To help protect you from data loss, you can use Code42 to monitor files moving to and from your organization's Box cloud storage environment.
When you add Box as a data connection, you must authorize Code42 as a custom application. Once connected, we monitor your organization's Box environment to capture when a user:
- Creates or uploads a file
- Shares a link to a file
- Shares a file directly with users inside or outside your organization
- Deletes a file
- Modifies a file's contents, name, or location
This article explains how to add Box as a data connection. It also explains why Code42 needs this level of access to your Box environment.
The following considerations apply to Box. See also the considerations applicable to all cloud storage environments.
- Code42 can connect to your Box environment only when supported by your Box product plan.
- Box allows you to add or remove individuals as collaborators on a file. However, for files that reside at the root of the drive and are not in a folder, these collaboration changes are not recorded until a file event occurs (for example, at file creation, modification, renaming, moving, or sharing with a link).
- Box limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Box to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring access to Box. Consider setting up Code42 access to Box when you have decreased activity in your environment.
- Detection of folder sharing permissions changes in Box may be delayed.
- If a user's status is set to inactive in Box, Code42 does not monitor file activity on the user's Box account.
Code42 temporarily streams files from your cloud storage or email service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts.
Code42 never stores file contents or writes them to disk during this process.
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Code42. After detecting activity, Code42 makes a best effort to interpret the user's actions on a file in cloud storage. Code42 may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.
Throttling of API requests by the cloud storage vendor can also slow Code42's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Code42's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.
Authorize Code42's connection to Box
Step 1: Connect Code42 and Box
- Sign in to the Code42 console.
- Add a cloud storage data connection:
- Select Administration > Integrations > Data Connections.
- Click Add Data Connection.
The Add Data Connection dialog displays.
- From Data Connection, select Box under Cloud Storage.
- Enter a display name. This display name must be unique.
- Copy the Client ID. You will enter this in your Box Admin Console.
- Authorize the Code42 app in Box:
- Go to your Box Admin Console and log in using your Box Admin email and password.
- Click Apps.
- Click the Custom Apps tab.
- Click Authorize New App.
The App Authorization screen displays.
- Paste in the Client ID from the Code42 console.
- Click Next.
- Review the permissions granted. For more information, see Box permissions below.
- Click Authorize.
Code42 Cloud Services appears in the table of custom applications.
- (Optional) If Disable published third party apps by default is selected in Global App Settings in your Box Admin Console, hover your mouse over the Code42 Cloud Services app, click the ellipses button, and select Authorize App to allow Code42 access to your Box environment.
You can choose to disable third-party published applications to secure your Box environment. If you do so, you need to explicitly select and authorize the Code42 cloud service's access.
Step 2: Add Users
- Return to the Code42 console.
- In the Add Data Connection dialog, click Continue.
The Add Users panel displays.
- Select one of the following options:
Monitors all Box users in your environment.
- Specific Users
Monitors only the Box users you designate.
- Specific Groups
Monitors only the users in Box groups you designate.
Step 3: Verify the setup
- After uploading the .csv file, click Continue In the Add Data Connection dialog.
The Verify panel displays.
- Locate your Box Enterprise ID:
- Return to the Box Admin Console and select Account & Billing.
- Copy the Enterprise ID.
- Return to the Code42 console and enter your Box Enterprise ID and Box Admin email address:
- Paste the Box Enterprise ID into Box Enterprise ID.
- Enter the email address you use to log into the Box Admin Console into Box Admin Email Address.
- Click Authorize.
Box is added as a data connection, and Code42 begins the initial indexing process.
Once you have added Box as a data connection, learn more about:
- Common use cases for investigating security incidents with Forensic Search
- How to use Forensic Search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.
Upload a .csv file
In Step 2, if you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists Box users or groups you want to monitor.
General considerations for uploading a .csv file:
- The .csv file is limited to 1,000 entries.
- Uploading a new .csv replaces the existing list of people or groups being monitored.
Upload a .csv file listing Box users
See the Box documentation to export a list of all Box users to an Excel file. Convert the Excel file to .csv format, and create a .csv file from this list that contains only the users you want to monitor.
Code42 reads usernames from the column headers labeled Email or Email Address in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.
Upload a .csv file listing Box groups
To create a Box group, see the Box documentation. After your Box groups are set up, create a .csv file that contains only the groups you want to monitor. In this .csv file:
- Use a column header labeled either Group Name or Groups. Code42 reads the names of groups from rows under this column header. If neither of these column headers are specified, the upload produces an error.
- Under that column header, specify the names of the groups to monitor exactly as they appear in the Box Admin Console.
When a group name is provided, Code42 attempts to look up users with the specified group name from the .csv file. If the group name cannot be found, Code42 proceeds to the next group. Code42 looks for that group again every 24 hours.
As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly.
Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
Code42 collects file events from Box. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Box environment. The Box scopes we request are:
- Read all files and folders stored in Box (root_readonly)
- Read and write all files and folders stored in Box (root_readwrite)
- Manage groups (manage_groups)
- Manage webhooks v2 (manage_webhook)
- Manage enterprise properties (manage_enterprise_properties)
- Manage users (manage_app_users and manage_managed_users)
In addition, integrations are enabled.
This set of permissions gives Code42 the access to users, metadata for files, and drives needed to monitor file activity. Although the permissions include manage and write permissions, these are required for the integration with Box. Code42 is committed to data integrity and does not write to or modify content in your Box environment. We do not monitor the contents of those files, and do not back up files in the cloud storage environment.
For more information on the specific metadata and file events visible in Forensic Search, see the Forensic Search reference guide.
Maximum user drive number exceeded
Code42 can monitor a maximum number of drives in your cloud storage environment, depending on vendor:
- Box and Microsoft OneDrive: 500,000 drives
- Google Drive: 55,000 drives
If Code42 detects more than the maximum number of drives, the following error appears at the top of the Data Connections screen: "The number of supported user drives (<DriveMaximum>) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than <DriveMaximum> drives."
If you receive this message:
- Deauthorize the cloud storage data connection.
- Resume monitoring the cloud storage data connection.
You are prompted to set up the cloud storage data connection again.
- In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the maximum limit.
Reconfigure scoping for user and group monitoring
If needed, you can reconfigure the cloud storage's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.
- Deauthorize the cloud storage connection.
You do not need to remove the Code42 application from the cloud storage environment. The app registration remains valid even if it is deauthorized.
- Resume monitoring the cloud storage connection.
You are prompted to set up the cloud storage connection again.
- In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.
No Box file activity is reported in the Code42 console
If your Box subscription includes Box Shield, the security policies set up in Box Shield may prevent Code42 from accessing your environment and can stop its monitoring of shared file activity. When Box Shield blocks the Code42 application in your Box environment, the connection may appear to be functioning normally in the Code42 console. However, because Code42 is prevented from accessing files in your Box environment, it cannot collect or report any shared file activity.
To resolve this issue, add the Code42 application to a Smart Access policy in your Box environment:
- Log into your Box Admin Console using your Box Admin email and password.
- Click Admin Console at the bottom of the screen.
- In the Admin Console's navigation panel, click Shield.
- Click the Access Policies tab.
- Select an existing policy to edit, or create a new one. For more information, see the Box documentation.
- In the Security Controls section, add a new Application Restriction security control if needed. (You can also edit any existing Application Restriction security control.) For more information, see the Box documentation.
- Customize the Application Restriction security control for the Code42 application.
- Under Application Restriction, select Allow only specified applications to download content.
- In the Allowed Applications box, enter the name of the Code42 application (Code42 Cloud Services).
- Save your changes to the policy.
- If you updated an existing policy, click Update Policy to save your changes.
- If you created a new policy, make any other updates needed and then click Next. After reviewing the new policy's summary, click Start Policy.