Geographic activity report needs some serious geolocation / ISP attention
For organizations that actually care about their security, they probably find value in the reports Box can generate related to user activity, which includes the useful geographic activity report among others. I had high hopes the geographic activity report would make for a very easy way to screen out a ton of valid activity, leaving just things to investigate. Unfortunately, there are several issues I've run into that make it difficult to impossible to easily screen out what is actually valid activity:
1) Geolocation doesn't seem to be accurate when it comes to certain internet providers, including mobile, satellite, and airplane. For example, if flying on Southwest, activity is going to be reported as coming from Westlake Village, CA, because that's where the whois info for Row44 points. It is obviously impossible to determine a real location for Row44-based internet access, so it would be preferable for Box to identify this as actual "Airplane ISP" or something along those lines, a special category that does not have a geographic location, because then it would be easy to screen users who were known to be traveling on specific dates.
2) Unfortunately, integration activity reports as coming from the service provider's IP space instead of the user who initiated the activity. This becomes a huge problem if you're using the Box to Microsoft Office 365 integration, because every single file your staff edit with an Office Online tool is going to create activity logged to a Microsoft IP, and in many cases, Azure-space, which can include both Microsoft corporate services as well as end user services. This means you really have little to no chance of determining if a given access was malicious from a compromised end user server in Microsoft land, or one of your real staff simply using Excel Online.
I assume there's some session tracking / data exchange allowing Box to determine the access is being authorized / performed by a legit user, from a specific IP; I'd prefer the activity be attributed to that user's IP, or at least have it as an option.
3) Some of the geolocation data seems to simply be wrong, while also not based on whois / IRR data, so I have no idea where it came from. This seems to be mostly associated with large internet providers, wireless, CenturyLink, Comcast, etc. That would suggest the source of the data is not particularly good. MaxMind seems to do a much better job at this; perhaps Box can consider using them to supply the data instead of whoever is supplying it currently.
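An added example, not part of the original post and not Box tooling: one way to pre-classify exported report rows by source network before trusting the location column, so that in-flight ISP traffic is checked against known travel dates and integration-provider traffic is set aside as unattributable by IP. The CSV column names, the network lists (documentation address ranges used as placeholders), the travel calendar and the verdict labels are all assumptions constructed for illustration.

```python
import csv, io
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed, operator-maintained lists; documentation ranges stand in for real ones.
NETWORK_CLASSES = {
    "inflight_isp": [ip_network("192.0.2.0/24")],
    "integration_provider": [ip_network("198.51.100.0/24")],
}
# Constructed travel calendar: user -> dates the user is known to be flying.
TRAVEL = {"alice@example.com": {date(2024, 3, 4)}}
EXPECTED_COUNTRIES = {"US"}

# Constructed sample export; the column names are hypothetical.
SAMPLE = """date,user,ip,country,action
2024-03-04,alice@example.com,192.0.2.17,US,Download
2024-03-05,bob@example.com,192.0.2.40,US,Download
2024-03-05,bob@example.com,198.51.100.9,US,Edit
2024-03-06,carol@example.com,203.0.113.5,US,Preview
2024-03-06,carol@example.com,203.0.113.77,RO,Login
"""

def classify(ip):
    """Return the network class of an IP, or 'geolocatable' if none matches."""
    addr = ip_address(ip)
    for label, nets in NETWORK_CLASSES.items():
        if any(addr in net for net in nets):
            return label
    return "geolocatable"

def triage(row):
    kind = classify(row["ip"])
    day = date.fromisoformat(row["date"])
    if kind == "inflight_isp":
        # The reported city is the ISP's registration address: ignore it, check travel.
        return "ok_travel" if day in TRAVEL.get(row["user"], set()) else "review_inflight"
    if kind == "integration_provider":
        # Source IP belongs to the provider, so IP and location cannot clear this row.
        return "unattributed_integration"
    return "ok_geo" if row["country"] in EXPECTED_COUNTRIES else "review_geo"

def run(text=SAMPLE):
    rows = csv.DictReader(io.StringIO(text))
    return [(r["user"], r["ip"], triage(r)) for r in rows]

if __name__ == "__main__":
    for item in run():
        print(*item)
```

Rows marked `unattributed_integration` still need another signal, such as correlating with the user's own session activity around the same time, since the source address alone says nothing about who initiated the edit.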
