Thrive Pro+ subscribers can now leverage centralised security information and event management (SIEM) logging. This feature provides comprehensive visibility into security-relevant activity across the platform, delivering structured audit events directly to your external security tooling for monitoring, investigation, and compliance.
Note:
To discuss purchasing this feature, contact your Thrive Account Director.
Key Benefits
Centralised visibility: Monitor authentication, authorisation, and configuration changes from a single source.
Seamless integration: Stream logs directly into industry-standard platforms like Splunk, Sentinel, or Datadog via Amazon Web Services (AWS) managed services.
Data integrity: Logs are captured at the source and processed through a controlled pipeline to ensure reliability and timely delivery.
Customer control: You maintain full ownership over how logs are ingested, analysed, and retained in your own security environment.
Designed for a balance of security, operational resilience, and ease of integration, SIEM logging enables near real-time data consumption with predictable retention and clearly defined access controls. This architecture minimises operational overhead by delivering structured audit events directly to your environment, ensuring you can satisfy rigorous security monitoring and compliance requirements without needing direct access to Thrive’s internal systems or infrastructure.
Logged Event Types
Thrive logs are categorised by the area of the platform they impact below. Each log entry is delivered in a structured JSON format following the OpenTelemetry (OTEL) standard, ensuring seamless compatibility with all major SIEM tools.
User Activity and Transaction Logging
These events track individual user interactions and profile modifications.
Events captured:
Profile: Created, updated, deleted, avatar uploaded.
Onboarding: Terms agreed, onboarding completed, activation code verified/generated, user activated.
Social: User followed/unfollowed, tags followed/unfollowed.
Fields and positions: Custom fields (v1/v2) created/updated/deleted, user positions created/updated/removed.
Example:
{
"resourceLogs": [
{
"resource": {
"attributes": [
{
"key": "service.name",
"value": {
"stringValue": "user-service"
}
},
{
"key": "service.version",
"value": {
"stringValue": "26.224.0"
}
},
{
"key": "host.name",
"value": {
"stringValue": "ip-10-187-39-137.eu-west-2.compute.internal"
}
},
{
"key": "tenant.id",
"value": {
"stringValue": "eu-west-2_wsc5Rc5b4"
}
}
]
},
"scopeLogs": [
{
"logRecords": [
{
"timeUnixNano": "1768244683006000000",
"observedTimeUnixNano": "1768244683644000000",
"severityNumber": 10,
"severityText": "INFO2",
"body": {
"stringValue": "User position created"
},
"attributes": [
{
"key": "http.request.method",
"value": {
"stringValue": "POST"
}
},
{
"key": "http.url",
"value": {
"stringValue": "/user"
}
},
{
"key": "http.operation",
"value": {
"stringValue": "mutation createPosition"
}
},
{
"key": "client.address",
"value": {
"stringValue": "18.171.51.239"
}
},
{
"key": "user.id",
"value": {
"stringValue": "6006b9469145130011ec8497"
}
},
{
"key": "user.roles",
"value": {
"arrayValue": [
"administrator"
]
}
},
{
"key": "user_agent.original",
"value": {
"stringValue": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.0.0 Safari/537.36"
}
},
{
"key": "payload.user.id",
"value": {
"stringValue": "696545caf05e6ac6bc70c098"
}
},
{
"key": "payload.user.position.manager",
"value": {
"stringValue": "696545c8f05e6ac6bc70c077"
}
},
{
"key": "payload.user.position.isActive",
"value": {
"boolValue": true
}
},
{
"key": "payload.user.position.title",
"value": {
"stringValue": ""
}
},
{
"key": "payload.user.position.startDate",
"value": {
"stringValue": "2019-02-22T00:00:00.000Z"
}
},
{
"key": "correlation.id",
"value": {
"stringValue": "Complete Goal with Manager Approval and Evidence Required"
}
}
],
"droppedAttributesCount": 0,
"traceId": "1e47addff4d86322eb51230892ffa6e3",
"spanId": "b5774431ee7650a5"
}
]
}
]
}
]
}Application Changes Logging
Tracks administrative changes to the platform’s global state, including visual branding and security policies.
Events captured:
Global configuration changes
Platform settings changes (e.g. theme/UI mutations)
Policy changes
Example:
{
"resourceLogs": [
{
"resource": {
"attributes": [
{
"key": "service.name",
"value": {
"stringValue": "tenant-service"
}
},
{
"key": "service.version",
"value": {
"stringValue": "2.94.0"
}
},
{
"key": "host.name",
"value": {
"stringValue": "ip-10-187-48-174.eu-west-2.compute.internal"
}
},
{
"key": "tenant.id",
"value": {
"stringValue": "eu-west-2_eAkPBhZ36"
}
}
]
},
"scopeLogs": [
{
"logRecords": [
{
"timeUnixNano": "1768280934047000000",
"observedTimeUnixNano": "1768280934825000000",
"severityNumber": 10,
"severityText": "INFO2",
"body": {
"stringValue": "Secure config updated"
},
"attributes": [
{
"key": "http.request.method",
"value": {
"stringValue": "POST"
}
},
{
"key": "http.url",
"value": {
"stringValue": "/config"
}
},
{
"key": "http.operation",
"value": {
"stringValue": "mutation setSecureConfig"
}
},
{
"key": "client.address",
"value": {
"stringValue": "18.171.139.17"
}
},
{
"key": "user.roles",
"value": {
"arrayValue": [
"merge-service"
]
}
},
{
"key": "user_agent.original",
"value": {
"stringValue": "axios/1.11.0"
}
},
{
"key": "payload.category",
"value": {
"stringValue": "concurrency-state"
}
},
{
"key": "payload.key",
"value": {
"stringValue": "concurrency-concurrency-merge"
}
},
{
"key": "correlation.id",
"value": {
"stringValue": "f3e7bfca-c6c1-4ed6-b1c1-75a4d6637f6b"
}
}
],
"droppedAttributesCount": 0
}
]
}
]
}
]
}Object Access and Content Auditing
Logs related to the lifecycle of content and how users interact with specific resources.
Events Captured:
Lifecycle: Content created, updated, published, archived, restored, or deleted.
Interaction: Page access, content shared/unshared, CPD category set.
Governance: "Is official" toggled, comments toggled, data exports, and downloads.
Example:
{
"resourceLogs": [
{
"resource": {
"attributes": [
{
"key": "service.name",
"value": {
"stringValue": "content-service"
}
},
{
"key": "service.version",
"value": {
"stringValue": "23.125.0"
}
},
{
"key": "host.name",
"value": {
"stringValue": "ip-10-187-31-106.eu-west-2.compute.internal"
}
},
{
"key": "tenant.id",
"value": {
"stringValue": "eu-west-2_wsc5Rc5b4"
}
}
]
},
"scopeLogs": [
{
"logRecords": [
{
"timeUnixNano": "1768244116487000000",
"observedTimeUnixNano": "1768244117028000000",
"severityNumber": 10,
"severityText": "INFO2",
"body": {
"stringValue": "Content shared"
},
"attributes": [
{
"key": "http.request.method",
"value": {
"stringValue": "POST"
}
},
{
"key": "http.url",
"value": {
"stringValue": "/content?ShareContent"
}
},
{
"key": "http.operation",
"value": {
"stringValue": "mutation shareContent"
}
},
{
"key": "client.address",
"value": {
"stringValue": "18.171.51.239"
}
},
{
"key": "user.id",
"value": {
"stringValue": "6006b9469145130011ec8497"
}
},
{
"key": "user.roles",
"value": {
"arrayValue": [
"administrator"
]
}
},
{
"key": "user_agent.original",
"value": {
"stringValue": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.0.0 Safari/537.36"
}
},
{
"key": "payload.contentId",
"value": {
"stringValue": "69654378d02d885ba3095102"
}
},
{
"key": "payload.users",
"value": {
"arrayValue": [
"69654376bf1309f750aa15f8"
]
}
},
{
"key": "payload.audiences",
"value": {
"arrayValue": []
}
},
{
"key": "payload.shareType",
"value": {
"stringValue": "standard"
}
},
{
"key": "payload.title",
"value": {
"stringValue": "Article-title-1768244085350"
}
},
{
"key": "payload.type",
"value": {
"stringValue": "article"
}
},
{
"key": "correlation.id",
"value": {
"stringValue": "9a190982-a4c2-4f22-acd8-1561eb467364"
}
}
],
"droppedAttributesCount": 0
}
]
}
]
}
]
}Role/Group/Privilege Management Logging
Events captured:
Roles: User role changes (e.g., Learner to Administrator).
Example:
{
"resourceLogs": [
{
"resource": {
"attributes": [
{
"key": "service.name",
"value": {
"stringValue": "user-service"
}
},
{
"key": "service.version",
"value": {
"stringValue": "26.224.0"
}
},
{
"key": "host.name",
"value": {
"stringValue": "ip-10-187-55-210.eu-west-2.compute.internal"
}
},
{
"key": "tenant.id",
"value": {
"stringValue": "eu-west-2_eAkPBhZ36"
}
}
]
},
"scopeLogs": [
{
"logRecords": [
{
"timeUnixNano": "1768299211361000000",
"observedTimeUnixNano": "1768299213147000000",
"severityNumber": 10,
"severityText": "INFO2",
"body": {
"stringValue": "User role changed"
},
"attributes": [
{
"key": "http.request.method",
"value": {
"stringValue": "POST"
}
},
{
"key": "http.url",
"value": {
"stringValue": "/user"
}
},
{
"key": "http.operation",
"value": {
"stringValue": "mutation setRole"
}
},
{
"key": "client.address",
"value": {
"stringValue": "18.132.91.160"
}
},
{
"key": "user.id",
"value": {
"stringValue": "66bebd8f286a9d0011adc4c0"
}
},
{
"key": "user.roles",
"value": {
"arrayValue": [
"administrator"
]
}
},
{
"key": "user_agent.original",
"value": {
"stringValue": "insomnia/9.2.0"
}
},
{
"key": "payload.user.id",
"value": {
"stringValue": "686fa9da6174ed47c6a6c16a"
}
},
{
"key": "payload.user.newRole",
"value": {
"stringValue": "learner"
}
},
{
"key": "payload.user.previousRole",
"value": {
"stringValue": "administrator"
}
},
{
"key": "correlation.id",
"value": {
"stringValue": "insomnia-manualtest"
}
}
],
"droppedAttributesCount": 0,
"traceId": "cadaf5815aa88838d7524ad547a288c9",
"spanId": "95480456e5b7826c"
}
]
}
]
}
]
}Account Management Logging
These events capture the lifecycle and state changes of user accounts, providing a critical audit trail for identity governance.
Account lifecycle events:
New Account Creation
Account Modification
Account Deletion
Access and status events:
Account Enablement / Disablement
Password Change
User status changed (e.g., active to inactive)
Example:
{
"resourceLogs": [
{
"resource": {
"attributes": [
{
"key": "service.name",
"value": {
"stringValue": "user-service"
}
},
{
"key": "service.version",
"value": {
"stringValue": "26.224.0"
}
},
{
"key": "host.name",
"value": {
"stringValue": "ip-10-187-50-182.eu-west-2.compute.internal"
}
},
{
"key": "tenant.id",
"value": {
"stringValue": "eu-west-2_wsc5Rc5b4"
}
}
]
},
"scopeLogs": [
{
"logRecords": [
{
"timeUnixNano": "1768243727461000000",
"observedTimeUnixNano": "1768243727511000000",
"severityNumber": 10,
"severityText": "INFO2",
"body": {
"stringValue": "User status changed"
},
"attributes": [
{
"key": "http.request.method",
"value": {
"stringValue": "POST"
}
},
{
"key": "http.url",
"value": {
"stringValue": "/user"
}
},
{
"key": "http.operation",
"value": {
"stringValue": "mutation toggleDisable"
}
},
{
"key": "client.address",
"value": {
"stringValue": "18.171.51.239"
}
},
{
"key": "user.id",
"value": {
"stringValue": "6006b9469145130011ec8497"
}
},
{
"key": "user.roles",
"value": {
"arrayValue": [
"administrator"
]
}
},
{
"key": "user_agent.original",
"value": {
"stringValue": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.0.0 Safari/537.36"
}
},
{
"key": "payload.user.id",
"value": {
"stringValue": "6965420e7561d78215aac366"
}
},
{
"key": "payload.user.status",
"value": {
"stringValue": "inactive"
}
},
{
"key": "correlation.id",
"value": {
"stringValue": "Toggling on suspended users shows suspended users in the list"
}
}
],
"droppedAttributesCount": 0,
"traceId": "0f6b2179dbb6f1a029683acd15e7d8e6",
"spanId": "d8ad9cc7be60c27e"
}
]
}
]
}
]
}Authentication Logging
These events track user access sessions, essential for monitoring security perimeters and verifying active user presence.
Session management events:
Log on: Captures when a user successfully authenticates and establishes a session.
Log off: Captures when a user terminates their session or is logged out by the system.
Example:
{
"resourceLogs": [
{
"resource": {
"attributes": [
{
"key": "service.name",
"value": {
"stringValue": "record-store-service"
}
},
{
"key": "service.version",
"value": {
"stringValue": "8.117.0"
}
},
{
"key": "host.name",
"value": {
"stringValue": "ip-10-187-54-195.eu-west-2.compute.internal"
}
},
{
"key": "tenant.id",
"value": {
"stringValue": "eu-west-2_eAkPBhZ36"
}
}
]
},
"scopeLogs": [
{
"logRecords": [
{
"timeUnixNano": "1768295312195000000",
"observedTimeUnixNano": "1768295314050000000",
"severityNumber": 10,
"severityText": "INFO2",
"body": {
"stringValue": "User loggedin"
},
"attributes": [
{
"key": "http.request.method",
"value": {
"stringValue": "POST"
}
},
{
"key": "http.url",
"value": {
"stringValue": "/statement?AddStatement"
}
},
{
"key": "http.operation",
"value": {
"stringValue": "mutation addStatement"
}
},
{
"key": "client.address",
"value": {
"stringValue": "18.132.91.160"
}
},
{
"key": "user.id",
"value": {
"stringValue": "66bebd8f286a9d0011adc4c0"
}
},
{
"key": "user.roles",
"value": {
"arrayValue": [
"administrator"
]
}
},
{
"key": "user_agent.original",
"value": {
"stringValue": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
}
},
{
"key": "payload.action",
"value": {
"stringValue": "loggedin"
}
},
{
"key": "payload.userId",
"value": {
"stringValue": "66bebd8f286a9d0011adc4c0"
}
},
{
"key": "correlation.id",
"value": {
"stringValue": "672f0ec1-4c79-4582-8d80-80667bb5969b"
}
}
],
"droppedAttributesCount": 0,
"traceId": "9c3e854ccab89fb70e409ffc8ca8190d",
"spanId": "8420eb0c76017b5f"
}
]
}
]
}
]
}