UserActivityLog
Comprehensive audit trail that records every significant action performed by users in the system. This entity serves as the forensic backbone for security monitoring, compliance reporting, and user behavior analysis. It captures not just what happened, but the full context - who did it, when, from where, what changed, and whether it succeeded or failed.

Every login attempt, password change, profile update, permission modification, and data access is logged with enough detail to reconstruct events during security incidents. The log includes both successful and failed actions, which is crucial for detecting attack patterns like credential stuffing or privilege escalation attempts. Risk scoring helps identify suspicious activities automatically, while the preserved old and new values enable rollback capabilities.

This audit trail is essential for compliance with regulations like GDPR, HIPAA, and SOX that require detailed activity logs. It's also valuable for user support, helping administrators understand what a user did before encountering an issue. The logs are typically retained for extended periods (years for compliance) and can be analyzed to detect insider threats, unusual access patterns, or systemic security issues.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| logId | uuid | stored | Unique identifier for this log entry | Required |
| userId | uuid | stored | User who performed the action | Required |
| activityType | string | enum | Category of activity performed Values: | Required |
| timestamp | DateTime | stored | Exact time when the activity occurred | Required |
| ipAddress | string | stored | IP address from which the action was performed | Optional |
| userAgent | string | stored | Browser or application identifier | Optional |
| deviceId | uuid | stored | Trusted device identifier if applicable | Optional |
| sessionId | uuid | stored | Session during which this activity occurred | Optional |
| result | string | enum | Outcome of the activity Values: | Required |
| errorCode | string | stored | Specific error code if the action failed | Optional |
| errorMessage | string | stored | Human-readable error description | Optional |
| changedFields | string | stored | JSON array of fields that were modified | Optional |
| oldValues | string | stored | Encrypted JSON of previous values for rollback | Optional |
| newValues | string | stored | Encrypted JSON of new values after change | Optional |
| riskScore | integer | stored | Calculated risk level of this activity (0-100) | Optional |
| riskFactors | string | stored | JSON array of risk indicators detected | Optional |
| location | string | stored | Geographic location based on IP | Optional |
| transactionId | uuid | stored | Related transaction for grouped operations | Optional |
| metadata | string | stored | Additional context in JSON format | Optional |
Examples
Example 1
{
"@type": "UserActivityLog",
"logId": "log_abc123",
"userId": "user_550e8400",
"activityType": "password_change",
"timestamp": "2024-03-15T14:30:00Z",
"ipAddress": "192.168.1.100",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0",
"sessionId": "sess_xyz789",
"result": "success",
"changedFields": "[\"passwordHash\", \"passwordLastChangedAt\"]",
"riskScore": 5,
"riskFactors": "[\"known_device\", \"usual_location\"]",
"location": "New York, NY, USA",
"metadata": "{\"passwordStrength\": 85, \"method\": \"user_initiated\"}"
}
Example 2
{
"@type": "UserActivityLog",
"logId": "log_def456",
"userId": "user_6ba7b810",
"activityType": "login",
"timestamp": "2024-03-15T09:00:00Z",
"ipAddress": "203.0.113.45",
"userAgent": "MyApp/2.1.0 (iPhone; iOS 17.0)",
"deviceId": "dev_mobile_789",
"result": "failure",
"errorCode": "ACCOUNT_LOCKED",
"errorMessage": "Account temporarily locked due to multiple failed login attempts",
"riskScore": 75,
"riskFactors": "[\"multiple_failures\", \"new_location\", \"vpn_detected\"]",
"location": "Singapore",
"metadata": "{\"attemptNumber\": 6, \"vpnProvider\": \"NordVPN\"}"
}
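
The description notes that logging failed actions is what makes patterns like credential stuffing detectable. The following is an added example, not part of the original schema documentation: it scans UserActivityLog records for a single ipAddress producing failed logins against many distinct userId values in a short period. The function names, the 5-minute window, the 5-account threshold and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data) using the page's field names.
def _fail(user, ts, ip=None):
    rec = {"userId": user, "activityType": "login", "result": "failure",
           "timestamp": ts}
    if ip:  # ipAddress is Optional in the schema
        rec["ipAddress"] = ip
    return rec

SAMPLE_LOGS = (
    # One source failing against six different accounts within seconds.
    [_fail(f"user_{i:03d}", f"2024-03-15T09:00:{i:02d}Z", "203.0.113.45") for i in range(6)]
    # One user mistyping a password: many failures, a single account.
    + [_fail("user_900", f"2024-03-15T09:01:{i:02d}Z", "198.51.100.7") for i in range(6)]
    # A failure with no recorded source address.
    + [_fail("user_902", "2024-03-15T09:03:00Z")]
)


def parse_ts(value):
    # fromisoformat() on older Pythons rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_credential_stuffing(logs, window=timedelta(minutes=5), min_users=5):
    """Map ipAddress -> sorted userIds for sources whose failed logins hit
    at least min_users distinct accounts inside one sliding window.
    The window and threshold defaults are assumptions, not schema values."""
    failures = defaultdict(list)
    for rec in logs:
        if rec.get("activityType") != "login" or rec.get("result") != "failure":
            continue
        ip = rec.get("ipAddress")
        if not ip:  # cannot attribute a record without a source address
            continue
        failures[ip].append((parse_ts(rec["timestamp"]), rec["userId"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than the window
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

Counting distinct accounts rather than raw failures keeps a single user who repeatedly mistypes a password from being flagged; that case is already covered by the per-account lockout shown in Example 2.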