Panther can pull audit events from the Box Events API every 1 minute intervals for real-time detection.
In order for Panther to access the API you will need to create a new Box App and provide its credentials to Panther.
Login to your Panther account
Go to Log analysis > Sources from the sidebar menu
Click Add Source
Select Box from the list of available types
Enter a name for the source (e.g. My Box logs
), then click Next
On the next, click the Copy link to the redirect URL. You'll need this in the next step.
For security and availability reasons, we recommend creating a new Box App solely for Panther. Make sure to copy the redirect URL from this page.
To read events from the entire enterprise account, the Box user performing the following steps must have admin priviledges on the account.
In a new tab, log in to the Box Developer Console​
Click Create New App
Select Custom App and click Next
Select User Authentication (OAuth 2.0), enter a name for your app (e.g. Panther
) and click Create App
In your new app's Configuration tab, scroll down to the OAuth 2.0 Redirect URI section and paste the redirect URL copied from the previous Panther tab
On the Application Scopes section make sure Manage enterprise properties is selected (it is not selected by default)
Click Save Changes to store the app configuration
Scroll to the OAuth 2.0 Credentials section and copy the Client ID and Client Secret credentials into the Panther onboarding screen.
Click Next. The Client Secret will be stored, encrypted, in Panther backend.
Click Save Source
Click Authorize (you will be redirected to Box)
Click Grant access to Box (you will be redirected back to Panther)
Your new Box Source should be healthy and ready to fetch events from Box!