Security Information and Event Management (SIEM) Logs Overview
Moveworks provides a daily export of logs in JSON format (via SFTP) for API request calls made from the Moveworks platform to your organization's enterprise systems, e.g. ServiceNow, Microsoft Teams, Slack, Okta, Workday, etc.
Customers can copy these logs from SFTP to a storage solution in their organization, or use a forwarder to send the logs into their organization's SIEM.
For more details on SFTP access and how to set it up, please see this article.
Log Schema Dictionary
Each log follows the schema defined below:
version: Version of the schema of the event. This version will be incremented if the schema changes in the future.
severity: Severity of the event, e.g. INFO, ERROR, etc. All successful API calls are logged as INFO; if an API call fails, it is logged as ERROR.
event_data: Event-specific details as key/value pairs. (Note: event_data does NOT contain the request/response body of the API request, since these objects may contain sensitive information.)
event_id: Unique ID for the event.
event_source: Source where the event was generated.
event_time: Time at which the event occurred.
event_type: Type of the event, e.g. external API calls. The event type will be one of the values in the table below.
Value | Description
---|---
EXTERNAL_API | Any time Moveworks makes a call to an external system / customer integration, we create an event of this type.
EXTERNAL_LDAP_API | LDAP calls for customers using Moveworks agents deployed on-prem to connect to Active Directory.
A note on EXTERNAL_API event_type
Although Moveworks Knowledge ingestion leverages External APIs, API calls from knowledge ingestion do not get logged under EXTERNAL_API.
Example Logs
Example Chat Event Log (event_data portion)
{
  "request_method": "POST",
  "request_uri": "https://slack.com/api/chat.postMessage",
  "response_status_code": "200"
}
Example ITSM System Event Log
{
  "version": "1",
  "severity": "INFO",
  "event_id": "abCdeF2GP5F9",
  "event_type": "EXTERNAL_API",
  "event_source": "MOVEWORKS",
  "event_time": "2023-03-14 00:37:54.284873",
  "event_data": {
    "request_method": "GET",
    "request_uri": "https://company.service-now.com/api/now/table/incident",
    "response_status_code": "200"
  }
}
FAQ
Q: Why do I not see the logs in my SFTP folder?
A: The logs are stored in the logs directory. Example path: logs/2024-08-20/2024-08-20_audit_log.json, where 2024-08-20 is the date of the log file. If you still do not see the folder, double-check your SFTP configuration to ensure you are syncing and reading from the right folder.
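The following is an added example, not Moveworks code, showing what a receiving pipeline might do with a daily export before forwarding it to a SIEM: build the daily file path from the FAQ, validate each event against the schema fields listed above, and summarize failed calls and state-changing calls per target host. The top-level keys, event types, severities, event_data keys and path layout come from this page; the file layout (one JSON object per line, or a single top-level JSON array), the sample events and the hostnames are assumptions constructed for the example.

```python
"""Added example (not Moveworks code): parse, validate and summarize a daily
Moveworks-style SIEM audit export.

From the page: top-level keys, the two event_type values, the INFO/ERROR
severities, the event_data keys in the examples, and the
logs/<date>/<date>_audit_log.json path. Assumed (not stated on the page):
one JSON object per line, or a single top-level JSON array.
"""
import json
from collections import Counter
from datetime import date, datetime
from urllib.parse import urlparse

REQUIRED_KEYS = {"version", "severity", "event_id", "event_source",
                 "event_time", "event_type", "event_data"}
KNOWN_EVENT_TYPES = {"EXTERNAL_API", "EXTERNAL_LDAP_API"}
KNOWN_SEVERITIES = {"INFO", "ERROR"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"        # matches "2023-03-14 00:37:54.284873"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # state-changing calls
FILE_DAY = date(2024, 8, 20)                # day of the sample file below
_BAD = object()                             # sentinel for unparseable lines


def daily_log_path(day):
    """Path layout given in the FAQ: logs/<date>/<date>_audit_log.json."""
    d = day.strftime("%Y-%m-%d")
    return f"logs/{d}/{d}_audit_log.json"


def validate_event(event, file_day=None):
    """Return a list of problems; an empty list means the event is well-formed."""
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    problems = []
    missing = REQUIRED_KEYS - set(event)
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    if event.get("severity") not in KNOWN_SEVERITIES:
        problems.append(f"unknown severity {event.get('severity')!r}")
    if event.get("event_type") not in KNOWN_EVENT_TYPES:
        problems.append(f"unknown event_type {event.get('event_type')!r}")
    if not isinstance(event.get("event_data"), dict):
        problems.append("event_data is not an object")
    try:
        ts = datetime.strptime(str(event.get("event_time", "")), TIME_FORMAT)
        # Events in a daily file should carry that day's date; a mismatch
        # usually points at a sync or timezone problem in the pipeline.
        if file_day is not None and ts.date() != file_day:
            problems.append(f"event_time {ts.date()} is not file day {file_day}")
    except ValueError:
        problems.append(f"bad event_time {event.get('event_time')!r}")
    return problems


def parse_export(text, file_day=None):
    """Split an export into validated events and a list of problem strings."""
    stripped = text.strip()
    if stripped.startswith("["):            # assumed alternative layout: one array
        candidates = list(enumerate(json.loads(stripped), 1))
    else:                                   # assumed default layout: JSON Lines
        candidates = []
        for lineno, line in enumerate(stripped.splitlines(), 1):
            if not line.strip():
                continue
            try:
                candidates.append((lineno, json.loads(line)))
            except json.JSONDecodeError:
                candidates.append((lineno, _BAD))
    events, problems = [], []
    for lineno, obj in candidates:
        if obj is _BAD:
            problems.append(f"line {lineno}: not valid JSON")
            continue
        errs = validate_event(obj, file_day)
        if errs:
            problems.append(f"line {lineno}: " + "; ".join(errs))
        else:
            events.append(obj)
    return events, problems


def summarize(events):
    """Counts worth forwarding: severities, failed calls and write calls per host."""
    def host(e):
        return urlparse(e["event_data"].get("request_uri", "")).hostname or "?"

    def ok(e):
        return str(e["event_data"].get("response_status_code", "")).startswith("2")

    return {
        "by_severity": dict(Counter(e["severity"] for e in events)),
        "failed_by_host": dict(Counter(host(e) for e in events if not ok(e))),
        "writes_by_host": dict(Counter(
            host(e) for e in events
            if e["event_data"].get("request_method") in WRITE_METHODS)),
    }


# Constructed sample export, not real Moveworks output; IDs and hosts are made up.
# Lines 4-6 are deliberately malformed to exercise the validation.
SAMPLE_EXPORT = """\
{"version": "1", "severity": "INFO", "event_id": "ev0001", "event_type": "EXTERNAL_API", "event_source": "MOVEWORKS", "event_time": "2024-08-20 08:01:02.000001", "event_data": {"request_method": "GET", "request_uri": "https://company.service-now.com/api/now/table/incident", "response_status_code": "200"}}
{"version": "1", "severity": "ERROR", "event_id": "ev0002", "event_type": "EXTERNAL_API", "event_source": "MOVEWORKS", "event_time": "2024-08-20 08:01:05.500000", "event_data": {"request_method": "POST", "request_uri": "https://slack.com/api/chat.postMessage", "response_status_code": "429"}}
{"version": "1", "severity": "INFO", "event_id": "ev0003", "event_type": "EXTERNAL_API", "event_source": "MOVEWORKS", "event_time": "2024-08-20 08:03:00.000000", "event_data": {"request_method": "DELETE", "request_uri": "https://company.service-now.com/api/now/table/incident/abc123", "response_status_code": "200"}}
{"version": "1", "severity": "INFO", "event_id": "ev0004", "event_type": "SOMETHING_ELSE", "event_source": "MOVEWORKS", "event_time": "2024-08-21 00:00:00.000000", "event_data": {}}
{"version": "1", "severity": "INFO", "event_id": "ev0005"}
this line is not JSON
"""

if __name__ == "__main__":
    events, problems = parse_export(SAMPLE_EXPORT, file_day=FILE_DAY)
    print("expected file:", daily_log_path(FILE_DAY))
    print(json.dumps(summarize(events), indent=2))
    for p in problems:
        print("problem:", p)
```

Run as a script, it reports three well-formed events, one failed call to slack.com (the 429), one write call each to slack.com and company.service-now.com, and three problem lines. The date check in validate_event is the useful one for the FAQ case: if events in logs/2024-08-20/ carry another day's event_time, the sync or timezone handling between SFTP and the SIEM is worth a look before the data is trusted.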