After USM Anywhere identifies Box events and alarms, you determine which Box activities are suspicious and should be investigated, and use the Box workflow to notify the investigator. For example, if you see a file upload event and think it should be investigated, rather than manually notifying the investigator, you can use the BlueApp for Box response action, Create Box Task, to create a task in Box and send an email to the owner, thus simplifying your workflow. The BlueApp for Box provides two actions: Disable Box User and Create Box Task. Both actions are available when you launch a response action directly from an alarm (described in the table below) or launch a response action in an orchestration rule.
Action | Description
Disable Box User | Run this action to inactivate the user account in Box.
Create Box Task | Run this action to create a task on a file in Box.
Note: Before launching a Box response action, you must have enabled and connected the BlueApp for Box to your Box Enterprise account. See Configuring the BlueApp for Box for more information.
When reviewing an alarm that originated from a Box event, if you conclude that the Box user account has been compromised, you can launch an action to inactivate the Box user account associated with that alarm. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.
To launch the Disable Box User action for an alarm:
  1. Go to Activity > Alarms.
  2. Review the alarms generated on the Box events, and then click the alarm to open its details.
  3. Click Select Action, and then select the Run Box Action tile.
  4. (Optional) If you have more than one USM Anywhere Sensor configured for the BlueApp for Box, select the sensor that you want to use for the action.
  5. In the App Action list, select Disable Box User.
    Important: If you create your own alarm rule for Box events, keep in mind that the Disable Box User action only works when the alarm rule selects source_userid as one of the Highlight Fields.
  6. Click Run. After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.
  7. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.
If the alarm is related to a file in your Box environment and you want it to be investigated, you can launch an action to create a task on the specific file. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.
To launch the Create Box Task action for an alarm:
  1. Go to Activity > Alarms.
  2. Review the alarms generated on the Box events, and then click the alarm to open its details.
  3. Click Select Action, and then select the Run Box Action tile.
  4. (Optional) If you have more than one USM Anywhere Sensor configured for the BlueApp for Box, select the sensor that you want to use for the action.
  5. In the App Action list, select Create Box Task. Additional fields will be populated based on the action you’ve selected. Fill out the necessary fields for the app action. For your convenience, USM Anywhere populates some of the fields with the information it has collected, but you can modify them accordingly.
    • In Message Prefix, provide a brief reasoning for the investigation.
    • In Assignees, enter the email addresses of users who you want to notify about this task. These users should be the owner of the file or the administrator of the account.
    Important: If you create your own alarm rule for Box events, keep in mind that the Create Box Task action only works when the alarm rule has file_id and file_owner selected as Highlight Fields.
  6. Click Run. After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.
  7. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.