Data Schema (Logs)
- 31 Jan 2024
- Print
- DarkLight
Data Schema (Logs)
- Updated on 31 Jan 2024
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Supported types
- Legitimate
- Block
- Captcha
Fields
The data schema for each log type is returned with the following fields:
Legitimate
Field Name | Description | Value |
| event_type | legitimate | |
| timestamp | Time of the request | |
| px_app_id | HUMAN app ID assigned per application | |
| px_vid | Visitor id designated by HUMAN cookie | |
| px_client_uuid | Page view identifier designated by HUMAN | |
| full_url | Full URL of the request (including domain, request params etc.) | |
| domain | Parent domain for the request as derived from location href (URL) | |
| path | Path the request originates from (within the customer’s domain) | |
| risk_rtt | Roundtrip time for risk_api (from the enforcer to the collector and back) | |
| risk_score | Scoring of the request | Between 0 and 100 |
| user_agent | User Agent string the request came from | |
| country | The country the request came from | |
| city | The city the request came from | |
| os_family | Type of operating system used in the request | |
| os_version | The version of operating system used in the request | |
| browser_version | The version of the browser used | |
| browser_family | Type of browser used | |
| true_ip_asn_name | ISP provider for the request original IP | |
| true_ip_classification | Any known classifications/ characteristics we might have for the original IP | |
| true_ip | Original IP for the request (ignoring CDN/ load balancer) | |
| client_ip | IP the request came from | |
| incident_types | Requests are tagged with the types of detection which flagged them. See this section for possible values. | |
| ivt | Requests are tagged with the types of IVT taxonomy they were flagged with. See this section for possible values. | |
filter_type | Indicating if the request is classified as "always deny" or "always allow" | |
referrer | The previous page the request came from (the page that led to this request) | |
| request_id | The ID of the request | |
custom_parameter1-10 | Custom parameters as defined by the customer | |
breached_account | Value is set to true if the request was flagged as breached by HUMAN Credential Intelligence product | |
| http_method | The HTTP method used in communication (for example between the end user's browser and the client’s server) | |
filter_origin | Indicating what is the origin of the filter, the customer or HUMAN | |
filter_id | The filter identifier | |
filter_category | Indicating what category the filter belongs to. For example, known bots |
Block
Field Name | Description | Value |
|---|---|---|
event_type | block | |
timestamp | Time of the request | |
px_app_id | HUMAN app ID assigned per application | |
px_vid | Visitor id designated by HUMAN cookie | |
px_client_uuid | Page view identifier designated by HUMAN | |
full_url | Full URL of the request (including domain, request params etc.) | |
domain | Parent domain for the request as derived from location href (URL) | |
path | Path the request originates from (within the customer’s domain) | |
rsk_rtt | Roundtrip time for risk_api (from the enforcer to the collector and back) | |
user_agent | User Agent string the request came from | |
country | Country the request came from | |
city | City the request came from | |
os_family | Type of operating system used in the request | |
os_version | Version of operating system used in the request | |
browser_version | Version of the browser used | |
browser_family | Type of browser used | |
true_ip_asn_name | ISP provider for the request original IP | |
true_ip_classification | Any known classifications/ characteristics we might have for the original IP | |
true_ip | Original IP for the request (ignoring CDN/ load balancer) | |
client_ip | IP the request came from | |
incident_types | Requests are tagged with the types of detection which flagged it. See this section for possible values. | |
ivt | Requests are tagged with the types of IVT taxonomy they were flagged with. See this section for possible values. | |
filter_type | Indicating if the request is classified as "always deny" or "always allow" | |
simulated_block | Was there actual block activity or just a simulation for block for statistics and monitoring purpose | |
referrer | The previous page the request came from (the page that led to this request) | |
custom_parameter1-9 | Custom parameters as defined by the customer | |
breached_account | Value is set to true if the request was flagged as breached by HUMAN Credential Intelligence | |
filter_origin | Indicating what is the origin of the filter, the customer or HUMAN | |
filter_id | The filter identifier | |
filter_category | Indicating what category the filter belongs to. For example, known bots. |
Captcha
Field Name | Description | Value |
|---|---|---|
event_type | captcha_pass | |
timestamp | Time of the request | |
px_app_id | HUMAN app IP assigned per application | |
px_vid | Visitor id designated by HUMAN cookie | |
px_client_uuid | Page view identifier designated by HUMAN | |
full_url | Full URL of the request (including domain, request params etc.) | |
domain | Parent domain for the request as derived from location href (URL) | |
path | Path the request originates from (within the customer’s domain) | |
risk_score | Score given to request estimating likelihood of the request originating from bot traffic | |
risk_rtt | Roundtrip time for risk_api (from the enforcer to the collector and back) | |
user_agent | User Agent string the request came from | |
country | Country the request came from | |
city | City the request came from | |
os_family | Type of operating system used in requested | |
os_version | Version of operating system used in requested | |
browser_family | Type of browser used | |
browser_version | Version of the browser used | |
true_ip_asn_name | ISP provider for the request original IP | |
true_ip_classification | Any known classifications/ characteristics we might have for the original ip | |
true_ip | Original IP for the request (ignoring CDN/ load balancer) | |
client_ip | IP the request came from | |
incident_types | Requests are tagged with the types of detection which flagged it. See this section for possible values. | |
ivt | Requests are tagged with the types of IVT taxonomy they were flagged with. See this section for possible values. | |
referrer | The previous page the request came from (the page that led to this request) | |
captcha_type | Challenge type- is it google recaptcha or HUMAN challenge | |
challenge_tries_count | Number of incomplete hold attempts of the Human Challenge | |
custom_parameter1-9 | Custom parameters as defined by the customer | |
breached_account | Value is set to true if the request was flagged as breached by HUMAN Credential Intelligence | |
filter_type | Indicating if the request is classified as "always deny" or "always allow" | |
filter_id | The filter identifier | |
filter_origin | Indicating what is the origin of the filter, the customer or HUMAN | |
filter_category | Indicating what category the filter belongs to. For example knownBots | |
| beta human_challenge_release_version | Indicating when a user used the accessible challenge icon option | 2b |
- captcha_pass - if captcha was solved
- captcha_block - if the activity was blocked by captcha
Account Defender Logs
Single incidents logs
| Field Name | Description |
|---|---|
| timestamp | Time of the request |
| user_id | Account ID as known on the customer side |
| vid | Visitor ID designated by the HUMAN cookie |
| activity_type | Activity type (e.g, fingerprint - Sensor, page_requester - Enforcer, app_info - mobile) |
| device | Hash of the device browser fingerprint |
| ip | IP the request originates from |
| user_agent | User agent the request originates from |
| path | Path the request originates from (within the customer’s domain) |
| score | Score assigned by Account Defender - an integer in the range of 1-100 |
| asn | ISP provider for the request's original IP |
| country | Country the request originates from |
| state | State the request originates from |
| city | City the request originates from |
| continent | Continent the request originates from |
| carrier | Carrier for the request's original IP |
| organization | Network organization of the request's original IP |
| anonymizer_status | Anonymizer status for the request's original IP |
| proxy_type | Proxy for the request's original IP |
| hosting_facility | Hosting for the request's original IP |
| attack_pattern | Attack pattern classified by Account Defender |
| matched_rules_names | Account Defender rules matched against the request |
| custom_param1 | Custom parameter 1 defined by the customer |
| custom_param2 | Custom parameter 2 defined by the customer |
| custom_param3 | Custom parameter 3 defined by the customer |
| custom_param4 | Custom parameter 4 defined by the customer |
| custom_param5 | Custom parameter 5 defined by the customer |
| custom_param6 | Custom parameter 6 defined by the customer |
| custom_param7 | Custom parameter 7 defined by the customer |
| custom_param8 | Custom parameter 8 defined by the customer |
| custom_param9 | Custom parameter 9 defined by the customer |
| custom_param10 | Custom parameter 10 defined by the customer |
| sensitive_transaction | Classification of the path, if the path was defined as a sensitive one |
| account_age | The age of the account on the customer side (i.e, time since registration) in hours |
Cluster incidents logs
Field Name | Description |
| timestamp | Time of incident creation |
| user_ids | List of the account IDs as known on the customer side |
| attack_type | An attack classification of the cluster incident |
| score | Score assigned by Account Defender - an integer in the range of 1-100 |
| cluster_key | The Visitor ID or hash value that is common for all of the accounts in a cluster |
| cluster_type | Visitor ID designated by the HUMAN cookie or fingerprint hash |
| matched_rule_name | Name of the Account Defender rule that matched against the cluster |
Incident Types
Type ID | Name | Description |
|---|---|---|
12 | UI Anomaly | User interface interaction is typical of non-human users |
13 | Denied Service | One or more of the client's properties was denied |
14 | Custom Denylist | The request was denied because of a customer defined rule |
15 | Cloud Service | The request was detected as a cloud service |
16 | Anonymizing Service | Request originates from a Cloud Provider, VPN, Anonymizing Proxy or spoofed IP |
17 | Bot Behavior | Behavioral patterns deviate from typical human activity |
18 | Spoof | The detected browser does not match the declared browser |
19 | Predictive Analytics | Anomalies in behavioral data relevant for the request |
20 | Automation Tool | Request properties indicate the use of an automation tool |
21 | Bad Reputation | In the past, users with the same properties performed malicious activities |
22 | Volumetric Rule | Activity exceeded volumetric policy definition |
23 | Missing Sensor Data | JS Sensor information was not sent |
24 | Allowed Volume Exceeded | Request volume anomaly detected |
| 25 | Captcha Solving Attack | Indications of a CAPTCHA solving attack such as solving farms and solving automation |
IVT (Invalid Traffic Taxonomy)
Code | Category |
|---|---|
AB | Automated Browsing |
DC | Data Center |
FR | False Representation |
KC | Known Crawler |
UC | Undisclosed Classification |
Was this article helpful?