Security Information and Event Management (SIEM) Logs Overview

Moveworks provides a daily export of logs in JSON format (via SFTP) for API request calls made from the Moveworks platform to your organization's enterprise systems, e.g. ServiceNow, Microsoft Teams, Slack, Okta, Workday, etc.

Customers can copy these logs from SFTP to a storage solution within their organization, or use a forwarder to send the logs into their organization's SIEM.

Log Schema Dictionary

Each log follows the schema defined below:

version: Version of the schema of the event. This version will be incremented if the schema changes in the future.

severity: Severity of the event, e.g. INFO, ERROR, etc. All successful API calls are logged as INFO; if an API call fails, it is logged as ERROR.

event_data: Event-specific details as key/value pairs. (Note: event_data does NOT contain the request/response body of the API request, since these objects may contain sensitive information.)

event_id: Unique ID for the event.

event_source: Source where the event was generated.

event_time: Time at which the event occurred.

event_type: Type of the event, e.g. external API calls, config changes, etc. The event type is one of the values in the table below.

Value | Description
EXTERNAL_API | Any time Moveworks makes a call to an external system / customer integration, an event of this type is created.
CONFIG_CHANGE | Moveworks configuration changes.
EXTERNAL_LDAP_API | LDAP calls for customers using Moveworks agents deployed on-prem to connect to Active Directory.
WorkflowTriggerLog | Moveworks Copilot workflow triggers.
WorkflowUpdateLog | Moveworks Copilot workflow updates.
ActionLog | Moveworks Copilot actions.


A note on EXTERNAL_API event_type

Although Moveworks Knowledge ingestion leverages External APIs, API calls from knowledge ingestion do not get logged under EXTERNAL_API.

Example Logs

Example Chat Event Log

{
    "request_method": "POST",
    "request_uri": "https://slack.com/api/chat.postMessage",
    "response_status_code": "200"
}

Example ITSM System Event Log

{
    "version": "1",
    "severity": "INFO",
    "event_id": "abCdeF2GP5F9",
    "event_type": "EXTERNAL_API",
    "event_source": "MOVEWORKS",
    "event_time": "2023-03-14 00:37:54.284873",
    "event_data": {
        "request_method": "GET",
        "request_uri": "https://company.service-now.com/api/now/table/incident",
        "response_status_code": "200"
    }
}
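The following Python example is added here and is not Moveworks code or documentation. It shows how a SIEM ingestion step could validate the daily export against the schema dictionary above, flag failed calls (ERROR severity or a non-2xx response_status_code), and flag EXTERNAL_API calls to hosts outside an allow-list of expected integration endpoints. It assumes the export is one JSON object per line (the page does not state the file layout); the sample events and the allow-list are constructed.

```python
import json
from urllib.parse import urlparse

# Fields every event carries according to the schema dictionary above.
REQUIRED_FIELDS = {"version", "severity", "event_id", "event_source",
                   "event_time", "event_type", "event_data"}

def _ev(eid, sev, method, uri, status):
    """Build one constructed event in the page's schema (not a real export record)."""
    return json.dumps({"version": "1", "severity": sev, "event_id": eid,
                       "event_type": "EXTERNAL_API", "event_source": "MOVEWORKS",
                       "event_time": "2023-03-14 00:37:54.284873",
                       "event_data": {"request_method": method, "request_uri": uri,
                                      "response_status_code": status}})

# Constructed sample export. Assumes one JSON object per line (NDJSON);
# the page does not specify the export's file layout.
SAMPLE_EXPORT = "\n".join([
    _ev("ev1", "INFO", "GET", "https://company.service-now.com/api/now/table/incident", "200"),
    _ev("ev2", "ERROR", "POST", "https://slack.com/api/chat.postMessage", "401"),
    _ev("ev3", "INFO", "GET", "https://unknown.example.net/api", "200"),
    '{"version": "1", "severity": "INFO", "event_id": "ev4"}',  # truncated record
])

# Hosts your integrations are expected to reach (constructed allow-list).
EXPECTED_HOSTS = {"company.service-now.com", "slack.com"}

def parse_export(text):
    """Parse NDJSON text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events, expected_hosts=EXPECTED_HOSTS):
    """Return the findings a SIEM rule would raise over one daily export."""
    findings = {"schema_violations": [], "failed_calls": [], "unexpected_hosts": []}
    for ev in events:
        missing = REQUIRED_FIELDS - set(ev)
        if missing:
            findings["schema_violations"].append((ev.get("event_id"), sorted(missing)))
            continue
        data = ev["event_data"]
        status = str(data.get("response_status_code", ""))
        # ERROR severity or a non-2xx status both indicate a failed call.
        if ev["severity"] == "ERROR" or not status.startswith("2"):
            findings["failed_calls"].append(ev["event_id"])
        host = urlparse(data.get("request_uri", "")).hostname
        # An EXTERNAL_API call to a host outside the allow-list warrants review.
        if ev["event_type"] == "EXTERNAL_API" and host not in expected_hosts:
            findings["unexpected_hosts"].append((ev["event_id"], host))
    return findings
```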