
🔒 Coming Soon: Improved SIEM Log Pipeline: Streamlined, Secure, and More Structured

  • October 28, 2025


At Moveworks, we’re committed to continuously improving the reliability, transparency, and security of our platform. To that end, we’ll soon be upgrading our SIEM log processing pipeline.

This change unifies all customers under a single, modernized system — delivering more structured logs, clearer schemas, and more frequent updates, all while reducing operational complexity behind the scenes.

 

🧩 What’s Changing

 

Updated File Structure

Your SIEM logs will now be stored in a versioned subdirectory (v1) within your SFTP bucket. This helps clearly distinguish between versions of the logging pipeline.

Old File Path                              New File Path
logs/2024-08-20/2024-08-20_audit_log.json  logs/v1/2024-08-20/2024-08-20_audit_log.json

 

More Frequent Log Updates


Your .json log files will now refresh every 3 hours throughout the day — replacing the previous once-daily update schedule.
This ensures you have faster visibility into your environment’s activity and can act on insights sooner.
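The refresh schedule has an ingestion consequence the post leaves implicit: a file such as logs/v1/2024-08-20/2024-08-20_audit_log.json is re-delivered several times per day, so a collector that re-reads it must not forward the same events twice. The Python script below is an added example (not Moveworks code or a Moveworks-published collector) that checks the announced v1 path layout, rejects the legacy unversioned layout, and deduplicates on event_id across repeated reads of the same day's file. It assumes each refresh rewrites the whole day's file with earlier events retained, and, because the post does not say whether a file is a JSON array or newline-delimited JSON, accepts both shapes; the sample file bodies are constructed.

```python
import json
import re
from datetime import datetime

# Layout announced for the v1 pipeline: logs/v1/<YYYY-MM-DD>/<YYYY-MM-DD>_audit_log.json
# The pattern deliberately rejects the legacy unversioned path logs/<date>/<date>_audit_log.json.
V1_PATH_RE = re.compile(
    r"^/?logs/v1/(?P<dir_date>\d{4}-\d{2}-\d{2})/(?P<file_date>\d{4}-\d{2}-\d{2})_audit_log\.json$"
)


def parse_log_path(path):
    """Return the log date for a v1 path, or None if the path is not a v1 audit log
    (legacy layout, directory and file dates that disagree, or an invalid date)."""
    m = V1_PATH_RE.match(path)
    if m is None or m.group("dir_date") != m.group("file_date"):
        return None
    try:
        return datetime.strptime(m.group("dir_date"), "%Y-%m-%d").date()
    except ValueError:
        return None


def iter_events(text):
    """Yield event objects from a file body. Assumption: the post does not state whether a
    file is a JSON array or newline-delimited JSON, so both shapes are accepted here."""
    body = text.strip()
    if body.startswith("["):
        yield from json.loads(body)
        return
    for line in body.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


class IdempotentIngest:
    """Forwards each event once. The same daily file is refreshed every 3 hours (assumed
    here to be rewritten in full with earlier events retained), so a re-read must skip
    events already forwarded; event_id, scoped by log date, is the dedup key."""

    def __init__(self):
        self.seen = set()
        self.forwarded = []

    def ingest(self, path, text):
        """Read one file body and return how many events were new on this read."""
        log_date = parse_log_path(path)
        if log_date is None:
            raise ValueError(f"not a v1 audit log path: {path}")
        new = 0
        for event in iter_events(text):
            # Fall back to the canonical JSON text if an event somehow lacks event_id.
            key = (log_date.isoformat(), event.get("event_id") or json.dumps(event, sort_keys=True))
            if key in self.seen:
                continue
            self.seen.add(key)
            self.forwarded.append(event)
            new += 1
        return new


def make_event(event_type, event_id, event_time, **data):
    """Build a constructed sample event in the announced envelope shape."""
    return {"version": "2", "severity": "INFO", "event_id": event_id, "event_type": event_type,
            "event_source": "MOVEWORKS", "event_time": event_time, "event_data": data}


# Constructed sample: the same daily file as seen at two successive 3-hourly refreshes.
PATH = "logs/v1/2025-10-16/2025-10-16_audit_log.json"
FIRST_READ = "\n".join(json.dumps(e) for e in [
    make_event("EXTERNAL_API", "Que5vMmYkJuB", "2025-10-16 19:00:23.850992",
               user_id="9422067216216842966", request_method="POST", response_status_code="200"),
    make_event("PERMISSION_CHANGE", "NQZxdqmGTgqi", "2025-10-16 19:44:59.325022",
               user_id="10769617033889969982", revoked_roles=[]),
])
SECOND_READ = FIRST_READ + "\n" + json.dumps(
    make_event("AGENT_STUDIO_LOG", "SorjFyTNZnDK", "2025-10-16 21:12:05.000000",
               user_id="10769617033889969982", result="AGENT_STUDIO_LOG_RESULT_SUCCESS"))


if __name__ == "__main__":
    ingest = IdempotentIngest()
    print(ingest.ingest(PATH, FIRST_READ), "new events on first read")   # 2
    print(ingest.ingest(PATH, SECOND_READ), "new events on second read")  # 1
```

In a real collector the seen set would live in persistent storage keyed by log date so it can be pruned once a day's file stops refreshing; the in-memory set here is enough to show the re-read behaviour.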

 

More Defined Log Schemas

Previously, only a subset of log types was documented and consistently structured. With the new version, every supported log type has a well-defined schema, which makes parsing and integration with your SIEM solution far more reliable.

Supported Log Types
  • EXTERNAL_API
  • EXTERNAL_LDAP_API
  • CONFIG_CHANGE
  • PERMISSION_CHANGE
  • AUTHENTICATION
  • AGENT_STUDIO_LOG
  • USER_TOKEN_LOG
Below are examples of the new, standardised JSON formats.

 

EXTERNAL_API

{
  "version": "2",
  "severity": "INFO",
  "event_id": "Que5vMmYkJuB",
  "event_type": "EXTERNAL_API",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:00:23.850992",
  "event_data": {
    "user_id": "9422067216216842966",
    "request_uri": "https://slack.com/api/chat.postMessage",
    "request_method": "POST",
    "response_status_code": "200",
    "execution_time_ms": 172,
    "response_size_bytes": 1194
  }
}

 

EXTERNAL_LDAP_API

{
  "version": "2",
  "severity": "INFO",
  "event_id": "7UUWTmuqR1-I",
  "event_type": "EXTERNAL_LDAP_API",
  "event_source": "MOVEWORKS",
  "event_time": "2025-07-25 23:08:06.715425",
  "event_data": {
    "user_id": "12608431283658477771",
    "request": "{'search_request': {'base_dn': '{{dc_base_filter}}', 'scope': 2, 'filter': '(&(objectClass=user)(mail=coryweb*))'}}"
  }
}

 

CONFIG_CHANGE

The post gives no CONFIG_CHANGE-specific sample: the JSON placed under this heading is a verbatim copy of the PERMISSION_CHANGE event below (event_id NQZxdqmGTgqi, event_type PERMISSION_CHANGE). The common envelope fields (version, severity, event_id, event_type, event_source, event_time, event_data) apply to CONFIG_CHANGE as to every other log type.

 

PERMISSION_CHANGE

{
  "version": "2",
  "severity": "INFO",
  "event_id": "NQZxdqmGTgqi",
  "event_type": "PERMISSION_CHANGE",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "10769617033889969982",
    "revoked_roles": [
      {
        "app": "APP_CREATOR_STUDIO",
        "roles": [
          "ROLE_CREST_DEVELOPER",
          "ROLE_CREST_LOGS_VIEWER"
        ],
        "grantee": "16996686220091535521"
      }
    ],
    "all_roles": [
      {
        "app": "APP_MW_SETUP",
        "grantee": "16996686220091535521"
      },
      {
        "app": "APP_CREATOR_STUDIO",
        "grantee": "16996686220091535521"
      },
      {
        "app": "APP_BOT_ANALYTICS",
        "grantee": "16996686220091535521"
      },
      {
        "app": "APP_ECOMMS",
        "grantee": "16996686220091535521"
      },
      {
        "app": "APP_KNOWLEDGE_STUDIO",
        "grantee": "16996686220091535521"
      },
      {
        "app": "APP_EXI",
        "grantee": "16996686220091535521"
      },
      {
        "app": "APP_SUPER_APP",
        "grantee": "16996686220091535521"
      }
    ]
  }
}

 

AUTHENTICATION

{
  "version": "2",
  "severity": "INFO",
  "event_id": "OqsC6ItzTL6f",
  "event_type": "AUTHENTICATION",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-15 15:38:31.883000",
  "event_data": {
    "user_id": "9733382206290329491",
    "authn_event_type": "AUTHN_EVENT_LOGIN_SUCCESS",
    "app": "AUTHN_APP_MY_MOVEWORKS",
    "idp_metadata": {},
    "source_ip": "208.127.82.164",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
  }
}

 
AGENT_STUDIO_LOG

{
  "version": "2",
  "severity": "INFO",
  "event_id": "SorjFyTNZnDK",
  "event_type": "AGENT_STUDIO_LOG",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "10769617033889969982",
    "uivar_uuid": "5d6edaaa-fe72-4ef1-8c3f-875c5f634726",
    "result": "AGENT_STUDIO_LOG_RESULT_SUCCESS",
    "method": "AGENT_STUDIO_LOG_METHOD_READ",
    "log_type": "AGENT_STUDIO_LOG_TYPE_AGENT_STUDIO_CONNECTORS"
  }
}

 

USER_TOKEN_LOG

{
  "version": "2",
  "severity": "INFO",
  "event_id": "HFm8ZebzGHdu",
  "event_type": "USER_TOKEN_LOG",
  "event_source": "MOVEWORKS",
  "event_time": "2025-10-16 19:44:59.325022",
  "event_data": {
    "user_id": "8340006963328694015",
    "status": "USER_TOKEN_EXECUTION_STATUS_SUCCESS",
    "retrieve_access_token_log": {
      "integration_id": "enterprise_search_google_drive_connector",
      "sanitized_access_token_info": {
        "integration_id": "enterprise_search_google_drive_connector",
        "expires_at": "2025-10-16T19:58:13.331639Z"
      }
    }
  }
}
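With every log type now sharing one envelope (version, severity, event_id, event_type, event_source, event_time, event_data), a SIEM parser can validate that envelope once and dispatch on event_type. The Python script below is an added example, not Moveworks code or Moveworks detection guidance, that does exactly this and then runs a few illustrative rules over a constructed event stream: a successful login from a source_ip not previously seen for that user, an LDAP search whose filter contains a lone-wildcard clause such as (mail=*), a 401 or 403 response from an outbound integration call, and a PERMISSION_CHANGE whose grantee is the acting user. Field names come from the samples above; the rule names, the 401/403 threshold and the assumption that event_time is UTC (the samples carry no zone designator) are the example's own.

```python
import re
from datetime import datetime, timezone

# Envelope fields present on every sample event in the announcement.
ENVELOPE_FIELDS = {"version", "severity", "event_id", "event_type",
                   "event_source", "event_time", "event_data"}
SUPPORTED_TYPES = {"EXTERNAL_API", "EXTERNAL_LDAP_API", "CONFIG_CHANGE", "PERMISSION_CHANGE",
                   "AUTHENTICATION", "AGENT_STUDIO_LOG", "USER_TOKEN_LOG"}
# Assumption: event_time carries no zone designator in the samples, so it is read as UTC.
EVENT_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"
# An LDAP filter clause whose entire value is a lone wildcard, e.g. (mail=*) or (objectClass=*).
LONE_WILDCARD = re.compile(r"\(\s*[\w.;-]+\s*=\s*\*\s*\)")


def parse_event_time(value):
    """Parse event_time into an aware UTC datetime (raises ValueError on a bad string)."""
    return datetime.strptime(value, EVENT_TIME_FMT).replace(tzinfo=timezone.utc)


def validate_envelope(event):
    """Return a list of schema problems; an empty list means the envelope is usable."""
    problems = []
    missing = ENVELOPE_FIELDS - set(event)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if event.get("event_type") not in SUPPORTED_TYPES:
        problems.append(f"unsupported event_type: {event.get('event_type')!r}")
    if not isinstance(event.get("event_data"), dict):
        problems.append("event_data is not an object")
    try:
        parse_event_time(event["event_time"])
    except (KeyError, TypeError, ValueError):
        problems.append("event_time is not in the expected format")
    return problems


class Detector:
    """Stateful rules over validated events. The rules are illustrative, not Moveworks guidance."""

    def __init__(self):
        self.known_ips = {}  # user_id -> set of source_ip values seen on successful logins

    def check(self, event):
        """Return a list of (rule, detail) alerts raised by one event."""
        problems = validate_envelope(event)
        if problems:  # malformed events are surfaced, never silently dropped
            return [("malformed_event", "; ".join(problems))]
        kind, data = event["event_type"], event["event_data"]
        actor = data.get("user_id")
        alerts = []
        if kind == "AUTHENTICATION" and data.get("authn_event_type") == "AUTHN_EVENT_LOGIN_SUCCESS":
            ip, seen = data.get("source_ip"), self.known_ips.setdefault(actor, set())
            if seen and ip not in seen:  # the first login seeds the baseline; later new IPs alert
                alerts.append(("login_from_new_ip", f"user {actor} from {ip}"))
            seen.add(ip)
        elif kind == "PERMISSION_CHANGE":
            for entry in data.get("revoked_roles", []):
                if entry.get("grantee") == actor:  # actor changing their own roles
                    alerts.append(("self_role_change", f"user {actor} in {entry.get('app')}"))
        elif kind == "EXTERNAL_LDAP_API":
            if LONE_WILDCARD.search(data.get("request", "")):
                alerts.append(("broad_ldap_filter", data["request"]))
        elif kind == "EXTERNAL_API":
            try:
                status = int(data.get("response_status_code"))  # the sample stores it as a string
            except (TypeError, ValueError):
                status = 0
            if status in (401, 403):  # integration credential rejected by the remote API
                alerts.append(("integration_auth_failure",
                               f"{data.get('request_method')} {data.get('request_uri')} -> {status}"))
        elif kind == "USER_TOKEN_LOG" and data.get("status") != "USER_TOKEN_EXECUTION_STATUS_SUCCESS":
            alerts.append(("token_retrieval_failed", str(data.get("status"))))
        return alerts


def make_event(event_type, event_id, event_time="2025-10-16 19:44:59.325022", **data):
    """Build a constructed sample event in the announced envelope shape."""
    return {"version": "2", "severity": "INFO", "event_id": event_id, "event_type": event_type,
            "event_source": "MOVEWORKS", "event_time": event_time, "event_data": data}


# Constructed sample stream; 198.51.100.7 is a documentation-range address.
SAMPLE_EVENTS = [
    make_event("AUTHENTICATION", "c1", user_id="9733382206290329491", app="AUTHN_APP_MY_MOVEWORKS",
               authn_event_type="AUTHN_EVENT_LOGIN_SUCCESS", source_ip="208.127.82.164"),
    make_event("AUTHENTICATION", "c2", user_id="9733382206290329491", app="AUTHN_APP_MY_MOVEWORKS",
               authn_event_type="AUTHN_EVENT_LOGIN_SUCCESS", source_ip="198.51.100.7"),
    make_event("EXTERNAL_LDAP_API", "c3", user_id="12608431283658477771",
               request="{'search_request': {'base_dn': '{{dc_base_filter}}', 'scope': 2, 'filter': '(&(objectClass=user)(mail=*))'}}"),
    make_event("EXTERNAL_API", "c4", user_id="9422067216216842966", request_method="POST",
               request_uri="https://slack.com/api/chat.postMessage", response_status_code="401"),
    make_event("PERMISSION_CHANGE", "c5", user_id="16996686220091535521", revoked_roles=[
        {"app": "APP_CREATOR_STUDIO", "roles": ["ROLE_CREST_LOGS_VIEWER"], "grantee": "16996686220091535521"}]),
    {"version": "2", "severity": "INFO", "event_id": "c6", "event_type": "CONFIG_CHANGE",
     "event_source": "MOVEWORKS", "event_time": "2025-10-16 19:44:59.325022"},  # event_data missing
]


def run(events):
    """Run one Detector over a stream and return every alert in order."""
    detector = Detector()
    return [alert for event in events for alert in detector.check(event)]
```

Two design points carry over to a production rule set: the per-user IP baseline must be persisted between runs (here it lives only for one Detector instance), and an event that fails envelope validation is raised as its own alert rather than dropped, since a silent parse failure is exactly how a schema change hides activity from the SIEM.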

 

 

📆 Next Steps

 

We’ll begin transitioning to the new pipeline soon and will communicate your specific migration date in advance. No action is required at this time.

Comment on this post if you have further questions.