Box Status
Print

Suspicious Location Detection Rule

Threat Detection Rule , Suspicious Location

The Suspicious Location detection rule is a feature within Box Shield. It seeks to identify when users are accessing content from locations deemed “suspicious” by a Box Shield admin.

Box monitors the IP address of actions that occur across the platform. If a user performs an action from a location included (or excluded) in the rule configuration, an alert is generated.

If users have an unusual travel schedule or require special exceptions, admins can create exemptions. These exemptions, either temporary or permanent, can be assigned to individual users or user groups.

The Suspicious Location detection rule monitors activity from managed, external, and anonymous users.

Create, edit, and delete Suspicious Location detection rules

To enable this detection rule, you need admin rights (or co-admin rights with the Create, edit, and delete Shield configuration for your company permission enabled) in an account with the Box Shield add-on enabled.

Note: Up to 25 Suspicious Location detection rules can be created for each Box account.

See our dedicated page for creating, editing, and deleting threat detection rules for a step-by-step guide. Check below for Suspicious Location specific settings: 

Suspicious Location specific settings

Locations to monitor

Determines the locations monitored by the Suspicious Location detection rule. These are locations that:

  • Pose known risks.
  • Your organization does not do business with.
  • Are outside your organization’s travel policy.

Enter one or more valid country names or Shield location lists. When you start typing a name in the field, all valid country names and Shield location lists appear in a drop-down list, and you can then select from the list.

Once the list of locations is complete, you must define the monitoring policy when one of these locations is observed: 

  • Alert (default): An alert will trigger when one of the selected locations is observed.
  • Do not alert: An alert will trigger when any location outside of the selected locations is observed.

Activity to monitor

Determines what user activity the Suspicious Location detection rule monitors. Select:

  • All activity (default): Monitors user activity across Box.
  • Monitor activity only on content with the following Classifications applied: Monitors user activity only on content with the selected Shield classification labels.

Filter criteria

Determines what activity is excluded from detection. You can choose to: 

  • Exclude public shared links (recommended): Defines whether publicly shared links will be ignored by this rule. The default state is selected.
  • Exclude IP addresses: Defines IP addresses that will be ignored by the rule. Enter IP addresses that you know are trustworthy. Enter one or more valid IP addresses, CIDRs (classless inter-domain routing blocks), or Shield Host IP Addresses lists, separated by commas. The default state is cleared.
  • Exclude integrations: Defines integrations that will be ignored by the rule. Enter one or more integration names. When you start typing a name in the field, all valid integration names appear in a drop-down list, and you can then select from the list. The default state is cleared.
  • Exclude users or user groups: Defines users and groups that will be ignored by the rule. Enter one or more users. When you start typing the name of the user, all matching names appear in a drop-down list, and you can then select from the list. The default state is cleared.
  • Exclude domains: Defines the domains that will be ignored by the rule. Enter one or more domains. When you start typing the domain names, all matching names appear in a drop-down list, and you can then select from the list. The default state is cleared.

Restrict target user access

Determines if a managed user who triggers a Suspicious Location rule is restricted from accessing their Box account. More information is available at Restrict Target User Access

Suspicious Location alerts

An alert will display in the Shield Dashboard when suspicious location activity is detected. 

Alerts include the Alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert. 

To view an alert's details:

  1. Go to Admin Console > Shield.
  2. Click the Dashboard tab.
  3. (Optional) Filter the alerts for Suspicious Location.
  4. In the alert list table, click an alert.
  5. Box displays the alert detail page.

The alert detail page displays the following:

  • Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, rule configuration info, any enforced restrictions, and the target user.
  • Geolocation Activity: information regarding the location that triggered the alert, including IP address, IP registrant, and any available region/country data.
  • User Activities: summarizes the account's activities, by activity type, at the time of the alert.

Note: You can view the number of alerts in the past week from the Detection Rules page. For longer timeframes, check the Shield Dashboard.

A feedback box is displayed on the dashboard after an alert. This enables you to provide suggestions and comments to Box which helps to improve functionality.

End user implications

  • A user will not be notified that they triggered a Suspicious Location detection alert.
  • When user restrictions are active, end users will be logged out of all their existing Box sessions and restricted from logging back in until they access Box from an approved location. They will receive an email in their inbox alerting them of the restriction.

Alert actions and remediation

This detection rule has the following potential action once users are identified who have accessed content from locations deemed suspicious by an admin:

Restrict target user access

A managed user who triggers this rule with this setting enabled will:

  • No longer be able to log in to Box if they are accessing from a restricted location.
  • Be auto logged out of their Box active sessions by Shield (this includes the web integration, Box Drive, or the mobile integration).
  • Receive an email alerting them of suspicious location activity on their account, and be told to contact their Box admin if they are unsure why they are receiving the message.

The restricted access is maintained until the user attempts to log in from a location that is not defined in this Suspicious Location rule. This restriction does not apply to external users.

Notes:

  • If the Admin wants to allow a user to access content even though they are in a restricted location, they can add the user to the rule's user exemption list and the affected user will immediately be able to log back into Box.
  • If the Admin configures the Suspicious Location rule to only monitor content with a specific classification label, then Shield will not block the user’s login from a restricted country.
  • Enabling the Restrict Target User Access setting will not prevent recipients in restricted locations from completing signature requests sent via Box Sign if accessed through the recipient’s email. However, recipients may be restricted if the signature request requires Box account login.
  • External users are not affected by this setting. They can still trigger the Suspicious Location rule if they access an organization’s content from a restricted location, but Shield will not restrict their access.

Important:

It is recommended that at least one Shield co-admin (a co-admin with the Create, edit, and delete Shield configuration for your company permission enabled) be excluded from the Suspicious Location rule when the Restrict Target User Access setting is enabled. This allows your organization to still access Box if all other admins/co-admins trigger a suspicious location alert with this setting enabled.

Related articles