Become a Box Certified: AI Professional — and score an exclusive t-shirt reserved for the first 100 people who pass. Click here

Box Status
Print

Create, Edit, and Delete a Threat Detection Rule

Create , Edit , Threat Detection Rule

To help keep your organization's content secure, Threat Detection rules need to be configured and enabled.

In some rule types, you can include multiple values, such as of IP addresses, domain, locations, or email addresses. You might therefore want to create a Shield list of those values instead of adding all the individual values to the rule.

Create a threat detection rule

To create a threat detection rule:

  1. Navigate to Admin Console > Shield.
  2. Select the Detection Rules tab.
  3. Select Enable for the detection rule you want to configure and start.
  4. Enter a Rule Name. This should be a short, unique, and descriptive name with a maximum of 80 characters.
  5. Enter a Description (optional). Enter an optional description of a maximum of 255 characters, that provides a summary of the rule purpose and function.
  6. Certain rule configurations vary depending on the rule:
    • Malicious Content, decide if you want to enable deep scan and download restrictions.
    • Suspicious Location, click Add Rule to configure locations and activity to monitor, whether to restrict target user access, and decide which filters to enable.
    • Suspicious Session, decide which filters to enable.
  7. Select a Default Alert Priority. Select from:
    • Low
    • Informational 
    • Medium (default)
    • High
    • Critical
  8. Select whether to enable any rule specific settings, where applicable.
  9. For all rules, decide whether to:
    • Publish alerts to Box Event Stream: Enable this to allow alerts from this rule to be forwarded to a third-party tool, such as a SIEM or CASB tool, via the Box Event Stream. The default state is disabled.
    • Send Notifications: Enter one or more email addresses or managed usernames to receive email notifications of alerts. The only email addresses or managed usernames you can enter in this field are co-admins who have at least one Shield permission enabled in their user account settings.
  10. Once complete, select Next.
  11. Review the rule settings then select Start Rule.

Edit a threat detection rule

To edit your threat detection rule:

  1. Navigate to Admin Console > Shield.
  2. Select the Detection Rules tab.
  3. Select the rule.
  4. Select Edit, then Update Rule after implementing changes.

Delete a threat detection rule

To delete your threat detection rule:

  1. Navigate to Admin Console > Shield.
  2. Select the Detection Rules tab.
  3. Select the rule.
  4. Select Delete.

Note: After selecting Delete, there is no confirmation screen. The detection rule is instantly deleted.

Related articles