Configuring Box to communicate with QRadar

To retrieve administrator logs from your Box enterprise account, configure Box and your IBM QRadar Console. You must have a Box developer account.

Before you begin

Generate a private and public RSA key pair for the JSON Web Token (JWT) assertion.
Tip: If you are a QRadar on Cloud user and the Target Collector is either Console or Events Processor, you must open a case and upload the Private Key (in DER format). DevOps then adds that Private Key to /opt/qradar/conf/trusted_certificates/box.
  1. Log in to the Console or Linux® server that has an openssl command.
    • For a private key, type the following command:
      openssl genrsa -out box_private_key.pem 2048
    • For a public key, type the following command:
      openssl rsa -pubout -in box_private_key.pem -out box_public_key.pem
  2. Save a copy of the public key. You paste the contents of the public key into the Add Public Key text box when you configure Box for API access.
  3. Convert the private key to DER by typing the following command on one line:
    openssl pkcs8 -topk8 -inform PEM -outform DER -in box_private_key.pem -out box_private_key.der -nocrypt
  4. Store the private key on your managed host in QRadar.
    1. Create a directory called "box" in the /opt/qradar/conf/trusted_certificates/ directory in QRadar.
    2. Copy the private key .DER file to the /opt/qradar/conf/trusted_certificates/box directory that you created. Do not store the private key in any other location.
    3. Configure the log source by using only the file name of the private key file in the /opt/qradar/conf/trusted_certificates/box directory. Ensure that you type the file name correctly in the Private Key File Name field when you configure the log source.
  5. Copy the private key to the /opt/qradar/conf/trusted_certificates/box directory.
    Tip: If you configure the log source before you store the private key, an error message is displayed.
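
Added example (not part of the IBM or Box documentation): a shell check that the .DER file you store for QRadar is an unencrypted PKCS#8 DER key and that it pairs with the public key you paste into Box. The function names are hypothetical; the file names follow the openssl commands in the steps above.

```shell
#!/bin/sh
# Added example, not IBM or Box code. Function names are hypothetical;
# file names follow the openssl commands in the steps above.

# Run the three documented openssl commands inside directory $1.
make_box_keys() {
    ( cd "$1" &&
      openssl genrsa -out box_private_key.pem 2048 2>/dev/null &&
      openssl rsa -pubout -in box_private_key.pem -out box_public_key.pem 2>/dev/null &&
      openssl pkcs8 -topk8 -inform PEM -outform DER -in box_private_key.pem \
          -out box_private_key.der -nocrypt )
}

# Print the public key (PEM) of an unencrypted PKCS#8 DER private key.
# Fails if the file is PEM, encrypted, or not PKCS#8.
# The private key only passes through a pipe and is never written to disk.
pub_from_der() {
    openssl pkcs8 -inform DER -nocrypt -in "$1" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# check_box_keypair <private.der> <public.pem>
# Returns 0 if the DER key pairs with the public key, 1 if the DER file is
# unusable, 2 if the public key file is unreadable, 3 if the two files
# belong to different key pairs.
check_box_keypair() {
    derived=$(pub_from_der "$1") ||
        { echo "FAIL: $1 is not an unencrypted PKCS#8 DER key" >&2; return 1; }
    # Re-emit the public key so that whitespace differences do not matter.
    uploaded=$(openssl pkey -pubin -in "$2" -pubout 2>/dev/null) ||
        { echo "FAIL: $2 is not a PEM public key" >&2; return 2; }
    [ "$derived" = "$uploaded" ] ||
        { echo "FAIL: $2 does not match $1" >&2; return 3; }
    echo "OK: $1 matches $2"
}

# Optional command-line use: sh <script> box_private_key.der box_public_key.pem
if [ $# -eq 2 ]; then
    check_box_keypair "$1" "$2"
fi
```

Run the check before you paste the public key into Box; a mismatch between the stored .DER file and the registered public key means the JWT assertion cannot be verified.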

Procedure

  1. Create and configure an application for your QRadar appliance.
    1. Log in to the Box Developers portal (http://developers.box.com/). You now have access to the Admin and Box Consoles.
    2. Click Create New App > Custom App.
    3. In the Custom App window, select Server Authentication (with JWT).
    4. In the App Name field, type a name for the app, and then click Create App.
    5. On the Configuration tab, from the OAuth2 Credentials row, record the Client ID and the Client Secret. You need the Client ID and the Client Secret when you add a log source in QRadar.
    6. In the App Access Level row, select App + Enterprise Access.
    7. In the Application Scopes row, configure the following parameters.
      Table 1. Application Scopes parameters
      Parameter | Value
      Content Actions | Ensure that the Read all files and folders stored in Box and Write all files and folders stored in Box checkboxes are selected.
      Administrative Actions | Ensure that the Manage enterprise properties checkbox is selected. Ensure that the Manage users, Manage groups, and Manage retention policies checkboxes are cleared.
      Developer Actions | Ensure that all the checkboxes are cleared.
    8. In the Add and Manage Public Keys row, click Add a Public Key.
    9. Open the public key file that you copied from QRadar. In the Add a new Public Key window, paste the contents of the public key file in the Public Key field.
    10. Click Verify and Save, and then record the Key ID. You need the Key ID when you add the log source in QRadar.
    11. To ensure that the properties are stored on the server, click Save Changes.
      A "Successfully updated the app." message is displayed.
  2. To submit the app, on the Authorization tab, click Review and Submit.
  3. In the Review App Authorization Submission window, click Submit.
  4. Locate your Box Enterprise ID.
    1. Log in to the Admin Console, and then click Account & Billing > Enterprise ID.
    2. Click the Account Info tab and record your Box Enterprise ID.
  5. Authorize your application.
    1. Log in to the Box Console.
    2. From the navigation menu, click Apps.
    3. On the Custom Apps Manager tab, find your app and click More (...).
    4. In the Authorize App window, verify that the Application Access level is All Users and that the API key is the Client ID that you recorded, and then click Authorize.
      If your app is configured correctly, the Authorization Status displays as Authorized and the Enablement Status displays as Enabled.
    For more information about configuring Box, see Applications (https://developer.box.com/guides/applications/).

What to do next

Verify that QRadar is configured to receive events from your Box DSM. If QRadar is configured correctly, no error messages appear in the Edit a log source window.