Overview
SurePath AI seamlessly integrates with your preferred cloud file storage providers to deliver detailed User Activity logs and Administrative audit trail events. These logs are designed for easy integration with your SIEM or other log management and ingestion tools, enabling centralized monitoring and analysis.
The logs provide a comprehensive record of user interactions across various services, including policy enforcement outcomes, sensitive data handling events, user intents, service responses, and risk assessments. This rich data supports auditing, troubleshooting, and analysis, empowering your tools with insights for alerting, reporting, and incident response.
To configure where these logs are delivered, see Configuring telemetry destinations.
File information
Retention
SurePath AI does not manage file deletion from your cloud storage. Ensure your organization implements cleanup procedures according to its data retention policies.
Output frequency
User activity and related information are uploaded every 15 minutes into new files.
File naming convention and directory structure
Log files are organized in a hierarchical directory structure based on UTC timestamps and use clear naming to indicate the time range of the data they contain.
Directory structure:
User Events: surepath-ai/user-events/v2/YYYY/MM/DD/HH/
Audit Events: surepath-ai/audit-events/v1/YYYY/MM/DD/HH/
Files are partitioned by UTC hour, making it easy to locate events from specific time periods. If your organization has configured a custom bucket key prefix, it will be prepended to this path.
File naming pattern: <start-timestamp>-<end-timestamp>-part-<number>.ndjson.gz
Each file name includes:
Start timestamp: The earliest event timestamp in the file
End timestamp: The latest event timestamp in the file
Part number: A zero-padded six-digit chunk identifier (e.g.,
part-000001)
Example path: surepath-ai/user-events/v2/2025/10/09/15/2025-10-09T15-07-57-875Z-2025-10-09T15-08-45-123Z-part-000001.ndjson.gz
File format and compression
Files are delivered in NDJSON (newline-delimited JSON) format, where each line represents a single JSON event object. This format enables efficient streaming and processing of large datasets.
All files are compressed using gzip compression to reduce storage costs and transfer times. Files are automatically chunked into parts of up to 10,000 lines each to maintain optimal file sizes for processing.
Log format
The log format of User Events and Audit events consist of NDJSON, adhering to standard JSON syntax and conventions. Each line in the file represents a complete JSON object containing detailed logs of user activities and system interactions.
Example of a single event entry:
{ "event": { "id": "evt-123", "category": "user", "type": "intercept", "action": "allow", "schema_version": "v2.0.1", "timestamp": "2025-10-09T15:07:57.875Z", "trace_id": "abc123" }, "destination": { "name": "ChatGPT" }, "actor": { "name": "Jane Doe", "email": "[email protected]", "type": "user" }, "http": { "url": "https://api.example.com/intercept", "user_agent": "Mozilla/5.0" }, "network": { "remote_ip": "203.0.113.10", "remote_port": "443", "internal_ip": "10.0.0.5", "x_forwarded_for": "203.0.113.10" }, "policy": { "decision": "allow", "violations": { "access": false, "pii": false, "intent": false, "confidential_data": false, "prompt_injection": false, "toxicity": false, "code": false, "bias": false, "risk": false } }, "conversation": { "id": "conv-1" }, "messages": { "input": [ { "role": "user", "content": "Create a social media post about our new feature" } ], "output": [ { "role": "assistant", "content": "Here's a draft post..." } ] }, "intent": { "domain": "Marketing", "action": "create social media post" }, "risk": { "overall": "medium", "destination": "low", "input": { "overall": "medium", "intent": "low", "data_sensitivity": "internal", "data_exposure_impact": "medium", "harmful_content": "low", "prompt_injection": "low" }, "output": { "overall": "low", "harmful_content": "low", "bias": "low" } }, "detections": [ { "type": "pii", "name": "person_name", "action": "mask" } ], "gen_ai": { "model_name": "gpt-4o", "model_id": "gpt-4o-2024-06", "assistant_name": "Analyst", "token_count": { "input": 125, "output": 98 } }, "timing": { "downstream_start": "2025-10-09T15:07:57.900Z", "downstream_end": "2025-10-09T15:07:58.100Z" }}
User Events - JSON field descriptions
The following tables describe the structure and fields available in the telemetry schema. Not all fields are present in every event.
Event metadata
Field | Type | Description |
| object | Event identity, classification, and timing |
| string | Unique event identifier |
| string | Event category (e.g., user, audit, network) |
| string | Event type (e.g., intercept, access, internal) |
| string | Event action (e.g., allow, block, redirect, redact, login, error) |
| string | Full schema version string (e.g., v2.0.1) |
| string | URL where the schema can be referenced |
| string | ISO 8601 UTC timestamp |
| string (uuid) | Correlation identifier for the event that can be provided to SurePath AI support for investigation |
Destination
Field | Type | Description |
| object | Information about the destination service |
| string | Destination service name from the Public Service Catalog |
Actor
Field | Type | Description |
| object | Actor (user or app) associated with the event |
| string | Actor name |
| string | Actor email address |
| string | Actor type (e.g., user, app) |
HTTP and network
Field | Type | Description |
| object | HTTP request information |
| string | Request URL |
| string | User agent string |
| object | Network connection information |
| string | Remote address IP |
| string | Remote address port |
| string | Internal IP address |
| string | X-Forwarded-For header value indicating IP addresses from which a client has been forwarded through proxies |
Policy decision
Field | Type | Description |
| object | Policy decision and violation information |
| string | Policy decision (e.g., allow, block, redirect, redact) |
| object | Violation flags |
| boolean | Access violation detected |
| boolean | PII violation detected |
| boolean | Intent violation detected |
| boolean | Confidential data violation detected |
| boolean | Prompt injection violation detected |
| boolean | Toxicity violation detected |
| boolean | Code-sharing violation detected |
| boolean | Bias violation detected |
| boolean | Risk policy violation detected |
Conversation and messages
Field | Type | Description |
| object | Conversation context |
| string | Conversation identifier |
| object | Input/output message content captured for the event |
| array | Array of input message items |
| string | Message role (e.g., user, assistant, system) |
| string | Message text content. Detected PII data may be replaced with tags (e.g., [PERSON], [US_SSN]) |
| array | Array of output message items with the same shape as input |
Intent classification
Field | Type | Description |
| object | High-level domain and action classification |
| string | Domain classification (e.g., Human Resources, IT, Finance, Marketing) |
| string | Action classification (e.g., generate, execute, analyze, create) |
Risk assessment
Field | Type | Description |
| object | Risk assessment across overall, input, output, and destination |
| string | Overall risk rating (low, medium, high) |
| string | Destination-specific risk rating (low, medium, high) |
| object | Input risk assessment |
| string | Overall input risk rating (low, medium, high) |
| string | Input intent risk (low, medium, high) |
| string | Data sensitivity level (unknown, public, internal, confidential, critical) |
| string | Potential impact if data were exposed (low, medium, high) |
| string | Harmful content risk (low, medium, high) |
| string | Prompt injection risk (low, medium, high) |
| object | Output risk assessment |
| string | Overall output risk rating (low, medium, high) |
| string | Harmful content risk (low, medium, high) |
| string | Bias risk (low, medium, high) |
Detections
Field | Type | Description |
| array | Detection results associated with the event |
| string | Detection type (e.g., pii, code, intent) |
| string | Detection name (e.g., person_name, code_block, custom intent) |
| string | Detection action taken (e.g., mask, delete, block) |
Generative AI metadata
Field | Type | Description |
| object | Generative AI metadata for the event |
| string | Model name |
| string | Model identifier |
| string | Assistant name |
| object | Token usage information |
| integer | Input token count |
| integer | Output token count |
Timing and errors
Field | Type | Description |
| object | The start and end timestamps for request processing |
| string | Downstream processing start timestamp (ISO 8601 UTC) |
| string | Downstream processing end timestamp (ISO 8601 UTC) |
| object | Error context for the event |
| string | Error type (e.g., service-error, subscription-expired, maintenance) |
Audit Events - JSON field descriptions
The following tables describe the structure and fields available in the audit trail schema. Audit trail events record administrative actions or system events performed within the SurePath AI platform. Not all fields are present in every event.
Event metadata
Field | Type | Description |
| string | Unique event identifier |
| string | Administrative action performed (e.g., upload, read) |
| string | Event category (e.g., audit) |
| string | ISO 8601 UTC timestamp of when the action occurred |
| string | Type of administrative action (e.g., audit-event-sync, Partial Conversation, Full Conversation) |
| string | Human-readable description of the administrative action |
| string | Organization identifier |
| string | Schema version (e.g., v1) |
Resource
Field | Type | Description |
| string | Identifier of the resource the administrator acted upon |
| string | Name of the resource the administrator acted upon |
Actor
Field | Type | Description |
| object | Administrator who performed the action |
| boolean | Whether the administrator's identity was assumed (impersonated) |
| string | Administrator's email address |
| string | Administrator's display name |
| string | Administrator's organization identifier |
| string | Administrator's user identifier |
Additional properties
Field | Type | Description |
| object | Supplemental context for the administrative action |
| object | End user who owns the resource being accessed by the administrator |
| string | Resource owner's user identifier |
| string | Resource owner's display name |
| string | Resource owner's email address |
Migrating to a newer version of the schema
To migrate to a newer version of the schema a new Telemetry Destination must be added. Previous Telemetry Destinations with older versions of the schema will continue to function while customers integrate the new schema into their telemetry destination.
For AWS S3 Buckets customers can use the same connector and bucket name in the new Telemetry Destination as newer schemas contain different prefixes allowing two versions of schema to be written to the same location. Other telemetry connectors' functionality may differ.
When the newer schema integration is validated, the previous Telemetry Destination can be disabled and then eventually deleted.
Legacy V1 schema (Deprecated)
The information below describes the legacy V1 schema format. New telemetry destinations automatically use the latest V2 schema described above. Existing destinations using V1 continue to operate with their configured version.
V1 file information
V1 file information
Directory structure: user-events/
V1 uses a flat directory structure without hierarchical date-based partitioning. If your organization has configured a custom bucket key prefix, it will be prepended to this path.
File naming pattern: <start-timestamp>-<end-timestamp>.json
Each file name includes the earliest and latest event timestamps in the file using ISO 8601 UTC format.
Example path: user-events/2024-12-10T16-48-29-028Z-2024-12-10T16-48-45-354Z.json
V1 file format
Files are delivered as a single JSON array containing multiple event objects. V1 files are not compressed and do not use chunking. Each file contains a complete JSON array with all events from the 15-minute export window.
V1 format example
[ { "traceId": "d1a2b3c4", "serviceName": "ChatGPT", "messages": { "request": [{ "role": "user", "content": "Summarize quarterly results" }], "response": [{ "role": "assistant", "content": "Here is a summary..." }] }, "intent": { "request": [{ "action": "Create social media post", "role": "Marketing" }] }, "sensitiveData": { "request": { "action": "mask" } }, "policyDecision": { "action": "allow", "code": "P200", "violations": { "sensitiveData": false, "access": false } }, "firewallDecision": { "target": { "name": "Engineering (gpt-4o)" } }, "user": { "name": "Jane Doe", "email": "[email protected]" }, "userAgent": "Mozilla/5.0", "clientIp": { "remoteIp": "203.0.113.10", "remotePort": "443", "xForwardedFor": "203.0.113.10" }, "startTime": 1733246296533, "endTime": 1733246335420, "duration": "00:00:39.887", "requestUrl": "https://api.example.com/analyze" }]
V1 JSON fields
Field
Type
Description
traceId
string (uuid)
Correlation identifier for the event used to trace requests across systems that can be provided to SurePath AI support for investigation
serviceName
string
Name of the destination service name from the Public Service Catalog
messages
object
Input/output message content for the event
messages.request[]
array
Array of message items
messages.request[].role
string
Message role (e.g., user, assistant, system)
messages.request[].content
string
Message text content
messages.response[]
array
Array of message items with the same shape as request
intent
object
Detected user intent information
intent.request[]
array
Array of intent entries
intent.request[].action
string
Intent action label
intent.request[].role
string
Role associated with the intent
sensitiveData
object
Sensitive data handling outcome for the request
sensitiveData.request
object
Sensitive data request details
sensitiveData.request.action
string
Sensitive data action taken (e.g., delete, mask, synthesize, tag)
policyDecision
object
Decision and metadata from the policy engine
policyDecision.action
string
Policy decision action (e.g., allow)
policyDecision.code
string
Policy decision code for categorization that can be provided to SurePath AI support for investigation
policyDecision.violations
object
Violation flags
policyDecision.violations.sensitiveData
boolean
Indicates a sensitive data violation
policyDecision.violations.access
boolean
Indicates an access violation
firewallDecision
object
Model routing decision details
firewallDecision.target
object
Target model information
firewallDecision.target.name
string
Selected target/model name as defined by admins in the SurePath AI console
user
object
Actor identifiers
user.name
string
End-user display name
user.email
string
End-user email address
userAgent
string
Client user agent string
clientIp
object
Client network identifiers
clientIp.remoteIp
string
Remote address IP
clientIp.remotePort
string
Remote address port
clientIp.xForwardedFor
string
X-Forwarded-For header value
startTime
integer
Millisecond epoch when processing started
endTime
integer
Millisecond epoch when processing ended
duration
string
Duration of processing (formatted as HH:MM:SS.mmm)
requestUrl
string
Full request URL