User Activity reports provide an overview of the actions your users are taking in Box. Use this report to view the actions made by your users within a given time period. You can filter the report by:
- Groups or managed users
- Specific folders or files
- Action types (events)
If you choose to export this report, a new folder will be created in your Box Reports folder containing a .csv file. This folder description in the right-hand sidebar will contain information about your report. It may take some time for the .csv file to appear. While your report is exporting, the Status field in the folder description will read In Progress. Once your report has been exported, the status changes to Complete.
You must define filters for the User Activity report before you can run it.
User Activity Report Details
- File format: comma-separated value (.csv) file
-
Filename format:
user_activity_run_on_YYYY-MM-DD-HH-MM-SS_Page_#.csv
- Folder name format (each report run is placed in its own folder):
User Activity run on YYYY-MM-DD HH-MM-SS
- Filename and folder name time zone: the local date and time of the admin who ran the report or who set up the report schedule.
Notes:
- At least one Action Type must be selected to run a User Activity report.
- Actions taken by External Users will be included within a User Activity Report if the report is run on the entire Enterprise.
- If the date range is within last year, it is usually faster to run the report in Box rather than exporting it.
- If your date range is greater than 1 year, you must export the report. The run button will be disabled.
- User actions may be delayed by up to one day before uploading an exported .csv reports.
- A "user" with the name "Box Admin Reports" appears as a newly-created user the first time an admin runs a report.
- You cannot filter by a deleted user prior to running or exporting the report.
- Filtering for a folder displays activity for files and folders immediately within it, but not activity for content within subfolders.
- For the View report, events only within the last year are available.
User Activity Report Data Columns
This section describes the data columns that are generated in User Activity reports. You can select which data columns appear in the report. All columns are selected by default, and the columns marked with an asterisk are required.
- Date*
- Required. The date and time, in the local time of the admin who ran the report or who set up the report schedule, of the action.
- User Name*
- Required. The name of the user, from the value in the Name field in User Account Details.
- User Email
- The email address of the user, from the value in the Email field in User Account Details.
- IP Address
-
The IP address of the computer or device from which the action was initiated.
Box reports "Unknown IP" in the User Activity report when you
- Spoof an IP address
- Use a VPN proxy
- Use Box's internal IP address
- Action*
- Required. The action, or event. The Action Types section below lists all the possible values.
- Affected*
-
Required. The value in this field depends on the type of user action taken. User actions are divided into two types: item events and collaboration events.
- Item events are generated when users act on a file, actions such as move, copy, preview, and download. For item events, the value in the Affected field is the file or folder on which the action was taken.
- Collaboration events are generated when files and folder are shared with other users. For collaboration events, the value in the Affected field is the email address/user ID of the collaborator.
- Affected Id
- The unique number that identifies the file or folder on which the action was taken.
- Size (kB)
- The size in kilobytes of the file or folder on which the action was taken.
- Parent Folder
- The path to the file or folder on which the action was taken from the root of your Box instance.
- Details*
- Required. If there are any additional details to report on the user action, they are included here.
- Classification
- Available only for customers who use Box Shield, shows the classification label, if any, of the file or folder on which the action was taken.
User Activity Report Filters
- Users or Groups
- Optional. Enter one or more names of managed users or of user groups or User IDs of external users to limit the User Activity report to activities of those users.
Notes
- When entering names of managed users or groups, Box displays the first ten matches in alphabetical order rather than by exact match.
- When entering User IDs of external users, enter a full User ID (view external user User IDs at Admin Console > Users & Groups > External Users, in the User ID column) and press Enter, which will convert it to a name.
- Start Date
- Optional. Defines the start date for user activities in the report. If omitted, the report can go back as far as 7 years, or as long as you have had an account tariff with reporting access.
- End Date
- Optional. Defines the end date for user activity in the report. If omitted, the report will end with activities up to the current date.
- Affected Folder and Files
-
Optional. Defines the file(s) and folder(s) for which user activity will be included in the report. If any folders or files are selected, the User Activity report will contain only user actions that affect the chosen folders or files.
- Click Select.
- Find files and folders to select:
- Enter search text, which can be either a complete or partial folder name or a complete folder ID, and press Enter. If you enter all or part of a folder name, the results will contain files and folders with that text in their file and folder names. If you enter a folder ID, the folder with that corresponding ID will appear at the top of the search results, plus any files and folders with that folder ID in the file or folder name.
- Enter all or part of a user name to select one user and list all files and folders owned by that users.
- You can also do both: search for files and enter and select one user to list only the files and folders owned by that user that match the search text.
- Select one or more files and folders:
- Select the check box for one or more files and folders in the list. You can also select the Select All check box at the top of the list to select all files and folders in the list. If you select more than one folder, only the files within the selected folders, not within any subfolders, will be included in the report.
- Enable Include Subfolders, and then select one folder. All files within the folder and within all subfolders will be included in the report.
- Click Choose.
Note
If you enable the Include Subfolders option, you will be able to choose only one folder. If you select more than one folder, the Enable Subfolders option will be disabled.
Warning:
When the Includes Subfolders feature is on, the View option doesn't work - it doesn't pull events in the subfolders.
- Date Range
-
The date range or user activity. Select from:
- Last Day
- Last Week (default)
- Last Month
- Last Years (and then select a number of years from 1 to 7 or All Time, which is as long as you have had an account tariff with reporting access)
- Custom Range (and then select a start and/or end date)
Last day/week/month/year(s) values mean the previous day/week/month/year(s) from the date the report was run.
User Activity Report Action Types
User Activity reports contain data about actions, sometimes described as events, your users take in Box. The Action Types section is where you select which user actions you want to include in the User Activity report.
Select the check box for:
- Select All to include all user activities
- An Action Type category to select all of the user activities in that type
- Any individual user activity
At least one Action Type must be selected to run a User Activity report.
- AI Activity
-
Note: Box AI reporting is only available to customers on Enterprise+ tariff.
- AI query: User queried Box AI and received a response.
- Failed AI query: User queried Box AI but did not receive a response. A failed AI query may result from AI itself not being able to respond or the service failure.
- Application
-
- Added public key to application: Added a public key used to authenticate a custom app.
- Deleted public key from application: Removed a public key used to authenticate a custom app.
- Application created: Application was created.
- Enterprise App Authorization Created: User requested App Authorization for Admin.
- Enterprise App Authorization Updated: Admin updated App Authorization in Admin Console > Apps.
- Enterprise App Authorization Deleted: Admin deleted App Authorization in Admin Console.
- Automations
-
- Created Automation: User added a new Automation process in the Admin Console.
- Deleted Automation: User deleted an existing Automation process in the Admin Console.
- Edited Automation: User edited an existing Automation process in the Admin Console.
- Collaboration
-
- Accepted invite: User accepted an invitation to join a shared folder as a collaborator. This action is the same whether the user chose to auto-accept invitations or not. Text entered in the (optional) Message field appears in the Details column of the event.
- Changed user or group role: User has modified either their own or a collaborator's role (access level) in a shared folder.
- Extend collaborator expiration: User has extended the expiration date of another user's collaboration privileges.
- Removed Collaborator: User removed a collaborator from a shared folder.
- Invited collaborator: User added a collaborator to a shared folder. Text entered in the (optional) Message field appears in the Details column of the event.
- Rejected invite: User rejected an invitation to join a shared folder as a collaborator.
- Collaboration expired: User was removed from a shared folder after the collaboration expiration date (set by folder owner or enterprise admin) lapsed.
- Violated enterprise item transfer policy: User tried to transfer ownership of a file or folder to an external collaborator in violation of the Restrict Ownership Transfer policy enabled at Admin Console > Enterprise Settings > Content & Sharing > Collaborating on Content.
- Email sent to collaborators: User sent a message via email when inviting collaborators to a file or folder (at Share > enter email address(es) in Invite People field) or after collaboration has been created (at More Options (3-dot) menu for the file/folder with the collaboration > More Actions > Manage Collaborators > Mail All). Text entered in the Message field appears in the Details column of the event.
- Comments
-
- Created Comment: User added a comment on a file. The text entered as the comment appears in the Details column of the event.
- Edited Comment: User edited an existing comment on a file. The text entered as the comment appears in the Details column of the event.
- Deleted Comment: User deleted an existing comment on a file.
- Created Annotation: User created an annotation on a file.
- Deleted Annotation: User deleted an annotation on a file.
- Edited Annotation: User edited an annotation on a file.
- Endpoint Protection
-
- Device detected by CrowdStrike Falcon platform: A device connecting to your Box instance was detected by the CrowdStrike Falcon platform
- No Box Tools detected in device for CrowdStrike Falcon platform support: A device connecting to your Box instance was detected by the CrowdStrike Falcon platform and it was determined to not have Box Tools installed on the device.
- Box Tools outdated in device for CrowdStrike Falcon platform support: A device connecting to your Box instance was detected by the CrowdStrike Falcon platform and it was determined that the Box Tools version installed on the device was not sufficient to safely connect.
- Box Drive outdated in device for CrowdStrike Falcon platform support: A device connecting to your Box instance was detected by the CrowdStrike Falcon platform and it was determined that the Box Drive version installed on the device was not sufficient to safely connect.
- Access allowed to device not identified by CrowdStrike Falcon platform: A device that the CrowdStrike Falcon platform could not identify was given access to connect to your Box instance.
- Access revoked to device identified by CrowdStrike Falcon platform: A device that the CrowdStrike Falcon platform could not identify had its access to connect to your Box instance revoked.
- Domains
-
- Domain added: Admin added a verified domain to your organization in Domain Management.
- Domain deleted: Admin deleted a domain in Domain Management.
- Unverified domain added: A domain was added to your organization in Domain Management but the domain is not verified. This can occur when the domain was added to your organization by an admin but the verification process was not completed.
- Unverified domain deleted: Admin deleted an unverified domain in Domain Management.
- Enable Auto Roll In For Domain: Admin enabled Auto Enrollment for a domain in your organization.
- Disable Auto Roll in For Domain: Admin disabled Auto Enrollment for a domain in your organization.
- File Management
-
- Copied: User created a copy of a file.
- Moved to trash: User moved a file to the trash. Depending on your admin and enterprise settings, at any time you may be able to restore files that have been moved to the trash but not yet deleted. However, when a file is deleted from the trash, you have only 14 days to recover it before it is gone permanently. (You may need Box's assistance to do this.)
- Downloaded: User downloaded a file.
- Edit: User made changes or saved a new version of a file.
- Locked: User locked a file, restricting access.
- Moved: User moved a file to a new location in Box.
- Previewed: User previewed a file in Box.
- Renamed: User renamed a file.
- Set file auto-delete: User set a file to delete automatically on a certain date.
- Restored from trash: User restored a deleted file from the trash.
- Unlocked: User unlocked a file, permitting access.
- Uploaded: User uploaded a file or caused a file to be uploaded (such as when an Admin runs a report). When this event is selected, the report also includes Created events. A Created event is generated when a folder was created.
- File version restored: User restored a previous version of a file.
- File marked malicious: User marked a file as malicious.
- Applied watermark: User added a watermark to a file. Watermark will display the current viewer's email address or IP address, as well as time of access across the document's contents.
- Removed watermark: User removed the watermark from a watermarked file.
- Synced folder: User synced a folder to their desktop.
- Un-synced folder: User un-synced a folder from their desktop.
-
Content Access: This event occurs when:
- An item is accessed by an authorized end user or programmatically by a Box application.
- A thumbnail is generated for a file when a folder (in either the mobile or web app) is accessed.
In some cases, you might see multiple Content Access events logged for for a single activity, such as a Preview or Move. This is because, on a technical level, larger files are sometimes chunked to improve efficiency. This does not affect the user experience, but when this happens, each chunk involved is a separate Content Access event. For example, a Preview of a large PDF file might fetch the file in multiple batches of pages. While this would be one Previewed event for the file, it would be multiple Content Access events for the same file. This is quite normal; it just reveals a little bit of the technical aspects of activity in Box.
Content access events for thumbnail generation do not have related events or corresponding actions.
- File Request
-
- Created File Request: User created a new File Request on a folder
- Edited File Request: User edited an existing File Request
- Deleted File Request: User deleted a File Request
- Groups
-
- Added to group: User added another user to an existing group.
- Created new group: User created a new group.
- Deleted group: User deleted an existing group.
- Edited group: User edited a group in any way, including adding another user to the group.
- Created Group Admin: Admin or Co-Admin appointed a group admin.
- Updated Group Admin Permissions: Admin or Co-Admin modified group admin permissions.
- Deleted Group Admin: Admin or Co-Admin removed a group admin designation.
- Item removed from group: User removed a group's access to a specific file or folder.
- Granted folder access: User granted a group access to a specific folder.
- Removed from group: User removed another user from an existing group.
- Legal Holds
-
- Opened legal hold case: User created a legal hold policy in the Policies tab of the Admin Console.
- Edited legal hold case: User edited an existing legal hold policy.
- Closed legal hold case: User closed a legal hold policy.
- Created legal hold assignment: User assigned another user as a custodian in a legal hold policy. A custodian is a user who may have had access to the content affected by this legal hold.
- Removed legal hold assignment: User removed another user as a custodian in a legal hold policy. A custodian is a user who may have had access to the content affected by this legal hold.
- Login
-
- Admin Login: User with Admin privileges logged into the account of one of their managed users.
- Added Device Association: Admin pinned the Box application to a user's mobile device. You can view all devices that users have pinned by opening your Admin Console and navigating to Enterprise Settings > Device Trust tab.
- Accepted Terms of Service: User agreed to the Box Terms of Service upon initial login.
- Failed login: User failed to log in. User may have typed in an incorrect password.
- Login: User successfully logged into Box via any endpoint (Web application, mobile apps, Box APIs, and so on).
- Rejected Terms of Service: User rejected the Box Terms of Service upon initial login.
- Add login app: User logged in to the Box app in a browser from a new device or a new token is issued for an OAuth application.
- Removed login activity application: User logged out of a device that they logged into previously.
- Removed Device Association: Admin removed a user's device association. You can view all devices that users have pinned by opening your Admin Console and navigating to Enterprise Settings > Device Trust tab.
-
Login Verification enabled: User enabled two-step verification for their account in account settings.
Note
This action type was available up through November, 2021, when Box had only SMS as an additional authentication factor. When additional authentication factors were added, the Login multi factor verification enabled action type replaced this one. For reports spanning this date, you could see both action types.
-
Login verification disabled: User disabled two-step verification for their account in account settings.
Note
This action type was available up through November, 2021, when Box had only SMS as an additional authentication factor. When additional authentication factors were added, the Login multi factor verification disabled action type replaced this one. For reports spanning this date, you could see both action types.
- Failed Device Trust Check: User failed a device trust requirement set by enterprise administrator.
- OAuth2 access token created: An OAuth2 access token, which allows secure authorized access to Box, was created for a user. This typically occurs when a user successfully completes the multi-factor authentication process.
- OAuth2 access token revoked: An OAuth2 access token, which allows secure authorized access to Box, was revoked for a user. This typically occurs after a defined number of unsuccessful login attempts, and results in a requirement that the user re-establish valid multi-factor authentication.
- OAuth2 refresh token revoked: An OAuth2 refresh token, which allows secure authorized access to Box, was revoked for a user. This typically occurs after a period defined by admins to require users to change credentials such as passwords.
-
Login multi factor verification enabled: User enabled two-step verification (also known as MFA, or multi-factor authentication) for their account in account settings.
Note
This action type replaced Login verification enabled in November, 2021, when Box started supporting additional authentication factors. For reports spanning this date, you could see both action types.
-
Login multi factor verification disabled: User disabled two-step verification (also known as MFA, or multi-factor authentication) for their account in account settings.
Note
This action type replaced Login verification disabled in November, 2021, when Box started supporting additional authentication factors. For reports spanning this date, you could see both action types.
- Metadata
-
- Added template: User added a metadata template to a file.
- Removed template: User removed a metadata template from a file.
- Edited Attributes: User edited an existing metadata template, adding, removing, or editing attributes.
- Policies
-
- Violated share policy: User violated a sharing policy, set by enterprise administrator. User may have shared files with an unsecured or restricted web address.
- Unusual download activity: User has downloaded files at a rate that exceeds a download policy set by the enterprise administrator.
- Violated upload policy: User uploaded a document containing restricted information as defined by an upload policy set by the enterprise administrator.
-
Retention policy changed: User applied a data retention policy to a file version that was already subject to another data retention policy.
Note
Box stopped tracking this action type in April, 2021. You can still select this action type for reports that include data before April, 2021.
-
Retention policy applied: User applied a data retention policy to a file version. This is the first time the data retention policy is applied to the file version.
Note
Box stopped tracking this action type in April, 2021. You can still select this action type for reports that include data before April, 2021.
- Restored quarantined file: User has restored a file that had been moved to a quarantine folder as a result of a policy set by the enterprise administrator.
- Created Policy: User created a data retention policy or a security policy in either the Admin Console or Box public API. (You can use the Box public API to create only retention policies.)
-
Deleted Policy: User deleted an existing security policy in the Admin Console. Applies to all policies except retention policies, which can only be retired.
Information in the Details column includes:
- Policy name
- Policy type (Modifiable or Non-modifiable)
- Edited Policy: User edited an existing data retention policy or security policy in either the Admin Console or Box public API. (You can use the Box public API to edit only retention policies.)
- Retired Policy: User retired an existing policy in the Admin Console. Applies only to retention policies, which cannot be deleted.
-
Created retention policy assignment: User added a folder or metadata to a retention policy.
Information in the Details column includes:
- Policy name
-
Deleted retention policy assignment: User removed a folder or metadata from a retention policy.
Information in the Details column includes:
- Policy name
- Relay
-
- Created Workflow: User created a new workflow in Relay.
- Edited Workflow: User edited a workflow in Relay.
- Deleted Workflow: User deleted a workflow in Relay.
- Retention
-
- Opened retention: User created a retention policy in the Policies tab of the Admin Console.
- Edited retention: User edited an existing retention policy.
- Closed retention: User closed a retention policy.
- Created retention assignment: User assigned another user as a custodian in a retention policy. A custodian is a user who may have had access to the content affected by this policy.
- Removed retention assignment: User removed another user as a custodian in a retention policy. A custodian is a user who may have had access to the content affected by this policy.
- Shared Links
-
- Item Shared: User created a shared link to a file or folder.
- Item Share Updated: User updated the shared link settings for an existing shared link to a file or folder.
- Extend shared link expiration: User extended a shared link's expiration date.
- Set shared link expiration: User set an expiration date for a shared link. After this date, the link will no longer be valid.
- Disabled shared link: User disabled an existing shared link.
- Shared link email sent: User emailed a shared link. Text entered in the Message field appears in the Details column of the event.
- Sign
-
- Sign Document Created: User created a Sign document.
- Sign Document Viewed By Signer: User viewed a Sign document.
- Sign Document Signed: User signed a Sign document.
- Sign Document Declined: User declined to Sign document.
- Sign Document Cancelled: User cancelled a Sign document request.
- Sign Document Completed: User completed a Sign document request.
- Sign Document Assigned: User assigned Signers to a Sign document
- Sign Document Forwarded By Signer: Signer Forwarded Sign document to another user.
- Tasks
-
- Assigned a task: User added or deleted the assignee of a task (at Preview file > Activity tab > 3-dot menu for the task > Modify task, then adding or deleting an assignee or adding as assignee when creating a task).
- Updated a task assignment: User marked a task as complete (at Preview file > Activity tab > Complete task).
- Created a task: User created a task. This does not mean that the task was assigned to anyone. This event occurs as a result of the following action: Preview file > Activity tab > Add Task > General/Approval Task. Text entered in the Message field appears in the Details column of the event.
- Updated a task: User updated either the Message or the Due Date fields of a file task (at Preview file > Activity tab > 3-dot menu for the task > Modify task). Text entered in the Message field appears in the Details column of the event.
- Users
-
- Created new user: User created another user in your Box account using the Admin Console.
- Changed admin role: User changed an admin's privileges, either making a user an admin or removing a user as an admin.
- Changed primary email: User changed their primary email address.
- Deleted user: User deleted another user in your Box account using the Admin Console.
- Edited user: User modified another user's information using the Admin Console.
- Invited user to enterprise: User invited someone outside your enterprise to join your enterprise Box account.
- Rejected enterprise invite: User rejected an invitation to join your enterprise Box account.
- Removed secondary email: User removed their secondary email address.
- Accepted enterprise invite: User accepted an invitation to join your enterprise Box account.
- Added secondary email: User added a secondary email address.