh the window to see the updated lists.

 

Modifying a list

To modify a list:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Lists.
3. Click a list's name.
4. Next to Shield List Details, click Edit.
5. After editing the list, in the top-right corner of the window click Save.

 

Deleting a list

To delete a list:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Lists.
3. Click a list's name.
4. In the top-right corner of the window click Delete.

 

Using Shield Detection Rules

Understanding detection rules

Box Shield provides a set of detection rules you can select, configure, and apply. A detection rule watches for a specific type of anomalous event in account holders' activity, and triggers a Shield notification when the rule detects the event. Detection rules include:

• Anomalous Download, which detects an account holder who may be stealing sensitive content.
• Malware Detection, which detects potential malware in content uploading to your enterprise's Box account.  When Shield detects potential malware, Box
  • displays a warning banner to all users accessing malicious content,
  • displays an alert on your Shield Dashboard, and
  • enforces downloading restrictions you selected when you configured this rule.  
• Suspicious Location, which detects someone apparently accessing content from an unusual or excluded geographic location or host IP address.
• Suspicious Session which detects someone apparently accessing content in a session characterized by unusual user-agent strings, unusual IDs, uncommon types of applications, new IP addresses, and an improbably rapid change in the person's log-in location.

 

Selecting a detection rule

To select a detection rule:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Detection Rules. Box displays the Shield Rules window.
3. In the top-right corner of the Shield Rules window, click Create Shield Rule.
4. Click the detection rule you want to use. Box displays the Step 1 Rule Details section.
5. In Rule Name, type a name for the rule.
6. In Description, type the purpose of the rule.
7. Click Alert Priority Level and select a priority.
8. Now you can configure and start the rule as detailed in the following section.

 

Configuring and starting a detection rule

After selecting a Shield detection rule, you can configure and enable it. Configuration choices vary based on the detection rule you select, and can include

• adding Shield lists to define domains or applications to monitor, or to exclude from monitoring,
• adding Shield lists to define allowed and disallowed countries, and host IP addresses.
• selecting actions you want Shield to perform when it detects anomalous behavior.

 

To configure an Anomalous Download rule:

1. In Step 2 Select Actions, select how you want Shield to send alerts:
   • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.  
   • To alert specific users, under Notify Users, type the users' account names
2. In the top-right corner of the window, click Next.
3. To enable the rule, click Start Rule.

 

To configure a Malware Detection rule:

1. In Step 2 Select Actions, select how you want Shield to send alerts:
   • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.  
   • To alert specific users, under Notify Users, type the users' account names
2. To restrict downloads, click Restrict download of content.  This prevent any user from downloading the file from any Box app; preview and online editing remain available, 
3. In the top-right corner of the window, click Next.
4. To enable the rule, click Start Rule.

 

To configure a Suspicious Location rule:

1. In Step 2 Select Criteria, go to Locations to Monitor and either
   • click Specify locations to include, or
   • click Specify locations to exclude.
2. In Countries, type the name of the Shield list you want to use.
3. In IP Addresses or CIDR, type the name of the Shield list you want to use.
4. In Specific Content to Monitor, select the content and classification levels to monitor, and whether to monitor shared public links.
5. In Step 3 Select Actions, select how you want Shield to send alerts:
   • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.  
   • To alert specific users, under Notify Users, type the users' account names
6. In the top-right corner of the window, click Next.
7. To enable the rule, click Start Rule.

 

To configure a Suspicious Session rule:

1. In Step 2 Select Actions, select how you want Shield to send alerts:
   • To forward alerts to a third-party tool, click Publish alert to Box Event Stream.  
   • To alert specific users, under Notify Users, type the users' account names
2. In the top-right corner of the window, click Next.
3. To enable the rule, click Start Rule.

After you click Start Rule, Shield uses the rule to monitor account activities in your enterprise.

 

Modifying a configured rule

To modify a configured rule:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Detection Rules.
3. Click the rule's name.
4. Next to Shield Rule Details, click Edit.
5. After editing the list, in the top-right corner of the window click Save.

 

Deleting a configured rule

To delete a configured rule:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Detection Rules.
3. Click the rule's name.
4. In the top-right corner of the window click Delete.

 

Using the Shield Dashboard

Viewing Shield alerts

After you've started one or more detection rules, Shield Dashboard displays alerts for account activities that meet detection criteria.

Alerts include

• alert ID,
• date of the alert,
• the name and type of the related detection rule,
• the name and email address of the account holder whose activity triggered the alert,
• risk score, and
• the IP address whose access triggered the alert.

 

Viewing alerts

To view Shield alerts:

1. In the Admin Console's left pane, click Shield.
2. In the top of the Shield window, click Dashboard. Box displays the alert list table.

 

Filtering alerts

To filter the alert list table:

1. In the Admin Console's left pane, click Shield.
2. At the top of the window, click Dashboard.
3. In the Dashboard tab, in the upper-right corner you can select to filter by:
   • Rule type
   • Priority
   • Time span
4. Box displays the alert list table according to your selected filtering criteria.

 

Viewing an alert's details

To view an alert's details:

1. In the Admin Console's left pane, click Shield.
2. At the top of the window, click Dashboard.
3. In the alert list table, click an alert.
4. Box displays the alert detail page.

The alert detail page displays the following:

• Alert Summary provides a summary of the alert including alert name, alert ID, alert type, risk score, and information about the criteria defined in the detection rule that triggered this alert.
• User Summary summarizes the target account for this alert, including email address, last login time, and group membership (as defined in Box). If group membership information is not populated in Box, this field can be empty.
• Geographic Activities summarizes on a geographical map the location of the account's activity at the time of the alert.
• Content Accessed summarizes statistics for content accessed by the account at the time of the alert.
• User Activities summarizes the account's activities, by activity type, at the time of the alert.
• Client Activities displays information about the clients that accessed content at the time of the alert. This information helps you delineate access from a corporate network as opposed to home or public networks.
• Alert Timeline displays a chronological list of the individual account activity that caused the alert.

 

Interpreting Shield risk scores

An alert's risk score ranges from 1 to 100, indicating the alert's urgency and its need for your attention. The larger the alert's risk score is, the greater the likelihood of a detected threat.

 

Risk scores from the Anomalous Download rule

The Anomalous Download rule identifies account holders who download potentially sensitive content for unusual work purposes. Shield machine learning predicts what content people may need this week for work purposes. When someone downloads much more potentially sensitive content than predicted by the model, Shield sends you alerts with high risk scores.

 

Risk scores from the Suspicious Location rule

The Suspicious Location rule generates a risk score based on your configured priority. The priority you define in the Suspicious Location rule determines the risk score as follows:

 

Priority	Risk Score
LOW	20
INFO	40
MED	60
HIGH	80
CRITICAL	100

 

Risk scores from the Suspicious Session rule

The Suspicious Session rule finds potentially compromised user accounts by detecting concurrent sessions originating from different geographical locations. The reported risk score reflects Shield's confidence in the account being compromised.