Configure credentials on Box for the Splunk Add-on for Box
OAuth 2.0 - Authorization Code Grant Type
Box uses OAuth 2.0 for authentication and authorization. For the Splunk Add-on for Box to collect data from the Box APIs, you must obtain an OAuth 2.0 client ID and client secret from Box. Before you attempt to set up the Splunk Add-on for Box, use the following steps to configure a Box client app and obtain these credentials.
Refer to Box documentation for more details and additional reference information.
- Log in to Box using an existing Box account. The role of the Box account that you use for this configuration step affects the scope of the data you can gather with the add-on. The account and the credentials are persistent, explicitly have more than read-only permissions in Box, and are not just used to establish an API key for the nodes to communicate:
  - If you use a Box account with the admin role, the add-on has permissions to gather all metadata of all files and folders and all enterprise events for your entire organization through the Box APIs.
  - If you use a Box account with a co-admin role, you need to enable the permission to “Run new reports and access existing reports” for that account.
  - If you use an account with a user role, you may not be able to collect all data.

  Use an account with the appropriate roles and permissions to gather the scope of data that you want to collect with the add-on.
Note
To allow Admins, Co-Admins, and Service Accounts to retrieve any content they do not own or are not collaborators on within their enterprise, you must configure the following setting as described in this Box documentation: Global Content Manager (GCM) Configuration.
- Go to https://app.box.com/master/settings/apps. The admin role is required to access these settings.
- Select Individual Application Controls.
- Search for Splunk Add-on for Box in the search bar.
- Hover over it and select Configure. Box displays a configuration window with Splunk Add-on settings.
- In the Additional Configuration section, select + Add Integration Credentials.
- (Optional) Change the default name of the integration credentials and select Save.
- Next to OAuth 2.0 Redirect URI, in the Redirect URI field, enter the SSL-secured HTTPS URI of the Splunk Platform instance that you want to be responsible for data collection from Box, usually a heavy forwarder. For example, if the URL of your heavy forwarder is http://<host>:8000/en-US/app/Splunk_TA_box/splunk_ta_box_redirect, then the redirect URI is exactly the same as this. The OAuth 2.0 specification only supports HTTPS redirects, which means you need to turn on SSL for Splunk Web on the instance you are using for Box data collection. Refer to Turn on encryption (https) with Splunk Web in the Splunk Enterprise security documentation for details on how to turn on SSL for Splunk Web.
- In Application Scopes, select the following options based on the data you want to pull from your Box account:
Application Scope | Uses |
---|---|
Read all files and folders stored in Box. | Gets data of Folders endpoint (Collect folder metadata, Collect folder collaboration, Collect file metadata). |
Read and write all files and folders in Box. | Gets data of Folders endpoint (Collect tasks and comments). |
Manage users. | Gets data of Users endpoint |
Manage groups. | Gets data of Groups endpoint |
Manage enterprise properties. | Gets data of Events endpoint |
Note
If the application scopes are changed after configuring your account in the Splunk Add-on for Box, the Box account will have to be reconfigured in the Box add-on to generate a new token with the upgraded or downgraded access.
- Note down the Client ID and Client Secret in OAuth 2.0 Credentials. You need these when you set up the Splunk Add-on for Box.
- Click Save Changes.
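A pre-flight check for the redirect URI step, added here as an example and not part of the add-on or the original page: it compares the URI you plan to register in Box with the `[settings]` stanza of Splunk Web's `web.conf`. The host name and the `web.conf` samples are constructed, and the check assumes Splunk Web is reached directly rather than through a reverse proxy.

```python
from configparser import ConfigParser
from urllib.parse import urlsplit

# Redirect page path, taken from the example URL in the step above.
REDIRECT_PATH = "/app/Splunk_TA_box/splunk_ta_box_redirect"

# Constructed web.conf samples (not from a real deployment).
WEB_CONF_SSL_ON = "[settings]\nhttpport = 8000\nenableSplunkWebSSL = true\n"
WEB_CONF_SSL_OFF = "[settings]\nhttpport = 8000\nenableSplunkWebSSL = false\n"


def check_redirect_uri(redirect_uri, web_conf_text):
    """Return a list of problems; an empty list means the two are consistent."""
    conf = ConfigParser(strict=False, interpolation=None)
    conf.read_string(web_conf_text)
    # Fallbacks mirror Splunk Web defaults: SSL off, port 8000.
    ssl_on = conf.get("settings", "enableSplunkWebSSL", fallback="false")
    http_port = conf.get("settings", "httpport", fallback="8000")

    uri = urlsplit(redirect_uri)
    problems = []
    if uri.scheme != "https":
        problems.append(f"scheme is {uri.scheme!r}; an https redirect URI is required")
    # Assumption: only "true" and "1" are treated as enabled here.
    if ssl_on.strip().lower() not in ("true", "1"):
        problems.append("enableSplunkWebSSL is off, so Splunk Web serves plain HTTP")
    if not uri.hostname:
        problems.append("no host in redirect URI")
    # With no explicit port, the scheme's default port applies.
    port = uri.port or (443 if uri.scheme == "https" else 80)
    if str(port) != http_port.strip():
        problems.append(f"port {port} does not match httpport {http_port.strip()}")
    if not uri.path.endswith(REDIRECT_PATH):
        problems.append(f"path does not end with {REDIRECT_PATH}")
    return problems


if __name__ == "__main__":
    uri = "https://hf.example.com:8000/en-US/app/Splunk_TA_box/splunk_ta_box_redirect"
    print(check_redirect_uri(uri, WEB_CONF_SSL_ON) or "redirect URI is consistent")
```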
OAuth 2.0 - Client Credentials Grant Type
Box supports OAuth 2.0 Client Credentials grant type for server-to-server authentication. The Splunk Add-on for Box can use this method to collect data from Box APIs without requiring user interaction. Use the following steps to configure a Box app for OAuth 2.0 Client Credentials and obtain the necessary credentials for the add-on.
Refer to Box documentation for additional reference information.
Prerequisites
Before you configure OAuth 2.0 Client Credentials in Box, ensure the following requirements are met:
- A Box Platform Application using Server Authentication (Client Credentials Grant), created in the Box Developer Console.
- 2FA enabled on your Box account to view and copy the application’s client secret from the configuration tab.
- The application must be authorized in the Box Admin Console.
Steps to configure an OAuth 2.0 Client Credentials App in Box Developer Console
- Log in to the Box Developer Console using your Box account.
- Navigate to My Platform Apps and click Create New App.
- In App Type, select Custom App.
- Provide a name and any other required details, then click Next.
- Under App Authentication, select Server Authentication (Client Credentials Grant).
- Click Create App.
- Under the Application Access section, select App Access + Enterprise Access.
- Under Application Scopes, enable the following permissions:
Application Scope | Uses |
---|---|
Read all files and folders stored in Box. | Gets data of Folders endpoint (Collect folder metadata, Collect folder collaboration, Collect file metadata). |
Read and write all files and folders in Box. | Gets data of Folders endpoint (Collect tasks and comments). |
Manage users. | Gets data of Users endpoint |
Manage groups. | Gets data of Groups endpoint |
Manage enterprise properties. | Gets data of Events endpoint |
Note
To allow Admins, Co-Admins, and Service Accounts to retrieve any content they do not own or are not collaborators on within their enterprise, you must configure the following setting as described in this Box documentation: Global Content Manager (GCM) Configuration.
- Under Advanced Features, enable:
  - Generate user access tokens
- Click Save Changes.
- Go to the Authorization tab.
- Click Review and Submit to send the app for approval by your Box enterprise admin.
Note
The app must be authorized after any change to scopes or features. Re-submit it for approval each time you make such changes.
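A least-privilege audit of the Application Scopes table, which applies to both the Authorization Code and the Client Credentials setup. This is an added example, not code from the add-on or from Box: the option-to-scope mapping is copied from the table on this page, the option names "Users", "Groups" and "Events" stand in for the corresponding endpoints, and the list of granted scopes is constructed input.

```python
# Collection option -> Box application scope, copied from the table on this page.
SCOPE_FOR_OPTION = {
    "Collect folder metadata": "Read all files and folders stored in Box",
    "Collect folder collaboration": "Read all files and folders stored in Box",
    "Collect file metadata": "Read all files and folders stored in Box",
    "Collect tasks and comments": "Read and write all files and folders in Box",
    "Users": "Manage users",
    "Groups": "Manage groups",
    "Events": "Manage enterprise properties",
}


def audit_scopes(enabled_options, granted_scopes):
    """Compare the scopes ticked in Box with what the enabled inputs need."""
    unknown = sorted(o for o in enabled_options if o not in SCOPE_FOR_OPTION)
    if unknown:
        raise ValueError(f"not a collection option on this page: {unknown}")
    required = {SCOPE_FOR_OPTION[o] for o in enabled_options}
    granted = set(granted_scopes)
    missing = sorted(required - granted)  # collection will fail for these
    excess = sorted(granted - required)   # granted but unused by any input
    return {
        "missing": missing,
        "excess": excess,
        # Any scope change means the app must be authorized again, and an
        # Authorization Code account reconfigured to get a new token.
        "reauthorize_after_fix": bool(missing or excess),
    }


if __name__ == "__main__":
    # Constructed case: every scope ticked, but only two inputs enabled.
    report = audit_scopes(
        ["Collect folder metadata", "Events"],
        set(SCOPE_FOR_OPTION.values()),
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed case the write scope shows up as excess, because the table ties it only to the tasks and comments input.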
Steps to Authorize the App in the Box Admin Console
- Log in to the Box Admin Console.
- In the left-hand menu, navigate to Integrations.
- Select Platform Apps Manager.
- Under Server Authentication Apps, locate your app.
- Click More, and then select Authorize App.