Security Information and Event Management (SIEM) Logs Overview

UPDATE ON SIEM LOG MIGRATION: https://community.moveworks.com/stakeholder-tools-exi-mw-setup-ks-analytics-115/coming-soon-improved-siem-log-pipeline-streamlined-secure-and-more-structured-2748?fid=115&tid=2748

Moveworks provides a JSON-based SIEM log export (via SFTP) that captures API calls, authentication events, permission changes, config changes, and other platform activities. These logs can be ingested into any organizational SIEM, data lake, or analytics pipeline to support incident response, monitoring, and compliance workflows.

Customers can export these logs from SFTP into their internal storage systems or forward them using a SIEM/log forwarder.

This document describes:

Current SIEM Log Export (available until March 2026)
New SIEM Log Export (available since December 2025)

Both versions are documented here for customers who may still be using the existing pipeline during the transition.

1️⃣ CURRENT SIEM LOG EXPORT (Available Until March 2026)

This section applies to all customers until their migration date to the upgraded pipeline.

📂 File Structure & Delivery Cadence (Current)

Directory Layout

Logs are provided daily in the following structure:

logs/YYYY-MM-DD/YYYY-MM-DD_audit_log.json

Example: logs/2024-08-20/2024-08-20_audit_log.json

Refresh Frequency

Once per day
Each JSON file is generated for the previous 24 hours of activity

🧩 Current Log Schema Overview

Top-Level Fields

All logs include the following fields:

Field	Description
version	Schema version number (e.g., `"1"`).
severity	INFO, ERROR.
event_id	Unique identifier for the event.
event_type	Category of event (e.g., EXTERNAL_API).
event_source	Always `MOVEWORKS`.
event_time	Time when the event occurred.
event_data	Key–value metadata. Sensitive request/response bodies are excluded.

Supported Event Types (Current Version)

EXTERNAL_API
EXTERNAL_LDAP_API
AUTHENTICATION
PERMISSION_CHANGE
CONFIG_CHANGE

Example Logs (Current Version)

External API Example

1 {
2   "version": "2",
3   "severity": "INFO",
4   "event_id": "NehDqj2G5tWQ",
5   "event_type": "EXTERNAL_API",
6   "event_source": "MOVEWORKS",
7   "event_time": "2026-01-08 00:43:46.697786",
8   "event_data": {
9     "user_id": "11596068552251261002",
10     "request_uri": "https://<your_instance>.com/",
11     "request_method": "GET",
12     "response_status_code": "200",
13     "execution_time_ms": 6191,
14     "response_size_bytes": 3783,
15     "trace_id": "dxV_H7S_84yY"
16   }
17 }

Authentication failure, permission change, and config change examples (from your existing helpdoc) are retained for backward compatibility.

2️⃣ NEW SIEM LOG EXPORT (Available since December 2025)

This section describes the enhanced logging pipeline that you will need to migrate your workflows to

🧩 What’s New in the Upgraded Pipeline

✔ Versioned Directory Structure

Logs now reside under a versioned subdirectory:

logs/v1/YYYY-MM-DD/YYYY-MM-DD_audit_log.json

✔ More Frequent Log Refresh

Log files refresh every 3 hours instead of once daily.

✔ More Structured & Documented Schemas

All supported event types now use standardized, fully documented JSON schemas.

✔ Expanded Log Coverage

New event types such as AGENT_STUDIO_LOG and USER_TOKEN_LOG are part of the new pipeline.

📂 File Structure (New)

Old Path	New Path
`logs/2024-08-20/2024-08-20_audit_log.json`	`logs/v1/2024-08-20/2024-08-20_audit_log.json`

🧩 New Log Schema Overview

The upgraded logs use schema version “2” and follow consistent structured definitions.

Supported Event Types (New Version)

EXTERNAL_API
EXTERNAL_LDAP_API
CONFIG_CHANGE
PERMISSION_CHANGE
AUTHENTICATION
AGENT_STUDIO_LOG
USER_TOKEN_LOG

Notable Schema Updates

CONFIG_CHANGE Event Enhancement: Starting in 2026, CONFIG_CHANGE events now include an operation_type field that distinguishes between configuration updates and deletions:

Field	Value	Description
`operation_type`	`CONFIG_OPERATION_TYPE_UPDATE`	Configuration was modified or updated
`operation_type`	`CONFIG_OPERATION_TYPE_DELETE`	Configuration was removed or deleted

This enhancement enables SIEM systems to easily distinguish between configuration modifications and deletions for improved audit tracking and security monitoring.

📄 Example Logs (New Structured v1 Pipeline)

You already provided full examples — they are preserved exactly and included here, grouped by event type.

EXTERNAL_API

1 {
2     "version": "2",
3     "severity": "INFO",
4     "event_id": "Que5vMmYkJuB",
5     "event_type": "EXTERNAL_API",
6     "event_source": "MOVEWORKS",
7     "event_time": "2025-10-16 19:00:23.850992",
8     "event_data": {
9         "user_id": "9422067216216842966",
10         "request_uri": "https://slack.com/api/chat.postMessage",
11         "request_method": "POST",
12         "response_status_code": "200",
13         "execution_time_ms": 172,
14         "response_size_bytes": 1194
15     }
16 }

EXTERNAL_LDAP_API

1 {
2   "version": "2",
3   "severity": "INFO",
4   "event_id": "7UUWTmuqR1-I",
5   "event_type": "EXTERNAL_LDAP_API",
6   "event_source": "MOVEWORKS",
7   "event_time": "2025-07-25 23:08:06.715425",
8   "event_data": {
9     "user_id": "12608431283658477771",
10     "request": "{'search_request': {'base_dn': '{{dc_base_filter}}', 'scope': 2, 'filter': '(&(objectClass=user)(mail=coryweb*))'}}"
11   }
12 }

CONFIG_CHANGE

Configuration Update Example:

1 {
2   "version": "2",
3   "severity": "INFO",
4   "event_id": "hLOXixn7T1iW",
5   "event_type": "CONFIG_CHANGE",
6   "event_source": "MOVEWORKS",
7   "event_time": "2026-01-06 03:49:38.763026",
8   "event_data": {
9     "user_id": "412307323227731938",
10     "config_version": 3,
11     "config_name": "ScriptConfig",
12     "change_origin_type": "CONFIG_SOURCE_USER",
13     "operation_type": "CONFIG_OPERATION_TYPE_UPDATE",
14     "updated_configs": [
15       {
16         "op": "update",
17         "path": "root['code']"
18       }
19     ]
20   }
21 }

Configuration Deletion Example:

1 {
2   "version": "2",
3   "severity": "INFO",
4   "event_id": "mN8PqX2wR5tZ",
5   "event_type": "CONFIG_CHANGE",
6   "event_source": "MOVEWORKS",
7   "event_time": "2026-01-06 04:15:22.891037",
8   "event_data": {
9     "user_id": "412307323227731938",
10     "config_version": 4,
11     "config_name": "NotificationOrgConfig",
12     "change_origin_type": "CONFIG_SOURCE_USER",
13     "operation_type": "CONFIG_OPERATION_TYPE_DELETE",
14     "updated_configs": [
15       {
16         "op": "remove",
17         "path": "root['notification_noise_control_config']"
18       }
19     ]
20   }
21 }

PERMISSION_CHANGE

1 {
2     "version": "2",
3     "severity": "INFO",
4     "event_id": "LU8QgcnSTQ2m",
5     "event_type": "PERMISSION_CHANGE",
6     "event_source": "MOVEWORKS",
7     "event_time": "2025-07-29 15:53:42.047730",
8     "event_data": {
9         "user_id": "16054822774505271985",
10         "assigned_roles": [
11             {
12                 "app": "APP_CREATOR_STUDIO",
13                 "roles": ["ROLE_CREST_ADMIN"],
14                 "grantee": "3743745632043933493"
15             }
16         ],
17         "all_roles": [
18             {
19                 "app": "APP_CREATOR_STUDIO",
20                 "roles": ["ROLE_CREST_ADMIN"],
21                 "grantee": "3743745632043933493"
22             },
23             {
24                 "app": "APP_BOT_ANALYTICS",
25                 "roles": ["ROLE_BOT_ANALYTICS_ADMIN"],
26                 "grantee": "3743745632043933493"
27             },
28             {
29                 "app": "APP_MW_SETUP",
30                 "roles": ["ROLE_MW_SETUP_ADMIN"],
31                 "grantee": "3743745632043933493"
32             }
33         ]
34     }
35 }

Authentication

1 AUTHENTICATION
2 {
3     "version": "2",
4     "severity": "INFO",
5     "event_id": "OqsC6ItzTL6f",
6     "event_type": "AUTHENTICATION",
7     "event_source": "MOVEWORKS",
8     "event_time": "2025-10-15 15:38:31.883000",
9     "event_data": {
10         "user_id": "9733382206290329491",
11         "authn_event_type": "AUTHN_EVENT_LOGIN_SUCCESS",
12         "app": "AUTHN_APP_MY_MOVEWORKS",
13         "idp_metadata": {},
14         "source_ip": "208.127.82.164",
15         "user_agent": "Mozilla/5.0 ..."
16     }
17 }

AGENT_STUDIO_LOG

1 {
2     "version": "2",
3     "severity": "INFO",
4     "event_id": "SorjFyTNZnDK",
5     "event_type": "AGENT_STUDIO_LOG",
6     "event_source": "MOVEWORKS",
7     "event_time": "2025-10-16 19:44:59.325022",
8     "event_data": {
9         "user_id": "10769617033889969982",
10         "uivar_uuid": "5d6edaaa-fe72-4ef1-8c3f-875c5f634726",
11         "result": "AGENT_STUDIO_LOG_RESULT_SUCCESS",
12         "method": "AGENT_STUDIO_LOG_METHOD_READ",
13         "log_type": "AGENT_STUDIO_LOG_TYPE_AGENT_STUDIO_CONNECTORS"
14     }
15 }

USER_TOKEN_LOG

1 {
2     "version": "2",
3     "severity": "INFO",
4     "event_id": "HFm8ZebzGHdu",
5     "event_type": "USER_TOKEN_LOG",
6     "event_source": "MOVEWORKS",
7     "event_time": "2025-10-16 19:44:59.325022",
8     "event_data": {
9         "user_id": "8340006963328694015",
10         "status": "USER_TOKEN_EXECUTION_STATUS_SUCCESS",
11         "retrieve_access_token_log": {
12             "integration_id": "enterprise_search_google_drive_connector",
13             "sanitized_access_token_info": {
14                 "integration_id": "enterprise_search_google_drive_connector",
15                 "expires_at": "2025-10-16T19:58:13.331639Z"
16             }
17         }
18     }
19 }

❓ FAQ (Applies to Both Versions)

Why don’t I see logs in my SFTP folder?

Depending on your pipeline version:

Current Version (pre-April 2026)

Check:

logs/YYYY-MM-DD/

New Version (v1 pipeline)

Check:

logs/v1/YYYY-MM-DD/

If neither folder appears, verify SFTP access configuration and root folder permissions.

🧭 How to Use This Documentation

If you are…	Use this section
Still on the existing pipeline (through March 2026)	Section 1️⃣ Current SIEM Log Export
Migrated to the new structured v1 pipeline	Section 2️⃣ New SIEM Log Export

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "NehDqj2G5tWQ",
5	"event_type": "EXTERNAL_API",
6	"event_source": "MOVEWORKS",
7	"event_time": "2026-01-08 00:43:46.697786",
8	"event_data": {
9	"user_id": "11596068552251261002",
10	"request_uri": "https://<your_instance>.com/",
11	"request_method": "GET",
12	"response_status_code": "200",
13	"execution_time_ms": 6191,
14	"response_size_bytes": 3783,
15	"trace_id": "dxV_H7S_84yY"
16	}
17	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "Que5vMmYkJuB",
5	"event_type": "EXTERNAL_API",
6	"event_source": "MOVEWORKS",
7	"event_time": "2025-10-16 19:00:23.850992",
8	"event_data": {
9	"user_id": "9422067216216842966",
10	"request_uri": "https://slack.com/api/chat.postMessage",
11	"request_method": "POST",
12	"response_status_code": "200",
13	"execution_time_ms": 172,
14	"response_size_bytes": 1194
15	}
16	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "7UUWTmuqR1-I",
5	"event_type": "EXTERNAL_LDAP_API",
6	"event_source": "MOVEWORKS",
7	"event_time": "2025-07-25 23:08:06.715425",
8	"event_data": {
9	"user_id": "12608431283658477771",
10	"request": "{'search_request': {'base_dn': '{{dc_base_filter}}', 'scope': 2, 'filter': '(&(objectClass=user)(mail=coryweb*))'}}"
11	}
12	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "hLOXixn7T1iW",
5	"event_type": "CONFIG_CHANGE",
6	"event_source": "MOVEWORKS",
7	"event_time": "2026-01-06 03:49:38.763026",
8	"event_data": {
9	"user_id": "412307323227731938",
10	"config_version": 3,
11	"config_name": "ScriptConfig",
12	"change_origin_type": "CONFIG_SOURCE_USER",
13	"operation_type": "CONFIG_OPERATION_TYPE_UPDATE",
14	"updated_configs": [
15	{
16	"op": "update",
17	"path": "root['code']"
18	}
19	]
20	}
21	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "mN8PqX2wR5tZ",
5	"event_type": "CONFIG_CHANGE",
6	"event_source": "MOVEWORKS",
7	"event_time": "2026-01-06 04:15:22.891037",
8	"event_data": {
9	"user_id": "412307323227731938",
10	"config_version": 4,
11	"config_name": "NotificationOrgConfig",
12	"change_origin_type": "CONFIG_SOURCE_USER",
13	"operation_type": "CONFIG_OPERATION_TYPE_DELETE",
14	"updated_configs": [
15	{
16	"op": "remove",
17	"path": "root['notification_noise_control_config']"
18	}
19	]
20	}
21	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "LU8QgcnSTQ2m",
5	"event_type": "PERMISSION_CHANGE",
6	"event_source": "MOVEWORKS",
7	"event_time": "2025-07-29 15:53:42.047730",
8	"event_data": {
9	"user_id": "16054822774505271985",
10	"assigned_roles": [
11	{
12	"app": "APP_CREATOR_STUDIO",
13	"roles": ["ROLE_CREST_ADMIN"],
14	"grantee": "3743745632043933493"
15	}
16	],
17	"all_roles": [
18	{
19	"app": "APP_CREATOR_STUDIO",
20	"roles": ["ROLE_CREST_ADMIN"],
21	"grantee": "3743745632043933493"
22	},
23	{
24	"app": "APP_BOT_ANALYTICS",
25	"roles": ["ROLE_BOT_ANALYTICS_ADMIN"],
26	"grantee": "3743745632043933493"
27	},
28	{
29	"app": "APP_MW_SETUP",
30	"roles": ["ROLE_MW_SETUP_ADMIN"],
31	"grantee": "3743745632043933493"
32	}
33	]
34	}
35	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "SorjFyTNZnDK",
5	"event_type": "AGENT_STUDIO_LOG",
6	"event_source": "MOVEWORKS",
7	"event_time": "2025-10-16 19:44:59.325022",
8	"event_data": {
9	"user_id": "10769617033889969982",
10	"uivar_uuid": "5d6edaaa-fe72-4ef1-8c3f-875c5f634726",
11	"result": "AGENT_STUDIO_LOG_RESULT_SUCCESS",
12	"method": "AGENT_STUDIO_LOG_METHOD_READ",
13	"log_type": "AGENT_STUDIO_LOG_TYPE_AGENT_STUDIO_CONNECTORS"
14	}
15	}

1	{
2	"version": "2",
3	"severity": "INFO",
4	"event_id": "HFm8ZebzGHdu",
5	"event_type": "USER_TOKEN_LOG",
6	"event_source": "MOVEWORKS",
7	"event_time": "2025-10-16 19:44:59.325022",
8	"event_data": {
9	"user_id": "8340006963328694015",
10	"status": "USER_TOKEN_EXECUTION_STATUS_SUCCESS",
11	"retrieve_access_token_log": {
12	"integration_id": "enterprise_search_google_drive_connector",
13	"sanitized_access_token_info": {
14	"integration_id": "enterprise_search_google_drive_connector",
15	"expires_at": "2025-10-16T19:58:13.331639Z"
16	}
17	}
18	}
19	}