Box

The IBM QRadar DSM for Box collects enterprise events from a Box enterprise account.

The following table describes the specifications for the Box DSM:
Table 1. Box DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Box |
| DSM name | Box |
| RPM file name | DSM-BoxBox-QRadar_version-build_number.noarch.rpm |
| Supported versions | N/A |
| Protocol | Box REST API |
| Event format | JSON |
| Recorded event types | Administrator and enterprise events; Box Shield Alerts |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | For more information, see the Box website (https://www.box.com/home). |

To integrate Box with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website (https://www.ibm.com/support/fixcentral) onto your QRadar Console:
    • Protocol Common RPM
    • Box REST API Protocol RPM
    • Box DSM RPM
  2. Configure your Box Enterprise account for API access. For more information, see your Box documentation (https://docs.box.com/docs/configuring-box-platform).
  3. The following table describes the parameters that require specific values for Box event collection:
    Table 2. Box log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Box |
    | Protocol Configuration | Box REST API |
    | Client ID | Generated in the OAuth2 parameters pane of the Box administrator configuration. |
    | Client Secret | Generated in the OAuth2 parameters pane of the Box administrator configuration. |
    | Key ID | Generated in the Public Key Management pane after you submit the public key. |
    | Enterprise ID | Used for access token request. |
    | Private Key File Name | The private key file name in the /opt/qradar/conf/trusted_certificates/box/ directory in QRadar. |
    | Use Proxy | If QRadar accesses the Box API by using a proxy, select the Use Proxy checkbox. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields. |
    | EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
    | Recurrence | The time interval between log source queries to the Box API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 10 minutes. |
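
A pre-flight check that an administrator could run on the QRadar Console before saving the log source, added here as an illustration (it is not IBM or Box code): it validates a Private Key File Name value against the directory in Table 2 and parses a Recurrence value. The permission policy, the PEM heuristic, the function names and the sample file name are assumptions, not documented QRadar requirements.

```python
import os
import re
import stat
import tempfile

# Directory named in Table 2 for the Private Key File Name parameter.
BOX_KEY_DIR = "/opt/qradar/conf/trusted_certificates/box/"

def check_key_file(file_name, key_dir=BOX_KEY_DIR):
    """Return a list of findings (an empty list means nothing was flagged)."""
    # The parameter is a file name, so reject paths and directory traversal.
    if not file_name or os.path.basename(file_name) != file_name or file_name in (".", ".."):
        return ["value must be a bare file name inside " + key_dir]
    path = os.path.join(key_dir, file_name)
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink out of the directory
    except FileNotFoundError:
        return ["file not found: " + path]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file: " + path]
    findings = []
    if st.st_mode & stat.S_IRWXO:  # assumed policy: no access for 'other'
        findings.append("world-accessible permissions")
    if st.st_mode & stat.S_IWGRP:  # assumed policy: group must not write
        findings.append("group-writable")
    with open(path, "rb") as fh:
        head = fh.read(64)
    # Heuristic for PEM input only: the public half is submitted to Box, not stored here.
    if b"PUBLIC KEY" in head or b"CERTIFICATE" in head:
        findings.append("looks like a public key or certificate, not a private key")
    return findings

def recurrence_seconds(value):
    """Convert a Recurrence value such as 10M, 1H or 2D to seconds."""
    m = re.fullmatch(r"([1-9]\d*)([HMD])", value.strip().upper())
    if not m:
        raise ValueError("expected a number followed by H, M or D: %r" % value)
    return int(m.group(1)) * {"M": 60, "H": 3600, "D": 86400}[m.group(2)]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in for BOX_KEY_DIR
        name = "box_private_key.example"       # hypothetical file name
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n")
        os.chmod(p, 0o644)
        print(check_key_file(name, d))         # flags world-accessible permissions
        os.chmod(p, 0o640)
        print(check_key_file(name, d))         # nothing flagged
        print(recurrence_seconds("10M"))       # the default interval, in seconds
```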