Saket Bajoria

Dropbox and RSA NetWitness Integration

Blog Post created by Saket Bajoria Employee on Apr 13, 2018

Dropbox is a file hosting service that offers cloud storage, file synchronization and personal cloud services. Dropbox allows its users access to files and folders anytime from desktop, web and mobile clients or even through applications connected to Dropbox. This presents a huge challenge for enterprises to closely monitor daily activities and look for malicious file activity, ex filtration of data.unauthorized file access, sharing, etc. 




RSA Netwitness Plugin framework can be used to connect to Dropbox via API v2 to collect all user activity. Here are some of the common scenarios that can be monitored using this integration:


  • Monitoring Sharing Policy.  Statistics around number of shares, number of shares with users outside of the organization (as indicated by the corresponding flag on the event in the sharing category), domains being shared with, etc.
  • Aggregate information on content being added & deleted (file operations category), and logins (login category). Reporting bursts of file deletes/renames, large number of attempted/failed logins, etc.
  • App linkages & behaviors around apps (apps are noted as an actor in actions they perform)


For more details on what can be collected please refer to this link:


Here are some of the use-cases that can be built on NetWitness Platform:



1. Content Sharing Activity (Internal vs External)

2. Login Activity from various localities

3. Top 10 File Uploaded/Downloaded

4. Third-Party App activity.

5. Summary of File activity per user

6. Top User Activities



1. Login from suspicious Locality 

2. Rapid Renames of Files 

3. Sharing of file with more than the allowed number of users

4. External Sharing of Business sensitive files


Combined with the complete visibility that the RSA NetWitness Platform delivers for threat detection and response across logs, network, and endpoints for both private and public cloud environments – securing the cloud is simplified.


Downloads and Documentation:


Configuration Guide: Dropbox 

Collector Package on RSA Live: "Dropbox"

Parser on RSA Live: CEF (device.type="dropbox")