With the collection of your Box Enterprise account activities through the configured AlienApp for Box, USM Anywhere collects, enriches, and analyzes data from your Box environment. It detects any suspicious activity, such as anomalous user behavior, credential abuse, or brute-forceTechnique or attack method, typically used with authentication, involving an exhaustive procedure that tries all possibilities (for example, to find a valid password), one-by-one. authentications. When USM Anywhere detects a threat, it generates an alarmAlarms provide notification of an event or sequence of events that require attention or investigation.. See the following table for examples of alarms that the AlienApp may produce.
| Intent | Strategy | Method |
|---|---|---|
| System Compromise | Credential Abuse | Authentication to Box from a known malicious host |
| Ransomware Infection | Multiple uploads with known ransomware extension | |
| Ransomware decryption instructions file upload | ||
| Exploitation & Installation | Malware Infection | Executable downloaded from Box followed by malware activity |
| Delivery & Attack | Brute Force Authentication | Successful login after a brute-force attack |
| Password spraying against Box | ||
| Data Exfiltration | File sent to a known malicious host | |
| Known Malicious Infrastructure | Box application created from a known malicious host | |
| File shared from a known malicious host | ||
| Reconnaissance & Probing | Brute Force Authentication | Multiple login failures |
| Environmental Awareness | Access Control Modification | Two-factor authentication disabled |
| Account Manipulation | Multiple user accounts deleted | |
| Anomalous User Behavior | Admin login from an unknown device | |
| Credential Abuse | User login from two different countries in a short period | |
| Defense Evasion - Cover Tracks | User account created and deleted in short period | |
| Defense Evasion - Disabling Security Tools | Box security policy deleted | |
| Malware Infection | Box detected a malicious file upload | |
| Sensitive Data Disclosure | Box support access granted |
You can create more rules to generate alarms for the Box events that are important to you. See Creating Alarm Rules from the Events page for detailed instructions. If you want to use the Disable Box User action from the resulting alarm, you must select source_userid as one of the fields when creating such a rule. For example:
Similarly, if you want to use the Create Box Task action from the resulting alarm, you must select file_id and file_owner as highlight fields when creating the alarm rule.
Feedback