AlienVault® USM Anywhere™

Launching a Box Response Action

Role Availability Read-Only Analyst   Manager

After USM Anywhere identifies Box events and alarms, you determine which Box activities are suspicious and should be investigated, and use the Box workflow to notify the investigator. For example, if you see a file upload event and think it should be investigated, rather than manually notifying the investigator, you can use the AlienApp for Box response action, Create Box Task, to create a task in Box and send an email to the owner, thus simplifying your workflow.

The AlienApp for Box provides two actions: Disable Box User and Create Box Task. Both actions are available when you launch a response action directly from an alarm (described below) or launch a response action in an orchestration rule.

Action Function

Disable Box User

Run this action to inactivate the user account in Box.

Create Box Task Run this action to create a task on a file in Box.

Note: Before launching a Box response action, you must have enabled and connected the AlienApp for Box to your Box Enterprise account. See Configuring the AlienApp for Box for more information.

When reviewing an alarm originated from a Box event, should you conclude that the Box user account has been compromised, you can launch an actionIn USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. to inactivate the Box user account associated with that alarm. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.

To launch the Disable Box User action for an alarm

  1. Go to Activity > Alarms.
  2. Review the alarms generated on the Box events, and then click the alarm to open its details.
  3. Click Select Action, and then select the Run Box Action tile.
  4. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for Box, select the sensor that you want to use for the action.
  5. In the App Action list, select Disable Box User.

    Important: If you create your own alarm rule for Box events, keep in mind that the Disable Box User action only works when the alarm rule selects source_userid as one of the Highlight Fields.

  6. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.

    You can create a rule to launch a Box response action for similar items

  7. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.

If the alarm is related to a file in you Box environment and you want it to be investigated, you can launch an actionIn USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. to create a task on the specific file. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.

To launch the Create Box Task action for an alarm

  1. Go to Activity > Alarms.
  2. Review the alarms generated on the Box events, and then click the alarm to open its details.
  3. Click Select Action, and then select the Run Box Action tile.
  4. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for Box, select the sensor that you want to use for the action.
  5. In the App Action list, select Create Box Task.

    This displays the options for the selected action. You must complete all the fields.

    For your convenience, USM Anywhere populates some of the fields with the information it has collected, but you can modify them accordingly.

    Create Box Task options

    • In Message Prefix, provide a brief reasoning for the investigation.
    • In Assignees, enter the email addresses of users who you want to notify about this task. These users should be the owner of the file or the administrator of the account.

    Important: If you create your own alarm rule for Box events, keep in mind that the Create Box Task action only works when the alarm rule has file_id and file_owner selected as Highlight Fields.

  6. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.

    You can create a rule to launch a Box response action for similar items

  7. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.