Supported Cortex XSOAR versions: 6.6.0 and later.
Collect events from Box's logs.
The command uses the events endpoint with enterprise login. The user making the API call must have admin privileges, and the application must have the "manage enterprise properties" scope checked.
To obtain the "Credentials JSON", you need a JWT token and an app from Box. You can use the guide from Box V2 to get those credentials.
Navigate to Settings > Integrations > Servers & Services.
Search for Box Event Collector.
Click Add instance to create and configure a new integration instance.
|Parameter||Required|
|Verify SSL Certificate||False|
|Credentials JSON||True|
|Fetch Events||False|
|First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)||False|
|The maximum amount of events to fetch at once. 500 is maximum||False|
Click Test to validate the URLs, token, and connection.
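An added pre-flight check for the instance parameters above; it is not part of the integration's code. It assumes the Credentials JSON follows the key layout of the JWT app configuration file that Box generates, and it accepts only minutes, hours, days and weeks as time units. The function names and the sample values are hypothetical.

```python
import json
import re
from datetime import datetime, timedelta

# Assumed layout: the JWT app config file Box issues for a custom app.
REQUIRED = (
    "enterpriseID", "boxAppSettings.clientID", "boxAppSettings.clientSecret",
    "boxAppSettings.appAuth.publicKeyID", "boxAppSettings.appAuth.privateKey",
    "boxAppSettings.appAuth.passphrase",
)
UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
MAX_LIMIT = 500  # ceiling documented for a single fetch

# Constructed sample with placeholder values; appAuth.passphrase is left out.
SAMPLE = json.dumps({
    "enterpriseID": "PLACEHOLDER_ENTERPRISE_ID",
    "boxAppSettings": {
        "clientID": "PLACEHOLDER_CLIENT_ID",
        "clientSecret": "PLACEHOLDER_CLIENT_SECRET",
        "appAuth": {"publicKeyID": "PLACEHOLDER_KEY_ID",
                    "privateKey": "PLACEHOLDER_PEM"},
    },
})


def missing_credential_keys(raw: str) -> list:
    """Return dotted paths of required keys that are absent or empty."""
    doc, missing = json.loads(raw), []
    for path in REQUIRED:
        node = doc
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, str) or not node.strip():
            missing.append(path)
    return missing


def parse_first_fetch(value: str, now: datetime) -> datetime:
    """Turn '<number> <time unit>' (e.g. '12 hours') into a start time."""
    m = re.fullmatch(r"\s*(\d+)\s+([a-z]+?)s?\s*", value.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"expected '<number> <time unit>', got {value!r}")
    return now - timedelta(**{UNITS[m.group(2)]: int(m.group(1))})


def check_limit(limit: int) -> int:
    """Reject values outside 1..500 rather than silently truncating."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    return limit
```

Running the checks before pasting the JSON into the instance keeps the private key out of trial-and-error Test runs against the Box API.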
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
|limit||Maximum events to fetch. Default is 10.||Optional|
|created_after||Fetch events from this time (<number> <time unit>, e.g., 12 hours, 7 days). Default is 3 days.||Optional|
There is no context output for this command.
!box-get-events limit=1 created_after="30 days"
|action_by||additional_details||created_at||created_by||event_id||event_type||ip_address||session_id||source||type|
| || ||2022-04-10T05:39:15-07:00||type: user, name: John Doe||event_id||ADD_LOGIN_ACTIVITY_DEVICE||ip_address|| ||type: user, name: John Doe|| |