Security Information and Event Management (SIEM) Logs Overview
UPDATE ON SIEM LOG MIGRATION: https://community.moveworks.com/stakeholder-tools-exi-mw-setup-ks-analytics-115/coming-soon-improved-siem-log-pipeline-streamlined-secure-and-more-structured-2748?fid=115&tid=2748
Moveworks provides a JSON-based SIEM log export (via SFTP) that captures API calls, authentication events, permission changes, config changes, and other platform activities. These logs can be ingested into any organizational SIEM, data lake, or analytics pipeline to support incident response, monitoring, and compliance workflows.
Customers can export these logs from SFTP into their internal storage systems or forward them using a SIEM/log forwarder.
This document describes:
- Current SIEM Log Export (available until March 2026)
- New SIEM Log Export (available since December 2025)
Both versions are documented here for customers who may still be using the existing pipeline during the transition.
1️⃣ CURRENT SIEM LOG EXPORT (Available Until March 2026)
This section applies to all customers until their migration date to the upgraded pipeline.
📂 File Structure & Delivery Cadence (Current)
Directory Layout
Logs are provided daily in the following structure:
logs/YYYY-MM-DD/YYYY-MM-DD_audit_log.json
Example:
logs/2024-08-20/2024-08-20_audit_log.json
Refresh Frequency
- Once per day
- Each JSON file is generated for the previous 24 hours of activity
🧩 Current Log Schema Overview
Top-Level Fields
All logs include the following fields:
| Field | Description |
|---|---|
| version | Schema version number (e.g., "1"). |
| severity | Event severity: INFO or ERROR. |
| event_id | Unique identifier for the event. |
| event_type | Category of event (e.g., EXTERNAL_API). |
| event_source | Always MOVEWORKS. |
| event_time | Time when the event occurred. |
| event_data | Key–value metadata. Sensitive request/response bodies are excluded. |
Supported Event Types (Current Version)
- EXTERNAL_API
- EXTERNAL_LDAP_API
- AUTHENTICATION
- PERMISSION_CHANGE
- CONFIG_CHANGE
Example Logs (Current Version)
External API Example
```json
{
  "version": "1",
  "severity": "INFO",
  "event_id": "abCdeF2GP5F9",
  "event_type": "EXTERNAL_API",
  "event_source": "MOVEWORKS",
  "event_time": "2023-03-14 00:37:54.284873",
  "event_data": {
    "request_method": "GET",
    "request_uri": "https://company.service-now.com/api/now/table/incident",
    "response_status_code": "200"
  }
}
```
Authentication failure, permission change, and config change examples from the existing help documentation are retained for backward compatibility.
2️⃣ NEW SIEM LOG EXPORT (Available since December 2025)
This section describes the enhanced logging pipeline to which you will need to migrate your workflows.
🧩 What’s New in the Upgraded Pipeline
✔ Versioned Directory Structure
Logs now reside under a versioned subdirectory:
logs/v1/YYYY-MM-DD/YYYY-MM-DD_audit_log.json
✔ More Frequent Log Refresh
Log files refresh every 3 hours instead of once daily.
✔ More Structured & Documented Schemas
All supported event types now use standardized, fully documented JSON schemas.
✔ Expanded Log Coverage
New event types such as AGENT_STUDIO_LOG and USER_TOKEN_LOG are part of the new pipeline.
📂 File Structure (New)
| Old Path | New Path |
|---|---|
| logs/2024-08-20/2024-08-20_audit_log.json | logs/v1/2024-08-20/2024-08-20_audit_log.json |
🧩 New Log Schema Overview
The upgraded logs use schema version "2" and follow consistent structured definitions.
Supported Event Types (New Version)
- EXTERNAL_API
- EXTERNAL_LDAP_API
- CONFIG_CHANGE
- PERMISSION_CHANGE
- AUTHENTICATION
- AGENT_STUDIO_LOG
- USER_TOKEN_LOG
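The top-level fields and event types listed for both schema versions are enough to write an ingestion-side validator and a first pass of triage rules. The block below is an added example, not Moveworks code: it validates each record against the documented top-level fields, parses the timezone-less event_time (reading it as UTC is an assumption), and surfaces findings a SOC would want to see, such as non-2xx external API calls and grants of roles ending in _ADMIN. The sample records in SAMPLE_EXPORT are constructed to mirror the page's examples; their ids and IP address are placeholders.

```python
"""Validate and triage Moveworks SIEM audit records (schema versions 1 and 2).
Added example, not Moveworks code: field names and enum values are taken from
the page; the records in SAMPLE_EXPORT are constructed to mirror its examples."""
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = {"version", "severity", "event_id", "event_type",
                   "event_source", "event_time", "event_data"}
KNOWN_EVENT_TYPES = {"EXTERNAL_API", "EXTERNAL_LDAP_API", "AUTHENTICATION",
                     "PERMISSION_CHANGE", "CONFIG_CHANGE", "AGENT_STUDIO_LOG",
                     "USER_TOKEN_LOG"}

def parse_event_time(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS.ffffff' stamp shown on the page. It carries
    no timezone designator; reading it as UTC is an assumption."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def validate_record(rec: dict) -> list:
    """Return schema problems for one record; an empty list means well-formed."""
    problems = []
    missing = REQUIRED_FIELDS - set(rec)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if rec.get("version") not in {"1", "2"}:
        problems.append(f"unknown schema version {rec.get('version')!r}")
    if rec.get("severity") not in {"INFO", "ERROR"}:
        problems.append(f"unknown severity {rec.get('severity')!r}")
    if rec.get("event_source") != "MOVEWORKS":
        problems.append(f"unexpected event_source {rec.get('event_source')!r}")
    if rec.get("event_type") not in KNOWN_EVENT_TYPES:
        problems.append(f"unknown event_type {rec.get('event_type')!r}")
    try:
        parse_event_time(rec.get("event_time", ""))
    except (TypeError, ValueError):
        problems.append(f"unparseable event_time {rec.get('event_time')!r}")
    if not isinstance(rec.get("event_data"), dict):
        problems.append("event_data is missing or not an object")
    return problems

def triage(rec: dict) -> list:
    """Findings worth an analyst's attention; the rules are illustrative."""
    data, etype, eid, findings = rec["event_data"], rec["event_type"], rec["event_id"], []
    if etype == "EXTERNAL_API":
        status = str(data.get("response_status_code", ""))
        if not status.startswith("2"):  # rejected or failed outbound call
            findings.append(f"{eid}: {data.get('request_method')} "
                            f"{data.get('request_uri')} returned {status}")
    elif etype == "PERMISSION_CHANGE":
        for grant in data.get("assigned_roles", []):
            admin = [r for r in grant.get("roles", []) if r.endswith("_ADMIN")]
            if admin:  # privilege grant; confirm it was expected
                findings.append(f"{eid}: user {data.get('user_id')} granted "
                                f"{','.join(admin)} in {grant.get('app')} "
                                f"to {grant.get('grantee')}")
    elif etype == "AUTHENTICATION":
        if data.get("authn_event_type") != "AUTHN_EVENT_LOGIN_SUCCESS":
            findings.append(f"{eid}: {data.get('authn_event_type')} for user "
                            f"{data.get('user_id')} from {data.get('source_ip')}")
    return findings

def process_export(text: str) -> dict:
    """Validate every record, triage the well-formed ones and summarise. Accepts
    a JSON array or newline-delimited objects, since the page does not say which
    layout the daily file uses (assumption)."""
    records = json.loads(text) if text.lstrip().startswith("[") else [
        json.loads(line) for line in text.splitlines() if line.strip()]
    summary = {"valid": 0, "invalid": [], "findings": []}
    for rec in records:
        problems = validate_record(rec)
        if problems:
            summary["invalid"].append((rec.get("event_id"), problems))
            continue
        summary["valid"] += 1
        summary["findings"].extend(triage(rec))
    return summary

# Constructed sample export (not tenant data); ids and the IP are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"version": "2", "severity": "INFO", "event_id": "ex-api-01",
     "event_type": "EXTERNAL_API", "event_source": "MOVEWORKS",
     "event_time": "2025-10-16 19:00:23.850992",
     "event_data": {"user_id": "1001", "request_method": "POST",
                    "request_uri": "https://slack.com/api/chat.postMessage",
                    "response_status_code": "403"}},
    {"version": "2", "severity": "INFO", "event_id": "perm-01",
     "event_type": "PERMISSION_CHANGE", "event_source": "MOVEWORKS",
     "event_time": "2025-07-29 15:53:42.047730",
     "event_data": {"user_id": "1002", "assigned_roles": [
         {"app": "APP_CREATOR_STUDIO", "roles": ["ROLE_CREST_ADMIN"],
          "grantee": "1003"}]}},
    {"version": "2", "severity": "INFO", "event_id": "authn-01",
     "event_type": "AUTHENTICATION", "event_source": "MOVEWORKS",
     "event_time": "2025-10-15 15:38:31.883000",
     "event_data": {"user_id": "1004", "source_ip": "203.0.113.10",
                    "authn_event_type": "AUTHN_EVENT_LOGIN_SUCCESS"}},
    {"version": "1", "severity": "INFO", "event_id": "bad-01",  # malformed
     "event_type": "EXTERNAL_API", "event_source": "MOVEWORKS",
     "event_time": "2023-03-14T00:37:54Z"},
])
```

Running `process_export(SAMPLE_EXPORT)` reports three valid records, one invalid record (bad-01, which lacks event_data and uses an ISO 8601 timestamp the documented format does not match) and two findings: the 403 from the Slack call and the ROLE_CREST_ADMIN grant. Records that fail validation are kept aside rather than dropped, because a schema change upstream should show up as a spike in the invalid count, not as silently missing events.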
📄 Example Logs (New Structured v1 Pipeline)
Full examples for each supported event type are shown below, grouped by event type.
EXTERNAL_API
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "Que5vMmYkJuB",
  "event_type": "EXTERNAL_API",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:00:23.850992",
  "event_data": {
    "user_id": "9422067216216842966",
    "request_uri": "https://slack.com/api/chat.postMessage",
    "request_method": "POST",
    "response_status_code": "200",
    "execution_time_ms": 172,
    "response_size_bytes": 1194
  }
}
```
EXTERNAL_LDAP_API
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "7UUWTmuqR1-I",
  "event_type": "EXTERNAL_LDAP_API",
  "event_source": "MOVEWORKS",
  "event_time": "2025-07-25 23:08:06.715425",
  "event_data": {
    "user_id": "12608431283658477771",
    "request": "{'search_request': {'base_dn': '{{dc_base_filter}}', 'scope': 2, 'filter': '(&(objectClass=user)(mail=coryweb*))'}}"
  }
}
```
CONFIG_CHANGE
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "FIIqOSphTPGL",
  "event_type": "CONFIG_CHANGE",
  "event_source": "MOVEWORKS",
  "event_time": "2025-07-29 15:21:33.228745",
  "event_data": {
    "config_version": 117,
    "config_name": "ConversationalPluginBody",
    "change_origin_type": "USER/SYSTEM",
    "user_id": "1234223234"
  }
}
```
PERMISSION_CHANGE
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "LU8QgcnSTQ2m",
  "event_type": "PERMISSION_CHANGE",
  "event_source": "MOVEWORKS",
  "event_time": "2025-07-29 15:53:42.047730",
  "event_data": {
    "user_id": "16054822774505271985",
    "assigned_roles": [
      {
        "app": "APP_CREATOR_STUDIO",
        "roles": ["ROLE_CREST_ADMIN"],
        "grantee": "3743745632043933493"
      }
    ],
    "all_roles": [
      {
        "app": "APP_CREATOR_STUDIO",
        "roles": ["ROLE_CREST_ADMIN"],
        "grantee": "3743745632043933493"
      },
      {
        "app": "APP_BOT_ANALYTICS",
        "roles": ["ROLE_BOT_ANALYTICS_ADMIN"],
        "grantee": "3743745632043933493"
      },
      {
        "app": "APP_MW_SETUP",
        "roles": ["ROLE_MW_SETUP_ADMIN"],
        "grantee": "3743745632043933493"
      }
    ]
  }
}
```
AUTHENTICATION
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "OqsC6ItzTL6f",
  "event_type": "AUTHENTICATION",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-15 15:38:31.883000",
  "event_data": {
    "user_id": "9733382206290329491",
    "authn_event_type": "AUTHN_EVENT_LOGIN_SUCCESS",
    "app": "AUTHN_APP_MY_MOVEWORKS",
    "idp_metadata": {},
    "source_ip": "208.127.82.164",
    "user_agent": "Mozilla/5.0 ..."
  }
}
```
AGENT_STUDIO_LOG
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "SorjFyTNZnDK",
  "event_type": "AGENT_STUDIO_LOG",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "10769617033889969982",
    "uivar_uuid": "5d6edaaa-fe72-4ef1-8c3f-875c5f634726",
    "result": "AGENT_STUDIO_LOG_RESULT_SUCCESS",
    "method": "AGENT_STUDIO_LOG_METHOD_READ",
    "log_type": "AGENT_STUDIO_LOG_TYPE_AGENT_STUDIO_CONNECTORS"
  }
}
```
USER_TOKEN_LOG
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "HFm8ZebzGHdu",
  "event_type": "USER_TOKEN_LOG",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "8340006963328694015",
    "status": "USER_TOKEN_EXECUTION_STATUS_SUCCESS",
    "retrieve_access_token_log": {
      "integration_id": "enterprise_search_google_drive_connector",
      "sanitized_access_token_info": {
        "integration_id": "enterprise_search_google_drive_connector",
        "expires_at": "2025-10-16T19:58:13.331639Z"
      }
    }
  }
}
```
❓ FAQ (Applies to Both Versions)
Why don’t I see logs in my SFTP folder?
Depending on your pipeline version:
Current Version (pre-April 2026)
Check:
logs/YYYY-MM-DD/
New Version (v1 pipeline)
Check:
logs/v1/YYYY-MM-DD/
If neither folder appears, verify SFTP access configuration and root folder permissions.
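The directory layouts and refresh cadences documented for both pipelines, together with the "which folder should I check" question above, translate directly into a continuity monitor for the export. The block below is an added example, not Moveworks code: it builds the expected path for a given day on either pipeline, infers from an SFTP listing which pipeline a tenant is on, lists the days for which no file arrived, and flags a file that has not been rewritten within the documented cadence (daily for the current pipeline, every 3 hours for v1). The directory listing and timestamps are constructed, and the one-hour grace period is an assumed tuning value.

```python
"""Expected SFTP paths for the Moveworks SIEM export, and gap/staleness checks.
Added example, not Moveworks code: the path patterns and refresh cadences come
from the page; the directory listing and timestamps below are constructed."""
from datetime import date, datetime, timedelta
from typing import List, Optional

LAYOUTS = {  # "current" is the pre-migration pipeline, "v1" the upgraded one
    "current": "logs/{d}/{d}_audit_log.json",
    "v1": "logs/v1/{d}/{d}_audit_log.json",
}
REFRESH = {"current": timedelta(hours=24), "v1": timedelta(hours=3)}

def expected_path(day: date, pipeline: str) -> str:
    """Path at which the export for one day should appear on a given pipeline."""
    return LAYOUTS[pipeline].format(d=day.isoformat())  # isoformat() is YYYY-MM-DD

def detect_pipeline(listing: List[str]) -> Optional[str]:
    """Infer which pipeline a tenant is on from the paths visible over SFTP."""
    if any(p.startswith("logs/v1/") for p in listing):
        return "v1"
    if any(p.startswith("logs/") for p in listing):
        return "current"
    return None  # no logs/ tree at all: an access or root-folder problem

def missing_days(listing: List[str], start: date, end: date) -> List[str]:
    """Days in [start, end] with no export file. A silent gap here is a blind
    spot for every detection built on these logs, so it should page someone."""
    pipeline = detect_pipeline(listing)
    if pipeline is None:
        raise ValueError("no logs/ tree visible: verify SFTP access and root folder permissions")
    present, gaps, day = set(listing), [], start
    while day <= end:
        if expected_path(day, pipeline) not in present:
            gaps.append(day.isoformat())
        day += timedelta(days=1)
    return gaps

def is_stale(last_modified: datetime, now: datetime, pipeline: str,
             grace: timedelta = timedelta(hours=1)) -> bool:
    """True when today's file has not been rewritten within the documented
    cadence plus a grace period (the one-hour grace is an assumed tuning value)."""
    return now - last_modified > REFRESH[pipeline] + grace

# Constructed listing of a tenant already on the upgraded pipeline; 7 January is absent.
SAMPLE_LISTING = [
    "logs/v1/2026-01-05/2026-01-05_audit_log.json",
    "logs/v1/2026-01-06/2026-01-06_audit_log.json",
    "logs/v1/2026-01-08/2026-01-08_audit_log.json",
]

if __name__ == "__main__":
    print(missing_days(SAMPLE_LISTING, date(2026, 1, 5), date(2026, 1, 8)))
```

Run against the constructed listing, `missing_days` returns `["2026-01-07"]`. In practice the listing comes from the SFTP client's directory walk and `last_modified` from the file's mtime; scheduling the check a little more often than the pipeline's refresh interval catches both a stalled export and a broken SFTP credential before an investigation discovers the hole.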
🧭 How to Use This Documentation
| If you are… | Use this section |
|---|---|
| Still on the existing pipeline (through March 2026) | Section 1️⃣ Current SIEM Log Export |
| Migrated to the new structured v1 pipeline | Section 2️⃣ New SIEM Log Export |