Both admins and co-admins can run and filter reports, depending on permission settings:
- The primary admin can run reports and filter by any group or user type (managed, unmanaged, admin, co-admin).
- Any co-admin who has permission to Run new reports and access existing reports (marked in orange below) can run the usage logs that are date bound (without selecting a user or group).
- A co-admin who has permission to Run new reports and access existing reports (marked in orange below) and permission to Manage groups (marked in green below) can run a usage log by groups.
- A co-admin who has reporting permissions can run a usage log by user.

- User Detail
- User Activity
- User Statistics
- Managed Users Report
- Security Logs
- Folders & Files
- Collaborations
- Shared Links
- Outbound Collaboration
- Legal Holds
- Retention
- Platform Activity
- Historical Platform Activity
Note:
- This report typically takes up to 12 hours to generate. However, for particularly large data sets, it can take longer.
- If the status of your report does not update in 24 hours, or has been in a Pending status for 24 hours, please contact Product Support.
User Details
User Details reports provide a range of data about every user in your organization (name, emails, groups, collaboration permissions, and so on). This includes identifying whether and how many of the users in your organization are unmanaged. More information on running the User Details report.
The User Details report provides the following for each user:
- name
- secondary emails
- groups
- storage (limit)
- restricted external collaboration (enabled/disabled)
- status
- storage used
- last password change
- last login
- user type (managed/unmanaged/admin/co-admin)
- managed user permissions
- co-admin permission
User Activity
Note
Box reports "Unknown IP" in the User Activity report when you
- spoof an IP,
- use a VPN proxy, or
- use Box's internal IP.
Added public key to application
|
Added a public key used to authenticate a custom app
|
Deleted public key from application
|
Removed a public key used to authenticate a custom app
|
Application created
|
Application was created
|
Enterprise App Authorization Created
|
User requested App Authorization for Admin
|
Enterprise App Authorization Updated
|
Admin updated App Authorization in Admin Console>Apps
|
Enterprise App Authorization Deleted
|
Admin deleted App Authorization in Admin Console
|
Created Automation
|
User added a new Automation process in the Admin Console.
|
Deleted Automation
|
User deleted an existing Automation process in the Admin Console.
|
Edited Automation
|
User edited an existing Automation process in the Admin Console.
|
Accepted invite
|
User accepted an invitation to join a shared folder as a collaborator. This action is the same whether the user chose to auto-accept invitations or not.
|
Changed user or group role
|
|
Extend collaborator expiration
|
User has extended the expiration date of another user's collaboration privileges.
|
Removed Collaborator
|
User removed a collaborator from a shared folder
|
Invited collaborator
|
User added a collaborator to a shared folder
|
Rejected invite
|
User rejected an invitation to join a shared folder as a collaborator.
|
Collaboration expired
|
User was removed from a shared folder after the collaboration expiration date (set by folder owner or enterprise admin) lapsed.
|
Violated enterprise item transfer policy
|
User tried to transfer ownership of a file or folder to an external collaborator in violation of the Restrict Ownership Transfer policy enabled at Admin Console > Enterprise Settings > Content & Sharing > Collaborating on Content.
|
Created Comment
|
User added a comment on a file.
|
Edited Comment
|
User edited an existing comment on a file.
|
Deleted Comment
|
User deleted an existing comment on a file.
|
Created Annotation
|
User created an annotation on a file. |
Deleted Annotation
|
User deleted an annotation on a file. |
Edited Annotation
|
User edited an annotation on a file. |
Copied
|
User created a copy of a file.
|
Moved to trash
|
User moved a file to the trash. Depending on your admin and enterprise settings, at any time you may be able to restore files that have been moved to the trash but not yet deleted. However, when a file is deleted from the trash, you have only 14 days to recover it before it is gone permanently. (You may need Box's assistance to do this.)
|
Downloaded
|
User downloaded a file.
|
Edit
|
User made changes or saved a new version of a file.
|
Locked
|
User locked a file, restricting access.
|
Moved
|
User moved a file to a new location in Box.
|
Previewed
|
User previewed a file in Box.
|
Renamed
|
User renamed a file.
|
Set file auto-delete
|
User set a file to delete automatically on a certain date.
|
Restored from trash
|
User restored a deleted file from the trash.
|
Unlocked
|
User unlocked a file, permitting access.
|
Uploaded
|
User uploaded a file.
|
File version restored
|
User restored a previous version of a file.
|
File marked malicious
|
User marked a file as malicious.
|
Applied watermark
|
User added a watermark to a file. Watermark will display the current viewer's email address or IP address, as well as time of access across the document's contents.
|
Removed watermark
|
User removed the watermark from a watermarked file.
|
Synced folder
|
User synced a folder to his/her desktop.
|
Un-synced folder
|
User un-synced a folder from his/her desktop.
|
Content Accessed
|
Item has been accessed by an authorized end user or programmatically by a Box application.
|
Created File Request
|
User created a new File Request on a folder
|
Edited File Request
|
User edited an existing File Request
|
Deleted File Request
|
User deleted a File Request
|
Added to group
|
User added another user to an existing group.
|
Created new group
|
User created a new group.
|
Deleted group
|
User deleted an existing group.
|
Edited group
|
User edited a group in any way, including adding another user to the group.
|
Created Group Admin
|
Admin or Co-Admin appointed a group admin.
|
Updated Group Admin Permissions
|
Admin or Co-Admin modified group admin permissions.
|
Deleted Group Admin
|
Admin or Co-Admin removed a group admin designation. |
Item removed from group
|
User removed a group's access to a specific file or folder.
|
Granted folder access
|
User granted a group access to a specific folder.
|
Removed from group
|
User removed another user from an existing group.
|
Opened legal hold case
|
User created a legal hold policy in the Policies tab of the Admin Console.
|
Edited legal hold case
|
User edited an existing legal hold policy.
|
Closed legal hold case
|
User closed a legal hold policy.
|
Created legal hold assignment
|
User assigned another user as a custodian in a legal hold policy. A custodian is a user who may have had access to the content affected by this legal hold.
|
Removed legal hold assignment
|
User removed another user as a custodian in a legal hold policy. A custodian is a user who may have had access to the content affected by this legal hold.
|
Admin Login
|
User with Admin privileges logged into the account of one of their managed users.
|
Added Device Association
|
Admin pinned the Box application to a user's mobile device. You can view all devices that users have pinned by opening your Admin Console and navigating to Enterprise Settings > Device Trust tab.
|
Terms of service agreed
|
User agreed to the Box Terms of Service upon initial login.
|
Failed login
|
User failed to log in. User may have typed in an incorrect password.
|
Login
|
User successfully logged into Box via any endpoint (Web application, mobile apps, Box APIs, and so on).
|
Terms of service reject
|
User rejected the Box Terms of Service upon initial login.
|
Add login app
|
User or Admin enabled device pinning, then User logged in.
|
Removed login activity application
|
User logged out of a device that they logged into previously.
|
Removed Device Association
|
Admin removed a user's device association. You can view all devices that users have pinned by opening your Admin Console and navigating to Enterprise Settings > Device Trust tab.
|
Login Verification enabled
|
User enabled two-step verification for their account in account settings.
|
Login verification disabled
|
User disabled two-step verification for their account in account settings.
|
Failed Device Trust Check
|
Added template
|
Created a new metadata template in the Admin Console.
|
Removed template
|
Removed an existing metadata template in the Admin Console.
|
Edited Attributes
|
User edited an existing metadata template, adding, removing, or editing attributes.
|
Violated share policy
|
User violated a sharing policy, set by enterprise administrator. User may have shared files with an unsecured or restricted web address.
|
Unusual download activity
|
User has downloaded files at a rate that exceeds a download policy set by the enterprise administrator.
|
Violated upload policy
|
User uploaded a document containing restricted information as defined by an upload policy set by the enterprise administrator.
|
Retention policy changed
|
User applied a data retention policy to a file version that was already subject to another data retention policy.
|
Retention policy applied
|
User applied a data retention policy to a file version. This is the first time the data retention policy is applied to the file version.
|
Restored quarantined file
|
User has restored a file that had been moved to a quarantine folder as a result of a policy set by the enterprise administrator.
|
Created Policy
|
User created a data retention policy or a security policy in either the Admin Console or Box public API. (You can use the Box public API to create only retention policies.)
|
Deleted Policy
|
User deleted an existing security policy in the Admin Console. Applies to all policies except retention policies, which can only be retired.
|
Edited Policy
|
User edited an existing data retention policy or security policy in either the Admin Console or Box public API. (You can use the Box public API to edit only retention policies.)
|
Retired Policy
|
User retired an existing policy in the Admin Console. Applies only to retention policies, which cannot be deleted.
|
Created Workflow
|
User created a new workflow in Relay.
|
Edited Workflow
|
User edited a workflow in Relay.
|
Deleted Workflow
|
User deleted a workflow in Relay.
|
Opened retention
|
User created a retention policy in the Policies tab of the Admin Console.
|
Edited retention
|
User edited an existing retention policy.
|
Closed retention
|
User closed a retention policy.
|
Created retention assignment
|
User assigned another user as a custodian in a retention policy. A custodian is a user who may have had access to the content affected by this policy.
|
Removed retention assignment
|
User removed another user as a custodian in a retention policy. A custodian is a user who may have had access to the content affected by this policy.
|
Item Shared
|
User created a shared link to a file or folder.
|
Item Share Updated
|
User updated the shared link settings for an existing shared link to a file or folder.
|
Extend shared link expiration
|
User extended a shared link's expiration date.
|
Set shared link expiration
|
User set an expiration date for a shared link. After this date, the link will no longer be valid.
|
Disabled shared link
|
User disabled an existing shared link.
|
Assigned a task
|
User assigned another user a task.
|
Updated a task assignment
|
User modified a previously assigned task.
|
Created a task
|
User created a task. This does not mean that the task was assigned to anyone.
|
Created new user
|
User created another user in your Box account using the Admin Console.
|
Changed admin role
|
User changed an admin's privileges, either making a user an admin or removing a user as an admin.
|
Changed primary email
|
User changed his/her primary email address.
|
Deleted user
|
User deleted another user in your Box account using the Admin Console.
|
Edited user
|
User modified another user's information using the Admin Console.
|
Invited user to enterprise
|
User invited someone outside your enterprise to join your enterprise Box account.
|
Rejected enterprise invite
|
User rejected an invitation to join your enterprise Box account.
|
Removed secondary email
|
User removed his/her secondary email address.
|
Accepted enterprise invite
|
User accepted an invitation to join your enterprise Box account.
|
Added secondary email
|
User added a secondary email address.
|
- Actions taken by External Users will be included within a User Activity Report if the report is run on the entire Enterprise.
- If the date range is within last year, it is usually faster to run the report in Box rather than exporting it.
- If your date range is greater than 1 year, you must export the report. The run button will be disabled.
- User actions may be delayed by up to one day before uploading an exported .csv reports.
- A "user" with the name "Box Admin Reports" appears as a newly-created user the first time an admin runs a report.
- You cannot filter by a deleted user prior to running or exporting the report.
- Filtering for a folder displays activity for files and folders immediately within it, but not activity for content within subfolders.
User Statistics
- logged in
- used incorrect log in credentials
- uploaded a file
- downloaded a file
- previewed a file
- edited a file
- deleted a file
- Shared Links: Users do not need to be logged into Box to access a shared link. Thus you may see previews, uploads, and downloads by "Anonymous". This typically relates to shared link activity.
- Email Upload: Users do not need to be logged into Box to upload via email. As a result, you may see "Anonymous" making many uploads.
- Embed Widget: Users do not need to be logged into Box to preview an embed widget on a website. Thus, you may see "Anonymous" previews.
- API integration: you may see other "Anonymous" actions if you have an API integration that performs actions in your account.
- When uploads occur via File Request you may see the folder owner as the name of the uploader (as it is technically an anonymous uploader). To identify uploads via a file request navigate to User Activity Report > File Management Report > Uploads. Then, under Details, filter by Service = File Request.
- If you are curious for more details around an "Anonymous" action, run a User Activity Report for that action type and select the same date range.
Managed Users Report
The Managed Users report gives you an overview of account details, permissions, and groups for all your managed users in Box.
Run the Managed Users report if you want to know:
- The name of the managed user
- Primary email address of the managed user
- List of secondary email addresses for the managed user
- The groups the managed user belongs to
- Storage allocation for the managed user
- Storage used by the managed user
- Whether the managed user's external collaboration is restricted
- Status of the managed user's account
- Date when the managed user last changed his or her password
- Data residency zone of the managed user
- Date when the managed user last logged in and started a new session in the web application, Sync, Drive, or mobile
Security Logs
Folders and Files
- Owner Name
- Owner Login
- Path (file path in Box)
- Path ID (item ID of each item in file path)
- Item Name
- Item ID (unique ID number assigned to each file)
- Item Type (folder/file)
- Size
- Created
- Last Modified
- Uploaded
Notes:
There is a 10 million item limit on this report. If an organization has greater than 10 million items, the report will not run.
Collaborations
- Owner Name
- Owner Login
- Path (file path in Box)
- Path IDs (item IDs of each item in file path)
- Item Name
- Item ID (unique ID number assigned to each file and folder)
- Item Type (folder/file)
- Collaborator Name
- Collaborator Login
- Collaborator Type
- managed
- external
- group & group name
- Collaborator Permission
- Inviter Email
- Invited Date
- Invite Accepted Date
Shared Links
- Owner Login (user who owns the file or folder associated with the shared link)
- Folder/File ID (unique ID number assigned to each file and folder)
- Folder/File Name
- Path (file path in Box)
- Shared Link Status (who can access the item via the shared link)
- Shared Link (actual shared link URL)
- Custom URL (if no custom URL has been set, field will remain blank)
- Password
- Expiration
- Permissions
Outbound Collaboration
- Account Name (name of external user)
- Account Login (email of external user)
- Owner Login (managed user who invited external user)
- Item Name (folder in which external user is a collaborator)
- Item ID (unique ID number assigned to folder)
- Permission Level (access level of external user)
- Inviter Email
- Invited Date
- Invite Accepted Date
Legal Holds
- Assignment Type
- Assignment ID
- Parent Folder
- Parent Folder ID
- File Name
- File ID
- File Version ID
- Creation Date
- Uploaded Date
Retention
Retention policies enable you to retain certain types of content in Box for a specified period of time, and remove content from Box that is no longer relevant. A retention report exports details of a particular retention policy, along with a list of all of the files the policy covers. Retention reports do not include files that have already met their retention requirements and been removed.
Each report provides basic information about the retention policy, including:
- Policy Name
- Policy Status
- Policy Type
- Policy Time Period
- Policy Disposition Action
- Policy Created Date
And for each file listed, the report displays:
- Parent Folder Path
- Parent Folder Path ID
- File Name
- File ID
- File Version ID
- Disposition Date
- Created
- Uploaded
Platform Activity
The platform activity report enables you to monitor on demand your organization’s consumption of platform resources. Using this report can help you:
- verify resource consumption for yourself, saving you the time and hassle of reaching out for support from anyone at Box
- figure out more precisely how your people are adopting Box and integrating it into their daily work routines
- determine the growth or success of any applications your organization may have built on the Box platform
- ascertain the overall value your Box investment is returning
- identify your most highly-consumed integrations
- see how many custom apps are being built
The platform activity report is a downloadable .CSV file, accessible from your admin console via the Reports tab. The report displays your organization’s resource usage in the form of API calls. (Each time someone uploads, downloads, modifies, or access a file, he or she generates an API call.)
More details about the Platform Activity report.
Historical Platform Activity
This report provides archived monthly total usage from January 2017 through March 2018. (Box does not maintain historical data on a daily basis; the date listed on this report represents information – in this case, the total number of API calls – for that entire month.)
Like the Platform activity report, this report displays activity broken out by application (Salesforce, Slack, Box Sync, any custom app, and so on). This report contains the following fields:
- Date (month)
- App Name
- Metric
- Value
- App ID
- Chargeable