Create, Edit, and Delete a Threat Detection Rule

​

Create a threat detection rule

1. Navigate to Admin Console > Shield.
2. Select the Detection Rules tab.
3. Select Enable for the detection rule you want to configure and start.
4. Enter a Rule Name. This should be a short, unique, and descriptive name with a maximum of 80 characters.
5. Enter a Description (optional). Enter an optional description of a maximum of 255 characters, that provides a summary of the rule purpose and function.
6. Certain rule configurations vary depending on the rule:
   • Malicious Content, decide if you want to enable deep scan and download restrictions.
   • Suspicious Location, click Add Rule to configure locations and activity to monitor, whether to restrict target user access, and decide which filters to enable.
   • Suspicious Session, decide which filters to enable.
7. Select a Default Alert Priority. Select from:
   • Low
   • Informational
   • Medium (default)
   • High
   • Critical
8. Select whether to enable any rule specific settings, where applicable.
9. For all rules, decide whether to:
   • Publish alerts to Box Event Stream: Enable this to allow alerts from this rule to be forwarded to a third-party tool, such as a SIEM or CASB tool, via the Box Event Stream. The default state is disabled.
   • Send Notifications: Enter one or more email addresses or managed usernames to receive email notifications of alerts. The only email addresses or managed usernames you can enter in this field are co-admins who have at least one Shield permission enabled in their user account settings.
10. Once complete, select Next.
11. Review the rule settings then select Start Rule.

​

Edit a threat detection rule

1. Navigate to Admin Console > Shield.
2. Select the Detection Rules tab.
3. Select the rule.
4. Select Edit, then Update Rule after implementing changes.

​

Delete a threat detection rule

1. Navigate to Admin Console > Shield.
2. Select the Detection Rules tab.
3. Select the rule.
4. Select Delete.