# BlueApp for Box Orchestration

Once the BlueApp for Box is configured, USM Anywhere collects your Box Enterprise account activity, then enriches and analyzes that data. It detects suspicious activity such as anomalous user behavior, credential abuse, or <Tooltip tip="Technique or attack method, typically used with authentication, involving an exhaustive procedure that tries all possibilities (for example, to find a valid password), one-by-one.">brute-force</Tooltip> authentications. When USM Anywhere detects a threat, it generates an <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip>. The following table lists examples of alarms that the BlueApp may produce.

**Examples of Alarms Generated from Box Data**

| Intent                      | Strategy                                   | Method                                                      |
| --------------------------- | ------------------------------------------ | ----------------------------------------------------------- |
| System Compromise           | Credential Abuse                           | Authentication to Box from a known malicious host           |
|                             | Ransomware Infection                       | Multiple uploads with known ransomware extension            |
|                             |                                            | Ransomware decryption instructions file upload              |
| Exploitation & Installation | Malware Infection                          | Executable downloaded from Box followed by malware activity |
| Delivery & Attack           | Brute Force Authentication                 | Successful login after a brute-force attack                 |
|                             |                                            | Password spraying against Box                               |
|                             | Data Exfiltration                          | File sent to a known malicious host                         |
|                             | Known Malicious Infrastructure             | Box application created from a known malicious host         |
|                             |                                            | File shared from a known malicious host                     |
| Reconnaissance & Probing    | Brute Force Authentication                 | Multiple login failures                                     |
| Environmental Awareness     | Access Control Modification                | Two-factor authentication disabled                          |
|                             | Account Manipulation                       | Multiple user accounts deleted                              |
|                             | Anomalous User Behavior                    | Admin login from an unknown device                          |
|                             | Credential Abuse                           | User login from two different countries in a short period   |
|                             | Defense Evasion - Cover Tracks             | User account created and deleted in short period            |
|                             | Defense Evasion - Disabling Security Tools | Box security policy deleted                                 |
|                             | Malware Infection                          | Box detected a malicious file upload                        |
|                             | Sensitive Data Disclosure                  | Box support access granted                                  |

You can create additional rules to generate alarms for the Box events that are important to you. See [Creating Alarm Rules from the Events page](../../user-guide/events/alarm-rules) for detailed instructions. If you want to use the [Disable Box User](../../alienapps-guide/box/actions-alienapp-box) action from the resulting alarm, you must select **source\_userid** as one of the highlight fields when creating the rule. For example:

<Frame>
  <img src="https://mintcdn.com/levelblue-5324744e/6YRWvQYX2vFHJpyA/images/usm-anywhere/alienapps/box/box-alarmrule-highlight-field.webp?fit=max&auto=format&n=6YRWvQYX2vFHJpyA&q=85&s=b11570ecac2f7877a75671f914c2096b" width="772" height="520" data-path="images/usm-anywhere/alienapps/box/box-alarmrule-highlight-field.webp" />
</Frame>

Similarly, if you want to use the [Create Box Task](actions-alienapp-box) action from the resulting alarm, you must select **file\_id** and **file\_owner** as highlight fields when creating the alarm rule.
