Prerequisites to Configure the Box Cloud Collector
Before you configure the Box Cloud Collector, you must complete the following prerequisites:
Ensure that the https://*.box.com service is open for communication with the Exabeam Security Operations Platform.
Enable two-factor authentication.
Obtain the application key by creating a Box app.
(Optional) Enable the Box shield events to collect data.
Enable Two-factor Authentication
Before you configure the Box cloud collector, you must enable two-factor authentication for the Box account. To enable two-factor authentication:
Log in to the Box account by accessing https://app.box.com/account.
Navigate to Account Settings > Account > Authentication.
Select Require 2-step verification to protect your account. For more information, see the Box Documentation.
Enter a mobile phone number to enable the two-factor authentication and click Continue.
Obtain the Application Key by Creating a Box App
Box APIs are authenticated with application keys, using JSON Web Tokens (JWT) for server-to-server authentication. JWT uses a public/private key pair to verify the application's permissions. You must create a Box app to obtain the public key to use while configuring the Box cloud collector.
To create a Box app:
Log in to the Box developer console.
Click Create New App.
Click Enterprise Integration.
Select OAuth 2.0 with JWT (Server Authentication) and click Next.
Specify the name SkyFormation Integration for the app and click Create App.
Note
Make sure to specify the app name to prevent any additional costs associated with API calls.
Click View Your App.
In the Application Access section, select Enterprise.
To define the permissions for the application to access data: in the Application Scopes section, select the check boxes for Manage Users, Manage Groups, and Manage enterprise properties.
Make sure that the options in the Advanced Features section are disabled. If enabled, these options would interfere with the authentication process.
Click Save Changes.
In the Add and Manage Public Keys section, click Generate a Public/Private Keypair and download a JSON configuration file.
Save the JSON configuration file and copy the data. You will use this data to configure the Box cloud collector.
Check that the Box Account Admin user has granted the permissions that you requested for the Box Enterprise App. The Box admin user must have the Account Admin role to grant the requested access permissions. To ensure that the user has the Account Admin role, log in to the Box account by accessing https://app.box.com/account, and navigate to the Account Details section and check the username in the Admin Contact section.
Note
To avoid a test connection failure, ensure that you create a request to authorize the app via App Settings, and get the request approved in the Admin Console using the Box administrator account.
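As an added example (not Exabeam's or Box's code), the following Python check validates the downloaded JSON configuration before you paste it into the collector and shows the JWT claims that the file's values feed into. The field names, claim names, token URL, and 60-second lifetime limit are assumptions based on Box's JWT app-settings format and should be verified against your own file; all sample values are constructed.

```python
import json
import secrets
import time

# Fields expected in the file from "Generate a Public/Private Keypair"
# (assumed layout: Box's JWT app-settings format; verify against your file).
REQUIRED = ["boxAppSettings.clientID", "boxAppSettings.clientSecret",
            "boxAppSettings.appAuth.publicKeyID", "boxAppSettings.appAuth.privateKey",
            "boxAppSettings.appAuth.passphrase", "enterpriseID"]

def _get(node, dotted):
    """Walk a dotted path through nested dicts; None if any step is absent."""
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_box_config(text):
    """Return a list of problems in the pasted configuration text."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (truncated copy?): {exc.msg}"]
    values = {path: _get(cfg, path) for path in REQUIRED}
    problems = [f"missing or empty: {p}" for p, v in values.items()
                if not isinstance(v, str) or not v.strip()]
    key = values["boxAppSettings.appAuth.privateKey"]
    if isinstance(key, str) and key.strip() and "PRIVATE KEY-----" not in key:
        problems.append("privateKey is not PEM text")
    return problems

def jwt_claims(cfg, now=None):
    """Claims of the assertion a client signs with privateKey (assumed per Box JWT auth)."""
    now = int(time.time()) if now is None else now
    return {"iss": cfg["boxAppSettings"]["clientID"], "sub": cfg["enterpriseID"],
            "box_sub_type": "enterprise", "aud": "https://api.box.com/oauth2/token",
            "jti": secrets.token_hex(16), "exp": now + 45}  # assumed limit: 60 s lifetime

# Constructed sample values, not a real credential.
SAMPLE = json.dumps({"enterpriseID": "000000", "boxAppSettings": {
    "clientID": "constructed-client-id", "clientSecret": "constructed-secret",
    "appAuth": {"publicKeyID": "abcd1234", "passphrase": "constructed-passphrase",
                "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n"
                              "-----END ENCRYPTED PRIVATE KEY-----\n"}}})

if __name__ == "__main__":
    print(check_box_config(SAMPLE) or "configuration looks complete")
    print(jwt_claims(json.loads(SAMPLE), now=0))
```

The file holds the private key together with its passphrase, so store it as a secret and delete local copies once the collector is configured.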
Enable Box Shield Events
The Box Shield alert events provide security incident alerts such as suspicious locations, suspicious sessions, anomalous downloads, and malicious content. The Shield alert events are produced within the enterprise event stream.
The Cloud Collector for Box consumes the enterprise event stream to collect the data from Box Shield notifications. You can configure the Box account to include Shield alerts if your Box enterprise account has the Box Shield events enabled. To collect this data, enable the Publish alert to Box Event Stream option while configuring the Box Shield rules in the Box portal. For more information, see the Box documentation.