Cato Networks Knowledge Base

Configuring the SaaS Security API Connector for Box

This article explains how to configure the Box connector for the SaaS Security API policy for your account and create rules that use this connector in the Data Protection Policy.

The SaaS Security API policy requires a separate Cato license.


Note: Please contact or your official Cato reseller for more information about using the SaaS Security API policy.

Overview of the Box Connector

Create the connector for the Box tenant for your organization. Then define rules in the Data Protection policy that include the Box connector and define that files that are scanned and inspected. You can create a single Box connector for each tenant.


  • Admin or co-admin permissions for the Box tenant

  • The connector monitors files, other actions will be supported soon

Required Permissions for the API Connectors for Box

To enable Cato's SaaS Security API to scan files and folders in your Box account, the connector gives Cato the following permissions and actions with the Box app:

  • Grant access to the app using Oauth2

  • Receive a token from the app to establish and maintain a secure connection

  • Connect to the Box APIs and fetch data and scan files according to the SaaS Security API Data Protection policy, including:

    • For monitoring action - Read all files and folders stored in Box

      • For other actions - Write permissions for all files and folders stored in Box

    • Manage these items in your Box account:

      • Groups

      • Webhooks v2

      • Enterprise properties

      • Retention policies

      • Users

      • App users

    • Cato admin can make calls on behalf of Box users

Working with Box Connectors

This section explains how to create API connectors for Box, and to connect your organization's Box tenant to your Cato account.

Creating the Box Connector

When you create the Box connector, the Cato Management Application generates the Client ID for that connector. Then, log in to the Admin Console for your Box account, and create a new User Authentication app. Enter the Client ID in the Cato Box app, and then authorize Cato to connect to your Box account. Finally, save the Box connector in the Cato Management Application and Cato is now ready monitor Box files and folders.

To create the connector for Box:

  1. From the navigation pane, select Security > SaaS Security API and select or expand Connectors Settings.

  2. Click New. The New Connector window opens.

  3. Create a new Box application.

    Currently, only Read permissions and actions are supported for the Box app. However, Read/Write permissions and actions will be supported soon.

  4. Enter the Connector Name.

  5. Copy the Client ID to the OS clipboard.

  6. Create the Cato Box app for this connector:

    1. Click the link to open the Box admin console for your account.

      The Box screen opens in a new browser tab.

    2. Log in to your Box account.

    3. From the Box navigation menu, select Admin Console.

    4. Select Apps > Custom Apps Manager > User Authentication Apps.

    5. Click Add App.

    6. In the Add App window, paste the Client ID (from step 5 above).

    7. Click Next.

    8. In the Authorize App window, click Authorize to give Cato permission to access the Box app.


      The new app is added to your Box account.

  7. In the Cato Management Application , click Authorize and Save.

    A Box permissions screen opens in a new browser tab.

  8. Give permissions for your Cato account to access the Box app.

    1. Click Grant access to Box to allow Cato to access the Box app.

    2. The screen shows that you have successfully applied the permissions for the app.


      You can close the browser tab and return to the Cato Management Application. It can take Box several seconds to process the request, so if you receive an error, refresh the browser.

      While Box is processing the request, the Status for the connector is Pending user consent (see below Understanding the Connector Status).

  9. The Box SaaS application is added to the Connectors Settings screen.


Understanding the Connector Status

The Status column on the Connectors Settings screen shows the status of the connection between the Box app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and working correctly

  • Connection warning - Some of the users in the Box tenant are not configured correctly to support Cato's SaaS Security API. Please open a ticket with Support.

  • Connection error - Connectivity or permissions issue with the Box connector. Please open a ticket with Support.

    Box supports only creating one connector per tenant.

  • Pending user consent - The Box connector is created in the Connect Settings screen, however you haven't completed the process to authorize Cato to connect to your Box account.

Adding Box Rules to the Data Protection Policy

This section explains how to use the Data Protection policy to monitor and manage the files and folders that your users upload and download with Box.

Configuring Box Rules

Use the Data Protection screen to add the SaaS application rules in your Data Protection policy.

Create a Data Protection rule to define the traffic that is scanned by SaaS Security API. Create separate rules for each SaaS app, and then define the criteria which determines which traffic is scanned.

For more information about the Box rule settings, see below Understanding the Box Rules.


To create a new Data Protection rule for the Box app:

  1. From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.

  2. Click New. The New Rule panel opens.

  3. In Application Connector, select the Box app.

  4. Enter the General settings for the rule.

  5. In Owner, select one or more Box users that you are monitoring (default value is Any).

    When you select multiple users, there is an OR relationship between them.

  6. In Sharing Options, select permission level for files and folders that are scanned (default value is Any).

    When you select multiple options, there is an OR relationship between them.

  7. In File Attributes, define the criteria to specify the files which are scanned (the default setting is to scan all files).

  8. In Content Profile, select the DLP Content Profile for this rule.

    For more about DLP Content Profiles, see Creating DLP Content Profiles.

  9. In Actions, select the Monitor option.

  10. (Optional) Define the tracking options for the rules to generate email notifications.

    For more information about events and email notifications, see Working with Email Notifications for the Account.

  11. Click Apply. The rule is added to the Data Protection policy.

Understanding the Box Rules

This section explains how to define the settings for the Data Protection rules to scan the correct Box traffic. Each rule can be defined according to the following criteria:

  • Owner - Box users in your workspace (default value is Any)

    • Internal - Owner is any user in your company

    • Box User - Owner is a specific user

  • Sharing Options - Select the types of file and folder sharing permissions that match this rule (default value is Any)

    • Private - Only user has access

    • People with the link - Publicly accessible to anyone with the link (no need to sign in to Box)

    • People in the company - Any user in your company with the link

    • Invited only company people - Any user in your company with the link

    • Invited only public people - External users that received an invitation with the link

  • File Attributes - Criteria for attachments that are scanned (default value is all attachments)

    • File Type

    • File Name

    • File Size (maximum file size is 20 MB)

  • Content Profile - DLP Content Profile that defines the DLP content inspection

    You can create or edit Content Profiles in Security > DLP Configuration > Content Profile

  • Actions - Select if you want to generate an event or email notification when the rule is matched

Defining Files or Attachments for a Rule

You can define specific files (or attachments) for a rule and limit the SaaS API engine to only scan the specified files to see if they match the DLP Content Profile.

When you add multiple files to a rule, select the relationship between them:

  • Satisfy any (OR) - Match only one of the File Types in the rule

  • Satisfy all (AND) - Match all the File Types in the rule (otherwise, the rule is ignored)

You can use the File Name setting in a rule to define the exact file name or use wildcards to define keywords. For example, you can define the File Name as internal to match all file names that contain the word internal.

Working with Ordered Data Protection Rules

The SaaS Security API engine inspects the data sequentially, and checks to see if it matches a rule. If the data does not match a rule, that it is not inspected. Rules that are at the top of the rulebase have a higher priority and they are applied before the rules lower down in the rulebase. Each type of application or connector is only applied to the data once.

Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules with that apply to Any users.

For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.

Adding Threat Protection to the Connector

You can create Threat Protection rules for the connector to scan files and attachment for malware and viruses using the Anti-Malware and Next Gen Anti-Malware engines that are enabled for your account. The SaaS Security API engine scans the connector traffic and applies the action and tracking options that you configure for the rule:

  • Monitor the traffic (block will be supported soon)

  • Generate events

  • Send email notifications

When you create a SaaS Security API Threat Protection rule, the Anti-Malware engines that are enabled for your account (Security > Anti-Malware) preform malware scans on the files that are sent for that connector application.

The following screenshot shows a Threat Protection rule for the OneDrive connector that scans files sent by Internal users or Guests:


Analyzing SaaS Security API Events

The Monitoring > Events screen shows all the SaaS Security API events for your account. The powerful search tools let you drill-down and identify the few events that contain the relevant data that you need.

SaaS Security API events can be identified by the following fields:

  • Event Type - Security

  • Sub-Type - SaaS Security API Data Protection and SaaS Security API Anti Malware

You can learn more about using the Events screen here. You can use the SaaS Security API Data Protection preset to filter the events.

Explaining the SaaS Security API Events Fields

Field Name


Connector Name

Name for the connector that is defined for the rule

Connector Type

SaaS app that is defined for this connector

DLP Profile

DLP Content Profile that generated this event

File Name

Name of the attached file

File Size

Size of the attached file

File Type

File type for the attached file

Matched Data Types

Data Types in the Content Profile that matched the rule


Email addresses of the users that received the file


Name of the rule in the Data Protection policy


File owner


Severity defined for the rule

Sharing Scope

Sharing Options for the Box attachment

Was this article helpful?

0 out of 0 found this helpful



Article is closed for comments.