Box Developer Documentation
 

    Get Enterprise Events

    Get Enterprise Events

    To get a enterprise's events, make a call to the GET /events API with the stream_type set to admin_logs or admin_logs_streaming.

    This API requires the user to be an enterprise admin or co-admin with the permission to Run new reports and access existing reports.

    Stream Types

    Stream Type
    admin_logsEnables querying historical events up to one year
    admin_logs_streamingEnables subscribing to live events in near real time

    Live Monitoring

    To monitor recent events that have been generated within Box across the enterprise, set the stream_type to admin_logs_streaming. This is also known as the Enterprise Event Stream API.

    The emphasis for this feed is on low latency rather than chronological accuracy, which means that Box may return events more than once and out of chronological order. Events are returned via the API in near real time after they are processed by Box. A small delay/buffer ensures that new events are not written after your cursor position. Only two weeks of events are available via this stream_type.

    Historical Querying

    To query historical events across the enterprise up to one year old, set the stream_type to admin_logs. This is also known as the Enterprise Event History API.

    The emphasis for this feed is on completeness over latency, which means that Box will deliver admin events in chronological order and without duplicates, but with higher latency than the user or admin_logs_streaming feed. Consuming events in near real time may lead to missed events as events can arrive later than your filtering window.

    Anonymous Users

    In some cases, the event feed might list a user with an ID of 2. This is Box's internal identifier for anonymous users.

    An anonymous user is a user that is not logged in. This can happen any time a user interacts with content and they aren't asked to log in first. An example would be when a user downloads a file through an open shared link.

    Limitations

    The enterprise event feed does not support long polling.

    Box does not store events indefinitely. Two weeks of enterprise events are available when stream_type is set to admin_logs_streaming. One year of enterprise events are available when stream_type is set to admin_logs. Seven years of enterprise events are available via the Box Admin Console’s exported reports.

    The emphasis of the admin_logs_streaming feed is to return the complete results quickly, which means that Box may return events more than once and out of order. Duplicate events can be identified by their event IDs.

    Filter by Event Type

    The enterprise event feed supports filtering by event type.

    A full list of event types can be found below.

    Event Types

    The following events can be triggered for an enterprise. This list is not exhaustive, so it is possible events appear that are not listed.

    Event nameDescription
    ACCESS_GRANTEDA user has granted Box support access to their account
    ACCESS_REVOKEDA user has revoked Box support access to their account
    ADD_DEVICE_ASSOCIATIONAdded device association
    ADD_LOGIN_ACTIVITY_DEVICEA user is logging in from a device we have not seen before
    ADMIN_LOGINAdmin console used to log in to a managed user's account
    ANNOTATIONV2_CREATEAn annotation is created
    ANNOTATIONV2_DELETEAn annotation is deleted
    ANNOTATIONV2_EDITAn annotation is edited
    APPLICATION_CREATEDA new application is created in the Box Developer Console
    APPLICATION_PUBLIC_KEY_ADDEDAn application public key is added.
    APPLICATION_PUBLIC_KEY_DELETEDAn application public key is deleted.
    CHANGE_ADMIN_ROLEWhen an admin role changes for a user
    CHANGE_FOLDER_PERMISSIONEdit the permissions on a folder
    COLLABORATION_ACCEPTAccepted invites
    COLLABORATION_EXPIRATIONSet collaborator expiration
    COLLABORATION_INVITEInvited
    COLLABORATION_REMOVERemoved collaborators
    COLLABORATION_ROLE_CHANGEChanged user roles
    COLLECTION_CREATEA collection is created
    COLLECTION_DELETEA collection is deleted
    COLLECTION_UPDATEA collection is updated
    COLLECTION_ITEM_CREATEAn item is added to a collection
    COLLECTION_ITEM_DELETEAn item is removed from a collection
    COLLECTION_ITEM_UPDATEAn item in a collection is updated
    COMMENT_CREATEA comment is created on a file
    COMMENT_DELETEA comment is deleted on a file
    CONTENT_ACCESSA file is accessed by an authorized end user or programmatically by a Box application
    CONTENT_WORKFLOW_ABNORMAL_DOWNLOAD_ACTIVITYA policy set in the Admin console is triggered
    CONTENT_WORKFLOW_AUTOMATION_ADDAn automation is added
    CONTENT_WORKFLOW_AUTOMATION_DELETEAn automation is deleted
    CONTENT_WORKFLOW_POLICY_ADDA content policy is added
    CONTENT_WORKFLOW_SHARING_POLICY_VIOLATIONThere is a sharing policy violation.
    CONTENT_WORKFLOW_UPLOAD_POLICY_VIOLATIONA collaborator violated an admin-set upload policy
    COPYCopied
    DATA_RETENTION_CREATE_RETENTIONRetention is created
    DATA_RETENTION_REMOVE_RETENTIONRetention is removed
    DELETEDeleted
    DELETE_USERDeleted user
    DEVICE_TRUST_CHECK_FAILEDDevice Trust check failed
    DISABLE_MULTI_FACTOR_AUTHWhen multifactor authentication has been disabled
    DOWNLOADDownloaded
    EDITEdited
    EDIT_USEREdited user
    EDR_CROWDSTRIKE_DEVICE_DETECTEDDevice detected by the CrowdStrike Falcon platform
    EDR_CROWDSTRIKE_NO_BOX_TOOLSBox Tools package not detected on device with CrowdStrike Falcon platform support
    EDR_CROWDSTRIKE_BOX_TOOLS_OUTDATEDBox Tools package outdated on device with CrowdStrike Falcon platform support
    EDR_CROWDSTRIKE_DRIVE_OUTDATEDBox Drive application outdated on device with CrowdStrike Falcon platform support
    EDR_CROWDSTRIKE_ACCESS_ALLOWED_NO_CROWDSTRIKE_DEVICEAccess allowed to a device not identified by the CrowdStrike Falcon platform
    EDR_CROWDSTRIKE_ACCESS_REVOKEDAccess revoked to a device identified by the CrowdStrike Falcon platform
    EMAIL_ALIAS_CONFIRMA user email alias is confirmed
    EMAIL_ALIAS_REMOVEA user email alias is removed
    ENABLE_MULTI_FACTOR_AUTHWhen multifactor authentication has been enabled
    ENTERPRISE_APP_AUTHORIZATION_UPDATEWhen a JWT application has been authorized or reauthorized
    EXTERNAL_COLLAB_SECURITY_SETTINGSChanges in external collaboration security settings
    FAILED_LOGINFailed login
    FILE_MARKED_MALICIOUSVirus found on a file. Event is only received by enterprises that have opted in to be notified.
    FILE_WATERMARKED_DOWNLOADA watermarked file is downloaded
    GROUP_ADD_ITEMAn item is added to a group
    GROUP_ADD_USERAdded user to group
    GROUP_ADMIN_CREATEDGroup admin is created
    GROUP_ADMIN_DELETEDGroup admin is deleted
    GROUP_ADMIN_PERMISSIONS_UPDATEDGroup admin permissions are updated
    GROUP_CREATIONCreated new group
    GROUP_DELETIONDeleted group
    GROUP_EDITEDEdited group
    GROUP_REMOVE_ITEMFolders were removed from a group in the Admin console
    GROUP_REMOVE_USERRemoved user from group
    ITEM_EMAIL_SENDAn email is sent to a collaborator on an item
    ITEM_MODIFYItem is modified
    ITEM_OPENItem is opened
    ITEM_SHARED_UPDATEShare links settings updated
    ITEM_SYNCSynced folder
    ITEM_UNSYNCUnmarked folder for synced
    LEGAL_HOLD_ASSIGNMENT_CREATEA legal hold assignment is created
    LEGAL_HOLD_ASSIGNMENT_DELETEA legal hold assignment is deleted
    LEGAL_HOLD_POLICY_CREATEA legal hold policy is created
    LEGAL_HOLD_POLICY_DELETEA legal hold policy is deleted
    LEGAL_HOLD_POLICY_UPDATEA legal hold policy is updated
    LOCKLocked
    LOGINLogin
    METADATA_INSTANCE_CREATECreation of metadata instance
    METADATA_INSTANCE_DELETEDeletion of metadata instance
    METADATA_INSTANCE_UPDATEUpdate of metadata instance
    METADATA_TEMPLATE_CREATECreation of metadata template
    METADATA_TEMPLATE_UPDATEUpdate of metadata template
    METADATA_TEMPLATE_DELETEDeletion of metadata template
    MOVEMoved
    NEW_USERCreated user
    OAUTH2_ACCESS_TOKEN_REVOKEAn OAuth 2.0 access token has been revoked
    PREVIEWPreviewed
    REMOVE_DEVICE_ASSOCIATIONRemoved device association
    REMOVE_LOGIN_ACTIVITY_DEVICEWe invalidated a user session associated with an app
    RENAMEA file or folder name or description is changed
    RETENTION_POLICY_ASSIGNMENT_ADDA retention policy assignment is added
    SHAREEnabled shared links
    SHARE_EXPIRATIONSet shared link expiration
    SHARED_LINK_SENDAn email is sent with a shared link and an optional message
    SHARED_LINK_REDIRECT_OUT_OF_SHARED_CONTEXTShared link causes a redirect
    SHIELD_ALERTShield detected an anomalous download, session, location, or malicious content based on enterprise Shield rules. See shield alert events for more information.
    SHIELD_DOWNLOAD_BLOCKEDEnd user blocked from downloading a file based on a shield access policy
    SHIELD_EXTERNAL_COLLAB_ACCESS_BLOCKEDAccess to an external collaboration is blocked
    SHIELD_EXTERNAL_COLLAB_ACCESS_BLOCKED_MISSING_JUSTIFICATIONAccess to an external collaboration is blocked due to missing a justification
    SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKEDAn invite to externally collaborate is blocked
    SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKED_MISSING_JUSTIFICATIONAn invite to externally collaborate is blocked due to missing a justification
    SHIELD_EXTERNAL_COLLAB_INVITE_JUSTIFIEDAn invite to externally collaborate is justified
    SHIELD_JUSTIFICATION_APPROVALA Shield justification is approved
    SHIELD_SHARED_LINK_ACCESS_BLOCKEDAccess to a shared link is blocked
    SHIELD_SHARED_LINK_STATUS_RESTRICTED_ON_CREATEA shared link is created and access to the content is restricted
    SHIELD_SHARED_LINK_STATUS_RESTRICTED_ON_UPDATEA shared link is updated and access to the content is restricted
    SHIELD_INFORMATION_BARRIER_ENABLEDA Shield information barrier is enabled
    SHIELD_INFORMATION_BARRIER_DISABLEDA Shield information barrier is deactivated
    SHIELD_INFORMATION_BARRIER_PENDINGA Shield information barrier is not yet active
    SHIELD_INFORMATION_BARRIER_GROUP_ADD_USER_BLOCKEDAdding user blocked due to information barrier restrictions
    SHIELD_INFORMATION_BARRIER_COLLAB_BLOCKEDCreating collaborations for users blocked due to information barrier restrictions
    SHIELD_INFORMATION_BARRIER_SHARED_ITEM_ACCESS_BLOCKEDAccess to shared items blocked for users due to information barrier restrictions
    SHIELD_INFORMATION_BARRIER_ITEM_MOVE_BLOCKEDMoving items blocked due to information barrier restrictions
    SHIELD_INFORMATION_BARRIER_ITEM_COPY_BLOCKEDCopying items blocked due to information barrier restrictions
    SHIELD_INFORMATION_BARRIER_ITEM_OWNER_TRANSFER_BLOCKEDTransferring items blocked due to information barrier restrictions
    SIGN_DOCUMENT_ASSIGNEDA sign request was sent to a signer
    SIGN_DOCUMENT_CANCELLEDA sign request was cancelled via API or UI
    SIGN_DOCUMENT_COMPLETEDA sign request was signed by all signers
    SIGN_DOCUMENT_CONVERTEDA sign request was converted to a .pdf for signing
    SIGN_DOCUMENT_CREATEDA sign request was created via API or UI. The document is not yet sent to signers
    SIGN_DOCUMENT_DECLINEDA sign request was declined by a signer
    SIGN_DOCUMENT_EXPIREDA sign request expired with incomplete signatures
    SIGN_DOCUMENT_SIGNEDA sign request was signed by a signer
    SIGN_DOCUMENT_VIEWED_BY_SIGNERA signer clicked on Review Document in the signer email or visited the signing URL
    SIGNER_DOWNLOADEDA signer downloaded the signing document
    SIGNER_FORWARDEDA signer forwarded the signing document
    STORAGE_EXPIRATIONSet file auto-delete
    TASK_ASSIGNMENT_UPDATEUpdate of a task assignment
    TASK_ASSIGNMENT_CREATEA task assignment is created
    TASK_ASSIGNMENT_DELETEA task assignment is deleted
    TASK_CREATEA task is created.
    TASK_UPDATEA task's comment is edited
    TERMS_OF_SERVICE_ACCEPTAccepted terms
    TERMS_OF_SERVICE_REJECTRejected terms
    UNDELETERestored
    UNLOCKUnlocked
    UNSHAREShared link removed
    UPDATE_COLLABORATION_EXPIRATIONExtend collaborator expiration
    UPDATE_SHARE_EXPIRATIONExtend shared link expiration
    UPLOADUploaded
    USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATEAn OAuth 2.0 access token has been created
    WATERMARK_LABEL_CREATEA watermark is added to a file
    WATERMARK_LABEL_DELETEA watermark is removed from a file