Through the configured BlueApp for Box, USM Anywhere collects your Box Enterprise account activities, then enriches and analyzes the data from your Box environment. It detects any suspicious activity, such as anomalous user behavior, credential abuse, or authentications. When USM Anywhere detects a threat, it generates an alarm. See the following table for examples of alarms that the BlueApp may produce.

Examples of Alarms Generated from Box Data
| Intent | Strategy | Method |
| --- | --- | --- |
| System Compromise | Credential Abuse | Authentication to Box from a known malicious host |
| System Compromise | Ransomware Infection | Multiple uploads with known ransomware extension |
| System Compromise | Ransomware Infection | Ransomware decryption instructions file upload |
| Exploitation & Installation | Malware Infection | Executable downloaded from Box followed by malware activity |
| Delivery & Attack | Brute Force Authentication | Successful login after a brute-force attack |
| Delivery & Attack | Brute Force Authentication | Password spraying against Box |
| Delivery & Attack | Data Exfiltration | File sent to a known malicious host |
| Delivery & Attack | Known Malicious Infrastructure | Box application created from a known malicious host |
| Delivery & Attack | Known Malicious Infrastructure | File shared from a known malicious host |
| Reconnaissance & Probing | Brute Force Authentication | Multiple login failures |
| Environmental Awareness | Access Control Modification | Two-factor authentication disabled |
| Environmental Awareness | Account Manipulation | Multiple user accounts deleted |
| Environmental Awareness | Anomalous User Behavior | Admin login from an unknown device |
| Environmental Awareness | Credential Abuse | User login from two different countries in a short period |
| Environmental Awareness | Defense Evasion - Cover Tracks | User account created and deleted in short period |
| Environmental Awareness | Defense Evasion - Disabling Security Tools | Box security policy deleted |
| Environmental Awareness | Malware Infection | Box detected a malicious file upload |
| Environmental Awareness | Sensitive Data Disclosure | Box support access granted |
You can create more rules to generate alarms for the Box events that are important to you. See Creating Alarm Rules from the Events page for detailed instructions. If you want to use the Disable Box User action from the resulting alarm, you must select source_userid as one of the fields when creating such a rule.
Similarly, if you want to use the Create Box Task action from the resulting alarm, you must select file_id and file_owner as highlight fields when creating the alarm rule.