Data Schema (Logs)
HUMAN supports the following log types:
The data schema for each log type is returned with the following fields:
Legitimate
| Field Name | Data Type | Description | Value |
|---|---|---|---|
access_token | String | The display name for any access token used in the request | |
browser_family | String | Type of browser used | |
browser_version | String | The version of the browser used | |
city | String | The city the request came from | |
client_ip | String | IP the request came from | |
country | String | The country the request came from | |
custom_parameterN | String | Custom parameters as defined by the customer, where N is a number between 1-10. For example, the first custom parameter is custom_parameter1. | |
domain | String | Parent domain for the request as derived from location HREF (URL) | |
event_type | String | legitimate | |
filter_category | String | Indicating what category the filter belongs to, for example, "known bots" | |
filter_id | String | The filter identifier | |
filter_origin | String | Indicating the origin of the filter, either customer or HUMAN | |
filter_type | String | The type of filter applied | |
full_url | String | Full URL of the request (including domain, request params, etc.) | |
graphql_operation_name | String | ||
http_method | String | The HTTP method used in communication (for example, between the end user's browser and the client’s server) | |
http_status | Number | The HTTP status of the request | |
incident_types | Array of strings | Requests are tagged with the types of detection which flagged them. See Incident types for possible values. | |
ivt | Array of strings | Requests are tagged with the types of IVT taxonomy they were flagged with. See IVT for possible values. | |
latitude | String | The latitudinal coordinates that the request came from | |
longitude | String | The longitudinal coordinates that the request came from | |
os_family | String | Type of operating system used in the request | |
os_version | String | The version of the operating system used in the request | |
path | String | ||
px_app_id | String | HUMAN app ID assigned per application | |
px_client_uuid | String | Page view identifier designated by HUMAN | |
px_vid | String | Visitor ID designated by HUMAN cookie | |
referrer | String | The previous page the request came from (the page that led to this request) | |
request_id | String | The ID of the request | |
risk_rtt | Number | Roundtrip time for risk_api (from the Enforcer to the collector and back) | |
risk_score | Number | Scoring of the request | Between 0 and 100 |
timestamp | String | Time of the request | |
true_ip | String | Original IP for the request (ignoring CDN/load balancer) | |
true_ip_asn_name | String | ISP provider for the request's original IP | |
true_ip_classification | JSON | Any known classifications/characteristics we might have for the original IP | |
user_agent | String | User Agent string the request came from |
Block
| Field Name | Data Type | Description | Value |
|---|---|---|---|
access_token | String | The display name for any access token used in the request | |
asn | String | ||
block_score | Number | The block score assigned by HUMAN | |
breached_account | Boolean | Whether the account was breached | |
browser_family | String | Type of browser used | |
browser_version | String | Version of the browser used | |
city | String | The city the request came from | |
client_ip | String | IP the request came from | |
country | String | Country the request came from | |
custom_parameterN | String | Custom parameters as defined by the customer, where N is a number between 1-10. For example, the first custom parameter is custom_parameter1. | |
domain | String | Parent domain for the request as derived from location HREF (URL) | |
event_type | String | block | |
filter_category | String | Indicating what category the filter belongs to. For example, known bots. | |
filter_id | String | The filter identifier | |
filter_origin | String | Indicating what is the origin of the filter, the customer or HUMAN | |
filter_type | String | Indicating if the request is classified as "always deny" or "always allow" | |
full_url | String | Full URL of the request (including domain, request params, etc.) | |
http_method | String | The HTTP method used in communication (for example, between the end user's browser and the client’s server) | |
http_status | Number | The HTTP status of the request | |
incident_types | Array of strings | Requests are tagged with the types of detection which flagged it. See Incident Types for possible values. | |
ivt | Array of strings | Requests are tagged with the types of IVT taxonomy they were flagged with. See IVT for possible values. | |
latitude | String | The latitudinal coordinates that the request came from | |
longitude | String | The longitudinal coordinates that the request came from | |
os_family | String | Type of operating system used in the request | |
os_version | String | Version of operating system used in the request | |
path | String | ||
px_app_id | String | HUMAN app ID assigned per application | |
px_client_uuid | String | Page view identifier designated by HUMAN | |
px_vid | String | Visitor ID designated by HUMAN cookie | |
referrer | String | The previous page the request came from (the page that led to this request) | |
risk_rtt | Number | Roundtrip time for risk_api (from the Enforcer to the collector and back) | |
simulated_block | Boolean | Whether there actual block activity or just a simulation for statistics and monitoring purposes | |
timestamp | String | Time of the request | |
true_ip | String | Original IP for the request (ignoring CDN/load balancer) | |
true_ip_asn_name | String | ISP provider for the request's original IP | |
true_ip_classification | String | Any known classifications/characteristics we might have for the original IP | |
user_agent | String | User Agent string the request came from |
CAPTCHA
| Field Name | Data Type | Description | Value |
|---|---|---|---|
access_token | String | The display name for any access token used in the request | |
asn | String | ||
browser_family | String | Type of browser used | |
browser_version | String | Version of the browser used | |
captcha_abandoned_reason | String | ||
captcha_type | String | Challenge type (e.g. HUMAN Challenge) | |
challenge_tries_count | Number | The number of times the challenge was attempted | |
city | String | City the request came from | |
client_ip | String | IP the request came from | |
country | String | Country the request came from | |
custom_parameterN | String | Custom parameters as defined by the customer, where N is a number between 1-10. For example, the first custom parameter is custom_parameter1. | |
domain | String | Parent domain for the request as derived from location href (URL) | |
event_type | String | captcha_pass, captcha_block* | |
filter_category | String | Indicates what category the filter belongs to (e.g., known bots) | |
filter_id | String | The filter identifier | |
filter_origin | String | Indicates the origin of the filter, either customer or HUMAN | |
filter_type | String | Indicates if the request is classified as "always deny" or "always allow" | |
full_url | String | Full URL of the request (including domain, request params, etc.) | |
human_challenge_release_version | String | The release number of the Human Challenge used | |
http_method | String | The HTTP method used in communication (for example, between the end user's browser and the client’s server) | |
http_status | Number | The HTTP status of the request | |
incident_types | Array of Strings | Requests tagged with the detection types that flagged it. See Incident Types for values. | |
ivt | Array of Strings | Requests tagged with the IVT taxonomy types flagged. See IVT for values. | |
latitude | String | The latitudinal coordinates that the request came from | |
longitude | String | The longitudinal coordinates that the request came from | |
os_family | String | Type of operating system used in the request | |
os_version | String | Version of operating system used in the request | |
path | String | ||
px_app_id | String | HUMAN app ID assigned per application | |
px_client_uuid | String | Page view identifier designated by HUMAN | |
px_vid | String | Visitor ID designated by HUMAN cookie | |
referrer | String | The previous page the request came from (the page that led to this request) | |
risk_score | Number | Score estimating likelihood of the request originating from bot traffic. Range: 0 (human) to 100 (bot) | |
timestamp | String | Time of the request | |
true_ip | String | Original IP for the request (ignoring CDN/load balancer) | |
true_ip_asn_name | String | ISP provider for the request’s original IP | |
true_ip_classification | JSON | Known classifications/characteristics for the original IP | |
user_agent | String | User Agent string the request came from |
Field values
Some fields have certain values. These are listed here.
Incident Types
| Type ID | Name | Description |
|---|---|---|
| 12 | UI Anomaly | User interface interaction typical of non-human users |
| 13 | Denied Service | One or more of the client's properties was denied |
| 14 | Custom Denylist | The request was denied because of a customer-defined rule |
| 15 | Cloud Service | The request was detected as a cloud service |
| 16 | Anonymizing Service | Request originates from a Cloud Provider, VPN, Anonymizing Proxy, or spoofed IP |
| 17 | Bot Behavior | Behavioral patterns deviate from typical human activity |
| 18 | Spoof | The detected browser does not match the declared browser |
| 19 | Predictive Analytics | Anomalies in behavioral data relevant for the request |
| 20 | Automation Tool | Request properties indicate the use of an automation tool |
| 21 | Bad Reputation | Users with the same properties previously performed malicious activities |
| 22 | Volumetric Rule | Activity exceeded volumetric policy definition |
| 23 | Missing Sensor Data | JavaScript sensor information was not sent |
| 24 | Allowed Volume Exceeded | Request volume anomaly detected |
| 25 | Captcha Solving Attack | Indications of a CAPTCHA solving attack, such as solving farms or automation |
IVT (Invalid Traffic Taxonomy)
| Code | Category |
|---|---|
| AB | Automated Browsing |
| DC | Data Center |
| FR | False Representation |
| KC | Known Crawler |
| UC | Undisclosed Classification |
Account Defender Logs
Single incidents logs
| Field Name | Description |
|---|---|
timestamp | Time of the request |
user_id | Account ID as known on the customer side |
vid | Visitor ID designated by the HUMAN cookie |
activity_type | Activity type (e.g., fingerprint - Sensor, page_requester - Enforcer, app_info - mobile) |
device | Hash of the device browser fingerprint |
ip | IP the request originates from |
user_agent | User agent the request originates from |
path | Path the request originates from (within the customer’s domain) |
score | Score assigned by Account Defender - an integer in the range of 1-100 |
asn | ISP provider for the request's original IP |
country | Country the request originates from |
state | State the request originates from |
city | City the request originates from |
continent | Continent the request originates from |
carrier | Carrier for the request's original IP |
organization | Network organization of the request's original IP |
anonymizer_status | Anonymizer status for the request's original IP |
proxy_type | Proxy for the request's original IP |
hosting_facility | Hosting for the request's original IP |
attack_pattern | Attack pattern classified by Account Defender |
matched_rules_names | Account Defender rules matched against the request |
custom_param1 | Custom parameter 1 defined by the customer |
custom_param2 | Custom parameter 2 defined by the customer |
custom_param3 | Custom parameter 3 defined by the customer |
custom_param4 | Custom parameter 4 defined by the customer |
custom_param5 | Custom parameter 5 defined by the customer |
custom_param6 | Custom parameter 6 defined by the customer |
custom_param7 | Custom parameter 7 defined by the customer |
custom_param8 | Custom parameter 8 defined by the customer |
custom_param9 | Custom parameter 9 defined by the customer |
custom_param10 | Custom parameter 10 defined by the customer |
sensitive_transaction | Classification of the path, if the path was defined as a sensitive one |
account_age | The age of the account on the customer side (i.e., time since registration) in hours |
Network incidents logs
| Field Name | Description |
|---|---|
timestamp | Time of incident creation |
attack_type | An attack classification of the network incident |
score | Score assigned by Account Defender, ranging from 1 to 100 |
network_type | Type of the network attack that was detected by Account Defender |
network_id | ID of the network attack that was detected by Account Defender |
user_ids | List of account IDs that are part of the network incident, as known on the customer side |
matched_rule_id | ID of the Account Defender rule that matched against the network |
matched_rule_name | Name of the Account Defender rule that matched against the network |
Updated 18 days ago