The SIEM API allows you to query security-related events associated with your users and organisation in Workvivo. This helps you monitor login activity, user actions, and key system changes for security and auditing purposes.
Device(s): Desktop
Roles / Permissions: Developer
Availability: API's must be enabled on the platform
Using the SIEM API
Where to access the feature
The SIEM API is accessed via Workvivo’s API endpoints. You can find full documentation and access details here:
Workvivo SIEM API Developer Docs
How to use
You can query the API to retrieve security-related events. Each event contains detailed metadata to help you understand what action occurred, when it happened, and which user was involved.
Each event includes the following fields:
- created_at_timestamp – The date and time the event occurred
- event – The type of event recorded
- ip_address – The IP address associated with the event
- user_agent – The device/browser used
- workvivo_id – The Workvivo user ID
- user_email – The email address of the user involved
- note – Additional context (where applicable)
Event Types
Below is a list of supported SIEM events. Availability may vary depending on your organisation’s configuration.
Authentication Events
-
login
Indicates a user logged in via password-based authentication. -
loginMobile
Indicates a user logged in via password-based authentication on a mobile device. -
loginSaml
Indicates a user logged in via SAML (SSO) authentication. -
loginSamlFailed
Indicates a failed SAML login attempt. The note field includes the impacted user’s email. -
loginSamlMobile
Indicates a user logged in via SAML authentication on a mobile device. -
logout
Indicates a user logged out from a web browser. -
logoutMobile
Indicates a user logged out from a mobile device.
MFA (Multi-Factor Authentication) Events
-
MFA reset
Indicates an administrator reset a user’s MFA token. The user_email reflects the admin performing the action. -
User setup MFA successfully
Indicates a user successfully completed MFA setup.
Password Events
-
user changed password
Indicates a user changed their password (password-based authentication only). -
password
Indicates an administrator updated a user’s password. The note field identifies the affected user. -
password reset request successful
Indicates a successful password reset request. -
password reset request failure
Indicates a failed password reset attempt, typically due to an unrecognized email address.
User Switching Events
-
switch user
Indicates a user has switched into another account (delegation). The real_user field represents the original user. -
switch user reverted
Indicates the user has switched back to their original account.
System and Configuration Events
-
organisation
Indicates a system setting has been changed (e.g. timezone, branding). The user_email identifies who made the change. -
App\OrganisationSettings
Indicates updates to organisation-level application settings. -
permissions
Indicates a change to user roles or permissions.
Reporting Events
-
User Requested Report activeUsers
Indicates a report for active users was generated. -
User Requested Report inactiveUsers
Indicates a report for inactive users was generated.
Content Events
-
Data Classification
Indicates a user applied a data classification label to content such as an Update, Shout-out, Article, Page, or Event.
Additional Information
- Some events may not appear depending on your authentication setup (e.g. SAML vs password-based login).
- MFA-related events only apply if MFA is enabled within Workvivo (not via your external identity provider).