To help protect you from data loss, you can use Code42 Forensic File Search to monitor files moving to and from users' Box.
When you add Box as a data source for Forensic File Search, you must authorize Code42 as a custom application. Once connected, Forensic File Search monitors your organization's Box environment to capture when a user:
- Creates a file
- Shares a file
- Deletes a file
- Modifies a file
This article explains how to add Box as a data source for Forensic File Search. It also explains why Code42 needs this level of access to your Box environment.
- To connect Code42 to Box, you must be a Box Admin as well as a Code42 Customer Cloud Admin.
- Once authorized, Code42 Forensic File Search has access to metadata on users, files, and drives.
- If you need to change your Box account information, temporarily deauthorize your Box account, then reauthorize with the new account information.
- You must be licensed for Code42 Forensic File Search. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email firstname.lastname@example.org and we will connect you.
- Box allows you to add or remove individuals as collaborators on a file. However, for files that reside at the root of the drive and are not in a folder, these collaboration changes are not recorded for Forensic File Search until a file event occurs (for example, at file creation, modification, renaming, moving, or sharing with a link).
- Box limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Box to better control its resources, but may slow down Code42 file metadata collection, especially after first configuring Forensic File Search access to Box. Consider setting up Forensic File Search access to Box when you have decreased activity in your environment.
- If a user's status is set to inactive in Box, Code42 does not monitor file activity on the user's Box account.
Code42 Forensic File Search temporarily streams files from your data source to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.
Code42 never stores file contents or writes them to disk during this process.
Before you begin
Configure Forensic File Search before adding Box as a cloud service data source.
Step 1: Connect Code42 and Box
- Sign in to the Code42 administration console.
- Add a cloud service connection:
  - Select Investigation > Data Sources.
  - Click Add Data Source.
    The Add Data Source dialog displays.
  - From Data Source, select Box under Cloud Services.
  - Enter a display name. This display name must be unique.
  - Copy the API Key. You will enter this in your Box Admin Console.
- Authorize the Code42 app in Box:
  - Go to your Box Admin Console and log in using your Box Admin email and password.
  - Click Enterprise Settings.
  - Click Apps.
  - Go to the Custom Applications section.
  - Click Authorize New App.
    The App Authorization screen displays.
  - Paste in the API Key from the Code42 administration console.
  - Click Next.
  - Review the permissions granted. For more information, see Box permissions below.
  - Click Authorize.
    Code42 Cloud Service for Box appears in the table of custom applications.
Step 2: Add Users
- Return to the Code42 administration console.
- In the Add Data Source dialog, click Continue.
  The Add Users panel displays.
- Select one of the following options:
  - Specific Users
    Monitors only the Box users you designate.
  - Specific Groups
    Monitors only the users in Box groups you designate.
Step 3: Verify the setup
- In the Add Data Source dialog, click Continue.
  The Verify panel displays.
- Enter your Box Enterprise ID:
  - Return to the Box Admin Console and select Account & Billing.
  - Copy the Enterprise ID.
  - In the Code42 administration console, paste the Box enterprise ID into Box Enterprise ID.
- Enter your Box Account ID:
  - Return to the Box Admin Console and click Back to my Account.
  - In the upper-right, select your profile.
  - Click Account Settings.
  - Under the Account tab, scroll to the Account Details section.
  - Copy your Account ID.
  - In the Code42 administration console, paste the Account ID into Box Account ID.
- Click Authorize.
Box is added as a cloud service for Forensic File Search, and Code42 begins the initial extraction of information. For details, see Initial extraction below.
Upload a .csv file
In Step 2, if you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists Box users or groups you want to monitor.
General considerations for uploading a .csv file:
- The .csv file is limited to 1,000 entries.
- Uploading a new .csv replaces the existing list of people or groups being monitored.
- The maximum number of drives allowed for monitoring in Box connections is 5,500.
Upload a .csv file listing Box users
See the Box documentation to export a list of all Box users to an Excel file. Convert the Excel file to .csv format, and create a .csv file from this list that contains only the users you want to monitor.
Code42 reads usernames from the column headers labeled Email or Email Address in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.
Upload a .csv file listing Box groups
See the Box documentation for information about Box groups. Create a .csv file that contains only the groups you want to monitor.
Code42 reads the names of groups from the column header labeled Group Name or Groups in the .csv file. If neither of these column headers is specified, the upload produces an error.
When a group name is provided, Code42 attempts to look up users with the specified group name from the .csv file. If the group name cannot be found, Code42 proceeds to the next group. Code42 looks for that group again every 24 hours.
As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly. Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic File Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
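A pre-upload check for the .csv rules described above (the 1,000-entry limit and the required Email / Email Address or Group Name / Groups column), added here as an example and not Code42's own code. The `check_upload` function, the email pattern, exact header matching and the sample data are assumptions made for illustration.

```python
import csv
import io
import re

MAX_ENTRIES = 1000                       # per-file limit stated in this article
USER_HEADERS = ("Email", "Email Address")
GROUP_HEADERS = ("Group Name", "Groups")
# Assumption: syntactic check only; Code42's own email validation is not documented here.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_upload(text, kind):
    """Return a list of problems in a 'users' or 'groups' .csv (empty list = OK)."""
    wanted = USER_HEADERS if kind == "users" else GROUP_HEADERS
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    # Excel's "CSV UTF-8" export prepends a byte-order mark to the first header.
    header = [h.lstrip("\ufeff").strip() for h in rows[0]]
    col = next((i for i, h in enumerate(header) if h in wanted), None)
    if col is None:
        return ["no column labeled " + " or ".join(wanted)]
    problems, entries = [], 0
    for row_no, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue                     # blank spreadsheet row, not an entry
        value = row[col].strip() if col < len(row) else ""
        entries += 1
        valid = EMAIL_RE.match(value) if kind == "users" else value
        if not valid:
            problems.append(f"row {row_no}: invalid {kind[:-1]} entry {value!r}")
    if entries > MAX_ENTRIES:
        problems.append(f"{entries} entries exceed the {MAX_ENTRIES}-entry limit")
    return problems


# Constructed sample data (not real accounts or groups).
SAMPLE_USERS = (
    "\ufeffName,Email,Status\n"
    "Ada Example,ada@example.com,Active\n"
    "Bob Example,bob(at)example.com,Active\n"
)
SAMPLE_GROUPS = "Group,Members\nFinance,12\n"

if __name__ == "__main__":
    for kind, text in (("users", SAMPLE_USERS), ("groups", SAMPLE_GROUPS)):
        print(kind, check_upload(text, kind) or "OK")
```

Because uploading a new .csv replaces the existing monitored list, running a check like this first avoids replacing a working list with a file that is rejected or incomplete.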
Initial extraction
Once you complete authorization, Code42 begins the initial extraction of user activity data from your cloud service. During this process, Code42 discovers the drives and indexes all their files one drive at a time. The time to complete initial extraction on a drive is directly related to the number of files within the drive, not the size of the files.
As Code42 progresses through initial extraction, the Status column in the Data Sources panel shows the number of drives that have completed initial extraction compared to the number of drives remaining (for example, "Initializing 34 / 567").
As each drive completes initial extraction, Code42 begins monitoring file activity on the drive and sends events to Forensic File Search. To speed up initial extraction, file hashes are omitted. As a result, you see the message "Hash Unavailable. File not modified since initial extraction" in the MD5 Hash and SHA256 Hash fields displayed for these files in Forensic File Search. However, the files will be hashed when file events occur.
For most environments, initial extraction takes between 24 and 48 hours. Once initial extraction is complete for each drive, it takes about 20 minutes for a new event from that drive to appear in search results in Forensic File Search.
After initial extraction, Code42 looks for new files in existing drives every 12 hours, and looks for new drives every 24 hours.
Box permissions
Forensic File Search collects file events from Box. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Box environment. The Box scopes we request are:
- Read all files and folders stored in Box (root_readonly)
- Read and write all files and folders stored in Box (root_readwrite)
- Manage users (manage_app_users and manage_managed_users)
- Manage webhooks (manage_webhook)
In addition, integrations are enabled.
This set of permissions gives Code42 the access to users, metadata for files, and drives needed to monitor file activity. Although the permissions include manage and write permissions, these are required for the integration with Box. Code42 is committed to data integrity and does not write to or modify content in your Box environment. Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.
For more information on the specific metadata and file events collected and stored by Forensic File Search, see the Forensic File Search reference guide.
Maximum user drive number exceeded
Code42's maximum number of drives allowed for monitoring in Box connections is 5,500. If Code42 detects more than this number of drives, it displays the following error in the Data Sources panel:
The number of supported user drives (5,500) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 5,500 drives.
If you receive this message:
- Deauthorize the cloud service connection.
- Reauthorize the cloud service connection.
You are prompted to set up the cloud service connection again.
- In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 5,500 drive limit.