The Splunk Add-on for Box collects a lot of valuable data including Box users, files, folders, groups, and more. Included in the Splunk Add-on for Box are several pre-built panels to get quick insights into this data. The purpose of this post is to introduce various use cases around Box data included in the pre-built panels and custom searches and visualizations not included in the pre-built panels.
Before a user can access Box content, they have to authenticate. It is important to keep an eye on the percentage of failed logins, where logins are coming from, user accounts associated with failed logins, etc. The Splunk Add-on for Box has an event type named box_events_authentication that gives you all the raw Box authentication events. Using this event type, we can get a good amount of intelligence about our user authentications.
Percentage of Failed Logins
Knowing the percentage of failed logins over time can help you get a baseline for your environment and possibly set up an alert if you see the percentage spike outside the normal range. This could indicate malicious activity. Here is an example search and visualization:
eventtype=box_events_authentication action!=”unknown” | stats count by _time action ip_address | timechart count by action limit=10 usenull=f | eval pct_failed=failure/(failure+success)*100 | eval pct_failed=round(pct_failed,1) | rename pct_failed AS “% Failed”
Logins on a Map
Another compelling use case for this Box authentication data is geographically mapping successful and failed logins on a map. This help you quickly identify if you are seeing login events from regions you do not expect. Here is an example search and visualization:
eventtype=box_events_authentication action!=”unknown” | stats count by _time action ip_address | iplocation ip_address | geostats count by action
Putting it all Together
To make life easier and so that you can follow along at home, I have created a public GitHub repo that has these use cases pre-built. I will be adding to this repo as this blog series progresses.