How Lumos Logs to Your SIEM

Last updated: October 7, 2024

After this article...

You'll know how Lumos posts event data to your SIEM integration and which Lumos events are sent to your SIEM integration.

Log format

Lumos posts events to your SIEM integration as a JSON payload in the following format.

{
  "event_hash": str,
  "event_type": <EventType>,
  "event_type_user_friendly": str,
  "actor": {
    "actor_type": <ActorType>,
    **actor data**
  },
  "targets": [
    {
      "target_type": <TargetType>,
      **target data**
    },
    ...
  ],
  "event_began_at": datetime
}

Event types

The event types in the table below are logged to your SIEM by Lumos.

These are stored in the "event_type" field in the JSON payload.

Value | Description

APP_STORE_CREATE_ACCESS_REQUEST

A new access request was created.

APP_STORE_AUTOMATIC_PROVISIONING_FOR_ACCESS_REQUEST

A user was automatically provisioned to an app through a Lumos integration (IdP or direct) after their request was approved.

APP_STORE_INLINE_WEBHOOK_PROVISIONING_FOR_ACCESS_REQUEST

A provisioning webhook was triggered after an access request was approved.
See: Extending Lumos With Webhooks

APP_STORE_INLINE_WEBHOOK_REQUEST_VALIDATION_FOR_ACCESS_REQUEST

A request validation webhook was triggered after an access request was approved.
See: Request Validation Webhooks

APP_STORE_MANUAL_CONFIRM_PROVISIONING_FOR_ACCESS_REQUEST

Someone completed a "Confirm Provisioning" step for an access request by confirming that the account was provisioned.

APP_STORE_MANUAL_DENY_PROVISIONING_FOR_ACCESS_REQUEST

Someone completed a "Confirm Provisioning" step for an access request by denying that the account was provisioned.

APP_STORE_MANUAL_CONFIRM_DEPROVISIONING_FOR_ACCESS_REQUEST

A user confirmed that they completed the manual steps required to remove access that was granted through the AppStore.

APP_STORE_EDIT_PERMISSIONS_ON_REQUEST

An approver edited the permissions requested on an access request in progress.

APP_STORE_EDIT_ACCESS_LENGTH_ON_REQUEST

An approver edited the access length requested on an access request in progress.

APP_STORE_APPROVE_ACCESS_REQUEST

An approver approved an access request.

APP_STORE_DENY_ACCESS_REQUEST

An approver denied an access request.

APP_STORE_CANCEL_ACCESS_REQUEST

A requester canceled their access request.

APP_STORE_REVERT_ACCESS_REQUEST

An approver reverted a previously-approved access request.

APP_STORE_EXTEND_ACCESS_TIME

A requester's access request was extended.

APP_STORE_REVERT_REQUEST_AUTOMATIC_DEPROVISIONING

After reverting an access request, the automated provisioning action was undone/reverted.

TIME_BASED_ACCESS_EXPIRED

A time-based access request expired.

APP_STORE_REVERT_REQUEST_MANUAL_ACTION_NEEDED

A user confirmed with Lumos that they completed the manual steps required to revert an access request for another user.

APP_STORE_CREATE_CUSTOM_ACCESS_REQUEST

A custom access request was created in the AppStore.

APP_STORE_OVERRIDE_APPROVAL

Someone overrode the default approval workflow and approved an access request.

APP_STORE_OVERRIDE_MANAGER_APPROVAL

Manager approval was overridden for an access request and the request was approved.

APP_STORE_APPROVERS_REASSIGNED

An AppStore request was re-assigned to another user.

APP_STORE_OVERRIDE_DENY

Someone overrode the default approval workflow and denied an access request.

APP_STORE_OVERRIDE_MANAGER_DENY

Manager approval was overridden for an access request and the request was denied.

APP_STORE_ACCESS_REQUEST_EXPIRED

An access request expired before it was acted upon.

APP_STORE_ACCESS_REQUEST_PREAPPROVED

An access request was preapproved.

APP_STORE_NO_ADMINS_FOUND_FOR_PROVISIONING_ACCESS_REQUEST

An access request moved to the "Confirm Provisioning" stage and no app admins were set up for the app.

APP_STORE_SEND_SLACK_MESSAGE_FOR_ACCESS_REQUEST

A message was sent by a participant in a Slack thread for an access request.

APP_STORE_REASSIGN_SET_APPROVERS_ACTION

Lumos tried to set new approvers for an access request.

APP_STORE_REASSIGN_REMINDER_ESCALATIONS_EMAIL

Lumos tried to send an email to the original approver of an access request that their approval was being escalated.

APP_STORE_REASSIGN_REMINDER_ESCALATIONS_SLACK

Lumos tried to send a Slack message to the original approver of an access request that their approval was being escalated.

APP_STORE_NEW_APPROVERS_REASSIGN_ESCALATIONS_EMAIL

Lumos tried to email the new approvers about an escalated access request.

APP_STORE_NEW_APPROVERS_REASSIGN_ESCALATIONS_SLACK

Lumos tried to send a Slack message to the new approvers about an escalated access request.

APP_STORE_CURRENT_APPROVERS_REASSIGN_ESCALATIONS_EMAIL

Lumos tried to send an email to the current approvers that their request has been escalated.

APP_STORE_CURRENT_APPROVERS_REASSIGN_ESCALATIONS_SLACK

Lumos tried to send a Slack message to the current approvers that their request has been escalated.

APP_STORE_REMIND_MANAGER_APPROVAL_EMAIL

Lumos tried to send an email to a manager to remind them to act on their request.

APP_STORE_REMIND_MANAGER_APPROVAL_SLACK

Lumos tried to send a Slack message to a manager to remind them to act on their request.

APP_STORE_REMIND_APPROVERS_APPROVAL_EMAIL

Lumos sent an email reminder to approvers to complete their approval task.

APP_STORE_REMIND_APPROVERS_APPROVAL_SLACK

Lumos sent a Slack reminder to approvers to complete their approval task.

APP_STORE_REMIND_ADMINS_PROVISIONING_EMAIL

Lumos sent an email reminder to app admins to complete their provisioning task.

APP_STORE_REMIND_ADMINS_PROVISIONING_SLACK

Lumos sent a Slack reminder to app admins to complete their provisioning task.

SEND_REQUEST_APPROVAL_FOR_ACCESS_REQUEST_EMAIL

Lumos attempted to send an email to an approver to notify them of an access request.

SEND_REQUEST_APPROVAL_FOR_ACCESS_REQUEST_SLACK

Lumos attempted to send a Slack message to an approver to notify them of an access request.

SEND_MANUAL_DEPROVISIONING_REQUEST_VIA_SLACK

Lumos attempted to send a Slack message to an app admin to notify them of an access deprovisioning task.

SEND_MANUAL_DEPROVISIONING_REQUEST_VIA_EMAIL

Lumos attempted to send an email to an app admin to notify them of an access deprovisioning task.

SEND_ACCESS_REQUEST_EMAIL

Lumos attempted to send an email to an approver to notify them of an access request.

CONFIRM_ACCESS_REQUEST_EMAIL_DELIVERY

Lumos confirmed that an access request email was delivered.

SEND_ACCESS_REQUEST_SLACK

Lumos attempted to send a Slack notification to an approver to notify them of an access request.

SEND_MANUAL_PROVISIONING_REQUEST_VIA_SLACK

Lumos attempted to send a Slack notification to an app admin to notify them of manual provisioning steps.

SEND_MANUAL_PROVISIONING_REQUEST_VIA_EMAIL

Lumos attempted to send an email to an app admin to notify them of manual provisioning steps.

ITSM_TICKET_LINKED_TO_ACCESS_REQUEST

Lumos linked an existing ITSM ticket to an access request.

ITSM_TICKET_CREATED_FOR_ACCESS_REQUEST

Lumos created a ticket in an ITSM for an access request.

ITSM_TICKET_COULD_NOT_BE_UPDATED

An ITSM ticket's status could not be updated via an integration.

ITSM_TICKET_STATUS_UPDATED

An ITSM ticket's status was updated via an integration.

ADMIN_CONNECTS_INTEGRATION

A Lumos admin attempted to connect a new integration.

ADMIN_UPDATES_INTEGRATION

A Lumos admin attempted to update an already-connected integration.

ADMIN_ADDED_APP_TO_APPSTORE

A user attempted to add an app to the AppStore.

ADMIN_REMOVED_APP_FROM_APPSTORE

A user attempted to remove an app from the AppStore.

ADMIN_ADDED_PERMISSION_TO_APP

A user attempted to add a permission to an app.

ADMIN_UPDATED_APP_APPROVERS

A user updated an app's approvers.

ADMIN_UPDATED_PERMISSION_APPROVERS

A user updated a permission's approvers.

ADMIN_UPDATED_APP_MANAGER_APPROVAL

A user updated an app's manager approval setting.

ADMIN_UPDATED_PERMISSION_MANAGER_APPROVAL

A user updated a permission's manager approval setting.

ADMIN_UPDATED_APP_ADMINS

A user updated an app's admins.

ADMIN_UPDATED_USERS_LUMOS_USER_ROLE

A Lumos User's access level was updated by an Admin.

ACCOUNT_SUSPENDED_VIA_INTEGRATION

Someone attempted to suspend a user's app account via an integration.

ACCOUNT_CREATED_VIA_INTEGRATION

Someone attempted to create a user account via a Lumos integration.

ACCOUNT_ASSIGNED_TO_GROUP_VIA_INTEGRATION

A user was added to an application (IdP) group.

ACCOUNT_UNASSIGNED_FROM_GROUP_VIA_INTEGRATION

A user was removed from an application (IdP) group.

ACCOUNT_UNASSIGNED_FROM_APP_VIA_INTEGRATION

Lumos attempted to unassign a user from an app via an integration.

ACCOUNT_DEPROVISIONED_VIA_WEBHOOK

Lumos attempted to deprovision an account via a webhook.

ACCOUNT_DEPROVISIONED_VIA_INTEGRATION

Lumos attempted to deprovision a user's app account through an integration.

ACCOUNT_ARCHIVED_VIA_INTEGRATION

Lumos attempted to archive a user's app account through an integration.

ACCOUNT_LICENSE_REMOVED_VIA_INTEGRATION

Lumos attempted to remove the license for an account via an integration.

ACCOUNT_DOWNGRADED_VIA_INTEGRATION

Lumos attempted to downgrade a user's app account through an integration.

ACCOUNT_DATA_TRANSFERED_VIA_INTEGRATION

Lumos attempted to transfer a user's data for their app account through an integration.

ACCOUNT_EMAIL_REROUTED_VIA_INTEGRATION

Lumos attempted to reroute a user's email for their account via integration.

ACCOUNT_ORGANIZATION_UNIT_CHANGED_VIA_INTEGRATION

Lumos attempted to change an account's organization unit via an integration.

ACCOUNT_RESOURCES_RELEASED_VIA_INTEGRATION

Lumos attempted to release an account's resources via an integration.

ACCOUNT_MARKED_AS_DEPROVISIONED

A user's app account status was updated to "Deprovisioned".

USER_ADDS_APP_STORE_PRE_APPROVAL_RULE

A pre-approval rule was added to an application.

USER_REMOVES_APP_STORE_PRE_APPROVAL_RULE

A pre-approval rule was updated for an application.

APPSTORE_WEBHOOK_OPTIONS_UPDATED

A user updated the webhook options for a permission or app.

INACTIVITY_WORKFLOW_CREATED

An inactivity workflow was created (but not yet enabled).

INACTIVITY_WORKFLOW_ENABLED

An inactivity workflow was enabled.

INACTIVITY_WORKFLOW_DISABLED

An inactivity workflow was disabled.

INACTIVITY_WORKFLOW_REMOVED

An inactivity workflow was removed.

INACTIVITY_WORKFLOW_TRIGGERED_FOR_ACCOUNT

An inactivity workflow triggered on an inactive account.

INACTIVITY_WORKFLOW_ASKED_ACCOUNT_OWNER_FOR_APPROVAL

An inactivity workflow notified the account owner to confirm removal of their account.

INACTIVITY_WORKFLOW_ASKED_REVIEWER_FOR_APPROVAL

An inactivity workflow notified its reviewer to confirm removal of an inactive account.

INACTIVITY_WORKFLOW_NOTIFICATION_ACCEPTED

A user approved an inactivity workflow notification.

INACTIVITY_WORKFLOW_NOTIFICATION_REJECTED

A user rejected an inactivity workflow notification.

INACTIVITY_WORKFLOW_NOTIFICATION_IGNORED

A user ignored an inactivity workflow notification.

APPSTORE_WEBHOOK_UPDATED_FOR_APP

A user updated a webhook for an app.

APPSTORE_WEBHOOK_UPDATED_FOR_PERMISSION

A user updated a permission webhook for an app.

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_DISCOVERED

A user attempted to update another user's account status to Discovered.

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_STAGED

A user attempted to update another user's account status to Staged.

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_ACCESS_CREATED

A user attempted to update another user's account status to "Access Created".

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_ACTIVE

A user attempted to update another user's account status to "Active".

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_SUSPENDED

A user attempted to update another user's account status to "Suspended".

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_DEPROVISIONED

A user attempted to update another user's account status to "Deprovisioned".

ADMIN_UPDATES_APP_USER_ACCOUNT_STATUS_TO_MANUALLY_REMOVED

A user attempted to update another user's account status to "Manually Removed".

TIME_BASED_ACCESS_EXPIRED_REQUEST_AUTOMATIC_UNASSIGN_FROM_GROUP

A user was unassigned from an app (IdP) group via time-based access expiration.

TIME_BASED_ACCESS_EXPIRED_REQUEST_DEPROVISION_INLINE_WEBHOOK

A deprovisioning webhook was triggered when a user's time-based access expired.

TIME_BASED_ACCESS_EXPIRED_REQUEST_AUTOMATIC_DEPROVISIONING

A user was deprovisioned from an app via time-based access expiration.

TIME_BASED_ACCESS_EXPIRED_REQUEST_AUTOMATIC_SUSPEND

A user was suspended from an app via time-based access expiration.

ONBOARDING_RULE_CREATED

An onboarding rule was created.

ONBOARDING_RULE_UPDATED

An onboarding rule was updated.

ONBOARDING_RULE_DELETED

An onboarding rule was deleted.

ESCALATION_POLICY_CREATED

An escalation policy was created.

ESCALATION_POLICY_UPDATED

An escalation policy was updated.

ESCALATION_POLICY_DELETED

An escalation policy was deleted.

ACCESS_REVIEW_CREATED

A new access review was created.

ACCESS_REVIEW_DETAILS_UPDATED

An access review's details have been edited.

ACCESS_REVIEW_DELETED

An access review has been deleted.

ACCESS_REVIEW_COMPLETED

An access review has been completed.

ACCESS_REVIEW_APPS_ADDED

New apps have been added to an access review.

ACCESS_REVIEW_APPS_REMOVED

Apps have been removed from an access review.

ACCESS_REVIEW_DOMAIN_APP_ADDED

An application has been added to an access review.

ACCESS_REVIEW_DOMAIN_APP_REMOVED

An application has been removed from an access review.

ACCESS_REVIEW_DOMAIN_APP_ADMIN_ASSIGNED

A user has been added as the Access Review App Admin for an app.

ACCESS_REVIEW_DOMAIN_APP_REVIEW_TYPE_SELECTED

The review type has been selected for an access review.

ACCESS_REVIEW_DOMAIN_APP_SCOPED

Scopes have been applied to an access review app.

ACCESS_REVIEW_DOMAIN_APP_COMPLETED

The review has been completed for an access review app.

ACCESS_REVIEW_ACCOUNT_REVIEWER_ASSIGNED

An access review account has been assigned to a reviewer.

ACCESS_REVIEW_ACCOUNT_REVIEWER_NOTIFIED

The reviewer for an access review account has been notified about the assignment.

ACCESS_REVIEW_ACCOUNT_REMOVER_ASSIGNED

The account has been delegated to a user for removal.

ACCESS_REVIEW_ACCOUNT_ACCESS_APPROVED

The account reviewer marked an access review account as approved.

ACCESS_REVIEW_ACCOUNT_ACCESS_REJECTED

The account reviewer marked an access review account as rejected.

ACCESS_REVIEW_ACCOUNT_ACCESS_NEEDS_MODIFICATION

The account reviewer marked an access review account as needing modification.

ACCESS_REVIEW_ACCOUNT_REVIEW_DECISION_REMOVED

The decision was removed for an access review account.

ACCESS_REVIEW_ACCOUNT_REMOVED

An access review account has been marked as removed.

ACCESS_REVIEW_ACCOUNT_REMOVAL_FAILED

There was an error removing account access.

ACCESS_REVIEW_ACCOUNT_NOTES_ADDED

A user added notes to an account review.

ACCESS_REVIEW_ACCOUNT_EVIDENCE_UPLOADED

A user uploaded evidence related to an account review.

ACCESS_REVIEW_ACCOUNT_REASSIGNMENT_REMINDER_ESCALATIONS

A reviewer has been notified about assignments that will be escalated based on company policies.

ACCESS_REVIEW_NEW_APPROVER_ACCOUNT_REASSIGNMENT_ESCALATIONS

A reviewer has been notified about assignments that were escalated to them.

ACCESS_REVIEW_CURRENT_APPROVER_ACCOUNT_REASSIGNMENT_ESCALATIONS

The current reviewer has been notified about assignments that were escalated based on company policies.

ACCESS_REVIEW_ACCOUNT_REVIEWERS_REASSIGN_ACTION_ESCALATIONS

A review has been escalated based on company policies.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REVIEWER_ASSIGNED

An account permission review has been delegated to a reviewer.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REVIEWER_NOTIFIED

A reviewer has been notified of their permission review assignments.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REMOVER_ASSIGNED

An account permission review has been removed from a reviewer.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_ACCESS_APPROVED

An account permission review has been approved.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_ACCESS_REJECTED

An account permission review has been rejected.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_ACCESS_NEEDS_MODIFICATION

An account permission review has been marked as needing modification.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REVIEW_DECISION_REMOVED

An account permission review has had its decision removed.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REMOVED

An account permission has been marked as removed.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REMOVAL_FAILED

An account permission has failed to be removed.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_EVIDENCE_UPLOADED

Evidence has been uploaded for a reviewed account permission.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_NOTES_ADDED

An account permission has had notes added to it.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REASSIGNMENT_REMINDER_ESCALATIONS

An account permission reviewer has been notified that their review will be escalated.

ACCESS_REVIEW_NEW_APPROVER_ACCOUNT_ENTITLEMENT_REASSIGNMENT_ESCALATIONS

A new (escalated) account permission reviewer has been notified that they have a review to complete.

ACCESS_REVIEW_CURRENT_APPROVER_ACCOUNT_ENTITLEMENT_REASSIGNMENT_ESCALATIONS

The current account permission reviewer has been notified that their review has been escalated.

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT_REVIEWERS_REASSIGN_ACTION_ESCALATIONS

An account permission review has been escalated.

USER_ONBOARDING_TRIGGERED

A new hire onboarding for a user has been triggered.

Actor types

In the event payload, Lumos tells you what type of actor initiated the event in the "actor_type" field and sends a payload of data about them as part of the "actor" data.

Actor Type | Description | Payload

ANONYMOUS

The action was performed by an unauthenticated user.

N/A

LUMOS_USER

The Lumos User that performed the action.

{
  "email": str,
  "given_name": str,
  "family_name": str
}

LUMOS_SYSTEM

An automated or asynchronous event initiated by the Lumos application.

N/A

Target types

Every event has one or more targets that were acted upon by that event.

The type of target is specified in the "target_type" field and information about the targets is stored in a list as part of the "targets" field.

Target Type | Description | Payload

APP

Provides information about the application.

{
  "app_id": str,
  "name": str
}

APP_INSTANCE

Provides information about this specific instance of an application.

{
  "app_id": str,
  "instance_id": str,
  "user_friendly_label": str
}

LUMOS_USER

The Lumos User on which the action (e.g. provisioning) was performed.

{
  "email": str,
  "given_name": str,
  "family_name": str
}

USER_APP_RELATIONSHIP

The relationship between a Lumos User and an App.

{
  "user": {
    "email": str,
    "given_name": str,
    "family_name": str
  },
  "app": {
    "app_id": str,
    "instance_id": str,
    "user_friendly_label": str
  }
}

ACCOUNT

A user's account in a specific application.

{
  "identifier": str,
  "email": str,
  "given_name": str,
  "family_name": str,
  "username": str,
  "user": {
    "email": str,
    "given_name": str,
    "family_name": str
  },
  "app": {
    "app_id": str,
    "instance_id": str,
    "user_friendly_label": str
  }
}

ACCESS_REQUEST

A request for access created from the AppStore.

{
  "target_user": {
    "email": str,
    "given_name": str,
    "family_name": str
  },
  "requester_user": {
    "email": str,
    "given_name": str,
    "family_name": str
  },
  "app": {
    "app_id": str,
    "instance_id": str,
    "user_friendly_label": str
  },
  "access_length": str,
  "permissions": {
    "label": str,
    "value": str,
    "type": GROUP | PERMISSION,
    "source": OKTA | ONELOGIN | ...
  },
  "business_justification": str
}

ACCESS_REVIEW

An access review.

{
  "name": str
}

ACCESS_REVIEW_DOMAIN_APP

An app within the access review.

{
  "status": IN_PREPARATION | ASSIGNING_REVIEWERS | ...,
  "review_type": ACCOUNTS | ENTITLEMENTS
}

ACCESS_REVIEW_ACCOUNT

An account in an access review app.

{
  "email": str
}

ACCESS_REVIEW_ACCOUNT_ENTITLEMENT

 

{
  "type": str,
  "label": str
}

LUMOS_GROUP

A group associated with an application (email provider, IdP).

{
  "name": str,
  "external_id": str
}

PRE_APPROVAL_RULE

A pre-approval rule for an AppStore app.

{
  "justification": str,
  "app": {
    "app_id": str,
    "instance_id": str,
    "user_friendly_label": str
  }
}

APP_GROUP_REQUEST_CONFIG

The configuration for a specific app Permission in the AppStore.

{
  "label": str,
  "value": str,
  "type": GROUP | PERMISSION,
  "source": OKTA | ONELOGIN | GSUITE | ...
}

INLINE_WEBHOOK

An inline webhook.

{
  "hook_type": PROVISION | DEPROVISION | PRE_APPROVAL | REQUEST_VALIDATION,
  "name": str,
  "description": str
}

ONBOARDING_RULE

A new hire onboarding rule.

{
  "targets": str,
  "owner_id": int,
  "business_justification": str
}

ESCALATION_POLICY

An AppStore or Access Reviews escalation policy.

{
  "name": str
}
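The following Python module is an added example, not part of this article and not Lumos code. It ties the three sections together: it parses a payload in the Log format shape, checks the actor and target types against the Actor types and Target types tables, and then runs a small triage pass over the parsed event of the kind a SIEM detection rule would do. It assumes that "event_began_at" arrives as an ISO 8601 string (the page only says "datetime"), and the set of event types it treats as high-risk (approval overrides, approver and role changes, new pre-approval rules) is this example's own choice drawn from the event-type table, not a Lumos recommendation. The sample payload and all names in it are constructed.

```python
"""Parse and triage Lumos SIEM event payloads (added example, not Lumos code).
Assumes the JSON layout documented on this page and that "event_began_at"
is an ISO 8601 string; the high-risk event list is this example's own choice."""
import json
from dataclasses import dataclass
from datetime import datetime

ACTOR_TYPES = {"ANONYMOUS", "LUMOS_USER", "LUMOS_SYSTEM"}
TARGET_TYPES = {
    "APP", "APP_INSTANCE", "LUMOS_USER", "USER_APP_RELATIONSHIP", "ACCOUNT",
    "ACCESS_REQUEST", "ACCESS_REVIEW", "ACCESS_REVIEW_DOMAIN_APP", "ACCESS_REVIEW_ACCOUNT",
    "ACCESS_REVIEW_ACCOUNT_ENTITLEMENT", "LUMOS_GROUP", "PRE_APPROVAL_RULE",
    "APP_GROUP_REQUEST_CONFIG", "INLINE_WEBHOOK", "ONBOARDING_RULE", "ESCALATION_POLICY",
}
# Events from the table above that bypass or reshape the approval path (example's choice).
HIGH_RISK_EVENT_TYPES = {
    "APP_STORE_OVERRIDE_APPROVAL", "APP_STORE_OVERRIDE_MANAGER_APPROVAL",
    "ADMIN_UPDATED_USERS_LUMOS_USER_ROLE", "ADMIN_UPDATED_APP_APPROVERS",
    "ADMIN_UPDATED_PERMISSION_APPROVERS", "USER_ADDS_APP_STORE_PRE_APPROVAL_RULE",
}
REQUIRED = ("event_hash", "event_type", "event_type_user_friendly",
            "actor", "targets", "event_began_at")


@dataclass
class LumosEvent:
    event_hash: str
    event_type: str
    actor_type: str
    actor: dict
    targets: list
    began_at: datetime


def parse_event(raw: str) -> LumosEvent:
    """Validate one payload against the documented shape; raise ValueError otherwise."""
    doc = json.loads(raw)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"payload missing fields: {missing}")
    actor_type = doc["actor"].get("actor_type")
    if actor_type not in ACTOR_TYPES:
        raise ValueError(f"unknown actor_type: {actor_type!r}")
    targets = doc["targets"]
    if not isinstance(targets, list) or not targets:  # every event has >= 1 target
        raise ValueError("targets must be a non-empty list")
    for t in targets:
        if t.get("target_type") not in TARGET_TYPES:
            raise ValueError(f"unknown target_type: {t.get('target_type')!r}")
    return LumosEvent(doc["event_hash"], doc["event_type"], actor_type, doc["actor"],
                      targets, datetime.fromisoformat(doc["event_began_at"]))


def actor_label(ev: LumosEvent) -> str:
    # Only LUMOS_USER actors carry a payload; ANONYMOUS and LUMOS_SYSTEM are N/A.
    return ev.actor.get("email", "<no email>") if ev.actor_type == "LUMOS_USER" else ev.actor_type


def triage(ev: LumosEvent) -> list[str]:
    """Return the reasons, if any, this event deserves analyst attention."""
    findings = []
    if ev.event_type in HIGH_RISK_EVENT_TYPES:
        findings.append(f"{ev.event_type} by {actor_label(ev)}")
    if ev.actor_type == "ANONYMOUS" and ev.event_type.startswith("ADMIN_"):
        findings.append("admin event with an unauthenticated actor")
    if ev.event_type.startswith("APP_STORE_OVERRIDE") and ev.actor_type == "LUMOS_USER":
        # An override by the requester or beneficiary of the same request is self-approval.
        for t in ev.targets:
            if t.get("target_type") != "ACCESS_REQUEST":
                continue
            parties = {t.get("requester_user", {}).get("email"),
                       t.get("target_user", {}).get("email")}
            if ev.actor.get("email") in parties:
                findings.append("approval overridden by a party to the request")
    return findings


# Constructed sample payload in the documented format; not a real Lumos event.
ALICE = {"email": "alice@example.com", "given_name": "Alice", "family_name": "Example"}
SAMPLE_EVENT = json.dumps({
    "event_hash": "example-hash-0001",
    "event_type": "APP_STORE_OVERRIDE_APPROVAL",
    "event_type_user_friendly": "Approval overridden",
    "actor": {"actor_type": "LUMOS_USER", **ALICE},
    "targets": [{
        "target_type": "ACCESS_REQUEST",
        "target_user": ALICE,
        "requester_user": ALICE,
        "app": {"app_id": "app-123", "instance_id": "inst-1", "user_friendly_label": "Example App"},
        "access_length": "30 days",
        "permissions": {"label": "Admins", "value": "admins", "type": "GROUP", "source": "OKTA"},
        "business_justification": "constructed justification",
    }],
    "event_began_at": "2024-10-07T12:00:00+00:00",
})

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    for reason in triage(ev):
        print(f"[{ev.began_at.isoformat()}] {ev.event_hash}: {reason}")
```

Run as a script, it reports two findings for the sample: the override itself is on the high-risk list, and the overriding LUMOS_USER is also the requester and target of the request. Rejecting payloads with an unknown actor_type or an empty targets list before they reach a rule is deliberate: a silently accepted malformed event is harder to notice than one that lands in a parse-failure queue.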