User Activity reports provide an overview of the actions your users are taking in Box. Use this report to view the actions made by your users within a given time period. You can filter the report by:
- Groups or managed users
- Specific folders or files
- Action types (events)
If you choose to export this report, a new folder will be created in your Box Reports folder containing a .csv file. This folder description in the right-hand sidebar will contain information about your report. It may take some time for the .csv file to appear. While your report is exporting, the Status field in the folder description will read In Progress. Once your report has been exported, the status changes to Complete.
See User Activity Report Data Columns for more information about what's contained in User Activity reports.
You must define filters for the User Activity report before you can run it. See User Activity Report Filters for more information about User Activity report filters, including a list of actions you can filter by, and a description of each action.
User Activity reports are created as comma-separated value (.csv) files. The filenames have the format
user_activity_run_on_YYYY-MM-DD-HH-MM-SS_Page_#.csv and each report run is placed in its own folder with a folder name of the format
User Activity run on YYYY-MM-DD HH-MM-SS.
- At least one Action Type must be selected to run a User Activity report.
- Actions taken by External Users will be included within a User Activity Report if the report is run on the entire Enterprise.
- If the date range is within last year, it is usually faster to run the report in Box rather than exporting it.
- If your date range is greater than 1 year, you must export the report. The run button will be disabled.
- User actions may be delayed by up to one day before uploading an exported .csv reports.
- A "user" with the name "Box Admin Reports" appears as a newly-created user the first time an admin runs a report.
- You cannot filter by a deleted user prior to running or exporting the report.
- Filtering for a folder displays activity for files and folders immediately within it, but not activity for content within subfolders.
- For the View report, events only within the last year are available.
User Activity Report
This section describes the data columns that are generated in User Activity reports and the filters that you can configure to run User Activity reports. User Activity reports contain data about actions, sometimes described as events, your users take in Box.
User Activity Report Data Columns
This section describes the data columns that are generated in User Activity reports. You can select which data columns appear in the report. All columns are selected by default, and the columns marked with an asterisk are required.
- Required. The date and time of the action, in the user's local time zone.
- User Name*
- Required. The name of the user, from the value in the Name field in User Account Details.
- User Email
- The email address of the user, from the value in the Email field in User Account Details.
- IP Address
The IP address of the computer or device from which the action was initiated.
Box reports "Unknown IP" in the User Activity report when you
- Spoof an IP address
- Use a VPN proxy
- Use Box's internal IP address
- Required. The action, or event. The Action Types section below lists all the possible values.
Required. The value in this field depends on the type of user action taken. User actions are divided into two types: item events and collaboration events.
- Item events are generated when users act on a file, actions such as move, copy, preview, and download. For item events, the value in the Affected field is the file or folder on which the action was taken.
- Collaboration events are generated when files and folder are shared with other users. For collaboration events, the value in the Affected field is the email address/user ID of the collaborator.
- Affected Id
- The unique number that identifies the file or folder on which the action was taken.
- Size (kB)
- The size in kilobytes of the file or folder on which the action was taken.
- Parent Folder
- The path to the file or folder on which the action was taken from the root of your Box instance.
- Required. If there are any additional details to report on the user action, they are included here.
- Available only for customers who use Box Shield, shows the classification label, if any, of the file or folder on which the action was taken.
User Activity Report Filters
|Users or Groups||Optional. Enter one or more names of managed users or of user groups to limit the User Activity report to activities of those users.|
|Start Date||Optional. Defines the start date for user activities in the report. If omitted, the report can go back as far as 7 years, or as long as you have had an account tariff with reporting access.|
|End Date||Optional. Defines the end date for user activity in the report. If omitted, the report will end with activities up to the current date.|
|Affected Folder and Files||
Optional. Click Select to select one or more folders or files. If any folders or files are selected, the User Activity report will contain only user actions that affect the chosen folders or files.
Reports will run only on the direct contents of selected folders, not on the contents of any subfolders.
The date range or user activity. Select from:
Last day/week/month/year(s) values mean the previous day/week/month/year(s) from the date the report was run.
User Activity Report Action Types
The Action Types section is where you select which user actions you want to include in the User Activity report.
Select the check box for:
- Select All to include all user activities
- An Action Type category to select all of the user activities in that type
- Any individual user activity
At least one Action Type must be selected to run a User Activity report.
|(User) Action Type||Description|
|Added public key to application||Added a public key used to authenticate a custom app|
|Deleted public key from application||Removed a public key used to authenticate a custom app|
|Application created||Application was created|
|Enterprise App Authorization Created||User requested App Authorization for Admin|
|Enterprise App Authorization Updated||Admin updated App Authorization in Admin Console>Apps|
|Enterprise App Authorization Deleted||Admin deleted App Authorization in Admin Console|
|Created Automation||User added a new Automation process in the Admin Console.|
|Deleted Automation||User deleted an existing Automation process in the Admin Console.|
|Edited Automation||User edited an existing Automation process in the Admin Console.|
|Accepted invite||User accepted an invitation to join a shared folder as a collaborator. This action is the same whether the user chose to auto-accept invitations or not.|
|Changed user or group role||User has modified either their own or a collaborator's role (access level) in a shared folder.|
|Extend collaborator expiration||User has extended the expiration date of another user's collaboration privileges.|
|Removed Collaborator||User removed a collaborator from a shared folder|
|Invited collaborator||User added a collaborator to a shared folder|
|Rejected invite||User rejected an invitation to join a shared folder as a collaborator.|
|Collaboration expired||User was removed from a shared folder after the collaboration expiration date (set by folder owner or enterprise admin) lapsed.|
|Violated enterprise item transfer policy||User tried to transfer ownership of a file or folder to an external collaborator in violation of the Restrict Ownership Transfer policy enabled at Admin Console > Enterprise Settings > Content & Sharing > Collaborating on Content.|
|Created Comment||User added a comment on a file.|
|Edited Comment||User edited an existing comment on a file.|
|Deleted Comment||User deleted an existing comment on a file.|
|Created Annotation||User created an annotation on a file.|
|Deleted Annotation||User deleted an annotation on a file.|
|Edited Annotation||User edited an annotation on a file.|
|Domain added||Admin added a verified domain to your organization in Domain Management.|
|Domain deleted||Admin deleted a domain in Domain Management.|
|Unverified domain added||
A domain was added to your organization in Domain Management but the domain is not verified. This can occur when the domain was added to your organization by an admin but the verification process was not completed.
|Unverified domain deleted||Admin deleted an unverified domain in Domain Management.|
|Enable Auto Roll In For Domain||Admin enabled Auto Enrollment for a domain in your organization.|
|Disable Auto Roll in For Domain||Admin disabled Auto Enrollment for a domain in your organization.|
|Copied||User created a copy of a file.|
|Moved to trash||User moved a file to the trash. Depending on your admin and enterprise settings, at any time you may be able to restore files that have been moved to the trash but not yet deleted. However, when a file is deleted from the trash, you have only 14 days to recover it before it is gone permanently. (You may need Box's assistance to do this.)|
|Downloaded||User downloaded a file.|
|Edit||User made changes or saved a new version of a file.|
|Locked||User locked a file, restricting access.|
|Moved||User moved a file to a new location in Box.|
|Previewed||User previewed a file in Box.|
|Renamed||User renamed a file.|
|Set file auto-delete||User set a file to delete automatically on a certain date.|
|Restored from trash||User restored a deleted file from the trash.|
|Unlocked||User unlocked a file, permitting access.|
|Uploaded||User uploaded a file.|
|File version restored||User restored a previous version of a file.|
|File marked malicious||User marked a file as malicious.|
|Applied watermark||User added a watermark to a file. Watermark will display the current viewer's email address or IP address, as well as time of access across the document's contents.|
|Removed watermark||User removed the watermark from a watermarked file.|
|Synced folder||User synced a folder to their desktop.|
|Un-synced folder||User un-synced a folder from their desktop.|
|Content Access||Item has been accessed by an authorized end user or programmatically by a Box application.|
|Created File Request||User created a new File Request on a folder|
|Edited File Request||User edited an existing File Request|
|Deleted File Request||User deleted a File Request|
|Added to group||User added another user to an existing group.|
|Created new group||User created a new group.|
|Deleted group||User deleted an existing group.|
|Edited group||User edited a group in any way, including adding another user to the group.|
|Created Group Admin||Admin or Co-Admin appointed a group admin.|
|Updated Group Admin Permissions||Admin or Co-Admin modified group admin permissions.|
|Deleted Group Admin||Admin or Co-Admin removed a group admin designation.|
|Item removed from group||User removed a group's access to a specific file or folder.|
|Granted folder access||User granted a group access to a specific folder.|
|Removed from group||User removed another user from an existing group.|
|Opened legal hold case||User created a legal hold policy in the Policies tab of the Admin Console.|
|Edited legal hold case||User edited an existing legal hold policy.|
|Closed legal hold case||User closed a legal hold policy.|
|Created legal hold assignment||User assigned another user as a custodian in a legal hold policy. A custodian is a user who may have had access to the content affected by this legal hold.|
|Removed legal hold assignment||User removed another user as a custodian in a legal hold policy. A custodian is a user who may have had access to the content affected by this legal hold.|
|Admin Login||User with Admin privileges logged into the account of one of their managed users.|
|Added Device Association||Admin pinned the Box application to a user's mobile device. You can view all devices that users have pinned by opening your Admin Console and navigating to Enterprise Settings > Device Trust tab.|
|Accepted Terms of Service||User agreed to the Box Terms of Service upon initial login.|
|Failed login||User failed to log in. User may have typed in an incorrect password.|
|Login||User successfully logged into Box via any endpoint (Web application, mobile apps, Box APIs, and so on).|
|Rejected Terms of Service||User rejected the Box Terms of Service upon initial login.|
|Add login app||User logged in to the Box app in a browser from a new device or a new token is issued for an OAuth application.|
|Removed login activity application||User logged out of a device that they logged into previously.|
|Removed Device Association||Admin removed a user's device association. You can view all devices that users have pinned by opening your Admin Console and navigating to Enterprise Settings > Device Trust tab.|
|Login Verification enabled||User enabled two-step verification for their account in account settings.
This action type was available up through November, 2021, when Box had only SMS as an additional authentication factor. When additional authentication factors were added, the Login multi factor verification enabled action type replaced this one. For reports spanning this date, you could see both action types.
|Login verification disabled||User disabled two-step verification for their account in account settings.
This action type was available up through November, 2021, when Box had only SMS as an additional authentication factor. When additional authentication factors were added, the Login multi factor verification disabled action type replaced this one. For reports spanning this date, you could see both action types.
|Failed Device Trust Check||User failed a device trust requirement set by enterprise administrator.|
|OAuth2 access token created||An OAuth2 access token, which allows secure authorized access to Box, was created for a user. This typically occurs when a user successfully completes the multi-factor authentication process.|
|OAuth2 access token revoked||An OAuth2 access token, which allows secure authorized access to Box, was revoked for a user. This typically occurs after a defined number of unsuccessful login attempts, and results in a requirement that the user re-establish valid multi-factor authentication.|
|OAuth2 refresh token revoked||An OAuth2 refresh token, which allows secure authorized access to Box, was revoked for a user. This typically occurs after a period defined by admins to require users to change credentials such as passwords.|
|Login multi factor verification enabled||User enabled two-step verification (also known as MFA, or multi-factor authentication) for their account in account settings.
This action type replaced Login verification enabled in November, 2021, when Box started supporting additional authentication factors. For reports spanning this date, you could see both action types.
|Login multi factor verification disabled||User disabled two-step verification (also known as MFA, or multi-factor authentication) for their account in account settings.
This action type replaced Login verification disabled in November, 2021, when Box started supporting additional authentication factors. For reports spanning this date, you could see both action types.
|Added template||User added a metadata template to a file.|
|Removed template||User removed a metadata template from a file.|
|Edited Attributes||User edited an existing metadata template, adding, removing, or editing attributes.|
|Violated share policy||User violated a sharing policy, set by enterprise administrator. User may have shared files with an unsecured or restricted web address.|
|Unusual download activity||User has downloaded files at a rate that exceeds a download policy set by the enterprise administrator.|
|Violated upload policy||User uploaded a document containing restricted information as defined by an upload policy set by the enterprise administrator.|
|Retention policy changed||User applied a data retention policy to a file version that was already subject to another data retention policy.
Box stopped tracking this action type in April, 2021. You can still select this action type for reports that include data before April, 2021.
|Retention policy applied||User applied a data retention policy to a file version. This is the first time the data retention policy is applied to the file version.
Box stopped tracking this action type in April, 2021. You can still select this action type for reports that include data before April, 2021.
|Restored quarantined file||User has restored a file that had been moved to a quarantine folder as a result of a policy set by the enterprise administrator.|
|Created Policy||User created a data retention policy or a security policy in either the Admin Console or Box public API. (You can use the Box public API to create only retention policies.)|
|Deleted Policy||User deleted an existing security policy in the Admin Console. Applies to all policies except retention policies, which can only be retired.|
|Edited Policy||User edited an existing data retention policy or security policy in either the Admin Console or Box public API. (You can use the Box public API to edit only retention policies.)|
|Retired Policy||User retired an existing policy in the Admin Console. Applies only to retention policies, which cannot be deleted.|
|Created Workflow||User created a new workflow in Relay.|
|Edited Workflow||User edited a workflow in Relay.|
|Deleted Workflow||User deleted a workflow in Relay.|
|Opened retention||User created a retention policy in the Policies tab of the Admin Console.|
|Edited retention||User edited an existing retention policy.|
|Closed retention||User closed a retention policy.|
|Created retention assignment||User assigned another user as a custodian in a retention policy. A custodian is a user who may have had access to the content affected by this policy.|
|Removed retention assignment||User removed another user as a custodian in a retention policy. A custodian is a user who may have had access to the content affected by this policy.|
|Item Shared||User created a shared link to a file or folder.|
|Item Share Updated||User updated the shared link settings for an existing shared link to a file or folder.|
|Extend shared link expiration||User extended a shared link's expiration date.|
|Set shared link expiration||User set an expiration date for a shared link. After this date, the link will no longer be valid.|
|Disabled shared link||User disabled an existing shared link.|
|Sign Document Created||User created a Sign document.|
|Sign Document Viewed By Signer||User viewed a Sign document.|
|Sign Document Signed||User signed a Sign document.|
|Sign Document Declined||User declined to Sign document.|
|Sign Document Cancelled||User cancelled a Sign document request.|
|Sign Document Completed||User completed a Sign document request.|
|Sign Document Assigned||User assigned Signers to a Sign document|
|Sign Document Forwarded By Signer||Signer Forwarded Sign document to another user.|
|Assigned a task||User assigned another user a task.|
|Updated a task assignment||User modified a previously assigned task.|
|Created a task||User created a task. This does not mean that the task was assigned to anyone.|
|Created new user||User created another user in your Box account using the Admin Console.|
|Changed admin role||User changed an admin's privileges, either making a user an admin or removing a user as an admin.|
|Changed primary email||User changed their primary email address.|
|Deleted user||User deleted another user in your Box account using the Admin Console.|
|Edited user||User modified another user's information using the Admin Console.|
|Invited user to enterprise||User invited someone outside your enterprise to join your enterprise Box account.|
|Rejected enterprise invite||User rejected an invitation to join your enterprise Box account.|
|Removed secondary email||User removed their secondary email address.|
|Accepted enterprise invite||User accepted an invitation to join your enterprise Box account.|
|Added secondary email||User added a secondary email address.|