หมายเหตุ
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลอง ลงชื่อเข้าใช้หรือเปลี่ยนไดเรกทอรีได้
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลองเปลี่ยนไดเรกทอรีได้
As a cloud file storage and collaboration tool, Box enables your users to share their documents across your organization and partners in a streamlined and efficient way. Using Box might expose your sensitive data not only internally, but also to external collaborators, or even worse make it publicly available via a shared link. Such incidents can be caused by malicious actors, or by unaware employees.
Connecting Box to Defender for Cloud Apps gives you improved insights into your users' activities, provide threat detection using machine learning based anomaly detections, information protection detections such as detecting external information sharing, and enabling automated remediation controls.
Main threats
- Compromised accounts and insider threats
- Data leakage
- Insufficient security awareness
- Malware
- Ransomware
- Unmanaged bring your own device (BYOD)
How Defender for Cloud Apps helps to protect your environment
- Detect cloud threats, compromised accounts, and malicious insiders
- Discover, classify, label, and protect regulated and sensitive data stored in the cloud
- Enforce DLP and compliance policies for data stored in the cloud
- Limit exposure of shared data and enforce collaboration policies
- Use the audit trail of activities for forensic investigations
Control Box with built-in policies and policy templates
You can use the following built-in policy templates to detect and notify you about potential threats:
| Type | Name |
|---|---|
| Built-in anomaly detection policy | Activity from anonymous IP addresses Activity from infrequent country Activity from suspicious IP addresses Impossible travel Activity performed by terminated user (requires Microsoft Entra ID as IdP) Malware detection Multiple failed login attempts Ransomware detection Unusual administrative activities Unusual file deletion activities Unusual file share activities Unusual multiple file download activities |
| Activity policy template | Logon from a risky IP address Mass download by a single user Potential ransomware activity |
| File policy template | Detect a file shared with an unauthorized domain Detect a file shared with personal email addresses Detect files with PII/PCI/PHI |
For more information about creating policies, see Create a policy.
Automate governance controls
In addition to monitoring for potential threats, you can apply and automate the following Box governance actions to remediate detected threats:
| Type | Action |
|---|---|
| Data governance | - Change shared link access level on folders - Put folders in admin quarantine - Put folders in user quarantine - Remove a collaborator from folders - Remove direct shared links on folders - Send policy-match digest to file owners - Send violation digest to last file editor - Set expiration date to a folder shared link - Trash folder |
| User governance | - Suspend user - Notify user on alert (via Microsoft Entra ID) - Require user to sign in again (via Microsoft Entra ID) - Suspend user (via Microsoft Entra ID) |
For more information about remediating threats from apps, see Governing connected apps.
Protect Box in real time
Review our best practices for securing and collaborating with external users and blocking and protecting the download of sensitive data to unmanaged or risky devices.
Connect Box to Microsoft Defender for Cloud Apps
This section provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Box account using the App Connector APIs. This connection gives you visibility into and control over Box use. For information about how Defender for Cloud Apps protects Box, see Protect Box.
Note
Deploying with an account that isn't an Admin account leads to a failure in the API test and doesn't allow Defender for Cloud Apps to scan all of the files in Box. If this is a problem for you, you can deploy with a Co-Admin that has all of the privileges checked, but the API test will continue to fail and files owned by other admins in Box will not be scanned.
Configure Box
- Sign into your Box account as an Admin user.
- Go to the custom app settings. For more information, see Managing custom apps – Box Support
- If your settings are configured to disable unpublished apps by default, enter the Defender for Cloud Apps API key for your data center, as listed in the following table, and save your changes.
| Data center |
Defender for Cloud Apps API key |
|---|---|
| US1 | nduj1o3yavu30dii7e03c3n7p49cj2qh |
| US2 | w0ouf1apiii9z8o0r6kpr4nu1pvyec75 |
| US3 | dmcyvu1s9284i2u6gw9r2kb0hhve4a0r |
| EU1 | me9cm6n7kr4mfz135yt0ab9f5k4ze8qp |
| EU2 | uwdy5r40t7jprdlzo85v8suw1l4cdsbf |
Your data center details are shown in the Defender for Cloud Apps About page in the Settings area. For more information, see View your data center.
Connect Defender for Cloud Apps
In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors.
In the App connectors page, select +Connect an app, and then select Box.
In the Instance name page, enter a name for the connection. Then select Next.
In the Follow the link pop-up, select Connect Box.
The Box sign-in page opens. Enter your credentials to allow Defender for Cloud Apps access to your team's Box app.
Box asks you if you want to allow Defender for Cloud Apps access to your team information, activity log, and perform activities as a team member. To proceed, select Allow.
Back in the Microsoft Defender Portal, you should receive a message saying that Box was successfully connected.
In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.
After connecting Box:
- You'll receive events for the 7 days prior to connection.
- Defender for Cloud Apps will perform a full scan of all files. Depending on how many files and users you have, completing the full scan can take a while.
To enable near real-time scanning, files on which activities are detected are moved to the beginning of the scan queue. For example, a file that is edited, updated, or shared is scanned right away rather than waiting for the regular scan process. Near real-time scanning doesn't apply to files that aren't inherently modified. For example, files that are viewed, previewed, printed, or exported are scanned as part of the regularly scheduled scan.
Related articles
If you have any problems connecting the app, see Troubleshooting App Connectors.