I get a bunch of alerts that are generated through Box Shield’s threat detection feature. How should I be triaging these with my InfoSec team?

Hi Kylie,

When you receive a Shield Threat Detection alert, you have to decide which alerts represent real threats, which alerts represent no threats, and everything in between. There are 4 threat cases, but only 2 cases trigger Threat Detection alerts:

  • No threat, no alert: This is what you hope to see 100% of the time. Unfortunately, it is not representative of the real world.

  • Threat, no alert: This is what you want never to happen because this means a threat slipped through your security measures somehow.

  • No threat, alert: This is a false positive, and when you discover one, you want to take steps to receive fewer of them, while not allowing any increased risk of threats to your organization. You also want to minimize the time it takes to deal with false positives. Shield Threat Detection gives you information that will help make this task take less time.

  • Threat, alert: This is a threat to your enterprise that has been caught, and you should analyze and remediate the threat. Shield Threat Detection gives you information that can help you in the analysis and remediation process, increasing your security efficiency.

More information can be found HERE.

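The four cases in the answer are a detection confusion matrix, and a team can only act on it if dispositions are recorded. The following Python script is an added example, not part of the thread and not Box's code or Shield's alert schema; the alert records, field names (`user`, `rule`, `disposition`) and rule names are constructed assumptions. It buckets reviewed alerts into the three observable cases, derives precision and recall from them, and ranks rules by their benign share so the team knows where tuning would cut false positives.

```python
from collections import Counter

# Constructed sample alerts (assumed field names, not Box Shield's schema).
# "disposition" is what the analyst concluded after review.
ALERTS = [
    {"id": "a1", "user": "alice", "rule": "unusual_download",    "disposition": "threat"},
    {"id": "a2", "user": "bob",   "rule": "unusual_download",    "disposition": "benign"},
    {"id": "a3", "user": "carol", "rule": "suspicious_location", "disposition": "benign"},
    {"id": "a4", "user": "dave",  "rule": "suspicious_location", "disposition": "threat"},
    {"id": "a5", "user": "erin",  "rule": "unusual_download",    "disposition": "benign"},
]

# Constructed: users tied to incidents confirmed by other means (an IR case,
# a user report). Anyone here without an alert is a "threat, no alert" case.
CONFIRMED_INCIDENTS = {"alice", "dave", "frank"}


def classify(alerts, incidents):
    """Bucket events into the three observable cases from the answer.

    The fourth case ("no threat, no alert") is the silent remainder and
    cannot be enumerated from alert data, so it is not returned.
    """
    alerted_users = {a["user"] for a in alerts}
    buckets = {"threat_alert": [], "no_threat_alert": [], "threat_no_alert": []}
    for a in alerts:
        key = "threat_alert" if a["disposition"] == "threat" else "no_threat_alert"
        buckets[key].append(a["id"])
    # Incidents that never produced an alert are the ones that slipped through.
    buckets["threat_no_alert"] = sorted(incidents - alerted_users)
    return buckets


def metrics(buckets):
    """Precision (alert quality) and recall (coverage) from the buckets."""
    tp = len(buckets["threat_alert"])
    fp = len(buckets["no_threat_alert"])
    fn = len(buckets["threat_no_alert"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall,
            "false_positives": fp, "missed_threats": fn}


def benign_share_by_rule(alerts):
    """Fraction of each rule's alerts closed as benign: tuning candidates."""
    fired = Counter(a["rule"] for a in alerts)
    benign = Counter(a["rule"] for a in alerts if a["disposition"] == "benign")
    return {rule: benign[rule] / fired[rule] for rule in fired}


if __name__ == "__main__":
    buckets = classify(ALERTS, CONFIRMED_INCIDENTS)
    print(buckets)
    print(metrics(buckets))
    for rule, share in sorted(benign_share_by_rule(ALERTS).items(),
                              key=lambda kv: kv[1], reverse=True):
        print(f"{rule}: {share:.0%} of alerts were benign")
```

Recall only becomes measurable once the team feeds confirmed incidents back in, which is why the "threat, no alert" case is tracked from an incident list rather than from the alerts themselves.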