Box Status
Print

Investigating Suspicious Login Activity

Security

When you investigate suspicious access in Box, coordinate your efforts with your IT and Security teams, who may leverage additional tools or resources beyond Box for a more comprehensive review.

User Activity report

When suspicious login activity is detected on a Box account you own or manage, it’s important to review user logs to understand what actions may have occurred during suspected unauthorized access.  Follow the steps below to generate and analyze User Activity Reports.

Generating a User Activity report

To generate a User Activity report:

  1. Go to Admin Console > Reports.
  2. Click Create Report.
  3. Select User Activity Report.
  4. Click Next.
  5. Configure the following settings:.
    • In Users or Groups, type the username of the affected account.
    • In Date Range, specify the date(s) when suspicious activity occurred.
    • In Action Types, select the following:
      • File Management
      • Collaboration
      • Shared Links
  6. Click Run.

Generating reports usually takes from several minutes to up to twelve hours, depending on data size.  Very large datasets may require more time.  For detailed information, see Running Reports.

Analyzing the User Activity report

The User Activity report provides several important data fields that can help you identify details about suspicious access.

Date    
Identify when suspicious access started and ended, helping determine exposure duration.

IP Address      
Differentiate between legitimate users and potential bad actors based on login locations.   IP addresses may not always reflect actual actor location, but are useful for distinguishing different users.

Action 
Understand specific activities performed, such as adding collaborators or creating shared links that may need remediation.

Affected           
See which files or users were impacted.  Identify content owners who should be promptly notified.

Details              
See what third-party applications or services may be involved.

Further actions

After reviewing the User Activity report:

  • Remove unauthorized collaborators or shared links added by suspicious actors.
  • Notify content owners if their files were accessed or modified without permission.
  • Contact the support teams of implicated third-party applications or services for further investigation.

For additional assistance with any questions, contact our Product Support team.

Related articles