Solution: Box
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.1.4 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-20 |
| Solution Folder | Box |
| Marketplace | Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: 🔵 Medium (59%) |
The Box solution connector provides the capability to ingest Box enterprise events into Microsoft Sentinel using the Box REST API.
Underlying Microsoft Technologies used:
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
a. Azure Monitor HTTP Data Collector API
This solution provides 2 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 2 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| BoxEventsV2_CL | Box Events (via Codeless Connector Framework), [DEPRECATED] Box Events (using Azure Function) | Analytics, Hunting, Workbooks |
| BoxEvents_CL 🔶 | Box Events (via Codeless Connector Framework), [DEPRECATED] Box Events (using Azure Function) | Analytics, Hunting, Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Box - Abmormal user activity | Medium | Collection | BoxEventsV2_CL, BoxEvents_CL |
| Box - Executable file in folder | Medium | InitialAccess | BoxEventsV2_CL, BoxEvents_CL |
| Box - File containing sensitive data | Medium | Exfiltration | BoxEventsV2_CL, BoxEvents_CL |
| Box - Forbidden file type downloaded | Medium | InitialAccess | BoxEventsV2_CL, BoxEvents_CL |
| Box - Inactive user login | Medium | InitialAccess | BoxEventsV2_CL, BoxEvents_CL |
| Box - Item shared to external entity | Medium | Exfiltration | BoxEventsV2_CL, BoxEvents_CL |
| Box - Many items deleted by user | Medium | Impact | BoxEventsV2_CL, BoxEvents_CL |
| Box - New external user | Medium | InitialAccess, Persistence | BoxEventsV2_CL, BoxEvents_CL |
| Box - User logged in as admin | Medium | PrivilegeEscalation | BoxEventsV2_CL, BoxEvents_CL |
| Box - User role changed to owner | Medium | PrivilegeEscalation | BoxEventsV2_CL, BoxEvents_CL |
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Box - Deleted users | Impact | BoxEventsV2_CL, BoxEvents_CL |
| Box - Downloaded data volume per user | Exfiltration, Collection | BoxEventsV2_CL, BoxEvents_CL |
| Box - IP list for admin users | InitialAccess, PrivilegeEscalation | BoxEventsV2_CL, BoxEvents_CL |
| Box - Inactive admin users | PrivilegeEscalation | BoxEventsV2_CL, BoxEvents_CL |
| Box - Inactive users | InitialAccess | BoxEventsV2_CL, BoxEvents_CL |
| Box - New users | PrivilegeEscalation, Persistence | BoxEventsV2_CL, BoxEvents_CL |
| Box - New users | PrivilegeEscalation | BoxEventsV2_CL, BoxEvents_CL |
| Box - Suspicious or sensitive files | Exfiltration | BoxEventsV2_CL, BoxEvents_CL |
| Box - Uploaded data volume per user | Exfiltration, Collection | BoxEventsV2_CL, BoxEvents_CL |
| Box - Users with owner permissions | PrivilegeEscalation | BoxEventsV2_CL, BoxEvents_CL |
Workbooks:
| Name | Tables Used |
|---|---|
| Box | BoxEventsV2_CL, BoxEvents_CL |
Parsers:
| Name | Description | Tables Used |
|---|---|---|
| BoxEvents | - | BoxEventsV2_CL (read), BoxEvents_CL (read) |
Release Notes:
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.1.4 | 13-04-2026 | Deprecate Box Events (using Azure Function) |
| 3.1.3 | 24-03-2026 | Rename to Box Events (via Codeless Connector Framework) |
| 3.1.2 | 29-10-2025 | Updated KQL queries in Workbook to use EventEndTime instead of TimeGenerated for time-based filtering |
| 3.1.1 | 10-02-2025 | Advanced the CCP Data Connector from Public Preview to General Availability. |
| 3.1.0 | 06-12-2024 | Added new CCP Data Connector and modified the Parser. |
| 3.0.1 | 18-08-2023 | Added text 'using Azure Functions' in Data Connector page. |
| 3.0.0 | 19-07-2023 | Manual deployment instructions updated for Data Connector. |