True Client IP vs Accelerator IP in Audit Logs
To improve download speeds, Box automatically leverages "accelerator" hosts on various cloud/hosting providers around the world. When this happens, the "client IP address" recorded in the audit logs is the accelerator IP address, and not the true endpoint IP address. This results in false positives in "impossible travel" analytics, and could result in false negatives. We request that the audit logs be enhanced to capture the true client IP and accelerator IP (where applicable) as separate fields in the logs.