Enterprise Recon 2.9.0

Box

This section covers the following topics:

Box Enterprise

Licensing

For Sitewide Licenses, all scanned Box Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Box Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
  • ER 2.9.0 Agent and newer.
Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
TCP Allowed Connections Port 443

Set Up Box Enterprise as a Target location

  1. From the New Scan page, Add Targets.
  2. In the Select Target Type dialog box, select Box.
  3. In the Box Details section, fill in the following fields:
    Field Description
    Box Domain Enter the Box Enterprise administrator account email address.
    Box Account Authorization Obtain the Box Enterprise authorization key:
    1. In Box Details, click on Box Account Authorization. This opens the Box authorization page in a new browser tab.
    2. In the Box authorization page:
      1. Enter your Box Enterprise administrator account user name and password.
      2. Click Authorize.
      3. Click Grant access to Box.
    3. Copy the Access Code.
    Access Code Enter the Access Code obtained during Box Account Authorization.
    Agent to act as proxy host Select a Proxy Agent host with direct Internet access.
  4. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  5. Click Commit to add the Target.

Edit Box Enterprise Target Path

To scan a specific path in Box Enterprise:

  1. Set Up Box Enterprise as a Target location.
  2. In the Select Locations section, select your Box Enterprise Target location and click Edit.
  3. In the Edit Box.Net Location dialog box, enter the path to scan. Use the following syntax:

    Path Syntax
    Whole domain Leave blank.
    Specific user account Syntax: <username@domain>
    Example: user1@example.com
    Specific folder in user account Syntax: <username@domain/folder>
    Example: user1@example.com/ProjectA
    Specific file in user account Syntax: <username@domain[/folder_name]/file_name.txt>
    Example: user1@example.com/ProjectA/example.txt
  4. Click on Box Account Authorization and follow the on-screen instructions. Enter the Access Code obtained into the Access Code field.

  5. Click Test and then Commit to save the path to the Target location.

Box Inc

Overview

When Box Inc is added as a scan Target, ER2 returns all groups and users accounts of each group in the Box Inc domain. You can select specific groups, users, folders, or files when setting up the scan schedule, and each is reported as distinct Target locations.

You can also scan all user accounts in your organization's Box Inc domain by selecting the "All Users" group as a scan location.

Example of Box Inc structure: Box [domain: example.app.box.com] +- Box on target BOX:EXAMPLE.APP.BOX.COM +- Group All Users +- User A +- Folder_1 +- File_1 +- File_2 +- File_3 +- User B +- File_1 +- File_2 +- User C +- Folder_1 +- File_2 +- Folder_2 +- Group Design +- User A +- Folder_1 +- File_1 +- File_2 +- File_3 +- User B +- File_1 +- File_2 +- Group Engineering +- User A +- User A +- Folder_1 +- File_1 +- File_2 +- File_3 +- User C +- Folder_1 +- File_2 +- Folder_2

Licensing

For Sitewide Licenses, all scanned Box Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Box Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
  • ER 2.9.0 Agent and newer.
Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
TCP Allowed Connections Port 443

Configure Box Account

For ER 2.9.0 and above, you will need to perform the following setup to scan Box Targets:

  1. Create Custom App
  2. Authorize Custom App

Create Custom App

  1. With an administrator account, log in to your organization's Box account or custom domain account.
  2. Go to the Box Dev Console.
  3. Click Create New App.
  4. In the My Apps > Create New App page, click Custom App.
  5. In the Create a Custom App dialog box:

    Field Description
    App Name Enter a descriptive display name for the ER2 app (e.g. Enterprise_Recon).
    Description (optional) Enter a brief description for the app.
    Purpose Select Integration.
    Categories Select Security & Compliance.
    Which external system are you integrating with? Enter ER2.
    Who is building this application? (optional) Select Partner.
    Please specify Enter Ground Labs.
  6. Click Next.
  7. In the Authentication Method section, select Server Authentication (with JWT).
  8. Click Create App. You will be redirected to the Configuration tab for the newly created app, Enterprise_Recon.
  9. In the Configuration tab, go to the following sections and set up the app as follows:

    Section Setup
    App Access Level Select App + Enterprise Access.
    Application Scopes

    Select:

    • Read all files and folders stored in Box
    • Write all files and folders stored in Box
    • Manage users
    • Manage groups

    Deselect:

    • Manage enterprise properties
    Advanced Features

    Select:

    • Make API calls using the as-user header
    • Generate user access tokens
  10. Click Save Changes.
  11. In the Add and Manage Public Keys section, click Generate a Public/Private Keypair and OK. This will generate and download a JSON configuration file containing all the settings (including the private key) for the custom app, Enterprise_Recon. This configuration file will be required to Set Up and Scan a Box Inc Target.

  12. Go to the Authorization tab and click Review and Submit.
  13. In the Review App Authorization Submission dialog box, click Submit. The Authorization Status will be set to Pending Authorization.

Authorize Custom App

  1. With an administrator account, log in to your organization's Box account or custom domain account.
  2. In the left navigation pane, click on Admin Console.
  3. In the left navigation pane, click on Apps > Custom Apps Manager.
  4. Under the list of Server Authentication Apps, search for the newly created custom app, Enterprise_Recon.
  5. Click View.
  6. In the Custom Apps Manager > app name Enterprise_Recon page, click Authorize.
  7. In the Authorize App dialog box, review the details of the custom app and click Authorize. The Authorization Status for the Enterprise_Recon app should be set to Authorized.

Set Up and Scan a Box Inc Target

  1. Configure Box Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, select Box.
  4. Fill in the following details:
    Example of Box dialog box to configure the path, credentials and proxy agent for a Box Target

    Field Description
    Box Domain

    Enter the Box Inc domain to scan.

    Example: example.app.box.com

    New Credential Label

    Enter a descriptive label for the Box credential set.

    Example: box_example_domain_credentials

    Configuration File

    Upload the JSON configuration file (*.json) containing all the settings for the custom app (e.g. Enterprise_Recon).

    See step 11 of Create Custom App for more information.

    Agent to act as proxy host Select a Windows or Linux Proxy Agent host with direct Internet access.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. Back in the New Scan page, locate the newly added Box Target and click on the arrow next to it to display a list of available groups for the domain.
  8. Select the Target location(s) to scan:
    1. If "All Users" is selected, ER2 scans all user accounts in the Box Inc domain.

    2. If only specific groups are selected, ER2 only scans (the folders and files of) user accounts in the selected groups.

  9. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  10. Click Commit to add the Target.
  11. (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.

  12. Click Next.
  13. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  14. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  15. (Optional) Select / deselect the Enable Box Bulk Download parameter. Enabling this setting will allow bulk download of files for scans of Box Targets.

  16. Click Next.
  17. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Box Inc Target Path

To scan a specific path in Box Inc:

  1. Set Up and Scan a Box Inc Target.
  2. In the Select Locations section, select your Box Target location and click Edit.

  3. In the Edit Box dialog box, enter the path to scan. Use the following syntax:

    Path Syntax
    Whole domain Leave blank.
    All user accounts in all groups Syntax: All Users
    Example: All Users
    All user accounts in a specific group Syntax: <Group Name>
    Example: Engineering
    Specific user account in group Syntax: <Group Name>/<User>
    Example: Engineering/user1@example.com
    Specific folder for user account in group Syntax: <Group Name>/<User>/<Folder>
    Example: Engineering/user1@example.com/Project A
    Specific file for user account in group Syntax: <Group Name>/<User>/<File>
    Example: Engineering/Project A/user1@example.com/example.html
    Specific file in a folder for user account in group Syntax: <Group Name>/<User>/<Folder><File>
    Example: Engineering/Project A/user1@example.com/example.html
  4. (Optional) Select a different Windows or Linux Agent to act as a proxy host.
  5. Click Test and then Commit to save the path to the Target location.

Box Remediation

The following remediation actions are supported for Box Targets:

User Account in Multiple Groups

This section describes the behavior of users that are members of multiple groups for the Box Target.

License Consumption

A Box user account that belongs to multiple groups

  • is scanned each time a group the user belongs to is scanned.
  • consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.

Scan Results

Matches that are found in the folders and files for users that belong to multiple groups will be reported as a distinct match count for each group.

Take for example a simplified Box Target for the domain "example.app.box.com" below:

EXAMPLE.APP.BOX.COM 55 matches +– Engineering 30 matches +– UserA 10 matches +– UserB 20 matches +– Design 25 matches +– UserA 10 matches +– UserC 15 matches

Matches found in the folders and files for "UserA" will be included in the match count for both Engineering and Design groups.


PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.