Detection rules › Panther
Box Large Number of Permission Changes
A user has exceeded the threshold for number of folder permission changes within a single time frame.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1548 Abuse Elevation Control Mechanism |
Rule body yaml
AnalysisType: rule
Filename: box_user_permission_updates.py
RuleID: "Box.Large.Number.Permission.Updates"
DisplayName: "Box Large Number of Permission Changes"
Enabled: true
LogTypes:
- Box.Event
Tags:
- Box
- Privilege Escalation:Abuse Elevation Control Mechanism
Reports:
MITRE ATT&CK:
- TA0004:T1548
Severity: Low
Description: >
A user has exceeded the threshold for number of folder permission changes within a single time frame.
Reference: https://support.box.com/hc/en-us/articles/360043697254-Understanding-Folder-Permissions
Runbook: >
Investigate whether this user's activity is expected.
SummaryAttributes:
- ip_address
Threshold: 100
DedupPeriodMinutes: 60
Tests:
- Name: Regular Event
ExpectedResult: false
Log:
{
"type": "event",
"additional_details": '{"key": "value"}',
"created_by":
{
"id": "12345678",
"type": "user",
"login": "cat@example",
"name": "Bob Cat",
},
"event_type": "DELETE",
}
- Name: User Permission Change
ExpectedResult: true
Log:
{
"type": "event",
"additional_details": '{"key": "value"}',
"created_by":
{
"id": "12345678",
"type": "user",
"login": "cat@example",
"name": "Bob Cat",
},
"event_type": "CHANGE_FOLDER_PERMISSION",
"source":
{
"id": "12345678",
"type": "user",
"login": "user@example",
"name": "Bob Cat",
},
}
- Name: User Shares Item
ExpectedResult: true
Log:
{
"type": "event",
"additional_details": '{"key": "value"}',
"created_by":
{
"id": "12345678",
"type": "user",
"login": "cat@example",
"name": "Bob Cat",
},
"event_type": "ITEM_SHARED_CREATE",
"source":
{
"id": "12345678",
"type": "user",
"login": "user@example",
"name": "Bob Cat",
},
}
Detection logic
Condition
event_type in ["CHANGE_FOLDER_PERMISSION", "ITEM_SHARED_CREATE", "ITEM_SHARED", "SHARE"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event_type | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
login | created_by.login |