Box Event Collector
This Integration is part of the Box Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
Box Event Collector#
Collect events from Box's logs.
Permissions#
The command is using the events endpoint with enterprise login. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked.
This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.
Configure Box Event Collector in Cortex#
To acquire the "Credential JSON", you need to get a JWT token and an app from Box. You can use the guide from Box V2 to get those credentials.
| Parameter | Required |
|---|---|
| Verify SSL Certificate | False |
| Credentials JSON | True |
| Fetch Events | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
| The maximum amount of events to fetch at once. 500 is maximum | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
box-get-events#
Get events.
Base Command#
box-get-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum events to fetch. Default is 10. | Optional |
| created_after | Fetch events from this time (<number> <time unit>, e.g., 12 hours, 7 days). Default is 3 days. | Optional |
Context Output#
There is no context output for this command.
Command example#
!box-get-events limit=1 created_after="30 days"
Context Example#
Human Readable Output#
Results#
action_by additional_details created_at created_by event_id event_type ip_address session_id source type 2022-04-10T05:39:15-07:00 type: user
id: 0000000000
name: John Doe
login: johndoe@example.comevent_id ADD_LOGIN_ACTIVITY_DEVICE ip_address type: user
id: 0000000000
name: John Doe
login: johndoe@example.comevent