{ "name": "box_events", "title": "Box Events", "version": "3.1.2", "release": "ga", "description": "Collect logs from Box with Elastic Agent", "type": "integration", "download": "/epr/box_events/box_events-3.1.2.zip", "path": "/package/box_events/3.1.2", "icons": [ { "src": "/img/box.svg", "path": "/package/box_events/3.1.2/img/box.svg", "title": "Box Blue Logo", "size": "60x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.4 || ~9.0.7 || ^9.1.4" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "productivity_security" ], "signature_path": "/epr/box_events/box_events-3.1.2.zip.sig", "format_version": "3.0.3", "readme": "/package/box_events/3.1.2/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/box_screenshot.png", "path": "/package/box_events/3.1.2/img/box_screenshot.png", "title": "[Logs Box Events Integration] Events Dashboard", "size": "3036x1342", "type": "image/png" }, { "src": "/img/box_screenshot_histogram.png", "path": "/package/box_events/3.1.2/img/box_screenshot_histogram.png", "title": "Box Events over Time by Event Type", "size": "2201x752", "type": "image/png" }, { "src": "/img/box_screenshot_type.png", "path": "/package/box_events/3.1.2/img/box_screenshot_type.png", "title": "All Box Events by Event Type", "size": "828x842", "type": "image/png" }, { "src": "/img/box_screenshot_ecs_event_classification.png", "path": "/package/box_events/3.1.2/img/box_screenshot_ecs_event_classification.png", "title": "Box Events by ECS Event Classification", "size": "1520x670", "type": "image/png" }, { "src": "/img/box_screenshot_name.png", "path": "/package/box_events/3.1.2/img/box_screenshot_name.png", "title": "All Box Events by File Name", "size": "826x830", "type": "image/png" }, { "src": "/img/box_screenshot_upload.png", "path": "/package/box_events/3.1.2/img/box_screenshot_upload.png", "title": "Total Upload Bytes", "size": "440x240", "type": "image/png" }, { "src": "/img/box_screenshot_download.png", "path": "/package/box_events/3.1.2/img/box_screenshot_download.png", "title": "Total Download Bytes", "size": "428x243", "type": "image/png" }, { "src": "/img/box_screenshot_trash.png", "path": "/package/box_events/3.1.2/img/box_screenshot_trash.png", "title": "Total Trash Bytes", "size": "428x249", "type": "image/png" }, { "src": "/img/box_screenshot_actions.png", "path": "/package/box_events/3.1.2/img/box_screenshot_actions.png", "title": "Top 10 Users x Number of Events associated with the user", "size": "888x750", "type": "image/png" }, { "src": "/img/box_screenshot_failed_logins.png", "path": "/package/box_events/3.1.2/img/box_screenshot_failed_logins.png", "title": "Top 10 Users x number of Failed Logins", "size": "872x740", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts.png", "title": "[Logs Box Events Integration] Box Shield Alerts Dashboard", "size": "3040x1346", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts_threat_histogram.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_threat_histogram.png", "title": "Box Shield Threat Histogram", "size": "1516x670", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts_threat_locations.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_threat_locations.png", "title": "Box Shield Threat Locations", "size": "1526x672", "type": "image/png" }, { "src": "/img/box_screenshot_shield_ecs_event_classification.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_ecs_event_classification.png", "title": "Box Shield Alerts By ECS Threat Classification", "size": "1518x670", "type": "image/png" }, { "src": "/img/box_screenshot_shield_top_threats.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_top_threats.png", "title": "Top Threats", "size": "1518x674", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts_anomalous_downloads.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_anomalous_downloads.png", "title": "Box Shield Anomalous Downloads", "size": "3036x676", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts_malware.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_malware.png", "title": "Box Shield Malware", "size": "3032x674", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts_suspicious_locations.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_suspicious_locations.png", "title": "Box Shield Suspicious Locations", "size": "3034x682", "type": "image/png" }, { "src": "/img/box_screenshot_shield_alerts_suspicious_sessions.png", "path": "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_suspicious_sessions.png", "title": "Box Shield Suspicious Sessions", "size": "3034x672", "type": "image/png" } ], "assets": [ "/package/box_events/3.1.2/LICENSE.txt", "/package/box_events/3.1.2/changelog.yml", "/package/box_events/3.1.2/manifest.yml", "/package/box_events/3.1.2/validation.yml", "/package/box_events/3.1.2/docs/README.md", "/package/box_events/3.1.2/img/box.svg", "/package/box_events/3.1.2/img/box_screenshot.png", "/package/box_events/3.1.2/img/box_screenshot_actions.png", "/package/box_events/3.1.2/img/box_screenshot_download.png", "/package/box_events/3.1.2/img/box_screenshot_ecs_event_classification.png", "/package/box_events/3.1.2/img/box_screenshot_failed_logins.png", "/package/box_events/3.1.2/img/box_screenshot_histogram.png", "/package/box_events/3.1.2/img/box_screenshot_name.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_anomalous_downloads.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_malware.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_suspicious_locations.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_suspicious_sessions.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_threat_histogram.png", "/package/box_events/3.1.2/img/box_screenshot_shield_alerts_threat_locations.png", "/package/box_events/3.1.2/img/box_screenshot_shield_ecs_event_classification.png", "/package/box_events/3.1.2/img/box_screenshot_shield_top_threats.png", "/package/box_events/3.1.2/img/box_screenshot_size.png", "/package/box_events/3.1.2/img/box_screenshot_trash.png", "/package/box_events/3.1.2/img/box_screenshot_type.png", "/package/box_events/3.1.2/img/box_screenshot_upload.png", "/package/box_events/3.1.2/kibana/tags.yml", "/package/box_events/3.1.2/data_stream/events/manifest.yml", "/package/box_events/3.1.2/data_stream/events/sample_event.json", "/package/box_events/3.1.2/kibana/dashboard/box_events-ce6fbf50-2df9-11ed-8003-6d5721603181.json", "/package/box_events/3.1.2/kibana/dashboard/box_events-ff3d9940-2e03-11ed-8003-6d5721603181.json", "/package/box_events/3.1.2/data_stream/events/fields/agent.yml", "/package/box_events/3.1.2/data_stream/events/fields/base-fields.yml", "/package/box_events/3.1.2/data_stream/events/fields/ecs.yml", "/package/box_events/3.1.2/data_stream/events/fields/fields.yml", "/package/box_events/3.1.2/data_stream/events/agent/stream/httpjson.yml.hbs", "/package/box_events/3.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "box_events", "title": "Box Events", "description": "Collect Events from BOX", "inputs": [ { "type": "httpjson", "vars": [ { "name": "client_id", "type": "password", "title": "Client ID", "description": "Click on your App in the [Box Developer Console](https://app.box.com/developers/console), under the `Configuration` tab, scroll down to `OAuth 2.0 Credentials` and copy the `Client ID`", "multi": false, "required": true, "show_user": true }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false }, { "name": "client_secret", "type": "password", "title": "Client Secret", "description": "Have your 2FA device prepared and to hand. Click on your App in the [Box Developer Console](https://app.box.com/developers/console), under the `Configuration` tab, scroll down to `OAuth 2.0 Credentials` and click on `Fetch Client Secret`. Complete the 2FA challenge to copy the `Client Secret`", "multi": false, "required": true, "show_user": true }, { "name": "api_url", "type": "text", "title": "API URL", "description": "URL to interact with the BOX api.", "multi": false, "required": true, "show_user": false, "default": "https://api.box.com" }, { "name": "box_subject_id", "type": "password", "title": "Box Subject ID", "description": "To retrieve events for the `admin` user only, provide the `User ID`. Click on your App in the [Box Developer Console](https://app.box.com/developers/console), under the `General Settings` tab, scroll down to `App Info` to locate these values", "multi": false, "required": true, "show_user": true }, { "name": "box_subject_type", "type": "text", "title": "Box Subject Type", "description": "If you intend to retrieve events solely for the `admin` user set this to `user` otherwise set to `enterprise`", "multi": false, "required": true, "show_user": false, "default": "user" }, { "name": "grant_type", "type": "text", "title": "Grant Type", "description": "Grant Type, use `client_credentials`", "multi": false, "required": true, "show_user": false, "default": "client_credentials" } ], "title": "Collect BOX Events via API", "description": "Collecting events from BOX via API" } ], "multiple": true } ], "data_streams": [ { "type": "logs", "dataset": "box_events.events", "title": "List user and enterprise events", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "This sets the interval between requests to the Target Service, for example `300s` will send a request every 300 seconds. Events will be returned in batches, with the batch size determined by the `limit` variable. The integration will paginate through all available events before waiting for the next interval. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "300s" }, { "name": "stream_type", "type": "text", "title": "Stream Type", "description": "To retrieve events for a single user, set stream type to `all` (default). To select only events that may cause file tree changes such as file updates or collaborations, use `changes`. To select a subset of `changes` for synced folders, use `sync`. To retrieve events for the entire enterprise, set the stream_type to `admin_logs_streaming` for live monitoring of new events, or `admin_logs` for querying across historical events.", "multi": false, "required": true, "show_user": true, "default": "all" }, { "name": "limit", "type": "integer", "title": "Limit", "description": "Number of events to fetch on each request. Maximum allowed value is 500.", "multi": false, "required": true, "show_user": true, "default": 500 }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false } ], "template_path": "httpjson.yml.hbs", "title": "Box user and enterprise events", "description": "Collect user and enterprise events from the Box API", "enabled": true, "ingestion_method": "API" } ], "package": "box_events", "path": "events" } ] }