Data Export Schema
Schema for User Activity Logs
A single log record for user activity might look like the following. This example is a user activity log as captured by the Lacework Edge Proxy (note the DATASOURCE field, which reads EgAccessLog for proxy access logs).
{
  "CATEGORY": "unproductivity",
  "CLIENT_INFO": {
    "ip": "7.7.7.7"
  },
  "CLIENT_TYPE": "client-app",
  "DATASOURCE": "EgAccessLog",
  "DATA_TRANSFER_INFO": {
    "rx_bytes": 1990,
    "tx_bytes": 1990
  },
  "DEVICE": {
    "type": "client-app",
    "uuid": "deviceUUID_1"
  },
  "DST_APPLICATION": {
    "appName": "Example App"
  },
  "DST_HOST_NAME": "example.com",
  "DST_TYPE": "Dns",
  "EVENT_TYPE": "Access",
  "GATEWAY_NAME": "us-west-1b-1-aws",
  "POLICY_DETAILS": {
    "is_mitm": true,
    "policy_id": "policyUUID_1",
    "decision": "allow"
  },
  "REQUEST_PROPS": {
    "headers": {
      "accept": "*/*",
      "accept-encoding": "gzip, deflate, br",
      "accept-language": "en-US,en;q=0.9",
      "content-length": "0",
      "dnt": "1",
      "origin": "https://example.com",
      "referer": "https://example.com/assets/something.js",
      "scoped-csrf-token": "some-csrf-token-1",
      "sec-fetch-dest": "empty",
      "sec-fetch-mode": "same-origin",
      "sec-fetch-site": "same-origin",
      "user-agent": "user-agent-string"
    },
    "index": 777,
    "method": "POST",
    "start_epoch_msec": 1689077774393,
    "uri": "https://example.com/",
    "version": "HTTP/2.0"
  },
  "RESPONSE_PROPS": {
    "header_len_bytes": 7777,
    "len_bytes": 1024,
    "status_code": 200
  },
  "ROW_ID": 123456,
  "SESSION_ID": "session_id-1",
  "SUBCATEGORY": "Search Engines",
  "TIMESTAMP": "2023-07-07 07:07:07.522 Z",
  "USER": {
    "tags": {
      "department": "Engineering",
      "user_risk": "high"
    },
    "uuid": "userUUID_1"
  }
}
User activity log JSON is composed of the following key-value pairs:
- CATEGORY (string)
  - Represents the category of the access event (e.g., "unproductivity").
- CLIENT_INFO (JSON object)
  - ip (string): IP address of the client.
- CLIENT_TYPE (string)
  - Indicates the type of client. Values include client-app and browser-ext.
- DATASOURCE (string)
  - Represents the source of the log. A record can come from the Lacework Edge Proxy access log (EgAccessLog) or from API logs of third-party services such as Okta, Google Workspace, Office 365, etc. Possible values include EgAccessLog, OKTA, GSUITE, OFFICE365, AZURE, SALESFORCE, etc.
- DATA_TRANSFER_INFO (JSON object)
  - rx_bytes (integer): number of bytes received in this observation for the request.
  - tx_bytes (integer): number of bytes transmitted in this observation for the request.
- DEVICE (JSON object)
  - type (string): type of client running on the device (e.g., client-app).
  - uuid (string): UUID of the client's device.
- DST_APPLICATION (JSON object)
  - appName (string): name of the destination application being accessed.
- DST_HOST_NAME (string)
  - Represents the hostname of the destination being accessed by the client.
- DST_TYPE (string)
  - Type of destination (e.g., "Dns").
- EVENT_TYPE (string)
  - Type of event recorded (e.g., "Access" for a proxy access log entry).
- GATEWAY_NAME (string)
  - Represents the name of the Lacework Edge gateway or point of presence that handled the access for the user.
- POLICY_DETAILS (JSON object)
  - is_mitm (boolean): whether TLS interception (man-in-the-middle inspection) was applied to this request.
  - policy_id (string): UUID of the policy applied.
  - decision (string): decision made based on the policy (e.g., "allow").
- REQUEST_PROPS (JSON object)
  - headers (JSON object): header names and values from the client's request.
  - index (integer): an index value associated with the request.
  - method (string): the HTTP method used for the request (e.g., "GET", "POST", "CONNECT").
  - start_epoch_msec (integer): start time of the request in epoch milliseconds.
  - uri (string): the URI requested.
  - version (string): the HTTP protocol version (e.g., "HTTP/2.0").
- RESPONSE_PROPS (JSON object)
  - header_len_bytes (integer): length of the response headers in bytes.
  - headers (JSON object): header names and values from the response.
  - len_bytes (integer): length of the response content in bytes.
  - status_code (integer): HTTP status code of the response.
- ROW_ID (integer)
  - Numeric identifier of this log row.
- SESSION_ID (string)
  - UUID representing the client's session for this specific event.
- SUBCATEGORY (string)
  - Represents the subcategory of the access event (e.g., "Search Engines").
- TIMESTAMP (string)
  - UTC timestamp of the event in the form YYYY-MM-DD HH:MM:SS.fff Z (e.g., "2023-07-07 07:07:07.693 Z").
- USER (JSON object)
  - tags (JSON object): tags associated with the user making the request (e.g., department, user_risk).
  - uuid (string): UUID of the user.
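The following is an added example, not code from the page or from Lacework, showing how a consumer of the user activity export would typically handle these records: parse the TIMESTAMP format, skip records whose DATASOURCE is not EgAccessLog (third-party API logs carry different fields), aggregate rx_bytes/tx_bytes, is_mitm and the policy decision per USER.uuid, and mask sensitive request headers before forwarding. Note that REQUEST_PROPS.headers carries raw header values from the intercepted request; the sample above includes a scoped-csrf-token, so exports should be treated as sensitive and scrubbed before they reach a broadly readable SIEM index. The sample records, the decision value "block" and the header names other than scoped-csrf-token are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Request header names whose values should be masked before the export is
# forwarded. scoped-csrf-token appears in the sample record on the page; the
# other names are an assumption about what else may be captured.
SENSITIVE_HEADERS = {"scoped-csrf-token", "cookie", "authorization", "proxy-authorization"}

# Constructed sample export records (not real Lacework Edge data). Only the
# fields used below are populated. The decision value "block" is assumed; the
# page documents only "allow".
SAMPLE_RECORDS = [
    {
        "DATASOURCE": "EgAccessLog",
        "TIMESTAMP": "2023-07-07 07:07:07.522 Z",
        "USER": {"uuid": "userUUID_1", "tags": {"user_risk": "high"}},
        "DATA_TRANSFER_INFO": {"rx_bytes": 1990, "tx_bytes": 1990},
        "POLICY_DETAILS": {"is_mitm": True, "policy_id": "policyUUID_1", "decision": "allow"},
        "REQUEST_PROPS": {"method": "POST", "uri": "https://example.com/",
                          "headers": {"scoped-csrf-token": "some-csrf-token-1", "user-agent": "ua"}},
    },
    {
        "DATASOURCE": "EgAccessLog",
        "TIMESTAMP": "2023-07-07 07:09:00.000 Z",
        "USER": {"uuid": "userUUID_1", "tags": {"user_risk": "high"}},
        "DATA_TRANSFER_INFO": {"rx_bytes": 500, "tx_bytes": 100},
        "POLICY_DETAILS": {"is_mitm": False, "policy_id": "policyUUID_2", "decision": "block"},
        "REQUEST_PROPS": {"method": "GET", "uri": "https://blocked.example.net/", "headers": {}},
    },
    {
        # Third-party API log in the same export stream; different shape, skipped below.
        "DATASOURCE": "OKTA",
        "TIMESTAMP": "2023-07-07 07:10:00.000 Z",
        "USER": {"uuid": "userUUID_2"},
    },
]


def parse_timestamp(ts):
    """Parse the export's 'YYYY-MM-DD HH:MM:SS.fff Z' string into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f Z").replace(tzinfo=timezone.utc)


def redact_headers(record):
    """Return a deep copy of a record with sensitive REQUEST_PROPS.headers values masked.

    The input is left untouched so the raw record can still be retained under
    stricter access controls if required.
    """
    out = json.loads(json.dumps(record))
    headers = out.get("REQUEST_PROPS", {}).get("headers", {})
    for name in list(headers):
        if name.lower() in SENSITIVE_HEADERS:
            headers[name] = "[REDACTED]"
    return out


def summarize_activity(records):
    """Aggregate EgAccessLog records per USER.uuid.

    Per user: bytes in each direction, request count, how many requests were
    TLS-intercepted (is_mitm), how many were not allowed by policy, and the
    first and last TIMESTAMP seen.
    """
    def new_bucket():
        return {"rx_bytes": 0, "tx_bytes": 0, "requests": 0, "mitm": 0,
                "not_allowed": 0, "first_seen": None, "last_seen": None}

    summary = defaultdict(new_bucket)
    for rec in records:
        if rec.get("DATASOURCE") != "EgAccessLog":
            continue  # OKTA, GSUITE, ... records carry different fields
        bucket = summary[rec["USER"]["uuid"]]
        xfer = rec.get("DATA_TRANSFER_INFO", {})
        bucket["rx_bytes"] += xfer.get("rx_bytes", 0)
        bucket["tx_bytes"] += xfer.get("tx_bytes", 0)
        bucket["requests"] += 1
        policy = rec.get("POLICY_DETAILS", {})
        bucket["mitm"] += 1 if policy.get("is_mitm") else 0
        bucket["not_allowed"] += 0 if policy.get("decision") == "allow" else 1
        ts = parse_timestamp(rec["TIMESTAMP"])
        if bucket["first_seen"] is None or ts < bucket["first_seen"]:
            bucket["first_seen"] = ts
        if bucket["last_seen"] is None or ts > bucket["last_seen"]:
            bucket["last_seen"] = ts
    return dict(summary)


if __name__ == "__main__":
    for user, stats in summarize_activity(SAMPLE_RECORDS).items():
        print(user, stats)
    print(json.dumps(redact_headers(SAMPLE_RECORDS[0])["REQUEST_PROPS"]["headers"]))
```

The summary keys per user are chosen for the example; the point is that is_mitm and decision live under POLICY_DETAILS and must be read from there, and that only EgAccessLog records have the DATA_TRANSFER_INFO and POLICY_DETAILS shape described above.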
Schema for Browser Log exports
A sample browser log record looks as follows:
{
  "BROWSER_TYPE": "chrome",
  "CLIENT_INFO": {
    "ip": "1.1.1.1"
  },
  "DEVICE": {
    "uuid": "device_uuid"
  },
  "HTTP_METHOD": "POST",
  "IS_BACKGROUND_REQUEST": true,
  "ORIGIN_URL": "https://chat.google.com",
  "RESOURCE_TYPE": "xmlhttprequest",
  "SESSION_ID": "session_id_1",
  "STATUS_CODE": 200,
  "TIMESTAMP": "2024-01-01 10:10:10.222 Z",
  "URL": "https://play.google.com/log",
  "URL_PROPS": {
    "classification": {
      "engines": {
        "dga": {
          "verdict": "clean"
        },
        "netify": {
          "categories": [
            {
              "category": "bandwidth_intensive",
              "confidence": 100,
              "message": "OS/Software Updates"
            }
          ],
          "verdict": "unknown"
        },
        "webroot": {
          "categories": [
            {
              "category": "productivity",
              "confidence": 93,
              "message": "Shopping"
            }
          ],
          "verdict": "clean"
        }
      },
      "resource": "play.google.com",
      "risk": 4,
      "verdict": "clean"
    },
    "host": {
      "fragment": null,
      "host": "play.google.com",
      "parameters": null,
      "path": "log",
      "port": null,
      "query": null,
      "scheme": "https"
    },
    "origin_domain": "google.com",
    "resource": "play.google.com",
    "tags": [
      "classification:os/software updates",
      "classification:shopping",
      "domain:google.com",
      "domain:play.google.com",
      "host:play.google.com",
      "webapp:google play"
    ],
    "webapp_name": "Google Play"
  },
  "USER": {
    "uuid": "user_uuid_1"
  }
}
Browser log JSON is composed of the following key-value pairs:
- BROWSER_TYPE (string)
  - Type of browser used (e.g., chrome, firefox).
- CLIENT_INFO (JSON object)
  - ip (string): IP address of the client.
- DEVICE (JSON object)
  - uuid (string): UUID of the client's device.
- HTTP_METHOD (string)
  - HTTP method used (e.g., GET, POST).
- IS_BACKGROUND_REQUEST (boolean)
  - Whether the request was triggered directly by the user (false) or was a background request issued by the page or browser (true).
- ORIGIN_URL (string)
  - URL of the origin (the page) from which the request was made.
- RESOURCE_TYPE (string)
  - Type of resource requested (e.g., xmlhttprequest).
- SESSION_ID (string)
  - UUID representing the client's session for this specific event.
- STATUS_CODE (integer)
  - HTTP status code returned for the request.
- TIMESTAMP (string)
  - UTC timestamp of the request, in the same YYYY-MM-DD HH:MM:SS.fff Z form as the user activity log (e.g., "2024-01-01 10:10:10.222 Z").
- URL (string)
  - URL of the request (e.g., https://play.google.com/log).
- URL_PROPS (JSON object)
  - Properties derived from the URL: classification (per-engine verdicts and categories with a confidence value, plus an overall verdict and numeric risk), host (the parsed URL components scheme, host, port, path, query, fragment and parameters, null where absent), origin_domain, resource, tags and webapp_name.
- USER (JSON object)
  - uuid (string): UUID of the user.
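As an added example (not code from the page or from Lacework), the following shows how to consume URL_PROPS.classification from browser log exports: it separates engines that returned a real detection from those that returned "unknown" (no opinion, which must neither count as a detection nor mask one from another engine), collects the per-engine categories, derives the effective port when host.port is null, and selects records for analyst review. The second sample record, the verdict string "malicious", and the risk threshold are assumptions for the example; the page documents neither the risk scale nor the full set of verdict values.

```python
from typing import Optional

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample records (not real export data). The first mirrors the
# page's sample; the second is an assumed hostile lookup using the verdict
# string "malicious", which the page does not document.
SAMPLE_BROWSER_LOGS = [
    {
        "URL": "https://play.google.com/log",
        "IS_BACKGROUND_REQUEST": True,
        "USER": {"uuid": "user_uuid_1"},
        "URL_PROPS": {
            "classification": {
                "engines": {
                    "dga": {"verdict": "clean"},
                    "netify": {"categories": [{"category": "bandwidth_intensive", "confidence": 100,
                                               "message": "OS/Software Updates"}], "verdict": "unknown"},
                    "webroot": {"categories": [{"category": "productivity", "confidence": 93,
                                                "message": "Shopping"}], "verdict": "clean"},
                },
                "resource": "play.google.com", "risk": 4, "verdict": "clean",
            },
            "host": {"fragment": None, "host": "play.google.com", "parameters": None, "path": "log",
                     "port": None, "query": None, "scheme": "https"},
            "resource": "play.google.com",
        },
    },
    {
        "URL": "https://cdn.example.net:8443/payload",
        "IS_BACKGROUND_REQUEST": False,
        "USER": {"uuid": "user_uuid_2"},
        "URL_PROPS": {
            "classification": {
                "engines": {
                    "dga": {"verdict": "clean"},
                    "webroot": {"categories": [{"category": "security", "confidence": 90,
                                                "message": "Malware Sites"}], "verdict": "malicious"},
                },
                "resource": "cdn.example.net", "risk": 9, "verdict": "malicious",
            },
            "host": {"fragment": None, "host": "cdn.example.net", "parameters": None, "path": "payload",
                     "port": 8443, "query": None, "scheme": "https"},
            "resource": "cdn.example.net",
        },
    },
]


def effective_port(host_props) -> Optional[int]:
    """URL_PROPS.host.port is null when the URL has no explicit port; fall back to the scheme default."""
    port = host_props.get("port")
    if port is not None:
        return int(port)
    return DEFAULT_PORTS.get(host_props.get("scheme"))


def triage_classification(url_props, risk_threshold):
    """Collapse the per-engine verdicts into one triage record with a list of reasons.

    'unknown' means the engine had no opinion; it is tracked separately and is
    not treated as clean. Anything other than clean/unknown is a detection.
    """
    cls = url_props.get("classification", {})
    engines = cls.get("engines", {})
    flagged, unknown, categories = [], [], []
    for name in sorted(engines):
        verdict = engines[name].get("verdict")
        if verdict == "unknown":
            unknown.append(name)
        elif verdict != "clean":
            flagged.append(name)
        for cat in engines[name].get("categories", []):
            categories.append((name, cat.get("category"), cat.get("message"), cat.get("confidence")))
    risk = cls.get("risk", 0)
    reasons = [f"engine:{n}" for n in flagged]
    if risk >= risk_threshold:
        reasons.append(f"risk:{risk}")
    if cls.get("verdict") not in ("clean", "unknown"):
        reasons.append(f"verdict:{cls.get('verdict')}")  # includes a missing overall verdict
    return {"resource": cls.get("resource") or url_props.get("resource"), "risk": risk,
            "flagged_engines": flagged, "unknown_engines": unknown,
            "categories": categories, "reasons": reasons}


def select_for_review(records, risk_threshold=7):
    """Return (URL, user uuid, effective port, reasons) for every record with at least one reason.

    The risk scale is not documented on the page, so the threshold is a
    tunable assumption rather than a vendor-defined cut-off.
    """
    selected = []
    for rec in records:
        props = rec.get("URL_PROPS", {})
        triage = triage_classification(props, risk_threshold)
        if triage["reasons"]:
            selected.append((rec["URL"], rec["USER"]["uuid"],
                             effective_port(props.get("host", {})), triage["reasons"]))
    return selected


if __name__ == "__main__":
    for hit in select_for_review(SAMPLE_BROWSER_LOGS):
        print(hit)
```

IS_BACKGROUND_REQUEST is carried through untouched here; whether a background request to a flagged destination is more or less interesting than a user-initiated one is a triage decision, not something the schema settles.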
Schema for Event exports
A single event log record might look like the following:
{
  "BYTES_IN": 0,
  "BYTES_OUT": 0,
  "CONNECTIONS": 0,
  "DEVICE_COUNT": 1,
  "DEVICE_TYPE": "macOS",
  "DEVICE_UUID": "deviceUUID_1",
  "DOCUMENT_TARGET_USER": {},
  "ENTITY_COUNT": 7,
  "EVENT_ID": 7777,
  "EVENT_TYPE": "WorkflowApproved",
  "FIRST_TIME_SEEN": "2023-07-07 07:07:07.125",
  "HAS_ALERT": false,
  "HOSTNAME": "example.atlassian.net",
  "HOSTNAME_COUNT": 1,
  "LAST_TIME_SEEN": "2023-07-07 07:07:07.605",
  "LOCATION": "California",
  "POLICY_UUID": "policyUUID_1",
  "PORT_COUNT": 0,
  "SEVERITY": 5,
  "SEVERITY_SCORE": 1,
  "SRC_IP": {
    "ipv4": "7.7.7.7"
  },
  "USER": {
    "uuid": "userUUID_1"
  },
  "USER_COUNT": 1,
  "WEB_APP": "access to JIRA",
  "WORKFLOW_RUN_UUID": "workflowRunUUID_1",
  "WORKFLOW_UUID": "workflowUUID_1"
}
Event JSON is composed of the following key-value pairs:
- BYTES_IN (integer)
  - Number of bytes received. Relevant for events or alerts about abnormal uploads/downloads.
- BYTES_OUT (integer)
  - Number of bytes transmitted. Relevant for events or alerts about abnormal uploads/downloads.
- CONNECTIONS (integer)
  - Number of connections. Relevant for events or alerts about an abnormal number of connections to an app or website.
- DEVICE_COUNT (integer)
  - Count of devices involved in the event.
- DEVICE_TYPE (string)
  - Type of device(s) involved in the event (e.g., "macOS").
- DEVICE_UUID (string)
  - UUID of the device involved in the event.
- DOCUMENT_TARGET_USER (JSON object)
  - Relevant to document sharing events: describes the user the document was shared with. Empty for other event types.
- ENTITY_COUNT (integer)
  - Count of entities involved in the event.
- EVENT_ID (integer)
  - Unique identifier of this event.
- EVENT_TYPE (string)
  - Type of event. In the sample, "WorkflowApproved" indicates a workflow approval event.
- FIRST_TIME_SEEN (string)
  - UTC timestamp when activity for the event was first seen (e.g., "2023-07-07 07:07:07.125"). Note that, unlike TIMESTAMP in the log schemas above, the sample value carries no trailing " Z".
- HAS_ALERT (boolean)
  - Indicates whether the event was severe or interesting enough to become an alert; true means an alert is present.
- HOSTNAME (string)
  - Hostname associated with the event.
- HOSTNAME_COUNT (integer)
  - Count of unique hostnames associated with the event.
- LAST_TIME_SEEN (string)
  - UTC timestamp when activity related to the event was last seen, in the same format as FIRST_TIME_SEEN.
- LOCATION (string)
  - Location associated with the event.
- POLICY_UUID (string)
  - UUID of the policy associated with the event.
- PORT_COUNT (integer)
  - Count of ports associated with the event.
- SEVERITY (integer)
  - Severity level of the event.
- SEVERITY_SCORE (integer)
  - Severity score of the event.
- SRC_IP (JSON object)
  - ipv4 (string): IPv4 address of the source of the event.
  - ipv6 (string): IPv6 address of the source of the event.
- USER (JSON object)
  - uuid (string): UUID of the user associated with the event.
- USER_COUNT (integer)
  - Count of users associated with the event.
- WEB_APP (string)
  - Web application relevant to the event.
- WORKFLOW_RUN_UUID (string)
  - UUID of the workflow run associated with the event. Relevant for workflow-related events.
- WORKFLOW_UUID (string)
  - UUID of the workflow associated with the event. Relevant for workflow-related events.
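As an added example, not code from the page or from Lacework, the following consumes event export records and handles the edge cases the schema implies: FIRST_TIME_SEEN/LAST_TIME_SEEN use a different timestamp format from the log schemas (no trailing " Z"), SRC_IP carries either an ipv4 or an ipv6 key, DOCUMENT_TARGET_USER is an empty object on events that are not document shares, and WORKFLOW_UUID is only meaningful on workflow events. The second sample event, its EVENT_TYPE name "LargeDownload", its IPv6-only source and its missing workflow fields are assumptions for the example, not values documented on the page.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (not real export data). The first mirrors the
# page's WorkflowApproved sample; the second is an assumed alerting download
# event. Its EVENT_TYPE name, IPv6-only SRC_IP and absent WORKFLOW_* fields are
# assumptions about non-workflow events.
SAMPLE_EVENTS = [
    {
        "BYTES_IN": 0, "BYTES_OUT": 0, "CONNECTIONS": 0,
        "DEVICE_COUNT": 1, "DEVICE_TYPE": "macOS", "DEVICE_UUID": "deviceUUID_1",
        "DOCUMENT_TARGET_USER": {},
        "ENTITY_COUNT": 7, "EVENT_ID": 7777, "EVENT_TYPE": "WorkflowApproved",
        "FIRST_TIME_SEEN": "2023-07-07 07:07:07.125", "LAST_TIME_SEEN": "2023-07-07 07:07:07.605",
        "HAS_ALERT": False, "HOSTNAME": "example.atlassian.net", "HOSTNAME_COUNT": 1,
        "LOCATION": "California", "POLICY_UUID": "policyUUID_1", "PORT_COUNT": 0,
        "SEVERITY": 5, "SEVERITY_SCORE": 1,
        "SRC_IP": {"ipv4": "7.7.7.7"}, "USER": {"uuid": "userUUID_1"}, "USER_COUNT": 1,
        "WEB_APP": "access to JIRA",
        "WORKFLOW_RUN_UUID": "workflowRunUUID_1", "WORKFLOW_UUID": "workflowUUID_1",
    },
    {
        "BYTES_IN": 734003200, "BYTES_OUT": 4096, "CONNECTIONS": 12,
        "DEVICE_COUNT": 1, "DEVICE_TYPE": "macOS", "DEVICE_UUID": "deviceUUID_1",
        "DOCUMENT_TARGET_USER": {},
        "ENTITY_COUNT": 1, "EVENT_ID": 7778, "EVENT_TYPE": "LargeDownload",
        "FIRST_TIME_SEEN": "2023-07-07 08:00:00.000", "LAST_TIME_SEEN": "2023-07-07 08:45:30.500",
        "HAS_ALERT": True, "HOSTNAME": "files.example.com", "HOSTNAME_COUNT": 1,
        "LOCATION": "California", "POLICY_UUID": "policyUUID_3", "PORT_COUNT": 1,
        "SEVERITY": 5, "SEVERITY_SCORE": 1,
        "SRC_IP": {"ipv6": "2001:db8::1"}, "USER": {"uuid": "userUUID_1"}, "USER_COUNT": 1,
        "WEB_APP": "file sharing",
    },
]


def parse_seen(ts):
    """FIRST/LAST_TIME_SEEN lack the trailing ' Z' that TIMESTAMP carries; they are
    documented as UTC, so the parsed value is given an explicit UTC tzinfo."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def event_window_seconds(event):
    """Seconds between the first and last activity attributed to the event."""
    return (parse_seen(event["LAST_TIME_SEEN"]) - parse_seen(event["FIRST_TIME_SEEN"])).total_seconds()


def source_ip(event) -> Optional[str]:
    """SRC_IP carries either an ipv4 or an ipv6 key; return whichever is present."""
    src = event.get("SRC_IP") or {}
    return src.get("ipv4") or src.get("ipv6")


def document_target(event) -> Optional[dict]:
    """DOCUMENT_TARGET_USER is an empty object on non-sharing events; normalise that to None."""
    return event.get("DOCUMENT_TARGET_USER") or None


def alerting_event_ids(events):
    """EVENT_IDs of events that were promoted to alerts (HAS_ALERT == true)."""
    return [e["EVENT_ID"] for e in events if e.get("HAS_ALERT")]


def group_by_workflow(events):
    """Map WORKFLOW_UUID -> list of EVENT_IDs; events without a workflow are left out."""
    groups = defaultdict(list)
    for e in events:
        wf = e.get("WORKFLOW_UUID")
        if wf:
            groups[wf].append(e["EVENT_ID"])
    return dict(groups)


def throughput_bytes_per_second(event) -> Optional[float]:
    """BYTES_IN + BYTES_OUT over the event window; None if the window is zero-length."""
    window = event_window_seconds(event)
    if window <= 0:
        return None
    return (event.get("BYTES_IN", 0) + event.get("BYTES_OUT", 0)) / window


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EVENT_ID"], e["EVENT_TYPE"], source_ip(e), event_window_seconds(e),
              throughput_bytes_per_second(e), document_target(e))
    print("alerts:", alerting_event_ids(SAMPLE_EVENTS))
    print("workflows:", group_by_workflow(SAMPLE_EVENTS))
```

SEVERITY and SEVERITY_SCORE are deliberately not interpreted here: the page gives no scale for either, so a consumer should take their meaning from the product documentation rather than guess a direction from the sample values.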