# Security Information and Event Management (SIEM) Logs Overview

UPDATE ON SIEM LOG MIGRATION: [https://community.moveworks.com/stakeholder-tools-exi-mw-setup-ks-analytics-115/coming-soon-improved-siem-log-pipeline-streamlined-secure-and-more-structured-2748?fid=115&tid=2748](https://community.moveworks.com/stakeholder-tools-exi-mw-setup-ks-analytics-115/coming-soon-improved-siem-log-pipeline-streamlined-secure-and-more-structured-2748?fid=115&tid=2748)

Moveworks provides a JSON-based SIEM log export (via SFTP) that captures API calls, authentication events, permission changes, config changes, and other platform activities. These logs can be ingested into any organizational SIEM, data lake, or analytics pipeline to support incident response, monitoring, and compliance workflows. Customers can export these logs from SFTP into their internal storage systems or forward them using a SIEM/log forwarder.

This document describes:

1. **Current SIEM Log Export (available until March 2026)**
2. **New SIEM Log Export (available since December 2025)**

Both versions are documented here for customers who may still be using the existing pipeline during the transition.

***

# 1️⃣ CURRENT SIEM LOG EXPORT (Available Until March 2026)

This section applies to all customers until their migration date to the upgraded pipeline.
***

## 📂 File Structure & Delivery Cadence (Current)

### **Directory Layout**

Logs are provided daily in the following structure:

```
logs/YYYY-MM-DD/YYYY-MM-DD_audit_log.json
```

Example: `logs/2024-08-20/2024-08-20_audit_log.json`

### **Refresh Frequency**

* **Once per day**
* Each JSON file is generated for the previous 24 hours of activity

***

## 🧩 Current Log Schema Overview

### **Top-Level Fields**

All logs include the following fields:

| Field | Description |
| --- | --- |
| **version** | Schema version number (e.g., `"1"`). |
| **severity** | `INFO` or `ERROR`. |
| **event\_id** | Unique identifier for the event. |
| **event\_type** | Category of event (e.g., `EXTERNAL_API`). |
| **event\_source** | Always `MOVEWORKS`. |
| **event\_time** | Time when the event occurred. |
| **event\_data** | Key–value metadata. Sensitive request/response bodies are excluded. |

### **Supported Event Types (Current Version)**

* EXTERNAL\_API
* EXTERNAL\_LDAP\_API
* AUTHENTICATION
* PERMISSION\_CHANGE
* CONFIG\_CHANGE

### **Example Logs (Current Version)**

**External API Example**

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "NehDqj2G5tWQ",
  "event_type": "EXTERNAL_API",
  "event_source": "MOVEWORKS",
  "event_time": "2026-01-08 00:43:46.697786",
  "event_data": {
    "user_id": "11596068552251261002",
    "request_uri": "https://.com/",
    "request_method": "GET",
    "response_status_code": "200",
    "execution_time_ms": 6191,
    "response_size_bytes": 3783,
    "trace_id": "dxV_H7S_84yY"
  }
}
```

Authentication failure, permission change, and config change examples from the existing helpdoc are retained for backward compatibility.
***

# 2️⃣ NEW SIEM LOG EXPORT (Available since December 2025)

This section describes the enhanced logging pipeline that you will need to migrate your workflows to.

***

## 🧩 What’s New in the Upgraded Pipeline

### ✔ **Versioned Directory Structure**

Logs now reside under a versioned subdirectory:

```
logs/v1/YYYY-MM-DD/YYYY-MM-DD_audit_log.json
```

### ✔ **More Frequent Log Refresh**

Log files refresh **every 3 hours** instead of once daily.

### ✔ **More Structured & Documented Schemas**

All supported event types now use standardized, fully documented JSON schemas.

### ✔ **Expanded Log Coverage**

New event types such as AGENT\_STUDIO\_LOG and USER\_TOKEN\_LOG are part of the new pipeline.

***

## 📂 File Structure (New)

| Old Path | New Path |
| --- | --- |
| `logs/2024-08-20/2024-08-20_audit_log.json` | `logs/v1/2024-08-20/2024-08-20_audit_log.json` |

***

## 🧩 New Log Schema Overview

The upgraded logs use **schema version "2"** and follow consistent structured definitions.

### **Supported Event Types (New Version)**

* EXTERNAL\_API
* EXTERNAL\_LDAP\_API
* CONFIG\_CHANGE
* PERMISSION\_CHANGE
* AUTHENTICATION
* AGENT\_STUDIO\_LOG
* USER\_TOKEN\_LOG

***

# 📄 Example Logs (New Structured v1 Pipeline)

Full examples for each supported event type are included below, grouped by event type.

### **EXTERNAL\_API**

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "Que5vMmYkJuB",
  "event_type": "EXTERNAL_API",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:00:23.850992",
  "event_data": {
    "user_id": "9422067216216842966",
    "request_uri": "https://slack.com/api/chat.postMessage",
    "request_method": "POST",
    "response_status_code": "200",
    "execution_time_ms": 172,
    "response_size_bytes": 1194
  }
}
```

### EXTERNAL\_LDAP\_API
```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "7UUWTmuqR1-I",
  "event_type": "EXTERNAL_LDAP_API",
  "event_source": "MOVEWORKS",
  "event_time": "2025-07-25 23:08:06.715425",
  "event_data": {
    "user_id": "12608431283658477771",
    "request": "{'search_request': {'base_dn': '{{dc_base_filter}}', 'scope': 2, 'filter': '(&(objectClass=user)(mail=coryweb*))'}}"
  }
}
```

### CONFIG\_CHANGE

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "hLOXixn7T1iW",
  "event_type": "CONFIG_CHANGE",
  "event_source": "MOVEWORKS",
  "event_time": "2026-01-06 03:49:38.763026",
  "event_data": {
    "user_id": "412307323227731938",
    "config_version": 3,
    "config_name": "ScriptConfig",
    "change_origin_type": "CONFIG_SOURCE_USER",
    "updated_configs": [
      {
        "op": "update",
        "path": "root['code']"
      }
    ]
  }
}
```

### PERMISSION\_CHANGE

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "LU8QgcnSTQ2m",
  "event_type": "PERMISSION_CHANGE",
  "event_source": "MOVEWORKS",
  "event_time": "2025-07-29 15:53:42.047730",
  "event_data": {
    "user_id": "16054822774505271985",
    "assigned_roles": [
      {
        "app": "APP_CREATOR_STUDIO",
        "roles": ["ROLE_CREST_ADMIN"],
        "grantee": "3743745632043933493"
      }
    ],
    "all_roles": [
      {
        "app": "APP_CREATOR_STUDIO",
        "roles": ["ROLE_CREST_ADMIN"],
        "grantee": "3743745632043933493"
      },
      {
        "app": "APP_BOT_ANALYTICS",
        "roles": ["ROLE_BOT_ANALYTICS_ADMIN"],
        "grantee": "3743745632043933493"
      },
      {
        "app": "APP_MW_SETUP",
        "roles": ["ROLE_MW_SETUP_ADMIN"],
        "grantee": "3743745632043933493"
      }
    ]
  }
}
```

### AUTHENTICATION

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "OqsC6ItzTL6f",
  "event_type": "AUTHENTICATION",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-15 15:38:31.883000",
  "event_data": {
    "user_id": "9733382206290329491",
    "authn_event_type": "AUTHN_EVENT_LOGIN_SUCCESS",
    "app": "AUTHN_APP_MY_MOVEWORKS",
    "idp_metadata": {},
    "source_ip": "208.127.82.164",
    "user_agent": "Mozilla/5.0 ..."
  }
}
```

### AGENT\_STUDIO\_LOG

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "SorjFyTNZnDK",
  "event_type": "AGENT_STUDIO_LOG",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "10769617033889969982",
    "uivar_uuid": "5d6edaaa-fe72-4ef1-8c3f-875c5f634726",
    "result": "AGENT_STUDIO_LOG_RESULT_SUCCESS",
    "method": "AGENT_STUDIO_LOG_METHOD_READ",
    "log_type": "AGENT_STUDIO_LOG_TYPE_AGENT_STUDIO_CONNECTORS"
  }
}
```

### USER\_TOKEN\_LOG

```json
{
  "version": "2",
  "severity": "INFO",
  "event_id": "HFm8ZebzGHdu",
  "event_type": "USER_TOKEN_LOG",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "8340006963328694015",
    "status": "USER_TOKEN_EXECUTION_STATUS_SUCCESS",
    "retrieve_access_token_log": {
      "integration_id": "enterprise_search_google_drive_connector",
      "sanitized_access_token_info": {
        "integration_id": "enterprise_search_google_drive_connector",
        "expires_at": "2025-10-16T19:58:13.331639Z"
      }
    }
  }
}
```

***

# ❓ FAQ (Applies to Both Versions)

### **Why don’t I see logs in my SFTP folder?**

Depending on your pipeline version:

#### **Current Version (pre-April 2026)**

Check:

```
logs/YYYY-MM-DD/
```

#### **New Version (v1 pipeline)**

Check:

```
logs/v1/YYYY-MM-DD/
```

If neither folder appears, verify SFTP access configuration and root folder permissions.

***

# 🧭 How to Use This Documentation

| If you are… | Use this section |
| --- | --- |
| **Still on the existing pipeline (through March 2026)** | Section 1️⃣ Current SIEM Log Export |
| **Migrated to the new structured v1 pipeline** | Section 2️⃣ New SIEM Log Export |
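***

As an added example (not Moveworks code), the script below shows how an ingestion step can resolve the expected daily file path for either directory layout, check each record for the documented top-level fields and `event_source`, and flag the events from the schema sections that usually merit analyst attention: non-success AUTHENTICATION events, PERMISSION_CHANGE grants of `*ADMIN*` roles, non-2xx EXTERNAL_API calls, and every CONFIG_CHANGE. The page does not state whether a daily file is a JSON array or newline-delimited, so `load_events` accepts both, and the sample records are constructed, not real export data.

```python
import json

REQUIRED = ("version", "severity", "event_id", "event_type", "event_source", "event_time", "event_data")

def audit_log_path(day: str, versioned: bool) -> str:
    """Expected SFTP path for one day's file (day is YYYY-MM-DD); versioned=True is the v1 layout."""
    return f"logs/{'v1/' if versioned else ''}{day}/{day}_audit_log.json"

def load_events(text: str) -> list:
    """Accept a JSON array, one object, or newline-delimited objects (the file's layout is assumed)."""
    try:
        doc = json.loads(text)
        return doc if isinstance(doc, list) else [doc]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events: list) -> dict:
    """Check the documented top-level fields and flag events worth an analyst's look."""
    counts, findings = {}, []
    for ev in events:
        missing = [f for f in REQUIRED if f not in ev]
        if missing or ev.get("event_source") != "MOVEWORKS":  # event_source is documented as a constant
            findings.append(("MALFORMED", ev.get("event_id"), missing))
            continue
        et, data = ev["event_type"], ev["event_data"]
        counts[et] = counts.get(et, 0) + 1
        if et == "AUTHENTICATION" and not data.get("authn_event_type", "").endswith("SUCCESS"):
            findings.append(("AUTHN_NOT_SUCCESS", ev["event_id"], data.get("source_ip")))
        elif et == "PERMISSION_CHANGE":  # assigned_roles holds only the roles granted in this event
            for grant in data.get("assigned_roles", []):
                admin = [r for r in grant.get("roles", []) if "ADMIN" in r]
                if admin:
                    findings.append(("ADMIN_ROLE_GRANT", ev["event_id"], grant.get("grantee"), admin))
        elif et == "EXTERNAL_API" and not str(data.get("response_status_code")).startswith("2"):
            findings.append(("API_NON_2XX", ev["event_id"], data.get("request_uri")))
        elif et == "CONFIG_CHANGE":  # every config change is recorded for change-tracking
            findings.append(("CONFIG_CHANGE", ev["event_id"], data.get("config_name")))
    return {"counts": counts, "findings": findings}

# Constructed sample records, not real Moveworks data; the login-failure value is made up (the page
# shows only AUTHN_EVENT_LOGIN_SUCCESS), and the last record deliberately lacks severity/event_data.
SAMPLE = """
{"version":"2","severity":"INFO","event_id":"ev1","event_type":"AUTHENTICATION","event_source":"MOVEWORKS","event_time":"2025-10-15 15:38:31.883000","event_data":{"user_id":"1","authn_event_type":"AUTHN_EVENT_LOGIN_FAILURE","app":"AUTHN_APP_MY_MOVEWORKS","source_ip":"203.0.113.5"}}
{"version":"2","severity":"INFO","event_id":"ev2","event_type":"PERMISSION_CHANGE","event_source":"MOVEWORKS","event_time":"2025-07-29 15:53:42.047730","event_data":{"user_id":"2","assigned_roles":[{"app":"APP_MW_SETUP","roles":["ROLE_MW_SETUP_ADMIN"],"grantee":"3"}]}}
{"version":"2","severity":"INFO","event_id":"ev3","event_type":"EXTERNAL_API","event_source":"MOVEWORKS","event_time":"2025-10-16 19:00:23.850992","event_data":{"user_id":"4","request_uri":"https://example.com/api","request_method":"POST","response_status_code":"200"}}
{"version":"2","severity":"INFO","event_id":"ev4","event_type":"CONFIG_CHANGE","event_source":"MOVEWORKS","event_time":"2026-01-06 03:49:38.763026","event_data":{"user_id":"5","config_name":"ScriptConfig","change_origin_type":"CONFIG_SOURCE_USER"}}
{"version":"2","event_id":"ev5","event_type":"EXTERNAL_API","event_source":"MOVEWORKS","event_time":"2026-01-08 00:43:46.697786"}
"""
```

`event_time` values in the examples carry no timezone designator, so confirm the export's timezone with Moveworks before correlating them with other sources.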