The Anomalous Download detection rule is a feature within Box Shield. It tracks user download behavior to prevent data leakage and theft. It monitors user activity and uses Box machine learning to identify anomalies in download behavior, generating alerts when a user's download behavior changes, especially in comparison to their peers.
The Anomalous Download detection rule monitors activity from managed users.
Create, edit, and delete Anomalous Download detection rules
To create or change this detection rule, you need admin rights (or co-admin rights with the "Create, edit, and delete Shield configuration for your company" permission enabled) in an account with the Box Shield add-on enabled.
See our dedicated page for creating, editing, and deleting threat detection rules for a step-by-step guide.
Note: Only one Anomalous Download detection rule can be created for each Box account.
Anomalous Download alerts
An alert will display in the Shield Dashboard when Anomalous Download activity is detected.
Alerts include the Alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert.
To view an alert's details:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
- (Optional) Filter the alerts for Anomalous Download.
- In the alert list table, click an alert.
- Box displays the alert detail page.
The alert detail page displays the following:
- Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, anomalous activity date range, anomalous download delta, and the target user.
- Download Details: information regarding the download activity that triggered the alert, including a comparison between the user’s historical activity and the anomalous activity. Additional information, such as the IP addresses, IP registrants, and any available device information, is also shown.
- Anomalous Content Downloaded: a full breakdown of the files downloaded by the target user during the anomalous period.
Note: You can view the number of alerts in the past week from the Detection Rules page. For longer timeframes, check the Shield Dashboard.
A feedback box is displayed on the dashboard after an alert. This enables you to provide suggestions and comments to Box, which helps to improve functionality.
End user implications
- If anomalous download activity is detected from a user’s account, the end user is not notified; only Shield admins are alerted to the activity.
- No user restrictions will be applied when an Anomalous Download alert is triggered.