Event Schema Reference (for SIEM Teams)
This page documents the ProfileSafeEvent JSON envelope that is delivered identically to all configured sinks — SIEM (HTTP & Syslog), Webhooks, and Windows Event Log. It is intended as a reference for SIEM engineers building parsers, correlation rules, and dashboards.
Event Envelope
Every event is a JSON object with the following top-level fields:
| Field | Type | Description |
|---|---|---|
| eventId | GUID | Unique event identifier. Serves as primary key, idempotency key, and deduplication key. |
| timestampUtc | ISO 8601 | UTC timestamp of event creation |
| schemaVersion | string | Event schema version (currently 1.0.0) |
| severity | enum | Info, Warning, Error, or Critical |
| source | string | Origin: CLI, GUI, or Core |
| operationId | GUID | Correlation ID for grouping related events (e.g. all events from one export) |
| category | string | Export, Import, Simulation, License, Preflight, Configuration, Security, DataProtection, DryRun, or System |
| action | string | Started, Completed, CompletedWithErrors, Failed, or ItemSkipped |
| payloadType | string | Discriminator for the payload object: Export, Import, Simulation, License, Preflight, or Audit |
| context | object | Execution environment: machineName, userName, domain, tenant |
| payload | object | Category-specific payload (see below) |
| errorCode | string \| null | APS error code on failure, null on success |
| extensions | object | Key-value pairs for custom metadata |
Categories & Actions
The category field indicates what kind of operation produced the event. The action field indicates the lifecycle stage.
| Category | Actions | Description |
|---|---|---|
| Export | Started, Completed, CompletedWithErrors, Failed | Profile export operations |
| Import | Started, Completed, CompletedWithErrors, Failed | Profile import operations |
| Simulation | Completed | Dry-run simulation and mapping simulation |
| License | Completed, Failed | License validation events |
| Preflight | Completed, Failed | Pre-operation health checks |
| Configuration | Completed | Settings or mapping configuration changed |
| Security | Failed | Unauthorized access, integrity check failures, schema validation failures |
| DataProtection | Completed | Personal data exported or imported (GDPR tracking) |
| DryRun | Completed | Dry-run analysis executed |
| System | Completed | Log rotation, log archival, and other internal operations |
Payload Types
| payloadType | Fields |
|---|---|
| Export | profileName, targetPath*, folderCount, fileCount, registryKeyCount, registryValueCount, totalSizeBytes, appNames (array), success, errorMessage |
| Import | profileName, sourcePath*, filesImported, registryKeysImported, filesSkipped, mappingApplied, restorePointCreated, success, errorMessage |
| Simulation | profileName, totalChanges, conflicts, diffReportPath* |
| License | licenseStatus, expirationDate, validationMessage |
| Preflight | passed, warnings (array), errors (array) |
| Audit | target, success, details, durationMs, folderCount, fileCount, dataSize, registryKeyCount, registryValueCount, errorMessage, entryHash, sequenceNumber |
Fields marked with * may be subject to redaction (partial masking) before delivery to sinks.
All payloads include a version field (currently 1.0.0) for forward compatibility.
The Audit payload is used for operational events that do not fit the domain-specific payloads above (configuration changes, security events, data protection tracking, system operations). It carries the same counters (folderCount, fileCount, registryKeyCount, registryValueCount, dataSize) as the audit trail CSV and includes the chain hash (entryHash) and sequenceNumber for integrity verification.
Severity Mapping
| EventSeverity | CEF Numeric | Syslog (RFC 5424) | Windows Event Log |
|---|---|---|---|
| Info | 3 (Low) | Informational | Information |
| Warning | 5 (Medium) | Warning | Warning |
| Error | 7 (High) | Error | Error |
| Critical | 9 (Very High) | Critical | Error (Windows Event Log has no Critical level) |
Syslog Format
When delivered via Syslog (TCP/TLS), events are formatted as RFC 5424 messages:
```
<severity>1 2026-02-14T10:30:00.000Z WORKSTATION01 AppProfileSafe - {eventId} - {action}
```
The severity field uses the numeric Syslog priority value (3 for Error, 6 for Info).
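As an added example (not code from the AppProfileSafe project), the following Python renders and parses the line layout above. The RFC 5424 numeric codes for Warning (4) and Critical (2) are the standard syslog severity values and extend the two the page quotes (3 for Error, 6 for Info); the sample event is constructed, and the regex assumes the eventId is rendered as a standard 8-4-4-4-12 GUID string.

```python
import re
from dataclasses import dataclass

# Severity mapping from the "Severity Mapping" table above. The syslog codes are
# the standard RFC 5424 severity numbers (Informational=6, Warning=4, Error=3,
# Critical=2); the page itself quotes 3 for Error and 6 for Info.
SYSLOG_SEVERITY = {"Info": 6, "Warning": 4, "Error": 3, "Critical": 2}
CEF_SEVERITY = {"Info": 3, "Warning": 5, "Error": 7, "Critical": 9}
WINDOWS_LEVEL = {"Info": "Information", "Warning": "Warning", "Error": "Error", "Critical": "Error"}
APP_NAME = "AppProfileSafe"  # APP-NAME field as shown in the documented line

# Constructed sample event (not captured from a real deployment); only the
# envelope fields the syslog line needs are present.
SAMPLE_EVENT = {
    "eventId": "3f2c5f1a-1b2e-4c3d-9e8f-0a1b2c3d4e5f",
    "timestampUtc": "2026-02-14T10:30:00.000Z",
    "severity": "Error",
    "action": "Failed",
    "context": {"machineName": "WORKSTATION01"},
}


def format_syslog_line(event: dict) -> str:
    """Render: <severity>1 <timestampUtc> <machineName> AppProfileSafe - <eventId> - <action>"""
    sev = SYSLOG_SEVERITY[event["severity"]]
    return (f"<{sev}>1 {event['timestampUtc']} {event['context']['machineName']} "
            f"{APP_NAME} - {event['eventId']} - {event['action']}")


# Assumes eventId is serialized as a standard GUID string (8-4-4-4-12 hex groups).
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) - "
    r"(?P<event_id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}) - (?P<action>\S+)$"
)


@dataclass
class SyslogFields:
    severity: str  # EventSeverity name recovered from the numeric code
    timestamp_utc: str
    host: str
    event_id: str
    action: str


def severity_from_pri(pri: int) -> str:
    """Map the numeric value back to an EventSeverity name.

    A relay that prepends a facility sends PRI = facility*8 + severity, so only
    the low three bits carry severity; for the bare <severity> form shown on
    this page the masking is a no-op.
    """
    code = pri & 0x7
    for name, n in SYSLOG_SEVERITY.items():
        if n == code:
            return name
    raise ValueError(f"syslog severity {code} has no EventSeverity mapping")


def parse_syslog_line(line: str) -> SyslogFields:
    """Parse a line in the documented layout; rejects lines from other applications."""
    m = _LINE_RE.match(line.strip())
    if not m or m["app"] != APP_NAME:
        raise ValueError(f"not a ProfileSafe syslog line: {line!r}")
    return SyslogFields(severity_from_pri(int(m["pri"])), m["ts"], m["host"],
                        m["event_id"], m["action"])
```

Because the syslog line carries only the eventId and action, a parser that needs the payload should use the eventId extracted here to join against the full JSON envelope delivered over HTTP.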
HTTP (JSON) Format
When delivered via HTTP (to SIEM or webhooks), the complete ProfileSafeEvent is serialized as a JSON object and sent as the request body with Content-Type: application/json. Use the eventId field for deduplication and the operationId for correlation across related events.
SIEM Parser Recommendations
- Key fields for alerting: `severity` = Critical or Error, `errorCode` non-null, `action` = Failed, `category` = Security
- Correlation: Group events by `operationId` to reconstruct a full export/import lifecycle (Started → Completed/CompletedWithErrors/Failed)
- Partial success: `action` = CompletedWithErrors indicates the operation finished but some items were skipped or failed. Check `errorMessage` in the payload for details.
- User tracking: Use `context.userName` and `context.domain` for user attribution
- Machine tracking: Use `context.machineName` for per-host dashboards
- Payload parsing: Use `payloadType` to determine which payload fields are available, then parse accordingly
- Integrity chain: Audit-type events include `entryHash` and `sequenceNumber`. Use these to verify the audit trail has not been tampered with (each hash chains to the previous entry).
- Data volume tracking: Use `folderCount`, `fileCount`, `registryKeyCount`, `registryValueCount`, and `dataSize`/`totalSizeBytes` to monitor data volumes per operation.
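The recommendations above, applied to a constructed NDJSON feed of the JSON envelope, as an added example that is not part of the original page or the AppProfileSafe project. It deduplicates on `eventId`, validates the envelope, evaluates the alerting rule, reconstructs lifecycles per `operationId`, attributes events to users, and pulls the volume counters per `payloadType`. The sample events, the `APS-PLACEHOLDER` error code and the `PLACEHOLDER_HASH` value are constructed placeholders, not values the product emits.

```python
import json
from collections import Counter, defaultdict

SCHEMA_VERSION = "1.0.0"
REQUIRED = ("eventId", "timestampUtc", "schemaVersion", "severity", "source", "operationId",
            "category", "action", "payloadType", "context", "payload")
SEVERITIES = {"Info", "Warning", "Error", "Critical"}
# Counter fields per payloadType, taken from the Payload Types table on this page.
VOLUME_FIELDS = {
    "Export": ("folderCount", "fileCount", "registryKeyCount", "registryValueCount", "totalSizeBytes"),
    "Import": ("filesImported", "registryKeysImported", "filesSkipped"),
    "Audit": ("folderCount", "fileCount", "registryKeyCount", "registryValueCount", "dataSize"),
}

# --- Constructed sample feed (not real telemetry) -------------------------------
_CTX = {"machineName": "WORKSTATION01", "userName": "jdoe", "domain": "CORP", "tenant": "default"}


def _event(event_id, ts, severity, source, op, category, action, ptype, payload, error_code=None):
    """Build one envelope in the documented shape (helper for the sample data only)."""
    return {"eventId": event_id, "timestampUtc": ts, "schemaVersion": SCHEMA_VERSION,
            "severity": severity, "source": source, "operationId": op, "category": category,
            "action": action, "payloadType": ptype, "context": _CTX,
            "payload": {"version": "1.0.0", **payload}, "errorCode": error_code, "extensions": {}}


OP_EXPORT = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
OP_SECURITY = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
_DONE = _event("22222222-2222-4222-8222-222222222222", "2026-02-14T10:31:12.000Z", "Warning", "CLI",
               OP_EXPORT, "Export", "CompletedWithErrors", "Export",
               {"profileName": "jdoe", "targetPath": r"D:\exports\jd***.zip",  # partially masked
                "folderCount": 85, "fileCount": 1200, "registryKeyCount": 40, "registryValueCount": 310,
                "totalSizeBytes": 734003200, "appNames": ["Outlook", "Chrome"], "success": True,
                "errorMessage": "3 files were locked and skipped"})
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    _event("11111111-1111-4111-8111-111111111111", "2026-02-14T10:30:00.000Z", "Info", "CLI",
           OP_EXPORT, "Export", "Started", "Export",
           {"profileName": "jdoe", "targetPath": r"D:\exports\jd***.zip"}),
    _DONE,
    _DONE,  # delivered twice (e.g. a webhook retry): eventId makes ingestion idempotent
    _event("33333333-3333-4333-8333-333333333333", "2026-02-14T10:35:00.000Z", "Error", "Core",
           OP_SECURITY, "Security", "Failed", "Audit",
           {"target": "mapping.json", "success": False, "details": "integrity check failed",
            "durationMs": 12, "entryHash": "PLACEHOLDER_HASH", "sequenceNumber": 42},
           error_code="APS-PLACEHOLDER"),
])


# --- Pipeline stages ------------------------------------------------------------
def validate_envelope(ev: dict) -> list:
    """Return a list of problems; an empty list means the envelope is well-formed."""
    problems = [f"missing {f}" for f in REQUIRED if f not in ev]
    if ev.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity {ev.get('severity')!r}")
    if ev.get("schemaVersion") != SCHEMA_VERSION:
        problems.append(f"unexpected schemaVersion {ev.get('schemaVersion')!r}")
    return problems


def alert_reasons(ev: dict) -> list:
    """The page's 'key fields for alerting' as a rule; every matching condition is reported."""
    reasons = []
    if ev.get("severity") in ("Critical", "Error"):
        reasons.append(f"severity={ev['severity']}")
    if ev.get("errorCode") is not None:
        reasons.append(f"errorCode={ev['errorCode']}")
    if ev.get("action") == "Failed":
        reasons.append("action=Failed")
    if ev.get("category") == "Security":
        reasons.append("category=Security")
    return reasons


def dedupe(events) -> list:
    """Drop repeat deliveries using eventId as the idempotency key."""
    seen, out = set(), []
    for ev in events:
        key = ev.get("eventId")
        if key is not None and key in seen:
            continue
        seen.add(key)
        out.append(ev)
    return out


def lifecycles(events) -> dict:
    """Group by operationId (time-ordered) and classify the lifecycle from its actions."""
    by_op = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestampUtc"]):
        by_op[ev["operationId"]].append(ev["action"])
    result = {}
    for op, actions in by_op.items():
        if "Failed" in actions:
            status = "failed"
        elif "CompletedWithErrors" in actions:
            status = "partial"  # finished, but check payload.errorMessage
        elif "Completed" in actions:
            status = "complete"
        else:
            status = "in-progress"
        result[op] = {"actions": actions, "status": status}
    return result


def volume_metrics(ev: dict) -> dict:
    """Pick the counters that exist for this payloadType."""
    return {f: ev["payload"][f] for f in VOLUME_FIELDS.get(ev["payloadType"], ()) if f in ev["payload"]}


def analyze(ndjson: str) -> dict:
    """Ingest an NDJSON feed the way a SIEM pipeline would: dedupe, validate, alert, correlate."""
    events = dedupe(json.loads(line) for line in ndjson.splitlines() if line.strip())
    invalid = {e.get("eventId"): p for e in events if (p := validate_envelope(e))}
    valid = [e for e in events if e.get("eventId") not in invalid]
    return {
        "events": len(events),
        "invalid": invalid,
        "alerts": {e["eventId"]: r for e in valid if (r := alert_reasons(e))},
        "lifecycles": lifecycles(valid),
        "volumes": {e["eventId"]: volume_metrics(e) for e in valid},
        "events_per_user": Counter(f"{e['context']['domain']}\\{e['context']['userName']}" for e in valid),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_NDJSON), indent=2, default=dict))
```

Deduplication runs before validation so a retried delivery of a malformed event is reported once, and only well-formed envelopes reach the correlation and dashboard stages; the `partial` status is what the CompletedWithErrors recommendation above asks you to surface separately from a clean completion.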