Overview
SurePath AI seamlessly integrates with your preferred cloud file storage providers to deliver detailed User Activity logs. These logs are designed for easy integration with your SIEM or other log management and ingestion tools, enabling centralized monitoring and analysis.
The logs provide a comprehensive record of user interactions across various services, including policy enforcement outcomes, sensitive data handling events, user intents, service responses, and risk assessments. This rich data supports auditing, troubleshooting, and analysis, empowering your tools with insights for alerting, reporting, and incident response.
To configure where these logs are delivered, see Configuring telemetry destinations.
File information
Retention
SurePath AI does not manage file deletion from your cloud storage. Ensure your organization implements cleanup procedures according to its data retention policies.
Output frequency
User activity and related information are uploaded every 15 minutes into new files.
File naming convention and directory structure
Log files are organized in a hierarchical directory structure based on UTC timestamps and use clear naming to indicate the time range of the data they contain.
Directory structure: surepath-ai/user-events/v2/YYYY/MM/DD/HH/
Files are partitioned by UTC hour, making it easy to locate events from specific time periods. If your organization has configured a custom bucket key prefix, it will be prepended to this path.
File naming pattern: <start-timestamp>-<end-timestamp>-part-<number>.ndjson.gz
Each file name includes:
Start timestamp: The earliest event timestamp in the file
End timestamp: The latest event timestamp in the file
Part number: A zero-padded six-digit chunk identifier (e.g.,
part-000001)
Example path: surepath-ai/user-events/v2/2025/10/09/15/2025-10-09T15-07-57-875Z-2025-10-09T15-08-45-123Z-part-000001.ndjson.gz
File format and compression
Files are delivered in NDJSON (newline-delimited JSON) format, where each line represents a single JSON event object. This format enables efficient streaming and processing of large datasets.
All files are compressed using gzip compression to reduce storage costs and transfer times. Files are automatically chunked into parts of up to 10,000 lines each to maintain optimal file sizes for processing.
Format example
The log format consists of NDJSON, adhering to standard JSON syntax and conventions. Each line in the file represents a complete JSON object containing detailed logs of user activities and system interactions.
{ "event": { "id": "evt-123", "category": "user", "type": "intercept", "action": "allow", "schema_version": "v2.0.1", "timestamp": "2025-10-09T15:07:57.875Z", "trace_id": "abc123" }, "destination": { "name": "ChatGPT" }, "actor": { "name": "Jane Doe", "email": "[email protected]", "type": "user" }, "http": { "url": "https://api.example.com/intercept", "user_agent": "Mozilla/5.0" }, "network": { "remote_ip": "203.0.113.10", "remote_port": "443", "internal_ip": "10.0.0.5", "x_forwarded_for": "203.0.113.10" }, "policy": { "decision": "allow", "violations": { "access": false, "pii": false, "intent": false, "confidential_data": false, "prompt_injection": false, "toxicity": false, "code": false, "bias": false, "risk": false } }, "conversation": { "id": "conv-1" }, "messages": { "input": [ { "role": "user", "content": "Create a social media post about our new feature" } ], "output": [ { "role": "assistant", "content": "Here's a draft post..." } ] }, "intent": { "domain": "Marketing", "action": "create social media post" }, "risk": { "overall": "medium", "destination": "low", "input": { "overall": "medium", "intent": "low", "data_sensitivity": "internal", "data_exposure_impact": "medium", "harmful_content": "low", "prompt_injection": "low" }, "output": { "overall": "low", "harmful_content": "low", "bias": "low" } }, "detections": [ { "type": "pii", "name": "person_name", "action": "mask" } ], "gen_ai": { "model_name": "gpt-4o", "model_id": "gpt-4o-2024-06", "assistant_name": "Analyst", "token_count": { "input": 125, "output": 98 } }, "timing": { "downstream_start": "2025-10-09T15:07:57.900Z", "downstream_end": "2025-10-09T15:07:58.100Z" }}
JSON fields
The following tables describe the structure and fields available in the telemetry schema. Not all fields are present in every event.
Event metadata
Field
Type
Description
event
object
Event identity, classification, and timing
event.id
string
Unique event identifier
event.category
string
Event category (e.g., user, audit, network)
event.type
string
Event type (e.g., intercept, access, internal)
event.action
string
Event action (e.g., allow, block, redirect, redact, login, error)
event.schema_version
string
Full schema version string (e.g., v2.0.1)
event.schema_url
string
URL where the schema can be referenced
event.timestamp
string
ISO 8601 UTC timestamp
event.trace_id
string (uuid)
Correlation identifier for the event that can be provided to SurePath AI support for investigation
Destination
Field
Type
Description
destination
object
Information about the destination service
destination.name
string
Destination service name from the Public Service Catalog
Actor
Field
Type
Description
actor
object
Actor (user or app) associated with the event
actor.name
string
Actor name
actor.email
string
Actor email address
actor.type
string
Actor type (e.g., user, app)
HTTP and network
Field
Type
Description
http
object
HTTP request information
http.url
string
Request URL
http.user_agent
string
User agent string
network
object
Network connection information
network.remote_ip
string
Remote address IP
network.remote_port
string
Remote address port
network.internal_ip
string
Internal IP address
network.x_forwarded_for
string
X-Forwarded-For header value indicating IP addresses from which a client has been forwarded through proxies
Policy decision
Field
Type
Description
policy
object
Policy decision and violation information
policy.decision
string
Policy decision (e.g., allow, block, redirect, redact)
policy.violations
object
Violation flags
policy.violations.access
boolean
Access violation detected
policy.violations.pii
boolean
PII violation detected
policy.violations.intent
boolean
Intent violation detected
policy.violations.confidential_data
boolean
Confidential data violation detected
policy.violations.prompt_injection
boolean
Prompt injection violation detected
policy.violations.toxicity
boolean
Toxicity violation detected
policy.violations.code
boolean
Code-sharing violation detected
policy.violations.bias
boolean
Bias violation detected
policy.violations.risk
boolean
Risk policy violation detected
Conversation and messages
Field
Type
Description
conversation
object
Conversation context
conversation.id
string
Conversation identifier
messages
object
Input/output message content captured for the event
messages.input[]
array
Array of input message items
messages.input[].role
string
Message role (e.g., user, assistant, system)
messages.input[].content
string
Message text content. Detected PII data may be replaced with tags (e.g., [PERSON], [US_SSN])
messages.output[]
array
Array of output message items with the same shape as input
Intent classification
Field
Type
Description
intent
object
High-level domain and action classification
intent.domain
string
Domain classification (e.g., Human Resources, IT, Finance, Marketing)
intent.action
string
Action classification (e.g., generate, execute, analyze, create)
Risk assessment
Field
Type
Description
risk
object
Risk assessment across overall, input, output, and destination
risk.overall
string
Overall risk rating (low, medium, high)
risk.destination
string
Destination-specific risk rating (low, medium, high)
risk.input
object
Input risk assessment
risk.input.overall
string
Overall input risk rating (low, medium, high)
risk.input.intent
string
Input intent risk (low, medium, high)
risk.input.data_sensitivity
string
Data sensitivity level (unknown, public, internal, confidential, critical)
risk.input.data_exposure_impact
string
Potential impact if data were exposed (low, medium, high)
risk.input.harmful_content
string
Harmful content risk (low, medium, high)
risk.input.prompt_injection
string
Prompt injection risk (low, medium, high)
risk.output
object
Output risk assessment
risk.output.overall
string
Overall output risk rating (low, medium, high)
risk.output.harmful_content
string
Harmful content risk (low, medium, high)
risk.output.bias
string
Bias risk (low, medium, high)
Detections
Field
Type
Description
detections[]
array
Detection results associated with the event
detections[].type
string
Detection type (e.g., pii, code, intent)
detections[].name
string
Detection name (e.g., person_name, code_block, custom intent)
detections[].action
string
Detection action taken (e.g., mask, delete, block)
Generative AI metadata
Field
Type
Description
gen_ai
object
Generative AI metadata for the event
gen_ai.model_name
string
Model name
gen_ai.model_id
string
Model identifier
gen_ai.assistant_name
string
Assistant name
gen_ai.token_count
object
Token usage information
gen_ai.token_count.input
integer
Input token count
gen_ai.token_count.output
integer
Output token count
Timing and errors
Field
Type
Description
timing
object
The start and end timestamps for request processing
timing.downstream_start
string
Downstream processing start timestamp (ISO 8601 UTC)
timing.downstream_end
string
Downstream processing end timestamp (ISO 8601 UTC)
error
object
Error context for the event
error.type
string
Error type (e.g., service-error, subscription-expired, maintenance)
Migrating to a newer version of the schema
To migrate to a newer version of the schema a new Telemetry Destination must be added. Previous Telemetry Destinations with older versions of the schema will continue to function while customers integrate the new schema into their telemetry destination.
For AWS S3 Buckets customers can use the same connector and bucket name in the new Telemetry Destination as newer schemas contain different prefixes allowing two versions of schema to be written to the same location. Other telemetry connectors' functionality may differ.
When the newer schema integration is validated, the previous Telemetry Destination can be disabled and then eventually deleted.
Legacy schema (V1)
The information below describes the legacy V1 schema format. New telemetry destinations automatically use the latest V2 schema described above. Existing destinations using V1 continue to operate with their configured version.
V1 file information
Directory structure: user-events/
V1 uses a flat directory structure without hierarchical date-based partitioning. If your organization has configured a custom bucket key prefix, it will be prepended to this path.
File naming pattern: <start-timestamp>-<end-timestamp>.json
Each file name includes the earliest and latest event timestamps in the file using ISO 8601 UTC format.
Example path: user-events/2024-12-10T16-48-29-028Z-2024-12-10T16-48-45-354Z.json
V1 file format
Files are delivered as a single JSON array containing multiple event objects. V1 files are not compressed and do not use chunking. Each file contains a complete JSON array with all events from the 15-minute export window.
V1 format example
[ { "traceId": "d1a2b3c4", "serviceName": "ChatGPT", "messages": { "request": [{ "role": "user", "content": "Summarize quarterly results" }], "response": [{ "role": "assistant", "content": "Here is a summary..." }] }, "intent": { "request": [{ "action": "Create social media post", "role": "Marketing" }] }, "sensitiveData": { "request": { "action": "mask" } }, "policyDecision": { "action": "allow", "code": "P200", "violations": { "sensitiveData": false, "access": false } }, "firewallDecision": { "target": { "name": "Engineering (gpt-4o)" } }, "user": { "name": "Jane Doe", "email": "[email protected]" }, "userAgent": "Mozilla/5.0", "clientIp": { "remoteIp": "203.0.113.10", "remotePort": "443", "xForwardedFor": "203.0.113.10" }, "startTime": 1733246296533, "endTime": 1733246335420, "duration": "00:00:39.887", "requestUrl": "https://api.example.com/analyze" }]
V1 JSON fields
Field
Type
Description
traceId
string (uuid)
Correlation identifier for the event used to trace requests across systems that can be provided to SurePath AI support for investigation
serviceName
string
Name of the destination service name from the Public Service Catalog
messages
object
Input/output message content for the event
messages.request[]
array
Array of message items
messages.request[].role
string
Message role (e.g., user, assistant, system)
messages.request[].content
string
Message text content
messages.response[]
array
Array of message items with the same shape as request
intent
object
Detected user intent information
intent.request[]
array
Array of intent entries
intent.request[].action
string
Intent action label
intent.request[].role
string
Role associated with the intent
sensitiveData
object
Sensitive data handling outcome for the request
sensitiveData.request
object
Sensitive data request details
sensitiveData.request.action
string
Sensitive data action taken (e.g., delete, mask, synthesize, tag)
policyDecision
object
Decision and metadata from the policy engine
policyDecision.action
string
Policy decision action (e.g., allow)
policyDecision.code
string
Policy decision code for categorization that can be provided to SurePath AI support for investigation
policyDecision.violations
object
Violation flags
policyDecision.violations.sensitiveData
boolean
Indicates a sensitive data violation
policyDecision.violations.access
boolean
Indicates an access violation
firewallDecision
object
Model routing decision details
firewallDecision.target
object
Target model information
firewallDecision.target.name
string
Selected target/model name as defined by admins in the SurePath AI console
user
object
Actor identifiers
user.name
string
End-user display name
user.email
string
End-user email address
userAgent
string
Client user agent string
clientIp
object
Client network identifiers
clientIp.remoteIp
string
Remote address IP
clientIp.remotePort
string
Remote address port
clientIp.xForwardedFor
string
X-Forwarded-For header value
startTime
integer
Millisecond epoch when processing started
endTime
integer
Millisecond epoch when processing ended
duration
string
Duration of processing (formatted as HH:MM:SS.mmm)
requestUrl
string
Full request URL