What Changed
This PR fixes multiple compounding issues in the Box CCF connector and its parser introduced or exposed since v3.1.0:
- DCR field mapping error - source_owned_by_id was incorrectly mapped to owned_by.type (a string type field) instead of owned_by.id. Queries referencing SourceOwnedById against this parser returned the owner type string (e.g., “user”) rather than the numeric owner ID - a silent data fidelity failure.
- Missing classification fields - source.classification.name, source.classification.color, and source.classification.definition were not extracted in the DCR transform. The BoxEventsV2_CL table lacked these three columns entirely; any hunt or detection referencing file classification context returned null.
- OAuth 400 connectivity failure - The box_subject_id OAuth parameter was left as a raw {{boxEnterpriseId}} placeholder by the packaging tool instead of being rendered to the correct ARM parameter reference. Deployments of 3.1.4 may have experienced a complete OAuth authentication failure, meaning zero Box events were ingested.
- Parser fixes - The updated BoxEvents parser addresses:
- CCF data path: reads flat classification columns (source_classification_name_s, source_classification_color_s, source_classification_definition_s) from BoxEventsV2_CL with backfill via regex extraction
- BoxType fix: was incorrectly set to event_type for the v2 path; corrected
- SourceOwnedById guard added
- event_id_g normalized via tostring() cast for type consistency
- created_at_t datetime cast fixed for the v1 path
- Deduplication uses take_anyif for classification merge with shuffle hint
Security Impact (Visibility & Fidelity)
OAuth 400 error (critical): Deployments running the 3.1.4 packaging with the raw placeholder had an OAuth authentication failure at connector creation - zero Box event data was ingested by affected deployments. No file access, sharing, permission change, or admin activity events from Box were arriving in the workspace.
Classification blind spot: Even for deployments that were ingesting data, source.classification.name/color/definition fields were null in all rows. If your environment uses Box Shield data classification for sensitive file governance, no classification context was available for any detection or hunting query - this is a data fidelity gap, not a cosmetic fix.
SourceOwnedById corruption: Queries filtering or joining on SourceOwnedById were matching against the owner type string (“user”) instead of the owner ID integer, producing incorrect or empty result sets for ownership-based detection logic.
Upgrade to 3.1.5 is required to restore full Box event ingestion and classification field fidelity.
Affected Files
Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json
Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_table.json
Solutions/Box/Parsers/BoxEvents.yaml
(packaging artefacts: 3.1.5.zip, ReleaseNotes.md, Solution_Box.json, mainTemplate.json)