Shield Threat Detection rule settings are used to configure detection rules. The types of detection rules have settings that are common to all rules and settings that are specific to each rule type. This topic has the following sections:
Common Threat Detection Rule Settings
The following settings are common to all Threat Detection rule types.
| Setting | Description |
|---|---|
| Rule Details | |
| Rule Name | Enter a short, unique, and descriptive name. 80 characters maximum. |
| Description | Enter an optional description that provides a summary of the rule purpose and function. 255 characters maximum. |
| Default Alert Priority |
Select an alert priority from:
Use the alert priority selection to determine which alerts you should prioritize. Alert priority is one facet that you can use to filter your Shield Dashboard view. |
|
Rule Actions |
|
| Publish alert to Box Event Stream |
Turn on to allow alerts from this rule to be forwarded to a third party tool, such as a SIEM or CASB tool, via the Box Event Stream. The default state is turned off. |
| Send Notification |
Enter one or more email addresses or managed user names to to receive email notifications of alerts. Note The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings. |
Specific Threat Detection Rule Settings
The following section describes settings specific to each Threat Detection rule type.
Anomalous Download Rule Settings
Anomalous download Threat Detection rules are based entirely on machine learning and have no rule-specific user-configurable settings.
Malicious Content Rule Settings
The following settings are specific to malicious content Threat Detection rules.
| Setting | Description |
|---|---|
| Rule Criteria | |
| Microsoft Office Deep Scan |
Turn on to enable Box Shield to run deep scan on Microsoft Office file types, such as .docx., .xlsx, and .pptx files, to detect malicious payload. The default state is turned off. |
| Rule Actions | |
| Restrict Download |
Turn on to restrict download of any files identified by this rule to contain malicious content. (Preview and online editing will still be available.) The default state is turned off. |
Suspicious Location Rule Settings
| Setting | Description |
|---|---|
| Rule Criteria | |
| Locations to Monitor |
Required. Determines locations monitored by the Threat Detection rule. These would be locations that:
Enter one or more valid country names or Shield location lists. When you start typing a name in the field, all valid country names and Shield location lists appear in a drop-down list, and you can then select from the list. You can also set whether or not to send an alert when the rule is triggered. The default value is Alert when any of the selected locations are observed. |
| Content to Monitor |
Determines what content the rule monitors. Select:
|
|
Rule Filters Rule filters allow you to improve rule accuracy by excluding contexts you trust. Alerts that meet any of these filters will be dismissed automatically and will not show up in your dashboard or in the Box Event Stream. |
|
| Exclude public shared links (recommended) |
Defines whether or not publicly shared links will be ignored by this rule. The default state is selected. |
| Exclude IP addresses |
Defines IP addresses that will be ignored by the rule. Enter IP addresses that you know are trustworthy. Enter one or more valid IP addresses, CIDRs (classless inter-domain routing blocks), or Shield Host IP Addresses lists, separated by commas. The default state is cleared. |
| Exclude apps |
Defines application(s) that will be ignored by the rule. Enter one or more application names. When you start typing a name in the field, all valid application names appear in a drop-down list, and you can then select from the list. The default state is cleared. |
| Exclude users and groups |
Defines users and groups that will be ignored by the rule. Enter one or more users. When you start typing the name of the user, all matching names appear in a drop-down list, and you can then select from the list. The default state is cleared. |
| Exclude domains |
Defines the domains that will be ignored by the rule. Enter one or more domains. When you start typing the domain names, all matching names appear in a drop-down list, and you can then select from the list. The default state is cleared. |
Suspicious Session Rule Settings
Suspicious session Threat Detection rules are based entirely on machine learning and have no rule-specific user-configurable criteria settings. You can configure filters for this rule type.
| Setting | Description |
|---|---|
| Rule Filters | |
| Exclude IP addresses |
Defines IP addresses that will be ignored by the rule. Enter IP addresses that you know are trustworthy. Enter one or more valid IP addresses, CIDRs (classless inter-domain routing blocks), or Shield Host IP Addresses lists, separated by commas. The default state is cleared. |
| Exclude apps |
Defines application(s) that will be ignored by the rule. Enter one or more application names. When you start typing a name in the field, all valid application names appear in a drop-down list, and you can then select from the list. The default state is cleared. |