The Suspicious Session detection rule is a feature within Box Shield. It detects suspicious sessions by looking for a change in a user's location that is too rapid to be plausible, combined with additional signals such as:
- How recently the user's IP address has been seen within the enterprise
- User agent strings
- Uncommon application types
- Context about the IP addresses involved
The Suspicious Session detection rule monitors activity from managed, external, and anonymous users.
Create, edit, and delete Suspicious Session detection rules
To create or change this detection rule, you need admin rights (or co-admin rights with the Create, edit, and delete Shield configuration for your company permission enabled) in an account with the Box Shield add-on enabled.
See our dedicated page for creating, editing, and deleting threat detection rules for a step-by-step guide.
Note: Only one Suspicious Session detection rule can be created for each Box account.
Suspicious Session specific settings
Filter criteria
Determines what activity is excluded from detection. You can choose to:
- Exclude IP addresses: Defines IP addresses that the rule ignores. Enter one or more valid IP addresses or CIDR blocks (classless inter-domain routing notation, such as a /24), separated by commas. Only list addresses you know to be trustworthy, such as your own corporate egress or VPN ranges: activity from an excluded address is never evaluated by this rule, so a broad exclusion hides sessions you would otherwise want compared. The default state is cleared.
- Exclude integrations: Defines integrations that the rule ignores. Enter one or more integration names. When you start typing a name in the field, matching integration names appear in a drop-down list for you to select from. The default state is cleared.
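The following is an added example, not Box's code, that illustrates the two ideas above in one place: how an IP/CIDR exclusion list like the Exclude IP addresses filter is parsed and applied, and how a rapid change in location between two of a user's sessions is recognised (the distance and time between sessions that the alert summary reports). Box Shield's real scoring also weighs the other signals listed above; the speed threshold, event field names and sample sessions here are constructed assumptions.

```python
"""Added example: an IP/CIDR exclusion list like the rule's "Exclude IP addresses"
filter, applied ahead of a rapid-location-change check over one user's sessions.
Sample events, field names and the speed threshold are constructed assumptions,
not Box Shield's internal logic."""
import ipaddress
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed threshold: sustained travel faster than this between two sessions is implausible.
MAX_PLAUSIBLE_KMH = 900.0


def parse_exclusions(text):
    """Parse "ip, ip, cidr, ..." into network objects; a bare IP becomes a /32 or /128.
    ip_network() raises ValueError on a malformed entry, so a typo fails loudly
    instead of silently excluding nothing."""
    nets = []
    for token in text.split(","):
        token = token.strip()
        if token:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_excluded(ip, exclusions):
    """True if the address falls inside any excluded network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exclusions)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_rapid_location_changes(events, exclusions, max_kmh=MAX_PLAUSIBLE_KMH):
    """Drop events from excluded IPs, sort the rest by time, and flag each pair of
    consecutive sessions whose implied travel speed exceeds max_kmh."""
    kept = sorted(
        (e for e in events if not is_excluded(e["ip"], exclusions)),
        key=lambda e: e["time"],
    )
    flagged = []
    for prev, cur in zip(kept, kept[1:]):
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
        # Same place needs no travel; a move with zero elapsed time is infinitely fast.
        kmh = 0.0 if km == 0 else (float("inf") if hours == 0 else km / hours)
        if kmh > max_kmh:
            flagged.append({"from_ip": prev["ip"], "to_ip": cur["ip"],
                            "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
    return flagged


def _t(hh, mm):
    return datetime(2024, 5, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sessions for one user (RFC 5737 documentation addresses, rounded city coordinates).
SAMPLE_EVENTS = [
    {"ip": "198.51.100.10", "time": _t(9, 0),   "lat": 40.7128,  "lon": -74.0060},  # New York
    {"ip": "203.0.113.45",  "time": _t(10, 0),  "lat": 50.1109,  "lon": 8.6821},    # Frankfurt
    {"ip": "192.0.2.7",     "time": _t(10, 15), "lat": -33.8688, "lon": 151.2093},  # Sydney, via corporate egress
    {"ip": "203.0.113.46",  "time": _t(11, 0),  "lat": 50.1109,  "lon": 8.6821},    # Frankfurt again
]

# Assumed corporate egress range entered in "Exclude IP addresses".
CORPORATE_EXCLUSIONS = parse_exclusions("192.0.2.0/24")

if __name__ == "__main__":
    for hit in find_rapid_location_changes(SAMPLE_EVENTS, CORPORATE_EXCLUSIONS):
        print(f"{hit['from_ip']} -> {hit['to_ip']}: {hit['km']} km in {hit['hours']} h ({hit['kmh']} km/h)")
```

With the exclusion in place the script reports one pair (New York to Frankfurt, roughly 6,200 km in an hour); without it the Sydney session from the excluded range would produce two further hits. That is the trade-off the filter asks you to make: an excluded range removes its sessions from the comparison entirely, so keep the list to ranges you actually control.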
Suspicious Session alerts
An alert is displayed in the Shield Dashboard when suspicious session activity is detected.
Alerts include the Alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert.
To view an alert's details:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
- (Optional) Filter the alerts for Suspicious Session.
- In the alert list table, click an alert.
- Box displays the alert detail page.
The alert detail page displays the following:
- Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, distance between related sessions, time between related sessions, and the target user.
- Session Details: information regarding the user activity that triggered the alert, including a comparison between the "suspicious" and typical sessions. Additional information such as the IP addresses, IP registrants, and any available device information will be shown.
- Geolocation Activity: information regarding the locations identified for the sessions that triggered the alert, including IP address, IP registrant, any available region/country data, and associated user events per session.
- User Activities: summarizes the account's activities, by activity type, at the time of the alert.
Note: You can view the number of alerts in the past week from the Detection Rules page. For longer timeframes, check the Shield Dashboard.
A feedback box is displayed on the dashboard after an alert. Use it to tell Box whether the alert was useful; this feedback helps improve the detection.
End user implications
- If suspicious session activity is detected on a user's account, the end user is not notified. Only Shield admins are alerted to the activity.
- No restrictions are applied to the user's account when a Suspicious Session alert is triggered; any response to the alert is left to the admin.