Data Schema (Logs)
  • 19 Jun 2024

Supported types

  • Legitimate

  • Block

  • Captcha

Fields

The data schema for each log type is returned with the following fields:

Legitimate

| Field Name | Description | Value |
|---|---|---|
| event_type | | legitimate |
| timestamp | Time of the request | |
| px_app_id | HUMAN app ID assigned per application | |
| px_vid | Visitor ID designated by the HUMAN cookie | |
| px_client_uuid | Page view identifier designated by HUMAN | |
| full_url | Full URL of the request (including domain, request params, etc.) | |
| domain | Parent domain for the request as derived from location href (URL) | |
| path | Path the request originates from (within the customer’s domain) | |
| risk_rtt | Roundtrip time for risk_api (from the enforcer to the collector and back) | |
| risk_score | Scoring of the request | Between 0 and 100 |
| user_agent | User Agent string the request came from | |
| country | The country the request came from | |
| city | The city the request came from | |
| os_family | Type of operating system used in the request | |
| os_version | The version of the operating system used in the request | |
| browser_version | The version of the browser used | |
| browser_family | Type of browser used | |
| true_ip_asn_name | ISP provider for the request's original IP | |
| true_ip_classification | Any known classifications/characteristics we might have for the original IP | |
| true_ip | Original IP for the request (ignoring CDN/load balancer) | |
| client_ip | IP the request came from | |
| incident_types | Requests are tagged with the types of detection which flagged them. See the Incident Types section for possible values. | |
| ivt | Requests are tagged with the types of IVT taxonomy they were flagged with. See the IVT section for possible values. | |
| filter_type | Indicates whether the request is classified as "always deny" or "always allow" | |
| referrer | The previous page the request came from (the page that led to this request) | |
| request_id | The ID of the request | |
| custom_parameter1-10 | Custom parameters as defined by the customer | |
| breached_account | Value is set to true if the request was flagged as breached by the HUMAN Credential Intelligence product | |
| http_method | The HTTP method used in communication (for example, between the end user's browser and the client’s server) | |
| filter_origin | Indicates the origin of the filter: the customer or HUMAN | |
| filter_id | The filter identifier | |
| filter_category | Indicates what category the filter belongs to. For example, known bots | |


Block

| Field Name | Description | Value |
|---|---|---|
| event_type | | block |
| timestamp | Time of the request | |
| px_app_id | HUMAN app ID assigned per application | |
| px_vid | Visitor ID designated by the HUMAN cookie | |
| px_client_uuid | Page view identifier designated by HUMAN | |
| full_url | Full URL of the request (including domain, request params, etc.) | |
| domain | Parent domain for the request as derived from location href (URL) | |
| path | Path the request originates from (within the customer’s domain) | |
| rsk_rtt | Roundtrip time for risk_api (from the enforcer to the collector and back) | |
| user_agent | User Agent string the request came from | |
| country | Country the request came from | |
| city | City the request came from | |
| os_family | Type of operating system used in the request | |
| os_version | Version of the operating system used in the request | |
| browser_version | Version of the browser used | |
| browser_family | Type of browser used | |
| true_ip_asn_name | ISP provider for the request's original IP | |
| true_ip_classification | Any known classifications/characteristics we might have for the original IP | |
| true_ip | Original IP for the request (ignoring CDN/load balancer) | |
| client_ip | IP the request came from | |
| incident_types | Requests are tagged with the types of detection which flagged them. See the Incident Types section for possible values. | |
| ivt | Requests are tagged with the types of IVT taxonomy they were flagged with. See the IVT section for possible values. | |
| filter_type | Indicates whether the request is classified as "always deny" or "always allow" | |
| simulated_block | Whether there was actual block activity or only a simulated block for statistics and monitoring purposes | |
| referrer | The previous page the request came from (the page that led to this request) | |
| custom_parameter1-9 | Custom parameters as defined by the customer | |
| breached_account | Value is set to true if the request was flagged as breached by HUMAN Credential Intelligence | |
| filter_origin | Indicates the origin of the filter: the customer or HUMAN | |
| filter_id | The filter identifier | |
| filter_category | Indicates what category the filter belongs to. For example, known bots. | |


Captcha

| Field Name | Description | Value |
|---|---|---|
| event_type | | captcha_pass, captcha_block* |
| timestamp | Time of the request | |
| px_app_id | HUMAN app ID assigned per application | |
| px_vid | Visitor ID designated by the HUMAN cookie | |
| px_client_uuid | Page view identifier designated by HUMAN | |
| full_url | Full URL of the request (including domain, request params, etc.) | |
| domain | Parent domain for the request as derived from location href (URL) | |
| path | Path the request originates from (within the customer’s domain) | |
| risk_score | Score given to the request estimating the likelihood of the request originating from bot traffic. Range 0 (most likely human) to 100 (most likely bot) | |
| risk_rtt | Roundtrip time for risk_api (from the enforcer to the collector and back) | |
| user_agent | User Agent string the request came from | |
| country | Country the request came from | |
| city | City the request came from | |
| os_family | Type of operating system used in the request | |
| os_version | Version of the operating system used in the request | |
| browser_family | Type of browser used | |
| browser_version | Version of the browser used | |
| true_ip_asn_name | ISP provider for the request's original IP | |
| true_ip_classification | Any known classifications/characteristics we might have for the original IP | |
| true_ip | Original IP for the request (ignoring CDN/load balancer) | |
| client_ip | IP the request came from | |
| incident_types | Requests are tagged with the types of detection which flagged them. See the Incident Types section for possible values. | |
| ivt | Requests are tagged with the types of IVT taxonomy they were flagged with. See the IVT section for possible values. | |
| referrer | The previous page the request came from (the page that led to this request) | |
| captcha_type | Challenge type: Google reCAPTCHA or HUMAN Challenge | |
| challenge_tries_count | Number of incomplete hold attempts of the HUMAN Challenge | |
| custom_parameter1-9 | Custom parameters as defined by the customer | |
| breached_account | Value is set to true if the request was flagged as breached by HUMAN Credential Intelligence | |
| filter_type | Indicates whether the request is classified as "always deny" or "always allow" | |
| filter_id | The filter identifier | |
| filter_origin | Indicates the origin of the filter: the customer or HUMAN | |
| filter_category | Indicates what category the filter belongs to. For example, knownBots | |


beta

human_challenge_release_version


Indicating when a user used the accessible challenge icon option

2b

  • captcha_pass - if captcha was solved

  • captcha_block - if the activity was blocked by captcha

Account Defender Logs

Single incidents logs

| Field Name | Description |
|---|---|
| timestamp | Time of the request |
| user_id | Account ID as known on the customer side |
| vid | Visitor ID designated by the HUMAN cookie |
| activity_type | Activity type (e.g., fingerprint - Sensor, page_requester - Enforcer, app_info - mobile) |
| device | Hash of the device browser fingerprint |
| ip | IP the request originates from |
| user_agent | User agent the request originates from |
| path | Path the request originates from (within the customer’s domain) |
| score | Score assigned by Account Defender - an integer in the range of 1-100 |
| asn | ISP provider for the request's original IP |
| country | Country the request originates from |
| state | State the request originates from |
| city | City the request originates from |
| continent | Continent the request originates from |
| carrier | Carrier for the request's original IP |
| organization | Network organization of the request's original IP |
| anonymizer_status | Anonymizer status for the request's original IP |
| proxy_type | Proxy for the request's original IP |
| hosting_facility | Hosting for the request's original IP |
| attack_pattern | Attack pattern classified by Account Defender |
| matched_rules_names | Account Defender rules matched against the request |
| custom_param1 | Custom parameter 1 defined by the customer |
| custom_param2 | Custom parameter 2 defined by the customer |
| custom_param3 | Custom parameter 3 defined by the customer |
| custom_param4 | Custom parameter 4 defined by the customer |
| custom_param5 | Custom parameter 5 defined by the customer |
| custom_param6 | Custom parameter 6 defined by the customer |
| custom_param7 | Custom parameter 7 defined by the customer |
| custom_param8 | Custom parameter 8 defined by the customer |
| custom_param9 | Custom parameter 9 defined by the customer |
| custom_param10 | Custom parameter 10 defined by the customer |
| sensitive_transaction | Classification of the path, if the path was defined as a sensitive one |
| account_age | The age of the account on the customer side (i.e., time since registration) in hours |

Cluster incidents logs

| Field Name | Description |
|---|---|
| timestamp | Time of incident creation |
| user_ids | List of the account IDs as known on the customer side |
| attack_type | An attack classification of the cluster incident |
| score | Score assigned by Account Defender - an integer in the range of 1-100 |
| cluster_key | The Visitor ID or hash value that is common for all of the accounts in a cluster |
| cluster_type | Visitor ID designated by the HUMAN cookie or fingerprint hash |
| matched_rule_id | ID of the Account Defender rule that matched against the cluster |
| matched_rule_name | Name of the Account Defender rule that matched against the cluster |

Network incidents logs

| Field Name | Description |
|---|---|
| timestamp | Time of incident creation |
| attack_type | An attack classification of the network incident |
| score | Score assigned by Account Defender - an integer in the range of 1-100 |
| network_type | Type of the network attack that was detected by Account Defender |
| network_id | ID of the network attack that was detected by Account Defender |
| user_ids | List of the account IDs that are part of the network incident, as known on the customer side |
| matched_rule_id | ID of the Account Defender rule that matched against the network |
| matched_rule_name | Name of the Account Defender rule that matched against the network |

Incident Types

| Type ID | Name | Description |
|---|---|---|
| 12 | UI Anomaly | User interface interaction is typical of non-human users |
| 13 | Denied Service | One or more of the client's properties was denied |
| 14 | Custom Denylist | The request was denied because of a customer defined rule |
| 15 | Cloud Service | The request was detected as a cloud service |
| 16 | Anonymizing Service | Request originates from a Cloud Provider, VPN, Anonymizing Proxy or spoofed IP |
| 17 | Bot Behavior | Behavioral patterns deviate from typical human activity |
| 18 | Spoof | The detected browser does not match the declared browser |
| 19 | Predictive Analytics | Anomalies in behavioral data relevant for the request |
| 20 | Automation Tool | Request properties indicate the use of an automation tool |
| 21 | Bad Reputation | In the past, users with the same properties performed malicious activities |
| 22 | Volumetric Rule | Activity exceeded volumetric policy definition |
| 23 | Missing Sensor Data | JS Sensor information was not sent |
| 24 | Allowed Volume Exceeded | Request volume anomaly detected |
| 25 | Captcha Solving Attack | Indications of a CAPTCHA solving attack such as solving farms and solving automation |

IVT (Invalid Traffic Taxonomy)

| Code | Category |
|---|---|
| AB | Automated Browsing |
| DC | Data Center |
| FR | False Representation |
| KC | Known Crawler |
| UC | Undisclosed Classification |
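
The following is an added example, not code from HUMAN or from the original page: a small triage routine that decodes the `incident_types` and `ivt` values using the two tables above and surfaces the fields an analyst usually checks first (`simulated_block`, `breached_account`, `true_ip`). It assumes records are delivered as one JSON object per line, that `incident_types` is a list of Type IDs and `ivt` a list of codes; the function name and flag names are hypothetical.

```python
import json

# ID/code tables copied from the Incident Types and IVT sections of this page.
INCIDENT_TYPES = {
    12: "UI Anomaly", 13: "Denied Service", 14: "Custom Denylist",
    15: "Cloud Service", 16: "Anonymizing Service", 17: "Bot Behavior",
    18: "Spoof", 19: "Predictive Analytics", 20: "Automation Tool",
    21: "Bad Reputation", 22: "Volumetric Rule", 23: "Missing Sensor Data",
    24: "Allowed Volume Exceeded", 25: "Captcha Solving Attack",
}
IVT = {"AB": "Automated Browsing", "DC": "Data Center", "FR": "False Representation",
       "KC": "Known Crawler", "UC": "Undisclosed Classification"}
EVENT_TYPES = {"legitimate", "block", "captcha_pass", "captcha_block"}

def triage(line):
    """Decode one record (assumed: one JSON object per line) for analyst review."""
    rec = json.loads(line)
    et = rec.get("event_type")
    if et not in EVENT_TYPES:
        raise ValueError(f"unknown event_type: {et!r}")
    flags = []
    score = rec.get("risk_score")
    if score is not None and not 0 <= score <= 100:
        flags.append("risk_score_out_of_range")
    if et == "block" and rec.get("simulated_block") is True:
        flags.append("block_simulated_only")  # logged as a block, but not enforced
    if rec.get("breached_account") is True:
        flags.append("breached_credentials")
    # Assumed encodings: incident_types is a list of Type IDs, ivt a list of codes.
    ids, codes = rec.get("incident_types") or [], rec.get("ivt") or []
    if any(i not in INCIDENT_TYPES for i in ids) or any(c not in IVT for c in codes):
        flags.append("unmapped_detection_code")  # schema drift: update the tables
    return {
        "event_type": et,
        "source_ip": rec.get("true_ip") or rec.get("client_ip"),  # pre-CDN IP first
        "incidents": [INCIDENT_TYPES.get(i, f"unknown({i})") for i in ids],
        "ivt": [IVT.get(c, f"unknown({c})") for c in codes],
        "flags": flags,
    }

# Constructed sample records (not real traffic); IPs are documentation ranges.
SAMPLE = [
    '{"event_type": "block", "true_ip": "203.0.113.7", "client_ip": "198.51.100.2",'
    ' "incident_types": [20, 16], "ivt": ["AB", "DC"], "simulated_block": true}',
    '{"event_type": "captcha_pass", "client_ip": "192.0.2.44", "risk_score": 100,'
    ' "incident_types": [25, 99], "ivt": [], "breached_account": true}',
]

if __name__ == "__main__":
    print([triage(raw) for raw in SAMPLE])
```
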

