This topic contains the following sections:
- About Box Shield Threat Detection
- Threat Detection Rule Types
- Threat Detection Rule Type Limits
- Using the Shield Dashboard
- Interpreting Shield risk scores
- Providing feedback for Anomalous Download Alert
About Box Shield Threat Detection
Box Shield enables you to configure and apply a variety of threat detection rules that alert you to deviations in a person's usual work activities.
To configure threat detection rules, Shield enables you to create lists of alert criteria, such as blocked countries or domains, that you can add to these rules. You can also specify where you want Shield alerts to be sent for evaluation.
When you apply a threat detection rule, Box Shield monitors your account holders' activities and uses machine learning to predict which potentially sensitive documents each monitored account holder would download under normal circumstances. When an account holder’s download activity significantly deviates from prediction, Shield alerts you.
With Threat Detection, you can
- detect malicious account holders who use their access to steal data or access content.
- detect compromised accounts based on context such as locations, activities, and access patterns.
- detect potential malware in content uploading to your enterprise's Box account, and enforce downloading restrictions.
- make important security decisions based on rules and behaviors.
Threat Detection Rule Types
Box Shield provides several detection rule types that you can configure and apply. A detection rule watches for a specific type of anomalous event in account holders' activity, and triggers a Shield notification when the rule detects the event. Detection rules types include:
- Anomalous Download, which detects an account holder who may be stealing sensitive content.
- Malicious Content, which detects potential malware in content uploading to your enterprise's Box account. Malicious content rules offer multiple types of malware detection:
- Reputation scan of threats by comparing your files to files known to contain malware
- Deep scan of certain file types by evaluating the content of those files
When Shield detects potential malware, Box- Displays a warning banner to all users accessing malicious content from the Box Web app,
- Displays an alert on your Shield Dashboard, and
- Enforces downloading restrictions you selected when you configured this rule.
- On Box Drive for MacOS or Windows, download restrictions prevent people from opening, moving, or copying a malicious file. Instead, a warning notification displays.
- Suspicious Location, which detects someone apparently accessing content from an unusual or excluded geographic location, host IP address, set of users or groups, or domains.
- Suspicious Session which detects instances of impossible travel characterized by rapid changes in user location, combined with unusual user agent strings and new IP addresses.
Threat Detection Rule Type Limits
You can create up to 25 Threat Detection rules, consisting of:
- 1 suspicious session rule
- 1 anomalous download rule
- 1 malware detection rule
- Up to 22 suspicious location rules
You can:
After you click Start Rule, Shield uses the rule to monitor account activities in your enterprise.
Using the Shield Dashboard
Viewing Shield alerts
After you've started one or more detection rules, Shield Dashboard displays alerts for account activities that meet detection criteria.
Alerts include
- alert ID,
- date of the alert,
- the name and type of the related detection rule,
- the name and email address of the account holder whose activity triggered the alert,
- risk score, and
- the IP address whose access triggered the alert.
Viewing the list of Shield alerts
To view Shield alerts:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
Filtering Shield alerts
To filter the alert list table:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
- In the Dashboard tab, in the upper-right corner you can select to filter by:
- Rule type
- Priority
- Time span
- Box displays the alert list table according to your selected filtering criteria.
Viewing a Shield alert's details
To view an alert's details:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
- In the alert list table, click an alert.
- Box displays the alert detail page.
The alert detail page displays the following:
- Alert Summary provides a summary of the alert including alert name, alert ID, alert type, risk score, and information about the criteria defined in the detection rule that triggered this alert.
- User Summary summarizes the target account for this alert, including email address, last login time, and group membership (as defined in Box). If group membership information is not populated in Box, this field can be empty.
- Geographic Activities summarizes on a geographical map the location of the account's activity at the time of the alert.
- Content Accessed summarizes statistics for content accessed by the account at the time of the alert.
- User Activities summarizes the account's activities, by activity type, at the time of the alert.
- Client Activities displays information about the clients that accessed content at the time of the alert. This information helps you delineate access from a corporate network as opposed to home or public networks.
- Alert Timeline displays a chronological list of the individual account activity that caused the alert.
Exclusions from Shield alerts
When you review the Alert Details page and see an application, IP address, user(s), or groups that you want to exclude from Suspicious Location and Suspicious Session alerts, next to the application's name or the IP address click Exclude.
Interpreting Shield risk scores
An alert's risk score ranges from 1 to 100, indicating the alert's urgency and its need for your attention. The larger the alert's risk score is, the greater the likelihood of a detected threat.
Risk scores from the Anomalous Download rule
The Anomalous Download rule identifies account holders who download potentially sensitive content for unusual work purposes. Shield machine learning predicts what content people may need this week for work purposes. When someone downloads much more potentially sensitive content than predicted by the model, Shield sends you alerts with high risk scores.
Risk scores from the Suspicious Location rule
The Suspicious Location rule generates a risk score based on your configured priority. The priority you define in the Suspicious Location rule determines the risk score as follows:
| Priority | Risk Score |
|---|---|
| LOW | 20 |
| INFO | 40 |
| MED | 60 |
| HIGH | 80 |
| CRITICAL | 100 |
Risk scores from the Suspicious Session rule
The Suspicious Session rule finds potentially compromised user accounts by detecting concurrent sessions originating from different geographical locations. The reported risk score reflects Shield's confidence in the account being compromised.
Risk scores from the Malicious Content rule
The Malicious Content rule helps detect malware uploaded to Box and the risk score reflects Shield confidence that the file is indeed malware and not a clean file.
Providing feedback for Anomalous Download Alert
As an admin, you can provide granular feedback on individual folders that were deemed as anomalous in the Anomalous Download alert to improve our detection accuracy for your enterprise.
To give feedback:
- Go to the Anomalous Content Downloaded section of the alert.
- Click on any folder.
- Folders have 2 pieces of information
- Sensitivity level as determined by our Machine Learning algorithm.
- Number of files downloaded from that folder.
- Folders have 2 pieces of information
- Note the statistics on the right hand side menu:
- Percentage of downloads deemed anomalous
- Size of download
- Folder Owner
- Select the feedback based on what you can give:
- Is the folder expected to contain sensitive data?
- Yes
- No
- Not sure
- Is this user expected to download this content?
- Yes
- No
- Not sure
- Is the folder expected to contain sensitive data?