Security Information and Event Management (SIEM) Logs Overview
Moveworks provides a daily export of logs in JSON format (via SFTP) for API request calls made from the Moveworks platform to your organization's enterprise systems e.g: ServiceNow, Microsoft Teams, Slack, Okta, Workday etc.
Customers can export these logs from SFTP to a storage solution in your organization, or leverage a forwarder to forward the logs into your organization’s SIEM.
For more details on SFTP access and how to set it up, please see this article.
Log Schema Dictionary
Each log follows the schema defined below:
version: Version of the schema of the event. This version will be incremented if the schema changes in the future.
severity: Determines the severity of the event. e.g: INFO, ERROR, etc. -- All successful API calls are logged as INFO if an API call fails, it will be logged as ERROR.
event_data: Event specific details in key value pair. (Note: event_data does NOT contain the request/response body of the API request, since these objects may contain sensitive information).
event_id: Unique ID for the event.
event_source: Source where the event was generated.
event_time: Time at which the event occurred.
event_type: Type of the event, eg. External API calls, config changes, etc. Event type will be one of the values in the table below.
| Value | Description |
|---|---|
| EXTERNAL_API | Any time Moveworks makes a call to external system / customer integrations, we create an event for this type of action |
| CONFIG_CHANGE | Moveworks Configuration Changes |
| EXTERNAL_LDAP_API | These are LDAP calls for customers using moveworks agents deployed on prem to connect to Active Directory. |
| WorkflowTriggerLog | Moveworks Copilot workflow triggers |
| WorkflowUpdateLog | Moveworks Copilot workflow updates |
| ActionLog | Moveworks Copilot actions |
A note on EXTERNAL_API event_type
Although Moveworks Knowledge ingestion leverages External APIs, API calls from knowledge ingestion do not get logged under EXTERNAL_API.
Example Logs
Example Chat Event Log
{
"request_method": "POST",
"request_uri": "https://slack.com/api/chat.postMessage",
"response_status_code": "200"
}
Example ITSM System Event Log
{
"version": "1",
"severity": "INFO",
"event_id": "abCdeF2GP5F9",
"event_type": "EXTERNAL_API",
"event_source": "MOVEWORKS",
"event_time": "2023-03-14 00:37:54.284873",
"event_data": {
"request_method": "GET",
"request_uri": "https://company.service-now.com/api/now/table/incident",
"response_status_code": "200"
}
}
Updated 5 months ago