Skip to main content

Box Event Collector

This Integration is part of the Box Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Box Event Collector#

Collect events from Box's logs.


The command is using the events endpoint with enterprise login. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Configure Box Event Collector on Cortex XSOAR#

To acquire the "Credential JSON", you need to get a JWT token and an app from Box. You can use the guide from Box V2 to get those credentials.

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Box Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    Verify SSL CertificateFalse
    Credentials JSONTrue
    Fetch EventsFalse
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
    The maximum amount of events to fetch at once. 500 is maximumFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Get events.

Base Command#



Argument NameDescriptionRequired
limitMaximum events to fetch. Default is 10.Optional
created_afterFetch events from this time (<number> <time unit>, e.g., 12 hours, 7 days). Default is 3 days.Optional

Context Output#

There is no context output for this command.

Command example#

!box-get-events limit=1 created_after="30 days"

Context Example#

"BoxEvents": {
"action_by": null,
"additional_details": null,
"created_at": "2022-04-10T05:39:15-07:00",
"created_by": {
"id": "00000000000",
"login": "",
"name": "John Doe",
"type": "user"
"event_id": "event_id",
"ip_address": "ip_address",
"session_id": null,
"source": {
"id": "00000000000",
"login": "",
"name": "John Doe",
"type": "user"
"type": "event"

Human Readable Output#


2022-04-10T05:39:15-07:00type: user
id: 0000000000
name: John Doe
event_idADD_LOGIN_ACTIVITY_DEVICEip_addresstype: user
id: 0000000000
name: John Doe