
Splunk Add-On for Box only receiving my file/folder data

kprior201_lilly
Path Finder

We have the Box integration set up on a HFW, and we have proper permissions set up on the Box side. The integration user has the following co-admin rights:
- Manage users
- Manage groups
- View users content
- Edit users content (for testing)
- Log in to users accounts (for testing)
- View settings / apps for your company
- Edit settings and apps for your company
- Run new reports and access existing reports
- View policies set up for your company
- Create, edit, and delete policies for your company (for testing)
- View automations set up for your company
- Create, edit, and delete automations for your company (for testing)
- Create and edit metadata templates for your company (for testing)

However, the file/folder sourcetypes are only pulling data for the integration user. All other sourcetypes pull through with everyone's data just fine. Anyone have any ideas as to why that might be? Thanks.

0 Karma

carlkennedy
Path Finder

Did you get this figured out? I am having the same issue.

0 Karma

kprior201_lilly
Path Finder

Negative; I have a support case still open about it. I'll update as I get useful information.

0 Karma

samejgink
Explorer

Did you ever get a resolution to this?

0 Karma

KaraD
Community Manager

Hi @samejgink! Since this question was from a few years ago, we recommend posting your question in a new thread to gain more visibility. Thanks!

- Kara D, Community Manager

0 Karma

carlkennedy
Path Finder

I worked with a Box technical engineer on this and he indicated it is because we have an "open file structure" at Box instead of "closed". Anybody can post to the Open Files folder. We are getting everything important with the sourcetype box:events so we can see who logs in, uploads, downloads, deletes, etc. The box:files sourcetype sounds like it is functioning as designed with our file structure.

0 Karma

kprior201_lilly
Path Finder

Only the file/folder sourcetypes allow for the 'location' field to be populated, though, and that's what we're trying to get. Thank you for the information you've gotten thus far!

0 Karma