Get Enterprise Events

Guides Events Get Enterprise Events
Edit this page

Get Enterprise Events

To get a enterprise's events, authenticate a user with admin permission and make a call to the GET /events API with the stream_type set to admin_logs.

cURL
curl https://api.box.com/2.0/events?stream_type=admin_logs \
  -H "authorization: Bearer <ACCESS_TOKEN>"
Java
// get the last two hours of unfiltered enterprise events
Date startDate = new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 2));
Date endDate = new Date(System.currentTimeMillis());
EventLog eventLog = EventLog.getEnterpriseEvents(api, startDate, endDate);
for (BoxEvent event : eventLog) {
    System.out.println("Enterprise Event Created by User: "
            + event.getCreatedBy().getName()
            + " Login: " + event.getCreatedBy().getLogin()
            + " Event Type: " + event.getType()
            + " Created at: " + event.getCreatedAt().toString());
};
Python
events = client.events()
    .get_admin_events(created_after='2019-07-01T22:02:24-07:00')
 for event in events['entries']:
    print('Got {0} event that occurred at {1}'.format(event.event_type, event.created_at))

This API requires the user to be an enterprise admin or co-admin with the permission to Run new reports and access existing reports.

Filter by Event Type

The enterprise event feed support filtering by event type.

cURL
curl https://api.box.com/2.0/events?stream_type=admin_logs&event_type=LOGIN,FAILED_LOGIN \
  -H "authorization: Bearer <ACCESS_TOKEN>"
Python
events = client.events()
    .get_admin_events(created_after='2019-07-01T22:02:24-07:00', event_types=['ITEM_CREATE'])
 for event in events['entries']:
    print('Got {0} event that occurred at {1}'.format(event.event_type, event.created_at))

A full list of event types can be found below.

Limitations

The admin event feed does not support long polling. To long poll for events, use the user event feed.

Box does not store events indefinitely.

User events are stored for between two weeks and two months, after which the user events are removed. Enterprise events are accessible for one year via the API and seven years via exported reports in the Box Admin Console.

The emphasis for this feed is on completeness over latency, which means that Box may deliver admin events with higher latency than the user feed. Unlike the user events stream, the admin events stream supports filtering for specific events but does not support long polling.

Event Types

The following events can be triggered for an enterprise.

Event nameDescription
ACCESS_GRANTEDA user has granted Box access to their account.
ACCESS_REVOKEDA user has revoked Box access to their account.
ADD_DEVICE_ASSOCIATIONAdded device association
ADD_LOGIN_ACTIVITY_DEVICEA user is logging in from a device we haven’t seen before
ADMIN_LOGINAdmin login
APPLICATION_CREATEDA new application was created in the Box developer console.
APPLICATION_PUBLIC_KEY_ADDEDAn application public key is added.
APPLICATION_PUBLIC_KEY_DELETEDAn application public key is deleted.
CHANGE_ADMIN_ROLEWhen an admin role changes for a user
CHANGE_FOLDER_PERMISSIONEdit the permissions on a folder
COLLABORATION_ACCEPTAccepted invites
COLLABORATION_EXPIRATIONSet collaborator expiration
COLLABORATION_INVITEInvited
COLLABORATION_REMOVERemoved collaborators
COLLABORATION_ROLE_CHANGEChanged user roles
COMMENT_CREATEA comment is created on a file.
COMMENT_DELETEA comment is deleted on a file.
CONTENT_ACCESSA file was accessed by an authorized end user or programmatically by a Box application.
CONTENT_WORKFLOW_ABNORMAL_DOWNLOAD_ACTIVITYWhen a policy set in the Admin console is triggered.
CONTENT_WORKFLOW_AUTOMATION_ADDAn automation is added.
CONTENT_WORKFLOW_AUTOMATION_DELETEAn automation is deleted.
CONTENT_WORKFLOW_POLICY_ADDA content policy is added.
CONTENT_WORKFLOW_SHARING_POLICY_VIOLATIONThere is a sharing policy violation.
CONTENT_WORKFLOW_UPLOAD_POLICY_VIOLATIONA collaborator violated an admin-set upload policy
COPYCopied
DATA_RETENTION_CREATE_RETENTIONRetention is created.
DATA_RETENTION_REMOVE_RETENTIONRetention is removed.
DELETEDeleted
DELETE_USERDeleted user
DEVICE_TRUST_CHECK_FAILEDDevice Trust check failed
DOWNLOADDownloaded
EDITEdited
EDIT_USEREdited user
EMAIL_ALIAS_CONFIRMA user email alias is confirmed.
EMAIL_ALIAS_REMOVEA user email alias is removed.
ENTERPRISE_APP_AUTHORIZATION_UPDATEWhen a JWT application has been authorized or reauthorized
EXTERNAL_COLLAB_SECURITY_SETTINGSChanges in external collaboration security settings
FAILED_LOGINFailed login
FILE_MARKED_MALICIOUSVirus found on a file. Event is only received by enterprises that have opted in to be notified.
FILE_WATERMARKED_DOWNLOADA watermarked file was downloaded.
GROUP_ADD_ITEMAn item is added to a group.
GROUP_ADD_USERAdded user to group
GROUP_CREATIONCreated new group
GROUP_DELETIONDeleted group
GROUP_EDITEDEdited group
GROUP_REMOVE_ITEMFolders were removed from a group in the Admin console.
GROUP_REMOVE_USERRemoved user from group
ITEM_MODIFYItem was modified.
ITEM_OPENItem was opened.
ITEM_SHARED_UPDATEShare links settings updated
ITEM_SYNCSynced folder
ITEM_UNSYNCUnmarked folder for synced
LEGAL_HOLD_ASSIGNMENT_CREATEA legal hold assignment is created.
LEGAL_HOLD_ASSIGNMENT_DELETEA legal hold assignment is deleted.
LEGAL_HOLD_POLICY_CREATEA legal hold policy is created.
LEGAL_HOLD_POLICY_DELETEA legal hold policy is deleted.
LEGAL_HOLD_POLICY_UPDATEA legal hold policy is updated.
LOCKLocked
LOGINLogin
METADATA_INSTANCE_CREATECreation of metadata instance.
METADATA_INSTANCE_DELETEDeletion of metadata instance.
METADATA_INSTANCE_UPDATEUpdate of metadata instance.
METADATA_TEMPLATE_CREATECreation of metadata template instance.
METADATA_TEMPLATE_UPDATEUpdate of metadata template instance.
METADATA_TEMPLATE_DELETEDeletion of metadata template instance.
MOVEMoved
NEW_USERCreated user
OAUTH2_ACCESS_TOKEN_REVOKEAn OAuth 2.0 access token has been revoked
PREVIEWPreviewed
REMOVE_DEVICE_ASSOCIATIONRemoved device association
REMOVE_LOGIN_ACTIVITY_DEVICEWe invalidated a user session associated with an app
RENAMEA file or folder name or description is changed.
RETENTION_POLICY_ASSIGNMENT_ADDA retention policy assignment is added.
SHAREEnabled shared links
SHARE_EXPIRATIONSet shared link expiration
SHIELD_ALERTShield detected an anomalous download, session, location, or malicious content based on enterprise Shield rules. See shield alert events for more information.
STORAGE_EXPIRATIONSet file auto-delete
TASK_ASSIGNMENT_UPDATEUpdate of a task assignment.
TASK_ASSIGNMENT_CREATEA task assignment is created.
TASK_ASSIGNMENT_DELETEA task assignment is deleted.
TASK_CREATEA task is created.
TASK_UPDATEA task's comment was edited.
TERMS_OF_SERVICE_ACCEPTAccepted terms
TERMS_OF_SERVICE_REJECTRejected terms
UNDELETERestored
UNLOCKUnlocked
UNSHAREShared link removed
UPDATE_COLLABORATION_EXPIRATIONExtend collaborator expiration
UPDATE_SHARE_EXPIRATIONExtend shared link expiration
UPLOADUploaded
USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATEAn OAuth 2.0 access token has been created
WATERMARK_LABEL_CREATEA watermark is added to a file.
WATERMARK_LABEL_DELETEA watermark is removed from a file.

Anonymous Users

In some cases, the event feed might list a user with an ID of 2. This is Box's internal identifier for anonymous users.

An anonymous user is a user that is not logged in. This can happen any time a user interacts with content and they aren't asked to log in first. An example would be when a user downloads a file through an open shared link.