Box, Inc. specialises in developing and marketing cloud-based content management, collaboration, and file-sharing tools for businesses. While Box’s services are widely recognised as best-in-class, it’s easy to overlook the security posture of platforms like Box, Salesforce, and GitLab amidst the vast array of cloud-based SaaS tools. As part of our Securing SaaS with Falco series, we’d like to highlight Falco’s Box plugin.
What the Box plugin does
The Falco plugin for Box ingests Enterprise Events from Box and makes them accessible as fields in Falco. With these fields, you can create Falco rules to detect threats within Box in real time and trigger alerts through your configured notification channels. Why is ingesting Box events into Falco valuable? Because Falco enables threat detection across multiple cloud platforms simultaneously, it allows you to correlate security events from various sources in real time, effectively identifying active lateral movement as it happens.
Why integrate Box events with Falco?
The Enterprise Events provided by Box give admins a comprehensive feed of user and content activity within an enterprise Box instance. Depending on the stream_type, your application can either subscribe to live events or query historical ones. Access to these streams is restricted to users with admin permissions, enabling them to run new reports and view existing ones.
To allow Falco to communicate with Box via 2-Legged oAuth, a Custom App must be created in your account’s Developer Console. The entire process for creating an app within the Box Developer Console is documented in the Box Plugin Github Repo.
IP geolocation enrichment for Falco
Similar to the GitLab plugin for Falco, this Box plugin also allows you to enhance IP addresses with geolocation information using either MaxMind’s GeoLite or GeoIP2 databases. You can register for access to GeoLite2 databases and web services here. Once registered, download the MaxMind City Database in .mmdb format and save it to a location on your file system that Falco can access. To enable the plugin to use the database, configure the maxmindcitydbpath option in the falco.yaml file. The instructions for building the plugin are listed here.
Rule creation
As always, Falco rules are written in YAML format. The plugin comes packed with many Default Falco Rules in the rules/box.yaml file which will detect a number of malicious events. As is a common use case for these SaaS plugins, we want to observe cases of Disabling of Multi-Factor Authentication (MFA), or Failed MFA token responses.
- rule: Box - Multifactor Authentication disabled
desc: Multifactor Authentication has been disabled for a device.
condition: box.eventtype=MULTI_FACTOR_AUTH_DISABLE
output: >
Box Plugin: MULTIFACTOR AUTHENTICATION has been DISABLED! for user: %box.userlogin
(uid: %box.userid name: %box.username) by user: %box.created_by_login (uid:
%box.created_by_id name: %box.created_by_name). Details: (IP=%box.ipaddress,
city=%box.city, country=%box.country, Box Event Id=%box.eventid)
priority: WARNING
source: box
tags: [box, Defense_Evasion, T1556.006, Persistence]Code language: YAML (yaml)Box offers a built-in security solution called Box Shield, which provides intelligent and seamless protection for content workflows. Box Shield incorporates advanced, multi-layered threat detection to help mitigate content-related risks. With its deep machine learning-powered malware detection, it identifies and prevents the spread of malware before it can lead to a data breach. Box Shield actively scans content during various actions — such as uploading, sharing, previewing, editing, and downloading — offering comprehensive protection against sophisticated threats, including ransomware.
The Falco plugin taps into all audit activity from Box Shield allowing admins to detect Advanced Persistent Threats (APTs) based on SaaS-specific indicators. The only condition we need to look for here are events that start with “SHIELD_“. Box Shield does all the hard work for you.
- rule: Box - Shield Alert
desc: Box issued a shield alert!!
condition: box.eventtype startswith "SHIELD_"
output: >
Box Plugin: Box issued a Shield Alert!! - User: %box.created_by_login, IP Address:
%box.ipaddress, Event ID: %box.eventid - Additional Details: %box.shieldalert
priority: WARNING
source: box
tags: [box, Mitre_Attack, APT, Shield]Code language: YAML (yaml)API polling frequency and API rate limits
The plugin interacts with the Box Admin Event Streaming API, mapping Box event fields to Falco plugin fields for evaluation and alerting. It uses the admin_logs_streaming log stream type to collect events from the time the plugin starts. However, it does not process the two weeks of historical events stored in this stream.
By default, the plugin polls the API every 300 seconds. You can adjust this interval by modifying the PollIntervalSecs setting in the falco.yaml file. Be aware that changing the polling frequency may affect your costs. Box enforces strict API rate limits to maintain service quality and prevent overload. These limits vary based on your licensing type and the specific API endpoint. For detailed information, refer to the Box API documentation.
Conclusion
Falco’s extensive open-source plugin architecture exemplifies why we need to rethink threat detection and response in the age of cloud-native and the associated, sprawling SaaS service ecosystem. As more and more SaaS services are introduced in an organization to help with code development, content management, file sharing, and more, we have to be realistic about the threat exposure associated with all of these services. Falco plugins allow businesses to build their own middleware for streaming audit activity from cloud-hosted SaaS services to a unified detection and response platform for improved threat mitigation.