Exporting User Activity logs

Explains manual CSV export with filters (date, user, service, violations, risk) and when to use automated telemetry (S3, Splunk, HTTPS) for production.

Updated over a month ago

SurePath AI supports two distinct methods for accessing User Activity logs, each designed for different use cases and operational requirements.

For organizations that need continuous, automated export of User Activity logs to external systems such as AWS S3 buckets, Splunk, or SIEM platforms, see the Configuring Telemetry Destinations documentation. Telemetry destinations provide real-time log delivery for long-term retention, compliance archiving, automated alerting, and enterprise-wide analytics. This is the recommended approach for production deployments that require comprehensive visibility into GenAI usage.

This document focuses on manual log exports through the SurePath AI admin interface. Manual exports enable admins to download filtered User Activity logs as CSV files for ad-hoc analysis, troubleshooting, or generating targeted reports. This method is ideal for investigating specific incidents, reviewing recent activity, analyzing individual user behavior, or creating one-time reports for stakeholders.

Prerequisites

To export User Activity logs manually, an account with admin access to the SurePath AI admin interface is required. No additional configuration or cloud permissions are required for manual downloads.

For automated telemetry export, see the Configuring Telemetry Destinations documentation for detailed prerequisites and configuration steps.

Exporting User Activity logs manually

The manual export feature enables admins to download filtered User Activity logs as a file for analysis, reporting, or offline review. The export process captures all log entries that match the currently applied filters, allowing admins to generate targeted exports that contain only relevant events.

Applying filters before export

Before exporting logs, admins should apply filters to narrow the results to the desired log entries. Filters help reduce the export file size and ensure that the downloaded data contains only relevant information for the intended analysis.

Available filters include date range, user or actor, destination service, policy decision, violations, risk level, and intent classification. Admins can combine multiple filters to create precise queries that match specific use cases, such as exporting all blocked requests in the past week or exporting all interactions with a specific GenAI service by a particular user.

To apply filters:

  • Click User Activity in the OBSERVE section

  • Click the filter icon or ADD FILTER button

  • Select the filter criteria from the available options

  • Enter or select the filter values

  • Click APPLY to update the log view with filtered results

  • Review the filtered results to confirm they match the intended export scope

The log table updates to show only entries that match the applied filters. Admins can add multiple filters to further refine the results before exporting.

Downloading the export file

Once the desired filters are applied and the log table shows the correct entries, admins can download the filtered logs as a CSV file.

To download User Activity logs:

  • Click User Activity in the OBSERVE section

  • Apply filters as needed to narrow the results

  • Click the EXPORT button in the top right of the page

  • Wait for the export to generate

  • The browser automatically downloads a CSV file containing the filtered log entries

The exported CSV file includes all log fields visible in the User Activity table, along with additional metadata fields. The file name includes a timestamp indicating when the export was generated.

Understanding the export file format

The manual export generates a CSV (comma-separated values) file that can be opened in spreadsheet applications such as Microsoft Excel, Google Sheets, or Apple Numbers. The file contains one row per log entry, with columns representing different log fields.

Common fields in the export include timestamp, user email, user name, destination service, policy decision, violations, risk scores, intent classifications, and message content. The exact fields may vary based on the event type and policy configuration.

Organizations can import the CSV file into analysis tools, data visualization platforms, or custom applications for further processing. The CSV format provides a simple, widely compatible format for offline analysis and reporting.
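As an added example (not SurePath AI code), the following Python sketch shows one way a custom application could triage an export: it counts blocked requests per user and service, then writes a copy in which cells that begin with a formula character are forced to plain text before the file is opened in a spreadsheet. The column names, the "blocked" value, and the sample rows are assumptions constructed for illustration; check them against the header row of a real export.

```python
import csv
import io
from collections import Counter

# Column names and the "blocked" value are assumptions for illustration;
# check them against the header row of a real export.
COL_USER = "user_email"
COL_SERVICE = "destination_service"
COL_DECISION = "policy_decision"
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export (not real data). Message content may contain
# commas, quotes and newlines, so it must be parsed with a CSV parser.
SAMPLE_EXPORT = '''timestamp,user_email,destination_service,policy_decision,message_content
2024-05-01T09:00:00Z,alice@example.com,service-a,allowed,"Summarise this memo, please"
2024-05-01T09:05:00Z,bob@example.com,service-a,blocked,"=1+1"
2024-05-01T09:07:00Z,bob@example.com,service-b,blocked,"line one
line two"
'''

def read_rows(csv_text):
    """Parse the export into a list of dicts, honouring quoted fields."""
    return list(csv.DictReader(io.StringIO(csv_text, newline="")))

def blocked_by_user(rows):
    """Count blocked requests per (user, service) pair."""
    return Counter(
        (r[COL_USER], r[COL_SERVICE])
        for r in rows
        if r[COL_DECISION].strip().lower() == "blocked"
    )

def neutralise(value):
    """Prefix a quote so spreadsheets treat the cell as text, not a formula."""
    return "'" + value if value.startswith(FORMULA_PREFIXES) else value

def to_spreadsheet_safe_csv(rows):
    """Re-serialise rows with every cell neutralised for spreadsheet use."""
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    for r in rows:
        writer.writerow({k: neutralise(v) for k, v in r.items()})
    return out.getvalue()

if __name__ == "__main__":
    rows = read_rows(SAMPLE_EXPORT)
    print(blocked_by_user(rows))
    print(to_spreadsheet_safe_csv(rows))
```

Keep the original download unmodified for evidentiary purposes and run analysis on the neutralised copy only.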

Automated telemetry export for production deployments

Organizations that require continuous, automated export of User Activity logs should configure telemetry destinations rather than relying on manual exports. Telemetry destinations provide several advantages over manual exports, including real-time or near-real-time delivery, automatic export every 15 minutes, support for multiple destination types, comprehensive event data in structured JSON format, and no need for manual intervention.

Telemetry destinations support AWS S3 buckets for long-term storage and analytics, Splunk HEC indexes for SIEM integration and real-time monitoring, and generic HTTPS endpoints for custom integrations with third-party platforms. Organizations can configure multiple destinations simultaneously to send logs to different systems for different purposes.

For complete instructions on configuring automated telemetry export including AWS connector setup, Splunk HEC token creation, and HTTPS endpoint configuration, see the Configuring Telemetry Destinations documentation.
