Enterprise Recon Cloud 2.13.0
How To Scan Box Inc
This section covers the following topics:
- Overview
- Licensing
- Requirements
- Configure Box Account
- Set Up and Scan a Box Inc Target
- Edit Box Inc Target Path
- Remediate Matches in Box Inc
- User Account in Multiple Groups
Overview
When Box Inc is added as a scan Target, ER Cloud returns all groups and the user accounts of each group in the Box Inc domain. You can select specific groups, users, folders, or files when setting up the scan schedule, and each is reported as a distinct Target location.
You can also scan all user accounts in your organization's Box Inc domain by selecting the "All Users" group as a scan location.
Example of Box Inc structure:
Box [domain: example.app.box.com]
    +- Box on target BOX:EXAMPLE.APP.BOX.COM
        +- Group All Users
            +- User A
                +- Folder_1
                    +- File_1
                    +- File_2
                +- File_3
            +- User B
                +- File_1
                +- File_2
            +- User C
                +- Folder_1
                    +- File_2
                +- Folder_2
        +- Group Design
            +- User A
                +- Folder_1
                    +- File_1
                    +- File_2
                +- File_3
            +- User B
                +- File_1
                +- File_2
        +- Group Engineering
            +- User A
                +- User A
                    +- Folder_1
                        +- File_1
                        +- File_2
                    +- File_3
            +- User C
                +- Folder_1
                    +- File_2
                +- Folder_2
To set up and scan Box Inc as a Target:
- Check the Requirements.
- Configure Box Account.
- Set Up and Scan a Box Inc Target.
- Edit Box Inc Target Path, if needed.
Licensing
For Sitewide Licenses, all scanned Box Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, Box Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
Requirements
| Requirements | Description |
|---|---|
| Proxy Agent | Recommended Proxy Agents: |
| TCP Allowed Connections | Port 443 |
Configure Box Account
Create Custom App
- With an administrator account, log in to your organization's Box account or custom domain account.
- Go to the Box Dev Console.
- Click Create New App.
- In the My Apps > Create New App page, click Custom App.
- In the Create a Custom App dialog box:
    | Field | Description |
    |---|---|
    | App Name | Enter a descriptive display name for the ER Cloud app (e.g. Enterprise_Recon). |
    | Description (optional) | Enter a brief description for the app. |
    | Purpose | Select Integration. |
    | Categories | Select Security & Compliance. |
    | Which external system are you integrating with? | Enter ER Cloud. |
    | Who is building this application? (optional) | Select Partner. |
    | Please specify | Enter Ground Labs. |
- Click Next.
- In the Authentication Method section, select Server Authentication (with JWT).
- Click Create App. You will be redirected to the Configuration tab for the newly created app, Enterprise_Recon.
- In the Configuration tab, go to the following sections and set up the app as follows:
    | Section | Setup |
    |---|---|
    | App Access Level | Select App + Enterprise Access. |
    | Application Scopes | Select: Read all files and folders stored in Box; Write all files and folders stored in Box; Manage users; Manage groups. Deselect: Manage enterprise properties. |
    | Advanced Features | Select: Make API calls using the as-user header; Generate user access tokens. |
- Click Save Changes.
- In the Add and Manage Public Keys section, click Generate a Public/Private Keypair and OK. This will generate and download a JSON configuration file containing all the settings (including the private key) for the custom app, Enterprise_Recon. This configuration file is required to set up and scan a Box Inc Target.
    Two-factor authentication (2FA) must be enabled for the Box Inc domain to set up and configure the custom app for use with ER Cloud.
- Go to the Authorization tab and click Review and Submit.
- In the Review App Authorization Submission dialog box, click Submit. The Authorization Status will be set to Pending Authorization.
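The configuration file downloaded in the Add and Manage Public Keys step can be checked locally before it is uploaded to ER Cloud. The following is an added example, not part of the ER Cloud documentation or Ground Labs code: it verifies that the file is accessible only to its owner and contains the fields Box writes for a JWT app. It assumes POSIX file modes and that Box generates the key as a passphrase-encrypted PEM; check_box_config and demo are hypothetical names, and all sample values are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

APP = "boxAppSettings"  # top-level key in the JSON file Box generates for a JWT app
REQUIRED = [(APP, "clientID"), (APP, "clientSecret"), (APP, "appAuth", "publicKeyID"),
            (APP, "appAuth", "privateKey"), (APP, "appAuth", "passphrase"), ("enterpriseID",)]

def _get(node, keys):
    for key in keys:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def check_box_config(path):
    """Return a list of problems found in a Box JWT configuration file."""
    # The passphrase is stored beside the key, so file mode is its only local protection.
    mode = Path(path).stat().st_mode & 0o777
    problems = [f"file mode {mode:o} allows access beyond the owner"] if mode & 0o077 else []
    try:
        config = json.loads(Path(path).read_text(encoding="utf-8"))
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    for keys in REQUIRED:
        value = _get(config, keys)
        if not isinstance(value, str) or not value.strip():
            problems.append("missing or empty field: " + ".".join(keys))
    pem = _get(config, REQUIRED[3])
    if isinstance(pem, str) and pem.strip() and "BEGIN ENCRYPTED PRIVATE KEY" not in pem:
        problems.append("privateKey is not a passphrase-encrypted PEM key")
    return problems

def demo():
    """Check three constructed files: loose mode, owner-only, empty passphrase."""
    pem = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"
    auth = {"publicKeyID": "PLACEHOLDER", "privateKey": pem, "passphrase": "PLACEHOLDER"}
    sample = {APP: {"clientID": "PLACEHOLDER", "clientSecret": "PLACEHOLDER", "appAuth": auth},
              "enterpriseID": "PLACEHOLDER"}
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "box_config.json"
        for mode, passphrase in ((0o644, "PLACEHOLDER"), (0o600, "PLACEHOLDER"), (0o600, "")):
            auth["passphrase"] = passphrase
            path.write_text(json.dumps(sample), encoding="utf-8")
            path.chmod(mode)
            results.append(check_box_config(path))
    return results

if __name__ == "__main__":
    print(demo())
```

An empty list from check_box_config means the file passed every check; the same file should be removed from the download location once it has been uploaded as the Target credential.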
Authorize Custom App
- With an administrator account, log in to your organization's Box account or custom domain account.
- In the left navigation pane, click on Admin Console.
- In the left navigation pane, click on Apps > Custom Apps Manager.
- Under the list of Server Authentication Apps, search for the newly created custom app, Enterprise_Recon.
- Click View.
- In the Custom Apps Manager > app name Enterprise_Recon page, click Authorize.
- In the Authorize App dialog box, review the details of the custom app and click Authorize. The Authorization Status for the Enterprise_Recon app should be set to Authorized.
Set Up and Scan a Box Inc Target
- Configure Box Account.
- From the New Scan page, add Targets. Refer to the Add Targets section.
- In the Select Target Type dialog box, select Box.
- Fill in the following details:
    | Field | Description |
    |---|---|
    | Box Domain | Enter the Box Inc domain to scan. Example: example.app.box.com |
    | New Credential Label | Enter a descriptive label for the Box credential set. Example: box_example_domain_credentials |
    | Configuration File | Upload the JSON configuration file (*.json) containing all the settings for the custom app (e.g. Enterprise_Recon). For more information, refer to step 11 of the Create Custom App section. |
    | Agent to act as proxy host | Select a Windows or Linux Proxy Agent host with direct Internet access. |
- Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- Back in the New Scan page, locate the newly added Box Target and click on the arrow next to it to display a list of available groups for the domain.
- Select the Target location(s) to scan:
    - If "All Users" is selected, ER Cloud scans all user accounts in the Box Inc domain. "All Users" is a default, non-configurable virtual group in ER Cloud that automatically includes all user accounts in the Box Inc domain. If a similar "All Users" group pre-exists in your Box environment, we recommend that you change the group name as it will be viewed as a duplicate group and will not be displayed in ER Cloud.
    - If only specific groups are selected, ER Cloud only scans (the folders and files of) user accounts in the selected groups.
    For Box Inc Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target to add and scan the location. Refer to Probe Targets in the Start a Scan section.
- Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan. Refer to Probe Targets in the Start a Scan section.
- Click Next.
- On the Select Data Types page, select the data type profiles to be included in your scan (refer to the Use Data Type Profile section) and click Next.
- On the Set Schedule page, configure the parameters for your scan. For more information, refer to Set Schedule in the Start a Scan section.
- (Optional) Select / deselect the Enable Box Bulk Download parameter. Enabling this setting will allow bulk download of files for scans of Box Targets. This feature is currently in beta stage. When the Enable Box Bulk Download parameter is selected, scan results in Box Targets may report Inaccessible Locations. We strongly recommend using the feature in test environments as there may be other limitations associated with its usage.
- Click Next.
- On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
Edit Box Inc Target Path
To scan a specific path in Box Inc:
- Set Up and Scan a Box Inc Target.
- In the Select Locations section, select your Box Target location and click Edit. For Box Inc Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target to add and scan the location. Refer to Probe Targets in the Start a Scan section.
- In the Edit Box dialog box, enter the path to scan. Use the following syntax:
    | Path | Syntax | Example |
    |---|---|---|
    | Whole domain | Leave blank. | |
    | All user accounts in all groups | All Users | All Users |
    | All user accounts in a specific group | <Group Name> | Engineering |
    | Specific user account in group | <Group Name>/<User> | Engineering/user1@example.com |
    | Specific folder for user account in group | <Group Name>/<User>/<Folder> | Engineering/user1@example.com/Project A |
    | Specific file for user account in group | <Group Name>/<User>/<File> | Engineering/Project A/user1@example.com/example.html |
    | Specific file in a folder for user account in group | <Group Name>/<User>/<Folder><File> | Engineering/Project A/user1@example.com/example.html |
- (Optional) Select a different Windows or Linux Agent to act as a proxy host.
- Click Test and then Commit to save the path to the Target location.
Remediate Matches in Box Inc
The following remediation actions are supported for Box Targets:
To remediate matches in Box, refer to the Perform Remedial Actions section.
For more information on the supported remedial actions, refer to the Remedial Actions in ER Cloud section.
User Account in Multiple Groups
This section describes the behavior of users that are members of multiple groups for the Box Target.
License Consumption
A Box user account that belongs to multiple groups
- is scanned each time a group the user belongs to is scanned.
- consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.
When both "Engineering" and "Design" groups are added to the same scan, the folders and files for "UserA" are scanned once when "Engineering" is scanned, and a second time when "Design" is scanned.
"UserA" consumes only one Client License, and 5 MB Client License data allowance despite having been scanned twice.
Scan Results
Matches that are found in the folders and files for users that belong to multiple groups will be reported as a distinct match count for each group.
Take for example a simplified Box Target for the domain "example.app.box.com" below:
EXAMPLE.APP.BOX.COM                                55 matches
+- Engineering                                     30 matches
    +- UserA                                       10 matches
    +- UserB                                       20 matches
+- Design                                          25 matches
    +- UserA                                       10 matches
    +- UserC                                       15 matches
Matches found in the folders and files for "UserA" will be included in the match count for both Engineering and Design groups.
PRO This feature is only available in Enterprise Recon Cloud PRO Edition. To find out more about upgrading your ER Cloud license, please contact Ground Labs Licensing. See Subscription License for more information.