This package for security monitoring of BOX SaaS leverages the Elastic Stack to detect incidents and security violations in the Box platform. The MITRE ATT&CK tactics covered are Exfiltration and Execution. It includes Logstash configs for mapping Box events to the Elastic Common Schema (ECS) and 15+ threat detection content items.
Machine Learning Recipes:
- Download or Upload Spikes in BOX Logs (Abnormal counts of downloads or uploads for an account)
- Unexpected Source Address for the User (Unusual connection for an account)
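The two recipes above, as an added example that is not part of the SOC Prime package: a small baseline check that flags an account whose daily download count jumps far above its own history, and an account whose activity today comes from a source address never seen for it before. Events are constructed here as dicts already carrying ECS-style field names (user.name, source.ip, event.action, @timestamp); the package's real Logstash mapping and ML jobs are not reproduced.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: alice downloads 3 files/day from the office for five days,
# then 40 files at 02:00 from an outside address; bob is steady at 4/day.
EVENTS = [
    {"@timestamp": f"2024-03-0{d}T10:00:00Z", "user.name": "alice", "source.ip": "10.0.0.5", "event.action": "DOWNLOAD"}
    for d in range(1, 6) for _ in range(3)
] + [
    {"@timestamp": "2024-03-06T02:00:00Z", "user.name": "alice", "source.ip": "198.51.100.7", "event.action": "DOWNLOAD"}
    for _ in range(40)
] + [
    {"@timestamp": f"2024-03-0{d}T11:00:00Z", "user.name": "bob", "source.ip": "10.0.0.9", "event.action": "DOWNLOAD"}
    for d in range(1, 7) for _ in range(4)
]

def daily_counts(events, action):
    """Map (user, YYYY-MM-DD) -> number of events with the given action."""
    counts = Counter()
    for e in events:
        if e["event.action"] == action:
            counts[(e["user.name"], e["@timestamp"][:10])] += 1
    return counts

def download_spikes(events, day, action="DOWNLOAD", k=5, min_count=20):
    """Users whose count on `day` exceeds median + k*MAD of their earlier days.
    Median/MAD is robust to a past outlier skewing the baseline; min_count
    suppresses alerts on tiny absolute volumes (3 -> 9 downloads is not a spike)."""
    counts = daily_counts(events, action)
    history = defaultdict(list)
    for (user, d), n in counts.items():
        if d < day:
            history[user].append(n)
    flagged = {}
    for user, hist in history.items():
        today = counts.get((user, day), 0)
        med = median(hist)
        mad = median(abs(x - med) for x in hist) or 1.0  # flat baseline -> MAD 0, floor it
        if today >= min_count and today > med + k * mad:
            flagged[user] = today
    return flagged

def new_source_addresses(events, day):
    """Users active on `day` from a source.ip absent from all their earlier events."""
    seen, today = defaultdict(set), defaultdict(set)
    for e in events:
        bucket = today if e["@timestamp"][:10] == day else seen
        bucket[e["user.name"]].add(e["source.ip"])
    return {u: sorted(ips - seen[u]) for u, ips in today.items() if ips - seen[u]}
```

Both checks fire for alice on 2024-03-06 and stay quiet for bob; in production the baseline window and k would be tuned per tenant rather than hard-coded.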
Dashboard: BOX Admin Activity
- [BOX] Admin Login from Suspicious Network (Admin login from a non-corporate network)
- [BOX] Anonymizer Tools Detected (An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable.)
- [BOX] Cryptominer Tools Detected (Detects the mining tools)
- [BOX] Direct User Bruteforce (Possible direct brute force (SSO and 2FA bypass))
- [BOX] Files Marked as Malware (Files marked as malicious)
- [BOX] Files Shared Outside Organization (A folder or document can be shared with an external user via an anonymous link, meaning the person accessing the document can’t be identified by the organization)
Full list of Watchers is available at tdm.socprime.com
MITRE ATT&CK tags:
- Automated Exfiltration T1020
Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
- Scheduled Transfer T1029
Data exfiltration may be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
- User Execution T1204
An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it.