SECURONIX PROPRIETARY STATEMENT
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.
SECURONIX COPYRIGHT STATEMENT
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.
Copyright 2018 © Securonix All rights reserved.
CONTACT INFORMATION
Securonix, Inc.
14665 Midway Rd. Ste. 100, Addison, TX 75001 www.securonix.com
855.732.6649
REVISION HISTORY
Date        Product Version   Description
4/4/2018    6.1               First Release
8/2/2018    6.2               Revision
Table of Contents
Box
  What is Box?
  Box Integration
    Configuring the Box API for SNYPR
      Create an App
    Configure the Box Connection in SNYPR
  Supported Collection Methods
  Taxonomy
  Device Event Field Mapping
    SNYPR Fields to Box
  Device Event Severity Mapping
  Device Event Categorization
  Sample Line Filters
Box
This data source guide describes how Box data source events are parsed, normalized, and categorized into SNYPR fields. In particular, it provides the following:
- Device event field mapping
- Device event severity mapping
- Device event categorization
To download the Box API parser from the Securonix Threat Library, search Available Resources Types for Deployment by Vendor name or Functionality. Downloading the resource downloads the parser along with the applicable dashboards, reports, policies and threat models.
What is Box?
Box is a cloud content management and file sharing service for businesses. Box provides file sharing, collaboration, and other tools for working with files that are uploaded to its servers.
Box Integration
Configuring the Box API for SNYPR
This section describes how to configure an app on Box to allow SNYPR to connect prior to importing data.
Note: The steps described in this section are specific to Box and may change. Consult the Box documentation for the latest steps.
Create an App
You must create an app in the Box Developers console to configure Standard OAuth 2.0 User Authentication. To create an app in Box, complete the following steps:
1. Log in to your Box account.
2. Click Create New App.
3. Click Custom App on the Let's get started page.
4. Click Next.
6. Click Next.
7. Provide a unique name for your app on the What would you like to name your app? screen.
8. Click Create App.
9. Click View App on the Woot! Your app has been created screen.
11. Copy the Client ID and Client Secret. SNYPR uses them to generate the tokens that authenticate the connection to Box.
12. Enter the Redirect URI that will receive the OAuth 2.0 credentials from SNYPR. Example: https://localhost:8080/Snypr/connectionType/generateOauthCode.
Note: Replace localhost and the port number with the SNYPR URL and port number.
Configure the Box Connection in SNYPR
This section describes how to import data from a Box data source using an API connector.
Prerequisites for Importing Events from Box
SNYPR uses OAuth 2.0 to connect to Box and import data. Ensure you have the following information before setting up the connection:
- Client Key: The Client ID OAuth 2.0 credential from your Box App.
- Secret Key: The Client Secret OAuth 2.0 credential from your Box App.
Note: For information about Box Apps, see Box API Configuration.
To import events from Box, complete the following steps:
1. Navigate to Menu > Add Data > Activity.
2. Click + to add a new datasource.
4. Click Vendor and select the following:
- Vendors: Box.
- Device Types: BoxT.
- Collection Method: BoxContent [BoxContent].
- Import Using: Select Console, or the ID of the Remote Ingester if a remote ingester is used in the environment.
Note: The information you select populates the Device Type Information section.
5. Complete the following steps to configure the connection:
DEVICE TYPE INFORMATION
The following information is populated by the previous step:
a. Vendor: Box.
b. Resource Type: BOXT.
c. Collection Method: BoxContent [BoxContent].
d. Import Using: Select Console, or the ID of the Remote Ingester if a remote ingester is used in the environment.
DEVICE INFORMATION
a. Datasource Name: Box.
b. IP Address: Not required.
c. Specify timezone for activity logs: Select your time zone from the dropdown.
COLLECTION METHOD
2. Complete the following information:
a. Key: Enter the Client ID from the Box App.
b. Secret: Enter the Client Secret from the Box App.
3. Click Generate Tokens.
The Box log in screen appears in a pop-up window.
4. Enter your credentials to log in and grant access to Box.
5. Click Authorize.
6. Click Grant access to Box.
Box generates the Access and Refresh tokens.
7. Click Populate Tokens in the SNYPR Activity Import window.
Note: The Parsing Technique auto-populates to Key Value Pair.
MORE SETTINGS
9. Complete the following information:
a. Action Taken on Unparsed Events: Select from the dropdown. The following options are available:
- Save in unprocessed folder on HDFS
- Drop Events
- Ingest as unparsed events
b. Success Folder: Specify the folder into which the file is moved after a successful upload. Default: /Securonix/tenants/four/snypr6/securonix_home/import/success/
c. Staging Folder: Specify the staging folder (required for data that needs preprocessing). Default: /Securonix/tenants/four/snypr6/securonix_home/import/in/
d. Enable Preprocessor: Toggle to Yes to enable the preprocessor.
e. Preprocessor Class (optional): Enter a preprocessor class if the preprocessor is enabled.
10. Preview Input to ensure the file has uploaded successfully.
11. Click Save & Next to proceed to Step 5: Reviewing Import Summary.
Editing the Connection
To edit the existing Box connection, navigate to Menu > Add Data > Activity and complete the following steps:
2. Click the edit icon and proceed to any of the following steps described in Activity Data to edit the information:
- Step 2: Parsing and Normalization
- Step 3: Performing Conditional Actions
- Step 4: Configuring Identity Attribution
OR
3. Click the delete icon to delete the datasource.
Supported Collection Methods
The method of collection is Splunk.
Taxonomy
Securonix Open Event Format (OEF) 1.0 is used. OEF is an event interoperability standard/schema. It provides a set of standardized attributes (fields) for consistent representation of logging output from disparate security and non-security devices and applications. For additional information, refer to the Data Dictionary section on the Securonix documentation portal.
Device Event Field Mapping
This section lists the mappings of SNYPR fields to the device fields.
SNYPR Fields to Box
Box Field                         SNYPR Field
host                              SourceHostName
source                            DeviceCustomString3
source.type                       DeviceCustomString1
additional_details.service_id     CustomString3
additional_details.service_name   CustomString2
event_id                          baseeventid
event_type                        deviceeventcategory
ip_address                        ipaddress
source.item_id                    Additionaldetails1
source.item_name                  filename
source.item_type                  Devicecustomstring3
source.parent_id                  AdditionalDetails2
source.parent_name                AdditionalDetails3
source.parent_type                Additionaldetails4
SharedLinkId                      Additionaldetails5
collab_id                         Additionaldetails6
accessible_by_login               Additionaldetails7
performed_by_admin                Additionaldetails8
additional_details.role           Devicecustomstring6
additional_details.type           Additionaldetails9
source.username                   Additionaldetails10
source.useremail                  Additionaldetails11
additional_details.size           oldfilesize
sizeinKb                          filesize
Device Event Severity Mapping
The SNYPR category severity fields are mapped to the device severity fields.
Category Severity   Device Severity
alert               Very High = 0, 1
critical            High = 2, 3
warning             Medium = 4, 5
info                Low = 6, 7
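The following is an added example, not Securonix or Box code, that applies the field mapping table above and the severity mapping to one raw Box event. It assumes the dotted Box field names denote nesting in the event JSON, that the sample event is constructed, and that the device severity value is supplied separately (the guide does not say where it comes from); the output key category_severity is a hypothetical name.

```python
import json

# Constructed sample event; nesting follows the dotted names in the guide (assumption).
SAMPLE_EVENT = json.dumps({
    "event_id": "evt-0001", "event_type": "DOWNLOAD", "ip_address": "203.0.113.5",
    "source": {"item_id": "f-42", "item_name": "q3-plan.xlsx", "item_type": "file",
               "parent_id": "d-7", "parent_name": "Finance", "parent_type": "folder",
               "username": "alice", "useremail": "alice@example.com"},
    "additional_details": {"service_id": "123", "service_name": "Box Sync", "size": 2048},
})

# Box field path -> SNYPR field, taken from the guide's mapping table.
FIELD_MAP = {
    "event_id": "baseeventid", "event_type": "deviceeventcategory",
    "ip_address": "ipaddress", "source.item_id": "Additionaldetails1",
    "source.item_name": "filename", "source.item_type": "Devicecustomstring3",
    "source.parent_id": "AdditionalDetails2", "source.parent_name": "AdditionalDetails3",
    "source.parent_type": "Additionaldetails4", "source.username": "Additionaldetails10",
    "source.useremail": "Additionaldetails11",
    "additional_details.service_id": "CustomString3",
    "additional_details.service_name": "CustomString2",
    "additional_details.role": "Devicecustomstring6",
    "additional_details.size": "oldfilesize",
}

# Device severity value -> SNYPR category severity, per the guide's severity table.
SEVERITY_MAP = {0: "alert", 1: "alert", 2: "critical", 3: "critical",
                4: "warning", 5: "warning", 6: "info", 7: "info"}


def resolve(event, path):
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def normalize_box_event(raw_json, device_severity=6):
    """Map one raw Box event to SNYPR fields; fields absent from the event are omitted."""
    event = json.loads(raw_json)
    record = {}
    for box_path, snypr_field in FIELD_MAP.items():
        value = resolve(event, box_path)
        if value is not None:
            record[snypr_field] = value
    # Hypothetical output key; device_severity is assumed to be provided by the caller.
    record["category_severity"] = SEVERITY_MAP.get(device_severity, "info")
    return record
```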
Device Event Categorization
This section contains the rules used to categorize the device events.
Rule Name   Rule Category          Object Category   Behavior Category   Outcome
Rule 1      File_Download          File              Download            Success
Rule 2      File_Operation         File              Operation           Success
Rule 3      File_Upload            File              Upload              Success
Rule 4      File_Access            File              Access              Success
Rule 5      User_Authentication    User              Authentication      Success
Rule 6      User_Administration    User              Administration      Success
Rule 7      Set_Event_Category     File              Delete              Success
Rule 8      Set_Event_Category_7   File              Share               Success
Rule 9      Set_Event_Category_8   File              Operation           Success
Rule 10     Set_Event_Category_9   File              Operation           Success
Rule 11     Set_Event_Category_10  File              Operation           Success
Rule 12     Set_Event_Category_11  File              Share               Success
Sample Line Filters