Dropbox monitoring / alerting

Hello everyone and welcome to 2024, its going to be a great year, hope you’re all ready. :slight_smile:

I am looking for how others have used or setup Rapid7 to monitor and/or alert on dropbox related “things”. Things like - large file upload or download, access to non-approved dropbox accounts, personal v business, new user or unauthorized user accessing dropbox personal or business. or anything else you feel should be monitored and or tracked.

thanks all,

1 Like

You have three options within InsightIDR

  1. Search DNS for any activity relating to Dropbox queries. Something like where(“top_private_domain” = “dropbox.com”) would be a good starting point
  2. Look for any Investigations associated with Attacker Technique - Exfiltration Of Data To Dropbox. This looks out for any process activity which is trying to connect to Dropbox APIs
  3. If you have sensors deployed with ENTA enabled, you can search for any flow records associated with Dropbox. This is the only way you will see data transfer volumes. It cannot tell the difference between personal vs business as both hit the same Dropbox endpoints. See screenshot for an example of a flow record.

Screenshot 2024-01-15 at 14.57.26
Screenshot 2024-01-15 at 14.56.08

1 Like

Thanks, this is great :slight_smile:, really do appreciate it.
No ENTA yet, soon tho, I hope

Great question! Good topic for many to be aware of. Thanks for posting!

Great response. I would have said much the same so I am glad to know I was thinking the right direction. The ENTA is a powerful weapon in our arsenal when we can deploy it. It is a shame more networks are not using it. Thanks for posting the LEQL query. Super-helpful! I really like that feature and the power it gives for hunting!