Enterprise Recon 2.9.0
Box
This section covers the following topics:
Box Enterprise
Licensing
For Sitewide Licenses, all scanned Box Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, Box Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
Requirements
Requirements | Description |
---|---|
Proxy Agent |
|
TCP Allowed Connections | Port 443 |
Set Up Box Enterprise as a Target location
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, select Box.
- In the Box Details section, fill in the following fields:
Field Description Box Domain Enter the Box Enterprise administrator account email address. Box Account Authorization Obtain the Box Enterprise authorization key: - In Box Details, click on Box Account Authorization. This opens the Box authorization page in a new browser tab.
- In the Box authorization page:
- Enter your Box Enterprise administrator account user name and password.
- Click Authorize.
- Click Grant access to Box.
- Copy the Access Code.
Access Code Enter the Access Code obtained during Box Account Authorization. Agent to act as proxy host Select a Proxy Agent host with direct Internet access. - Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
Edit Box Enterprise Target Path
To scan a specific path in Box Enterprise:
- Set Up Box Enterprise as a Target location.
- In the Select Locations section, select your Box Enterprise Target location and click Edit.
-
In the Edit Box.Net Location dialog box, enter the path to scan. Use the following syntax:
Path Syntax Whole domain Leave blank. Specific user account Syntax: <username@domain>
Example: user1@example.comSpecific folder in user account Syntax: <username@domain/folder>
Example: user1@example.com/ProjectASpecific file in user account Syntax: <username@domain[/folder_name]/file_name.txt>
Example: user1@example.com/ProjectA/example.txt -
Click on Box Account Authorization and follow the on-screen instructions. Enter the Access Code obtained into the Access Code field.
Each additional location requires you to generate a new Access Code for use with ER2. - Click Test and then Commit to save the path to the Target location.
Box Inc
Overview
When Box Inc is added as a scan Target, ER2 returns all groups and users accounts of each group in the Box Inc domain. You can select specific groups, users, folders, or files when setting up the scan schedule, and each is reported as distinct Target locations.
You can also scan all user accounts in your organization's Box Inc domain by selecting the "All Users" group as a scan location.
Example of Box Inc structure:
Box [domain: example.app.box.com]
+- Box on target BOX:EXAMPLE.APP.BOX.COM
+- Group All Users
+- User A
+- Folder_1
+- File_1
+- File_2
+- File_3
+- User B
+- File_1
+- File_2
+- User C
+- Folder_1
+- File_2
+- Folder_2
+- Group Design
+- User A
+- Folder_1
+- File_1
+- File_2
+- File_3
+- User B
+- File_1
+- File_2
+- Group Engineering
+- User A
+- User A
+- Folder_1
+- File_1
+- File_2
+- File_3
+- User C
+- Folder_1
+- File_2
+- Folder_2
Licensing
For Sitewide Licenses, all scanned Box Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, Box Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
Requirements
Requirements | Description |
---|---|
Proxy Agent |
|
TCP Allowed Connections | Port 443 |
Configure Box Account
For ER 2.9.0 and above, you will need to perform the following setup to scan Box Targets:
Create Custom App
- With an administrator account, log in to your organization's Box account or custom domain account.
- Go to the Box Dev Console.
- Click Create New App.
- In the My Apps > Create New App page, click Custom App.
-
In the Create a Custom App dialog box:
Field Description App Name Enter a descriptive display name for the ER2 app (e.g. Enterprise_Recon). Description (optional) Enter a brief description for the app. Purpose Select Integration. Categories Select Security & Compliance. Which external system are you integrating with? Enter ER2. Who is building this application? (optional) Select Partner. Please specify Enter Ground Labs. - Click Next.
- In the Authentication Method section, select Server Authentication (with JWT).
- Click Create App. You will be redirected to the Configuration tab for the newly created app, Enterprise_Recon.
-
In the Configuration tab, go to the following sections and set up the app as follows:
Section Setup App Access Level Select App + Enterprise Access. Application Scopes Select:
- Read all files and folders stored in Box
- Write all files and folders stored in Box
- Manage users
- Manage groups
Deselect:
- Manage enterprise properties
Advanced Features Select:
- Make API calls using the as-user header
- Generate user access tokens
- Click Save Changes.
-
In the Add and Manage Public Keys section, click Generate a Public/Private Keypair and OK. This will generate and download a JSON configuration file containing all the settings (including the private key) for the custom app, Enterprise_Recon. This configuration file will be required to Set Up and Scan a Box Inc Target.
Two-factor authentication (2FA) must be enabled for the Box Inc domain to set up and configure the custom app for use with ER2. - Go to the Authorization tab and click Review and Submit.
- In the Review App Authorization Submission dialog box, click Submit. The Authorization Status will be set to Pending Authorization.
Authorize Custom App
- With an administrator account, log in to your organization's Box account or custom domain account.
- In the left navigation pane, click on Admin Console.
- In the left navigation pane, click on Apps > Custom Apps Manager.
- Under the list of Server Authentication Apps, search for the newly created custom app, Enterprise_Recon.
- Click View.
- In the Custom Apps Manager > app name Enterprise_Recon page, click Authorize.
- In the Authorize App dialog box, review the details of the custom app and click Authorize. The Authorization Status for the Enterprise_Recon app should be set to Authorized.
Set Up and Scan a Box Inc Target
- Configure Box Account.
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, select Box.
-
Fill in the following details:
Field Description Box Domain Enter the Box Inc domain to scan.
Example: example.app.box.com
New Credential Label Enter a descriptive label for the Box credential set.
Example: box_example_domain_credentials
Configuration File Upload the JSON configuration file (*.json) containing all the settings for the custom app (e.g. Enterprise_Recon).
See step 11 of Create Custom App for more information.
Agent to act as proxy host Select a Windows or Linux Proxy Agent host with direct Internet access. - Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- Back in the New Scan page, locate the newly added Box Target and click on the arrow next to it to display a list of available groups for the domain.
- Select the Target location(s) to scan:
-
If "All Users" is selected, ER2 scans all user accounts in the Box Inc domain.
"All Users" is a default, non-configurable virtual group in ER2 that automatically includes all user accounts in the Box Inc domain. If a similar "All Users" group pre-exists in your Box environment, we recommend that you change the group name as it will be viewed as a duplicate group and will not be displayed in ER2. -
If only specific groups are selected, ER2 only scans (the folders and files of) user accounts in the selected groups.
For Box Inc Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target to add and scan the location. -
- Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
-
(Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.
- Click Next.
- On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
-
On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.
-
(Optional) Select / deselect the Enable Box Bulk Download parameter. Enabling this setting will allow bulk download of files for scans of Box Targets.
This feature is currently in BETA stage. When the Enable Box Bulk Download parameter is selected, scan results in Box Targets may report Inaccessible Locations. We strongly recommend using the feature in test environments as there may be other limitations associated with its usage. - Click Next.
- On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
Edit Box Inc Target Path
To scan a specific path in Box Inc:
- Set Up and Scan a Box Inc Target.
-
In the Select Locations section, select your Box Target location and click Edit.
For Box Inc Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target to add and scan the location. -
In the Edit Box dialog box, enter the path to scan. Use the following syntax:
Path Syntax Whole domain Leave blank. All user accounts in all groups Syntax: All Users
Example: All UsersAll user accounts in a specific group Syntax: <Group Name>
Example: EngineeringSpecific user account in group Syntax: <Group Name>/<User>
Example: Engineering/user1@example.comSpecific folder for user account in group Syntax: <Group Name>/<User>/<Folder>
Example: Engineering/user1@example.com/Project ASpecific file for user account in group Syntax: <Group Name>/<User>/<File>
Example: Engineering/Project A/user1@example.com/example.htmlSpecific file in a folder for user account in group Syntax: <Group Name>/<User>/<Folder><File>
Example: Engineering/Project A/user1@example.com/example.html - (Optional) Select a different Windows or Linux Agent to act as a proxy host.
- Click Test and then Commit to save the path to the Target location.
Box Remediation
The following remediation actions are supported for Box Targets:
User Account in Multiple Groups
This section describes the behavior of users that are members of multiple groups for the Box Target.
License Consumption
A Box user account that belongs to multiple groups
- is scanned each time a group the user belongs to is scanned.
- consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.
When both "Engineering" and "Design" groups are added to the same scan, the folders and files for "UserA" are scanned once when"Engineering" is scanned, and a second time when "Design" is scanned.
"UserA" consumes only one Client License, and 5 MB Client License data allowance despite having been scanned twice.
Scan Results
Matches that are found in the folders and files for users that belong to multiple groups will be reported as a distinct match count for each group.
Take for example a simplified Box Target for the domain "example.app.box.com" below:
EXAMPLE.APP.BOX.COM 55 matches
+– Engineering 30 matches
+– UserA 10 matches
+– UserB 20 matches
+– Design 25 matches
+– UserA 10 matches
+– UserC 15 matches
Matches found in the folders and files for "UserA" will be included in the match count for both Engineering and Design groups.
PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.