Skip to main content

Retrieving and Using Your Logs

Detailed guide to the format, structure, and usage of SurePath AI user activity logs

Updated over 4 months ago

Overview

SurePath AI seamlessly integrates with your preferred cloud file storage providers to deliver detailed User Activity logs. These logs are designed for easy integration with your SIEM or other log management and ingestion tools, enabling centralized monitoring and analysis.

The logs provide a comprehensive record of user interactions across various services, including policy enforcement outcomes, sensitive data handling events, user intents, and service responses. This rich data supports auditing, troubleshooting, and analysis, empowering your tools with insights for alerting, reporting, and incident response.

File Information

Retention

SurePath AI does not manage file deletion from your cloud storage. Ensure you implement cleanup procedures according to your organization’s data retention policies.

Output Frequency

User activity and related information are uploaded every 15 minutes into a new file.

File Naming Convention

Log file names clearly indicate the time range of the data they contain, formatted in Coordinated Universal Time (UTC/Zulu).

  • Example: 2024-12-10T16-48-29-028Z-2024-12-10T16-48-45-354Z.json

Data Visualization and Analysis with AWS QuickSight

For quick and easy data exploration and analysis of your log information, you could use AWS QuickSight. This business intelligence tool integrates seamlessly with your AWS environment and reduces effort when exploring the following:

  1. Quick Setup: AWS QuickSight can be easily connected to your data sources, allowing for rapid implementation and analysis.

  2. Interactive Dashboards: Create dynamic, interactive visualizations that help you identify trends and patterns in your consumption data.

  3. Ad-hoc Analysis: Perform on-the-fly queries and generate custom reports to address specific questions about your resource usage.

  4. Sharing and Collaboration: Share your dashboards and insights with team members, promoting collaborative decision-making.

Our team has tested AWS QuickSight and found it to be effective for quick analysis of your log data.

Format Example

  • Fully structured JSON, adhering to standard JSON syntax and conventions.

  • Each file contains an array of JSON objects.

  • Each object provides detailed logs of user activities and system interactions.

The accompanying graphic displays a modified version of the log file, with all but one JSON record collapsed for clarity. This highlights the structured nature of the data while demonstrating its organization and accessibility.

JSON Format (not all fields are present)

{
    "traceId": "70d80f3c-6947-47a5-bd8e-3cc77148438c",
    "serviceName": "SurePath AI",
    "messages": {
      "request": [{ "role": "user", "content": "What's the reporting structure of LucidWay?" }],
      "response": [
        {
          "role": "assistant",
          "content": "Lucid Way Financial has a hierarchical reporting structure. At the top is the Executive Leadership Team led by Alicia Rodriguez as the Chief Executive Officer (CEO)<sup>1</sup>. Directly reporting to the CEO are six C-suite executives: CFO, COO, CMO, CTO, CPO, and CRO<sup>1</sup>.\n\nBelow this executive level, the company is organized into departments, each led by one of the C-suite executives. For instance, the Finance Department is headed by Jessica Turner (CFO), the Operations Department by David Harris (COO), and so on<sup>1</sup>. Within each department, there are individual contributors or managers who report to their respective department heads. For example, Tim Walsh, a Senior Financial Analyst, reports to the CFO in the Finance Department<sup>1</sup>.\n\nThis structure suggests a clear chain of command, with information and decisions flowing up and down through the organizational hierarchy from the CEO to department heads and then to individual contributors/managers."
        }
      ]
    },
    "intent": {
      "request": [{ "action": "understand corporate reporting structure or roles", "role": "general" }]
    },
    "policyDecision": { "action": "intercept", "violations": { "sensitiveData": false, "access": false } },
    "risk": { "score": "low"},
    "user": { "name": "Maria Dyer", "email": "[email protected]" },
    "startTime": 1732654165947,
    "endTime": 1732654180843,
    "requestUrl": "https://edge-dev.api.surepath.ai/message/stream",
    "clientConnection": { "remoteAddr": {"ip":"172.70.126.80", "port": "51042"}, "xForwardedFor": "172.70.126.80" }
  }

JSON Fields

Field

Information

traceId

string (uuid)

(required) SurePath AI information used to identify sessions.

service

object

service.name

string

(required) The name of the service that provided the model response. Examples: SurePath AI, ChatGPT, Gemini

messages

object

(required)

messages.request[]

array

(required)

messages.request[].role

string (enum)

(required). Indicates what supplied the prompt sent to a model. Can be one of the following: user

messages.request[].content

string

(required) Input prompt. Detected PII data will be replaced with tags. Examples: Is this a valid [US_SSN]?, Who is [PERSON]?, What country is [IP_ADDRESS] in?

messages.request[].sensitiveDataDetections[]

array

(optional)

messages.request[].sensitiveDataDetections[].type

string

(required) The type(s) of sensitive data that was detected in the prompt. Example: US_SSN, PERSON, IP_ADDRESS

messages.response[]

array

(required)

messages.response[].role

string (enum)

(required) Indicates this is a model response. Can be one of the following: assistant

messages.response[].content

string

(required) The model response to the user.

intent

object

(required)

intent.request[]

array

(required)

intent.request[].action

string

(required)

intent.request[].role

string

(required)

policy

object

policy.decision

object

policy.decision.action

string (enum)

(required). The action taken per the policy applied to the user action. Can be one of the following: intercept, access, error, login

policy.decision.violations

object

policy.decision.violations.sensitiveData

boolean (true/false)

(required) Indicates whether sensitiveData was detected and factored into the policy decision.

policy.decision.violations.access

boolean (true/false)

(required) Indicates whether an access violation was detected and factored into the policy decision.

user

object

user.name

string

(optional) Name of the end user (from SCIM sync)

user.email

string

(required) Email address of the end user.

risk

object

risk.score

integer

(required)

request

object

request.url

string (url)

(required) The URL of the GenAI service that was requested.

request.startTime

integer (EpochMillis)

(required) The timestamp of when a request was received.

request.endTime

integer (EpochMillis)

(required) The timestamp of when a request was completed.

request.clientIP

object

request.clientIP.remoteAddr

object

(required)

request.clientIP.remoteAddr.ip

string

(required) Client IP address (End user address will be masked by proxy setups)

request.clientIP.remoteAddr.port

string

(required) Client source TCP port (End user address may be masked by proxy setups)

request.clientIP.xForwardedFor

string

(optional) A list of IP addresses from which a client has been forwarded through proxies

request.clientIP.xRealIp

string

(optional) The original client IP address and port

Related Articles
End User Guide
Exporting User Activity Logs
Did this answer your question?