Data Schema (Logs)

HUMAN supports the following log types:

The data schema for each log type is returned with the following fields:

Legitimate

Field NameData TypeDescriptionValue
access_tokenStringThe display name for any access token used in the request
browser_familyStringType of browser used
browser_versionStringThe version of the browser used
cityStringThe city the request came from
client_ipStringIP the request came from
countryStringThe country the request came from
custom_parameterNStringCustom parameters as defined by the customer, where N is a number between 1-10. For example, the first custom parameter is custom_parameter1.
domainStringParent domain for the request as derived from location HREF (URL)
event_typeStringlegitimate
filter_categoryStringIndicating what category the filter belongs to, for example, "known bots"
filter_idStringThe filter identifier
filter_originStringIndicating the origin of the filter, either customer or HUMAN
filter_typeStringThe type of filter applied
full_urlStringFull URL of the request (including domain, request params, etc.)
graphql_operation_nameString
http_methodStringThe HTTP method used in communication (for example, between the end user's browser and the client’s server)
http_statusNumberThe HTTP status of the request
incident_typesArray of stringsRequests are tagged with the types of detection which flagged them. See Incident types for possible values.
ivtArray of stringsRequests are tagged with the types of IVT taxonomy they were flagged with. See IVT for possible values.
latitudeStringThe latitudinal coordinates that the request came from
longitudeStringThe longitudinal coordinates that the request came from
os_familyStringType of operating system used in the request
os_versionStringThe version of the operating system used in the request
pathString
px_app_idStringHUMAN app ID assigned per application
px_client_uuidStringPage view identifier designated by HUMAN
px_vidStringVisitor ID designated by HUMAN cookie
referrerStringThe previous page the request came from (the page that led to this request)
request_idStringThe ID of the request
risk_rttNumberRoundtrip time for risk_api (from the Enforcer to the collector and back)
risk_scoreNumberScoring of the requestBetween 0 and 100
timestampStringTime of the request
true_ipStringOriginal IP for the request (ignoring CDN/load balancer)
true_ip_asn_nameStringISP provider for the request's original IP
true_ip_classificationJSONAny known classifications/characteristics we might have for the original IP
user_agentStringUser Agent string the request came from

Block

Field NameData TypeDescriptionValue
access_tokenStringThe display name for any access token used in the request
asnString
block_scoreNumberThe block score assigned by HUMAN
breached_accountBooleanWhether the account was breached
browser_familyStringType of browser used
browser_versionStringVersion of the browser used
cityStringThe city the request came from
client_ipStringIP the request came from
countryStringCountry the request came from
custom_parameterNStringCustom parameters as defined by the customer, where N is a number between 1-10. For example, the first custom parameter is custom_parameter1.
domainStringParent domain for the request as derived from location HREF (URL)
event_typeStringblock
filter_categoryStringIndicating what category the filter belongs to. For example, known bots.
filter_idStringThe filter identifier
filter_originStringIndicating what is the origin of the filter, the customer or HUMAN
filter_typeStringIndicating if the request is classified as "always deny" or "always allow"
full_urlStringFull URL of the request (including domain, request params, etc.)
http_methodStringThe HTTP method used in communication (for example, between the end user's browser and the client’s server)
http_statusNumberThe HTTP status of the request
incident_typesArray of stringsRequests are tagged with the types of detection which flagged it. See Incident Types for possible values.
ivtArray of stringsRequests are tagged with the types of IVT taxonomy they were flagged with. See IVT for possible values.
latitudeStringThe latitudinal coordinates that the request came from
longitudeStringThe longitudinal coordinates that the request came from
os_familyStringType of operating system used in the request
os_versionStringVersion of operating system used in the request
pathString
px_app_idStringHUMAN app ID assigned per application
px_client_uuidStringPage view identifier designated by HUMAN
px_vidStringVisitor ID designated by HUMAN cookie
referrerStringThe previous page the request came from (the page that led to this request)
risk_rttNumberRoundtrip time for risk_api (from the Enforcer to the collector and back)
simulated_blockBooleanWhether there actual block activity or just a simulation for statistics and monitoring purposes
timestampStringTime of the request
true_ipStringOriginal IP for the request (ignoring CDN/load balancer)
true_ip_asn_nameStringISP provider for the request's original IP
true_ip_classificationStringAny known classifications/characteristics we might have for the original IP
user_agentStringUser Agent string the request came from

CAPTCHA

Field NameData TypeDescriptionValue
access_tokenStringThe display name for any access token used in the request
asnString
browser_familyStringType of browser used
browser_versionStringVersion of the browser used
captcha_abandoned_reasonString
captcha_typeStringChallenge type (e.g. HUMAN Challenge)
challenge_tries_countNumberThe number of times the challenge was attempted
cityStringCity the request came from
client_ipStringIP the request came from
countryStringCountry the request came from
custom_parameterNStringCustom parameters as defined by the customer, where N is a number between 1-10. For example, the first custom parameter is custom_parameter1.
domainStringParent domain for the request as derived from location href (URL)
event_typeStringcaptcha_pass, captcha_block*
filter_categoryStringIndicates what category the filter belongs to (e.g., known bots)
filter_idStringThe filter identifier
filter_originStringIndicates the origin of the filter, either customer or HUMAN
filter_typeStringIndicates if the request is classified as "always deny" or "always allow"
full_urlStringFull URL of the request (including domain, request params, etc.)
human_challenge_release_versionStringThe release number of the Human Challenge used
http_methodStringThe HTTP method used in communication (for example, between the end user's browser and the client’s server)
http_statusNumberThe HTTP status of the request
incident_typesArray of StringsRequests tagged with the detection types that flagged it. See Incident Types for values.
ivtArray of StringsRequests tagged with the IVT taxonomy types flagged. See IVT for values.
latitudeStringThe latitudinal coordinates that the request came from
longitudeStringThe longitudinal coordinates that the request came from
os_familyStringType of operating system used in the request
os_versionStringVersion of operating system used in the request
pathString
px_app_idStringHUMAN app ID assigned per application
px_client_uuidStringPage view identifier designated by HUMAN
px_vidStringVisitor ID designated by HUMAN cookie
referrerStringThe previous page the request came from (the page that led to this request)
risk_scoreNumberScore estimating likelihood of the request originating from bot traffic. Range: 0 (human) to 100 (bot)
timestampStringTime of the request
true_ipStringOriginal IP for the request (ignoring CDN/load balancer)
true_ip_asn_nameStringISP provider for the request’s original IP
true_ip_classificationJSONKnown classifications/characteristics for the original IP
user_agentStringUser Agent string the request came from

Field values

Some fields have certain values. These are listed here.

Incident Types

Type IDNameDescription
12UI AnomalyUser interface interaction typical of non-human users
13Denied ServiceOne or more of the client's properties was denied
14Custom DenylistThe request was denied because of a customer-defined rule
15Cloud ServiceThe request was detected as a cloud service
16Anonymizing ServiceRequest originates from a Cloud Provider, VPN, Anonymizing Proxy, or spoofed IP
17Bot BehaviorBehavioral patterns deviate from typical human activity
18SpoofThe detected browser does not match the declared browser
19Predictive AnalyticsAnomalies in behavioral data relevant for the request
20Automation ToolRequest properties indicate the use of an automation tool
21Bad ReputationUsers with the same properties previously performed malicious activities
22Volumetric RuleActivity exceeded volumetric policy definition
23Missing Sensor DataJavaScript sensor information was not sent
24Allowed Volume ExceededRequest volume anomaly detected
25Captcha Solving AttackIndications of a CAPTCHA solving attack, such as solving farms or automation

IVT (Invalid Traffic Taxonomy)

CodeCategory
ABAutomated Browsing
DCData Center
FRFalse Representation
KCKnown Crawler
UCUndisclosed Classification

Account Defender Logs

Single incidents logs

Field NameDescription
timestampTime of the request
user_idAccount ID as known on the customer side
vidVisitor ID designated by the HUMAN cookie
activity_typeActivity type (e.g., fingerprint - Sensor, page_requester - Enforcer, app_info - mobile)
deviceHash of the device browser fingerprint
ipIP the request originates from
user_agentUser agent the request originates from
pathPath the request originates from (within the customer’s domain)
scoreScore assigned by Account Defender - an integer in the range of 1-100
asnISP provider for the request's original IP
countryCountry the request originates from
stateState the request originates from
cityCity the request originates from
continentContinent the request originates from
carrierCarrier for the request's original IP
organizationNetwork organization of the request's original IP
anonymizer_statusAnonymizer status for the request's original IP
proxy_typeProxy for the request's original IP
hosting_facilityHosting for the request's original IP
attack_patternAttack pattern classified by Account Defender
matched_rules_namesAccount Defender rules matched against the request
custom_param1Custom parameter 1 defined by the customer
custom_param2Custom parameter 2 defined by the customer
custom_param3Custom parameter 3 defined by the customer
custom_param4Custom parameter 4 defined by the customer
custom_param5Custom parameter 5 defined by the customer
custom_param6Custom parameter 6 defined by the customer
custom_param7Custom parameter 7 defined by the customer
custom_param8Custom parameter 8 defined by the customer
custom_param9Custom parameter 9 defined by the customer
custom_param10Custom parameter 10 defined by the customer
sensitive_transactionClassification of the path, if the path was defined as a sensitive one
account_ageThe age of the account on the customer side (i.e., time since registration) in hours

Network incidents logs

Field NameDescription
timestampTime of incident creation
attack_typeAn attack classification of the network incident
scoreScore assigned by Account Defender, ranging from 1 to 100
network_typeType of the network attack that was detected by Account Defender
network_idID of the network attack that was detected by Account Defender
user_idsList of account IDs that are part of the network incident, as known on the customer side
matched_rule_idID of the Account Defender rule that matched against the network
matched_rule_nameName of the Account Defender rule that matched against the network