Shield Threat Detection rule settings are used to configure detection rules. The types of detection rules have settings that are common to all rules and settings that are specific to each rule type. This topic has the following sections:
- Rule Details
- Specific Threat Detection Rule Settings
Rule Details
Rule Details are settings that are common to all threat detection rule types.
- Rule Name
- Enter a short, unique, and descriptive name. 80 characters maximum.
- Description
- Enter an optional description that provides a summary of the rule purpose and function. 255 characters maximum.
- Default Alert Priority
-
Select an alert priority from:
- Informational
- Low
- Medium (default)
- High
- Critical
Use the alert priority selection to determine which alerts you should prioritize. Alert priority is one facet that you can use to filter your Shield Dashboard view.
Specific Threat Detection Rule Settings
The settings for each rule type can contain criteria, filters, and actions. This section describes the criteria, filter, and action settings for each Threat Detection rule type.
Anomalous Download Rule Settings
Anomalous Download Threat Detection rules are based entirely on machine learning and have no rule-specific user-configurable criteria settings. They also have no filters.
Anomalous Download Rule Actions
- Publish alert to Box Event Stream
-
Enable to allow alerts from this rule to be forwarded to a third-party tool, such as a SIEM or CASB tool, via the Box Event Stream.
The default state is disabled.
- Send Notification
-
Enter one or more email addresses or managed user names to to receive email notifications of alerts.
Note
The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings.
Malicious Content Rule Settings
The following settings are specific to Malicious Content Threat Detection rules.
Malicious Content Rule Criteria
- Microsoft Office Deep Scan
-
Enable to allow Box Shield to run deep scan on Microsoft Office file types, such as .docx., .xlsx, and .pptx files, to detect malicious payload.
The default state is disabled.
Malicious Content Rule Actions
- Restrict Download
-
Enable to restrict download of any files identified by this rule to contain malicious content. (Preview and online editing will still be available.)
The default state is disabled.
- Publish alert to Box Event Stream
-
Enable to allow alerts from this rule to be forwarded to a third-party tool, such as a SIEM or CASB tool, via the Box Event Stream.
The default state is disabled.
- Send Notification
-
Enter one or more email addresses or managed user names to to receive email notifications of alerts.
Note
The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings.
Suspicious Location Rule Settings
The following settings are specific to Suspicious Location Threat Detection rules.
Suspicious Location Rule Criteria
- Locations to Monitor
-
Required. Determines locations monitored by the Threat Detection rule. These would be locations that:
- Pose known risks
- Your organization does not do business with
- You have not seen before
Enter one or more valid country names or Shield location lists. When you start typing a name in the field, all valid country names and Shield location lists appear in a drop-down list, and you can then select from the list.
You can also set whether or not to send an alert when the rule is triggered.
The default value is Alert when any of the selected locations are observed.
- Activity to Monitor
-
Determines what content activity the rule monitors. Select:
- All activity (default)
- Monitor activity only on content with the following Classifications applied, and then enter one or more Shield classifications. When you start typing a name in the field, all valid classification names appear in a drop-down list, and you can then select from the list.
Suspicious Location Rule Filters
Rule filters allow you to improve rule accuracy by excluding contexts you trust. Alerts that meet any of these filters will be dismissed automatically and will not show up in your dashboard or in the Box Event Stream.
- Exclude public shared links (recommended)
-
Defines whether or not publicly shared links will be ignored by this rule.
The default state is selected.
- Exclude IP addresses
-
Defines IP addresses that will be ignored by the rule. Enter IP addresses that you know are trustworthy.
Enter one or more valid IP addresses, CIDRs (classless inter-domain routing blocks), or Shield Host IP Addresses lists, separated by commas.
The default state is cleared.
- Exclude apps
-
Defines application(s) that will be ignored by the rule.
Enter one or more application names. When you start typing a name in the field, all valid application names appear in a drop-down list, and you can then select from the list.
The default state is cleared.
- Exclude users or user groups
-
Defines users and groups that will be ignored by the rule.
Enter one or more users. When you start typing the name of the user, all matching names appear in a drop-down list, and you can then select from the list.
The default state is cleared.
- Exclude domains
-
Defines the domains that will be ignored by the rule.
Enter one or more domains. When you start typing the domain names, all matching names appear in a drop-down list, and you can then select from the list.
The default state is cleared.
Suspicious Location Rule Actions
- Restrict Target User Access
-
Determines if a managed user who triggers a Suspicious Location rule is restricted from accessing their Box account. A managed user who triggers this rule with this setting enabled:
- Will no longer be able to login to Box if they are accessing from a restricted location.
- If still logged into Box, Shield will auto log them out of all their active sessions (this includes the web application, Box Drive, or the mobile application).
- No error message will display on the web application (Drive and Mobile will display standard logout messaging).
- Will receive an email alerting them of suspicious location activity on their account and to contact their Box admin if they are unsure why they are receiving the message.
The restricted access is maintained until the user attempts to log in from a location that is not defined in this Suspicious Location rule.
Notes
- If the Admin wants to allow a user to access content even though they are in a restricted location, they can add the user to the rule's user exemption list and the affected user will immediately be able to log back into Box.
- If the Admin configures the Suspicious Location rule to only monitor content with a specific classification label, then Shield will not block the user’s login from a restricted country
- Enabling the Restrict Target User Access setting will not prevent recipients in restricted locations from completing signature requests sent via Box Sign if accessed though the recipient’s email. However, recipients may be restricted if the signature request requires Box account login.
- External users are not affected by this setting. They can still trigger the Suspicious Location rule if they access an organization’s content from a restricted location, but Shield will not restrict their access.
Important
It is recommended that at least one Shield Co-Admin (a Co-Admin with the Create, edit, and delete Shield configuration for your company permission enabled) be excluded from the Suspicious Location rule when the Restrict Target User Access setting is enabled. This allows your organization to still access Box in the event that all other Admins/Co-Admins trigger a suspicious location alert with this setting enabled.
- Publish alert to Box Event Stream
-
Enable to allow alerts from this rule to be forwarded to a third-party tool, such as a SIEM or CASB tool, via the Box Event Stream.
The default state is disabled.
- Send Notification
-
Enter one or more email addresses or managed user names to to receive email notifications of alerts.
Note
The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings.
Suspicious Session Rule Settings
Suspicious session Threat Detection rules are based entirely on machine learning and have no rule-specific user-configurable criteria settings. You can configure filters for this rule type.
Suspicious Session Rule Filters
- Exclude IP addresses
-
Defines IP addresses that will be ignored by the rule. Enter IP addresses that you know are trustworthy.
Enter one or more valid IP addresses, CIDRs (classless inter-domain routing blocks), or Shield Host IP Addresses lists, separated by commas.
The default state is cleared.
- Exclude apps
-
Defines application(s) that will be ignored by the rule.
Enter one or more application names. When you start typing a name in the field, all valid application names appear in a drop-down list, and you can then select from the list.
The default state is cleared.
Suspicious Session Rule Actions
- Publish alert to Box Event Stream
-
Enable to allow alerts from this rule to be forwarded to a third-party tool, such as a SIEM or CASB tool, via the Box Event Stream.
The default state is disabled.
- Send Notification
-
Enter one or more email addresses or managed user names to to receive email notifications of alerts.
Note
The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings.