Programmatically triggering a Box Shield alert?

Is it possible to programmatically trigger a Box Shield alert?

I have a tool that periodically checks for Box enterprise events. As a test, I’d like to prompt a Box Shield alert, then verify that the tool consumes the expected Box Shield alert.

I’ve set up a Suspicious Location alert that triggers when a user accesses content in a Box account from the country in which I’m running the code. In the code, I attempt to read the contents of a folder. I’m able to read the contents of the folder (as expected), but it does not appear to generate a Suspicious Location alert. Should it?

More details: I’m using the same method to connect to Box in the tests as I’m using to connect to Box in the tool - the BoxDeveloperEditionAPIConnection::getAppEnterpriseConnection method - and the same configuration file for both connections - the json file produced from the App Settings.

I’m using the following code in my test to read the contents of the folder; I’m deliberately doing nothing with the items themselves, as I assume reading the folder should be sufficient to trigger a Suspicious Location alert:

    .forEach(boxItemInfo -> {});

Should this kind of code trigger a Shield Alert? If not, what kind of code would?

Hi Drew

According to the documentation here you need to access the content to trigger the alert so you’d probably need to download a file for it to trigger

Using Threat Detection – Box Support.

Peter Christensen, Platform Solutions Engineer, Box

Thanks, Peter. I modified the code to download instead of simply access the folder and list the files:

        BoxFolder.getRootFolder(boxAPIConnection).forEach(boxItemInfo -> {
            if (boxItemInfo instanceof BoxFile.Info) {
                final BoxFile boxFile = new BoxFile(boxAPIConnection, boxItemInfo.getID());

This prompted an access denied error, but it didn’t produce any Shield alerts. Should it have done so? I’d think if a user attempted to download a file that they don’t have permission to download, from a suspicious location, that should trigger an alert.

Is the fact that the user is an app user, not a managed or external user, relevant here? Can app users trigger Shield alerts, or is it only possible for managed or external users to do so?


App user can trigger the alert but it would go on the IP where the API call comes from. I don’t think we trigger for unsuccessful downloads so you’d need to give access to the app user to preview or download to trigger the alert