Overview
SurePath AI integrates with your cloud file storage provider to deliver detailed User Activity logs and Administrative audit trail events. The logs are written in a form that is easy to ingest into your SIEM or other log management tools, enabling centralized monitoring and analysis.
The logs provide a comprehensive record of user interactions across services, including policy enforcement outcomes, sensitive data handling events, user intents, service responses, and risk assessments. This data supports auditing, troubleshooting, and analysis, and gives your tooling the context it needs for alerting, reporting, and incident response.
To configure where these logs are delivered, see Configuring telemetry destinations.
File information
Retention
SurePath AI does not delete files from your cloud storage. Ensure your organization implements cleanup procedures according to its data retention policies. Because the files contain user identities, client IP addresses and (possibly masked) message content, apply access controls and retention to the bucket as you would for any other sensitive log source.
Output frequency
User activity and related events are exported every 15 minutes; each export writes new files rather than appending to existing ones.
File naming convention and directory structure
Log files are organized in a hierarchical directory structure based on UTC timestamps and use clear naming to indicate the time range of the data they contain.
Directory structure:
User Events: surepath-ai/user-events/v2/YYYY/MM/DD/HH/
Audit Events: surepath-ai/audit-events/v1/YYYY/MM/DD/HH/
Files are partitioned by UTC hour, making it easy to locate events from specific time periods. If your organization has configured a custom bucket key prefix, it is prepended to this path, so key matching in ingestion tooling should anchor on the surepath-ai/ segment rather than on the bucket root.
File naming pattern: <start-timestamp>-<end-timestamp>-part-<number>.ndjson.gz
Each file name includes:
Start timestamp: The earliest event timestamp in the file
End timestamp: The latest event timestamp in the file
Part number: A zero-padded six-digit chunk identifier (e.g., part-000001)
Timestamps in file names are ISO 8601 UTC with the ':' and '.' separators replaced by '-', so the event timestamp 2025-10-09T15:07:57.875Z appears in a file name as 2025-10-09T15-07-57-875Z; convert them back before comparing against event timestamps.
Example path: surepath-ai/user-events/v2/2025/10/09/15/2025-10-09T15-07-57-875Z-2025-10-09T15-08-45-123Z-part-000001.ndjson.gz
File format and compression
Files are delivered in NDJSON (newline-delimited JSON) format, where each line represents a single JSON event object. This format enables efficient streaming and processing of large datasets.
All files are gzip-compressed to reduce storage cost and transfer time. Files are chunked into parts of at most 10,000 lines each to keep individual files at a manageable size, so a single export window may produce several part files.
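As an added example (editor's code, not SurePath AI's), the following Python parses object keys of the form described above, restores the file-name timestamps to ISO 8601, orders parts for replay, and streams the gzipped NDJSON body while checking the documented 10,000-line chunk size. The bucket prefix acme/, the sample keys and the in-memory gzip payload are constructed for illustration.

```python
"""Locate and read SurePath AI v2 export files.

Editor-added example, not SurePath AI code. It parses the object key layout
and file naming pattern described on this page and streams the gzipped NDJSON
body. The "acme/" prefix, the sample keys and the gzipped payload are
constructed for illustration.
"""
import gzip
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_LINES_PER_PART = 10_000  # documented chunk size

# File-name timestamps are ISO 8601 UTC with ':' and '.' replaced by '-'.
_TS = r"\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}-\d{3}Z"
_KEY_RE = re.compile(
    rf"surepath-ai/(?P<stream>user-events|audit-events)/(?P<schema>v\d+)/"
    rf"(?P<y>\d{{4}})/(?P<mo>\d{{2}})/(?P<d>\d{{2}})/(?P<h>\d{{2}})/"
    rf"(?P<start>{_TS})-(?P<end>{_TS})-part-(?P<part>\d{{6}})\.ndjson\.gz$"
)


@dataclass(frozen=True)
class ExportKey:
    prefix: str          # custom bucket key prefix, "" if none is configured
    stream: str          # "user-events" or "audit-events"
    schema: str          # "v2", "v1", ...
    partition: datetime  # UTC hour directory the file sits in
    start: datetime      # earliest event timestamp in the file
    end: datetime        # latest event timestamp in the file
    part: int            # chunk number within the export


def filename_ts(s: str) -> datetime:
    """Turn 2025-10-09T15-07-57-875Z into an aware UTC datetime."""
    date, rest = s.split("T")
    hh, mm, ss, ms = rest.rstrip("Z").split("-")
    naive = datetime.strptime(f"{date}T{hh}:{mm}:{ss}.{ms}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def parse_key(key: str) -> ExportKey:
    """Parse a full object key; anything before 'surepath-ai/' is the custom prefix."""
    m = _KEY_RE.search(key)
    if not m:
        raise ValueError(f"not a SurePath AI export key: {key}")
    partition = datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]), tzinfo=timezone.utc)
    start, end = filename_ts(m["start"]), filename_ts(m["end"])
    if end < start:
        raise ValueError(f"end timestamp precedes start timestamp: {key}")
    return ExportKey(key[: m.start()], m["stream"], m["schema"], partition, start, end, int(m["part"]))


def ingestion_order(keys):
    """Order keys for replay: by start timestamp, then part number within the export."""
    return sorted((parse_key(k) for k in keys), key=lambda k: (k.start, k.part))


def read_ndjson_gz(blob: bytes):
    """Yield one event dict per line of a gzipped NDJSON object, checking the documented limits."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            if n > MAX_LINES_PER_PART:
                raise ValueError("part exceeds the documented 10,000-line chunk size")
            line = line.strip()
            if not line:
                continue  # tolerate a trailing newline
            evt = json.loads(line)
            if not isinstance(evt, dict):
                raise ValueError(f"line {n} is not a JSON object")
            yield evt


# Constructed sample listing: one audit part and a two-part user export under a custom prefix.
SAMPLE_KEYS = [
    "acme/surepath-ai/user-events/v2/2025/10/09/15/2025-10-09T15-07-57-875Z-2025-10-09T15-08-45-123Z-part-000002.ndjson.gz",
    "acme/surepath-ai/user-events/v2/2025/10/09/15/2025-10-09T15-07-57-875Z-2025-10-09T15-08-45-123Z-part-000001.ndjson.gz",
    "acme/surepath-ai/audit-events/v1/2025/10/09/14/2025-10-09T14-59-01-000Z-2025-10-09T14-59-59-999Z-part-000001.ndjson.gz",
]


def make_sample_blob(events) -> bytes:
    """Build a gzipped NDJSON payload in the delivered shape (constructed test data)."""
    return gzip.compress("".join(json.dumps(e) + "\n" for e in events).encode("utf-8"))


if __name__ == "__main__":
    for k in ingestion_order(SAMPLE_KEYS):
        print(k.stream, k.schema, k.partition.isoformat(), k.start.isoformat(), k.part)
    blob = make_sample_blob([{"event": {"id": "evt-1"}}, {"event": {"id": "evt-2"}}])
    print([e["event"]["id"] for e in read_ndjson_gz(blob)])
```

Replaying parts in (start, part) order keeps events from one export contiguous when a window spilled over the 10,000-line chunk limit; the regex is anchored on the surepath-ai/ segment and the file suffix so a custom bucket prefix of any depth is tolerated.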
Log format
Both User Events and Audit Events files are NDJSON and follow standard JSON syntax and conventions. Each line in a file is a complete JSON object describing one user activity or system interaction.
Example of a single event entry (pretty-printed here for readability; in the file each event occupies one line):
{
  "event": {
    "id": "evt-123",
    "category": "user",
    "type": "intercept",
    "action": "allow",
    "schema_version": "v2.0.1",
    "timestamp": "2025-10-09T15:07:57.875Z",
    "trace_id": "abc123"
  },
  "destination": { "name": "ChatGPT" },
  "actor": { "name": "Jane Doe", "email": "jane.doe@example.com", "type": "user" },
  "http": { "url": "https://api.example.com/intercept", "user_agent": "Mozilla/5.0" },
  "network": {
    "remote_ip": "203.0.113.10",
    "remote_port": "443",
    "internal_ip": "10.0.0.5",
    "x_forwarded_for": "203.0.113.10"
  },
  "policy": {
    "decision": "allow",
    "violations": {
      "access": false, "pii": false, "intent": false, "confidential_data": false,
      "prompt_injection": false, "toxicity": false, "code": false, "bias": false, "risk": false
    }
  },
  "conversation": { "id": "conv-1" },
  "messages": {
    "input": [ { "role": "user", "content": "Create a social media post about our new feature" } ],
    "output": [ { "role": "assistant", "content": "Here's a draft post..." } ]
  },
  "intent": { "domain": "Marketing", "action": "create social media post" },
  "risk": {
    "overall": "medium",
    "destination": "low",
    "input": {
      "overall": "medium", "intent": "low", "data_sensitivity": "internal",
      "data_exposure_impact": "medium", "harmful_content": "low", "prompt_injection": "low"
    },
    "output": { "overall": "low", "harmful_content": "low", "bias": "low" }
  },
  "detections": [ { "type": "pii", "name": "person_name", "action": "mask" } ],
  "gen_ai": {
    "model_name": "gpt-4o",
    "model_id": "gpt-4o-2024-06",
    "assistant_name": "Analyst",
    "token_count": { "input": 125, "output": 98 }
  },
  "timing": {
    "downstream_start": "2025-10-09T15:07:57.900Z",
    "downstream_end": "2025-10-09T15:07:58.100Z"
  }
}
User Events - JSON field descriptions
The following tables describe the structure and fields available in the telemetry schema. Not all fields are present in every event.
Event metadata
| Field | Type | Description |
| --- | --- | --- |
| event | object | Event identity, classification, and timing |
| event.id | string | Unique event identifier |
| event.category | string | Event category (e.g., user, audit, network) |
| event.type | string | Event type (e.g., intercept, access, internal) |
| event.action | string | Event action (e.g., allow, block, redirect, redact, login, error) |
| event.schema_version | string | Full schema version string (e.g., v2.0.1) |
| | string | URL where the schema can be referenced |
| event.timestamp | string | ISO 8601 UTC timestamp |
| event.trace_id | string (uuid) | Correlation identifier for the event; provide it to SurePath AI support when requesting an investigation |
Destination
| Field | Type | Description |
| --- | --- | --- |
| destination | object | Information about the destination service |
| destination.name | string | Destination service name from the Public Service Catalog |
Actor
| Field | Type | Description |
| --- | --- | --- |
| actor | object | Actor (user or app) associated with the event |
| actor.name | string | Actor name |
| actor.email | string | Actor email address |
| actor.type | string | Actor type (e.g., user, app) |
HTTP and network
| Field | Type | Description |
| --- | --- | --- |
| http | object | HTTP request information |
| http.url | string | Request URL |
| http.user_agent | string | User agent string |
| network | object | Network connection information |
| network.remote_ip | string | Remote address IP |
| network.remote_port | string | Remote address port |
| network.internal_ip | string | Internal IP address |
| network.x_forwarded_for | string | X-Forwarded-For header value listing the IP addresses through which the client request was proxied |
Policy decision
| Field | Type | Description |
| --- | --- | --- |
| policy | object | Policy decision and violation information |
| policy.decision | string | Policy decision (e.g., allow, block, redirect, redact) |
| policy.violations | object | Violation flags |
| policy.violations.access | boolean | Access violation detected |
| policy.violations.pii | boolean | PII violation detected |
| policy.violations.intent | boolean | Intent violation detected |
| policy.violations.confidential_data | boolean | Confidential data violation detected |
| policy.violations.prompt_injection | boolean | Prompt injection violation detected |
| policy.violations.toxicity | boolean | Toxicity violation detected |
| policy.violations.code | boolean | Code-sharing violation detected |
| policy.violations.bias | boolean | Bias violation detected |
| policy.violations.risk | boolean | Risk policy violation detected |
Conversation and messages
| Field | Type | Description |
| --- | --- | --- |
| conversation | object | Conversation context |
| conversation.id | string | Conversation identifier |
| messages | object | Input/output message content captured for the event |
| messages.input | array | Array of input message items |
| messages.input[].role | string | Message role (e.g., user, assistant, system) |
| messages.input[].content | string | Message text content. Detected PII may be replaced with tags (e.g., [PERSON], [US_SSN]) |
| messages.output | array | Array of output message items with the same shape as input |
Intent classification
| Field | Type | Description |
| --- | --- | --- |
| intent | object | High-level domain and action classification |
| intent.domain | string | Domain classification (e.g., Human Resources, IT, Finance, Marketing) |
| intent.action | string | Action classification (e.g., generate, execute, analyze, create) |
Risk assessment
| Field | Type | Description |
| --- | --- | --- |
| risk | object | Risk assessment across overall, input, output, and destination |
| risk.overall | string | Overall risk rating (low, medium, high) |
| risk.destination | string | Destination-specific risk rating (low, medium, high) |
| risk.input | object | Input risk assessment |
| risk.input.overall | string | Overall input risk rating (low, medium, high) |
| risk.input.intent | string | Input intent risk (low, medium, high) |
| risk.input.data_sensitivity | string | Data sensitivity level (unknown, public, internal, confidential, critical) |
| risk.input.data_exposure_impact | string | Potential impact if the data were exposed (low, medium, high) |
| risk.input.harmful_content | string | Harmful content risk (low, medium, high) |
| risk.input.prompt_injection | string | Prompt injection risk (low, medium, high) |
| risk.output | object | Output risk assessment |
| risk.output.overall | string | Overall output risk rating (low, medium, high) |
| risk.output.harmful_content | string | Harmful content risk (low, medium, high) |
| risk.output.bias | string | Bias risk (low, medium, high) |
Detections
| Field | Type | Description |
| --- | --- | --- |
| detections | array | Detection results associated with the event |
| detections[].type | string | Detection type (e.g., pii, code, intent) |
| detections[].name | string | Detection name (e.g., person_name, code_block, custom intent) |
| detections[].action | string | Detection action taken (e.g., mask, delete, block) |
Generative AI metadata
| Field | Type | Description |
| --- | --- | --- |
| gen_ai | object | Generative AI metadata for the event |
| gen_ai.model_name | string | Model name |
| gen_ai.model_id | string | Model identifier |
| gen_ai.assistant_name | string | Assistant name |
| gen_ai.token_count | object | Token usage information |
| gen_ai.token_count.input | integer | Input token count |
| gen_ai.token_count.output | integer | Output token count |
Timing and errors
| Field | Type | Description |
| --- | --- | --- |
| timing | object | The start and end timestamps for request processing |
| timing.downstream_start | string | Downstream processing start timestamp (ISO 8601 UTC) |
| timing.downstream_end | string | Downstream processing end timestamp (ISO 8601 UTC) |
| | object | Error context for the event |
| | string | Error type (e.g., service-error, subscription-expired, maintenance) |
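As an added example built on the field descriptions above (editor's code, not SurePath AI's), the following Python flattens V2 user events into a record a SIEM can route on. The scoring weights, the severity labels and the flattened record shape are my own choices; the events in SAMPLE_NDJSON are constructed to match the documented fields. Message content is dropped from the output because it may carry masked PII that the alert does not need.

```python
"""Triage SurePath AI v2 user events for SIEM routing.

Editor-added example, not SurePath AI code. The scoring weights, the
"severity" labels and the flattened record shape are my own; the field
paths are the ones described in the tables on this page. SAMPLE_NDJSON
is constructed.
"""
import json

RISK_RANK = {"low": 0, "medium": 1, "high": 2}
DECISION_RANK = {"allow": 0, "redact": 1, "redirect": 1, "block": 2}


def triage(evt: dict) -> dict:
    """Flatten one event into a routing record; message content is deliberately dropped."""
    ev = evt.get("event") or {}
    policy = evt.get("policy") or {}
    violations = policy.get("violations") or {}
    risk = evt.get("risk") or {}
    risk_input = risk.get("input") or {}
    detections = evt.get("detections") or []

    decision = policy.get("decision") or ev.get("action") or "unknown"
    flags = sorted(name for name, hit in violations.items() if hit is True)
    overall = risk.get("overall", "low")
    sensitivity = risk_input.get("data_sensitivity", "unknown")

    score = RISK_RANK.get(overall, 0) + DECISION_RANK.get(decision, 0) + len(flags)
    if decision == "allow" and any(d.get("type") == "pii" for d in detections):
        score += 1  # PII reached the destination masked rather than blocked: worth a look
    if sensitivity in ("confidential", "critical"):
        score += 1
    if violations.get("prompt_injection"):
        score += 1  # injection attempts are interesting whatever the decision was

    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "time": ev.get("timestamp"),
        "trace_id": ev.get("trace_id"),
        "actor": (evt.get("actor") or {}).get("email"),
        "destination": (evt.get("destination") or {}).get("name"),
        "decision": decision,
        "violations": flags,
        "detections": [f"{d.get('type')}:{d.get('name')}:{d.get('action')}" for d in detections],
        "risk_overall": overall,
        "data_sensitivity": sensitivity,
        "score": score,
        "severity": severity,
    }


def triage_ndjson(text: str) -> list:
    """Run triage over the lines of one NDJSON file (already gunzipped)."""
    return [triage(json.loads(line)) for line in text.splitlines() if line.strip()]


def needs_review(records) -> list:
    """Records a SIEM should forward to an analyst queue."""
    return [r for r in records if r["severity"] != "low"]


# Constructed sample: a masked-PII allow, a blocked confidential/injection prompt, and a benign allow.
SAMPLE_NDJSON = """\
{"event":{"id":"evt-1","category":"user","type":"intercept","action":"allow","timestamp":"2025-10-09T15:07:57.875Z","trace_id":"t-1"},"destination":{"name":"ChatGPT"},"actor":{"email":"jane.doe@example.com","type":"user"},"policy":{"decision":"allow","violations":{"access":false,"pii":false,"intent":false,"confidential_data":false,"prompt_injection":false,"toxicity":false,"code":false,"bias":false,"risk":false}},"messages":{"input":[{"role":"user","content":"Draft a post about [PERSON]"}]},"risk":{"overall":"medium","input":{"data_sensitivity":"internal"}},"detections":[{"type":"pii","name":"person_name","action":"mask"}]}
{"event":{"id":"evt-2","category":"user","type":"intercept","action":"block","timestamp":"2025-10-09T15:09:02.001Z","trace_id":"t-2"},"destination":{"name":"ChatGPT"},"actor":{"email":"sam.lee@example.com","type":"user"},"policy":{"decision":"block","violations":{"access":false,"pii":false,"intent":false,"confidential_data":true,"prompt_injection":true,"toxicity":false,"code":false,"bias":false,"risk":false}},"risk":{"overall":"high","input":{"data_sensitivity":"confidential"}},"detections":[]}
{"event":{"id":"evt-3","category":"user","type":"intercept","action":"allow","timestamp":"2025-10-09T15:10:44.500Z","trace_id":"t-3"},"destination":{"name":"Copilot"},"actor":{"email":"jane.doe@example.com","type":"user"},"policy":{"decision":"allow","violations":{"access":false,"pii":false}},"risk":{"overall":"low","input":{"data_sensitivity":"public"}}}
"""

if __name__ == "__main__":
    for r in triage_ndjson(SAMPLE_NDJSON):
        print(r["severity"], r["score"], r["actor"], r["destination"], r["violations"], r["detections"])
```

The allowed-but-masked event lands at medium severity even though every violation flag is false: the combination of policy.decision, the detections array and risk.input.data_sensitivity carries the signal, which is why a rule keyed on decision alone would miss it. Every lookup tolerates a missing object, since the page states that not all fields are present in every event.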
Audit Events - JSON field descriptions
The following tables describe the structure and fields available in the audit trail schema. Audit trail events record administrative actions or system events performed within the SurePath AI platform. Not all fields are present in every event.
Event metadata
| Field | Type | Description |
| --- | --- | --- |
| | string | Unique event identifier |
| | string | Administrative action performed (e.g., upload, read) |
| | string | Event category (e.g., audit) |
| | string | ISO 8601 UTC timestamp of when the action occurred |
| | string | Type of administrative action (e.g., audit-event-sync, Partial Conversation, Full Conversation) |
| | string | Human-readable description of the administrative action |
| | string | Organization identifier |
| | string | Schema version (e.g., v1) |
Resource
| Field | Type | Description |
| --- | --- | --- |
| | string | Identifier of the resource the administrator acted upon |
| | string | Name of the resource the administrator acted upon |
Actor
| Field | Type | Description |
| --- | --- | --- |
| | object | Administrator who performed the action |
| | boolean | Whether the administrator's identity was assumed (impersonated) |
| | string | Administrator's email address |
| | string | Administrator's display name |
| | string | Administrator's organization identifier |
| | string | Administrator's user identifier |
Additional properties
| Field | Type | Description |
| --- | --- | --- |
| | object | Supplemental context for the administrative action |
| | object | End user who owns the resource being accessed by the administrator |
| | string | Resource owner's user identifier |
| | string | Resource owner's display name |
| | string | Resource owner's email address |
Migrating to a newer version of the schema
To migrate to a newer version of the schema, add a new Telemetry Destination. Telemetry Destinations configured with an older schema version continue to function while you integrate the new schema into your tooling.
For AWS S3 buckets, the new Telemetry Destination can use the same connector and bucket name as the existing one: newer schemas are written under a different key prefix, so two schema versions can be delivered to the same location. Other telemetry connectors may behave differently.
Once the new schema integration is validated, disable the previous Telemetry Destination and, eventually, delete it.
Legacy V1 schema (Deprecated)
The information below describes the legacy V1 schema format. New telemetry destinations automatically use the latest V2 schema described above. Existing destinations using V1 continue to operate with their configured version.
V1 file information
Directory structure: user-events/
V1 uses a flat directory structure without hierarchical date-based partitioning. If your organization has configured a custom bucket key prefix, it will be prepended to this path.
File naming pattern: <start-timestamp>-<end-timestamp>.json
Each file name includes the earliest and latest event timestamps in the file using ISO 8601 UTC format.
Example path: user-events/2024-12-10T16-48-29-028Z-2024-12-10T16-48-45-354Z.json
V1 file format
Files are delivered as a single JSON array containing multiple event objects. V1 files are not compressed and do not use chunking. Each file contains a complete JSON array with all events from the 15-minute export window.
V1 format example (pretty-printed for readability):
[
  {
    "traceId": "d1a2b3c4",
    "serviceName": "ChatGPT",
    "messages": {
      "request": [ { "role": "user", "content": "Summarize quarterly results" } ],
      "response": [ { "role": "assistant", "content": "Here is a summary..." } ]
    },
    "intent": { "request": [ { "action": "Create social media post", "role": "Marketing" } ] },
    "sensitiveData": { "request": { "action": "mask" } },
    "policyDecision": {
      "action": "allow",
      "code": "P200",
      "violations": { "sensitiveData": false, "access": false }
    },
    "firewallDecision": { "target": { "name": "Engineering (gpt-4o)" } },
    "user": { "name": "Jane Doe", "email": "jane.doe@example.com" },
    "userAgent": "Mozilla/5.0",
    "clientIp": { "remoteIp": "203.0.113.10", "remotePort": "443", "xForwardedFor": "203.0.113.10" },
    "startTime": 1733246296533,
    "endTime": 1733246335420,
    "duration": "00:00:38.887",
    "requestUrl": "https://api.example.com/analyze"
  }
]
V1 JSON fields
| Field | Type | Description |
| --- | --- | --- |
| traceId | string (uuid) | Correlation identifier used to trace the request across systems; provide it to SurePath AI support when requesting an investigation |
| serviceName | string | Destination service name from the Public Service Catalog |
| messages | object | Input/output message content for the event |
| messages.request | array | Array of message items |
| messages.request[].role | string | Message role (e.g., user, assistant, system) |
| messages.request[].content | string | Message text content |
| messages.response | array | Array of message items with the same shape as request |
| intent | object | Detected user intent information |
| intent.request | array | Array of intent entries |
| intent.request[].action | string | Intent action label |
| intent.request[].role | string | Role associated with the intent |
| sensitiveData | object | Sensitive data handling outcome for the request |
| sensitiveData.request | object | Sensitive data request details |
| sensitiveData.request.action | string | Sensitive data action taken (e.g., delete, mask, synthesize, tag) |
| policyDecision | object | Decision and metadata from the policy engine |
| policyDecision.action | string | Policy decision action (e.g., allow) |
| policyDecision.code | string | Policy decision code for categorization; provide it to SurePath AI support when requesting an investigation |
| policyDecision.violations | object | Violation flags |
| policyDecision.violations.sensitiveData | boolean | Indicates a sensitive data violation |
| policyDecision.violations.access | boolean | Indicates an access violation |
| firewallDecision | object | Model routing decision details |
| firewallDecision.target | object | Target model information |
| firewallDecision.target.name | string | Selected target/model name as defined by admins in the SurePath AI console |
| user | object | Actor identifiers |
| user.name | string | End-user display name |
| user.email | string | End-user email address |
| userAgent | string | Client user agent string |
| clientIp | object | Client network identifiers |
| clientIp.remoteIp | string | Remote address IP |
| clientIp.remotePort | string | Remote address port |
| clientIp.xForwardedFor | string | X-Forwarded-For header value |
| startTime | integer | Millisecond epoch when processing started |
| endTime | integer | Millisecond epoch when processing ended |
| duration | string | Duration of processing (formatted as HH:MM:SS.mmm) |
| requestUrl | string | Full request URL |
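As an added example for the migration window described above, during which a V1 and a V2 destination may both be writing (editor's code, not SurePath AI's), the following Python loads either file format and normalises V1 and V2 user events into one record shape so a single SIEM parser can serve both. The V1-to-V2 field correspondence is my reading of the two field tables on this page, the record shape is my own, and the sample file contents are constructed.

```python
"""Normalise V1 (legacy) and V2 SurePath AI user events to one record shape.

Editor-added example, not SurePath AI code. The V1-to-V2 field correspondence
is my reading of the two field tables on this page and the output record shape
is my own. SAMPLE_V1 and SAMPLE_V2 are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_DURATION_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})$")  # V1 HH:MM:SS.mmm


def load_events(text: str) -> list:
    """V1 files are one JSON array; V2 files are NDJSON (after gunzip)."""
    body = text.lstrip()
    if body.startswith("["):
        events = json.loads(body)
        if not isinstance(events, list):
            raise ValueError("V1 file must be a JSON array")
        return events
    return [json.loads(line) for line in body.splitlines() if line.strip()]


def iso_from_epoch_ms(ms: int) -> str:
    """V1 epoch milliseconds -> the ISO 8601 UTC form used by V2 (millisecond precision)."""
    dt = EPOCH + timedelta(milliseconds=ms)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def iso_to_ms(s: str) -> int:
    dt = datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def duration_to_ms(s: str) -> int:
    m = _DURATION_RE.match(s)
    if not m:
        raise ValueError(f"unexpected V1 duration format: {s!r}")
    h, mi, sec, ms = (int(x) for x in m.groups())
    return ((h * 60 + mi) * 60 + sec) * 1000 + ms


def is_v1(evt: dict) -> bool:
    # V2 nests metadata under "event"; V1 is flat and keyed by traceId.
    return "event" not in evt and "traceId" in evt


def normalize(evt: dict) -> dict:
    if is_v1(evt):
        start, end = int(evt["startTime"]), int(evt["endTime"])
        policy = evt.get("policyDecision") or {}
        stated = evt.get("duration")
        return {
            "schema": "v1",
            "timestamp": iso_from_epoch_ms(start),
            "trace_id": evt.get("traceId"),
            "destination": evt.get("serviceName"),
            "actor_email": (evt.get("user") or {}).get("email"),
            "decision": policy.get("action"),
            "access_violation": bool((policy.get("violations") or {}).get("access")),
            "remote_ip": (evt.get("clientIp") or {}).get("remoteIp"),
            "duration_ms": end - start,
            # Cheap integrity check: the formatted duration should agree with the epoch pair.
            "duration_mismatch": stated is not None and duration_to_ms(stated) != end - start,
        }
    ev = evt.get("event") or {}
    policy = evt.get("policy") or {}
    timing = evt.get("timing") or {}
    duration = None
    if timing.get("downstream_start") and timing.get("downstream_end"):
        duration = iso_to_ms(timing["downstream_end"]) - iso_to_ms(timing["downstream_start"])
    return {
        "schema": ev.get("schema_version", "v2"),
        "timestamp": ev.get("timestamp"),
        "trace_id": ev.get("trace_id"),
        "destination": (evt.get("destination") or {}).get("name"),
        "actor_email": (evt.get("actor") or {}).get("email"),
        "decision": policy.get("decision"),
        "access_violation": bool((policy.get("violations") or {}).get("access")),
        "remote_ip": (evt.get("network") or {}).get("remote_ip"),
        "duration_ms": duration,
        "duration_mismatch": False,
    }


def normalize_file(text: str) -> list:
    return [normalize(e) for e in load_events(text)]


# Constructed sample files: a V1 array (second event carries an inconsistent duration) and one V2 NDJSON line.
SAMPLE_V1 = """[
 {"traceId": "d1a2b3c4", "serviceName": "ChatGPT", "user": {"name": "Jane Doe", "email": "jane.doe@example.com"},
  "policyDecision": {"action": "allow", "code": "P200", "violations": {"sensitiveData": false, "access": false}},
  "clientIp": {"remoteIp": "203.0.113.10", "remotePort": "443"}, "startTime": 1733246296533, "endTime": 1733246335420,
  "duration": "00:00:38.887", "requestUrl": "https://api.example.com/analyze"},
 {"traceId": "e5f6a7b8", "serviceName": "ChatGPT", "user": {"email": "sam.lee@example.com"},
  "policyDecision": {"action": "block", "violations": {"sensitiveData": true, "access": true}},
  "clientIp": {"remoteIp": "203.0.113.11"}, "startTime": 1733246400000, "endTime": 1733246401250, "duration": "00:00:02.250"}
]"""
SAMPLE_V2 = ('{"event": {"schema_version": "v2.0.1", "timestamp": "2025-10-09T15:07:57.875Z", "trace_id": "abc123"}, '
             '"destination": {"name": "ChatGPT"}, "actor": {"email": "jane.doe@example.com"}, '
             '"policy": {"decision": "allow", "violations": {"access": false}}, "network": {"remote_ip": "203.0.113.10"}, '
             '"timing": {"downstream_start": "2025-10-09T15:07:57.900Z", "downstream_end": "2025-10-09T15:07:58.100Z"}}\n')

if __name__ == "__main__":
    for rec in normalize_file(SAMPLE_V1) + normalize_file(SAMPLE_V2):
        print(rec)
```

The V1 duration string is recomputed from startTime and endTime rather than trusted, and a disagreement is surfaced as duration_mismatch so the pipeline can flag it instead of silently ingesting one of two conflicting values. Only fields with a clear counterpart in both schemas are carried into the common record; the V2-only risk, intent and detections data stays in the V2 event for consumers that need it.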
