Retool

About

Retool is a low-code platform designed to help developers and non-developers alike quickly build custom internal tools and dashboards. It provides a drag-and-drop interface, pre-built UI components, and the ability to connect to databases, APIs, and other services, enabling rapid application development.

Product Details

Vendor URL: Retool

Product Type: SaaS

Product Tier: Tier II

Integration Method: Webhook

Log Guide: Audit Logs

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: RETOOL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field	UDM Field
event.actionType	metadata.product_event_type
event.ipAddress	principal.ip
event.metadata.method	security_result.action_details
event.metadata.query.errorTransformer	security_result.detection_fields
event.metadata.query.event.type	target.resource_ancestors.resource_subtype
event.metadata.query.events.event	security_result.action_details
event.metadata.query.events.method	security_result.detection_fields
event.metadata.query.events.pluginId	target.resource_ancestors.name
event.metadata.query.query	additional.fields
event.metadata.query.retoolVersion	metadata.product_version
event.metadata.query.transformer	additional.fields
event.metadata.query.workflowRunBodyType	additional.fields
event.metadata.query.workflowRunExecutionType	additional.fields
event.metadata.status	security_result.action_details
event.metadata.triggerType	additional.fields
event.metadata.workflowId	target.resource.id
event.metadata.workflowName	target.resource.name
event.metadata.workflowReleaseId	target.resource.product_object_id
event.pageName	target.application
event.queryName	target.resource.name
event.resourceName	target.resource.resource_subtype
event.resourceName	target.resource.product_object_id
event.user.emailIsVerified	principal.user.attribute.labels
event.user.enabled	principal.user.attribute.labels
event.user.firstName	principal.user.first_name
event.user.lastLoggedIn	principal.user.last_login_time
event.user.lastName	principal.user.last_name
event.user.userName	principal.user.user_display_name
event.user.userType	principal.user.attribute.roles.name
event.userAgent	network.http.user_agent
event.userEmail	principal.user.email_addresses
event.userId	principal.user.userid
event.userSid	principal.user.product_object_id
host	observer.hostname
source	observer.resource.name

Product Event Types

Event	UDM Event Classification
CREATE_WORKFLOW	USER_RESOURCE_CREATION
DELETE_WORKFLOW	USER_RESOURCE_DELETION
Generic	GENERIC_EVENT
LOGIN	USER_LOGIN
PAGE_VIEW,VIEW_WORKFLOW	RESOURCE_READ
QUERY_RUN,RUN_WORKFLOW_BLOCK,PLAYGROUND_QUERY_RUN,WORFLOW	USER_RESOURCE_ACCESS

Log Sample

<13>Apr 10 20:30:06 10.25.5.234 {"host":"https://retool.mig.saturnenterprise.io","source":"retool-audit-log","event":{"hostname":"https://retool.mig.saturnenterprise.io","userEmail":"jdoe@example.com","userSid":"user_f62a2deb1698459381bb21a95cdb9962","user":{"id":5,"email":"jdoe@example.com","firstName":"John","lastName":"Doe","profilePhotoUrl":null,"organizationId":1,"lastLoggedIn":"2025-01-22T12:47:38.669Z","enabled":true,"sid":"user_f62a2deb1698459381bb21a95cdb9962","userName":null,"twoFactorAuthEnabled":null,"lastActive":"2025-04-11T03:29:42.289Z","passwordExpiresAt":null,"userType":"default","metadata":{},"externalIdentifier":null,"emailIsVerified":false},"userId":5,"organizationId":1,"ipAddress":"10.32.240.162","userAgent":null,"geoLocation":null,"actionType":"QUERY_RUN","pageName":"Data Sync Logs","queryName":"qry_redshift_tables","resourceName":"d818eb6f-3bd6-4965-8cc1-d4ce2122fa70","metadata":{"pageVersion":"latest","parameters":{"queryParams":{},"databaseNameOverrideParams":{},"databaseHostOverrideParams":{},"databaseUsernameOverrideParams":{},"databasePasswordOverrideParams":{}},"query":{"queryRefreshTime":"","allowedGroupIds":[],"streamResponse":false,"records":"","lastReceivedFromResourceAt":null,"databasePasswordOverride":"","queryDisabledMessage":"","servedFromCache":false,"offlineUserQueryInputs":"","successMessage":"","queryDisabled":"","playgroundQuerySaveId":"latest","workflowParams":null,"resourceNameOverride":"","runWhenModelUpdates":true,"workflowRunExecutionType":"sync","showFailureToaster":true,"query":"select database_name, schema_name, table_name from SVV_REDSHIFT_TABLES","playgroundQueryUuid":"","playgroundQueryId":null,"error":null,"workflowRunBodyType":"raw","privateParams":[],"queryRunOnSelectorUpdate":false,"runWhenPageLoadsDelay":"","warningCodes":[],"data":null,"recordId":"","importedQueryInputs":{},"_additionalScope":[],"isImported":false,"showSuccessToaster":false,"dataArray":[],"cacheKeyTtl":"","filterBy":"","requestSentTimestamp":null,"databaseHostOverride":"","metadata":null,"editorMode":"sql","queryRunTime":null,"actionType":"","changesetObject":"","shouldUseLegacySql":false,"offlineOptimisticResponse":null,"errorTransformer":"return data.error","finished":null,"databaseNameOverride":"","confirmationMessage":null,"isFetching":false,"changeset":"","rawData":null,"queryTriggerDelay":"0","resourceTypeOverride":null,"watchedParams":[],"enableErrorTransformer":false,"isHidden":false,"databaseWarehouseOverride":"","enableBulkUpdates":false,"showLatestVersionUpdatedWarning":false,"timestamp":0,"importedQueryDefaults":{},"enableTransformer":true,"showUpdateSetValueDynamicallyToggle":false,"overrideOrgCacheForUserCache":false,"bulkUpdatePrimaryKey":"","runWhenPageLoads":false,"transformer":"const databases = _.uniq(data.database_name);\n\nconst items = formatDataAsArray(data);\n\nconst schemaes = _.mapValues(_.groupBy(items, (entry) => {\n  return entry.database_name;\n}), (values) => _.uniq(values.map(v => v.schema_name)));\n\nconst tables = _.groupBy(items, (entry) => {\n  return `${entry.database_name}.${entry.schema_name}`;\n});\n\nreturn {\n  databases, schemaes, tables\n};","events":[],"tableName":"","queryTimeout":"10000","workflowId":null,"requireConfirmation":false,"queryFailureConditions":"","changesetIsObject":false,"enableCaching":false,"allowedGroups":[],"databaseUsernameOverride":"","databaseRoleOverride":"","shouldEnableBatchQuerying":false,"doNotThrowOnNoOp":false,"offlineQueryType":"None","queryThrottleTime":"750","updateSetValueDynamically":true,"notificationDuration":4.5}},"responseTimeMs":8417}}

Sample Parsing

additional.fields["query"] = "select database_name, schema_name, table_name from SVV_REDSHIFT_TABLES"
additional.fields["transformer"] = "const databases = _.uniq(data.database_name);\n\nconst items = formatDataAsArray(data);\n\nconst schemaes = _.mapValues(_.groupBy(items, (entry) => {\n  return entry.database_name;\n}), (values) => _.uniq(values.map(v => v.schema_name)));\n\nconst tables = _.groupBy(items, (entry) => {\n  return `${entry.database_name}.${entry.schema_name}`;\n});\n\nreturn {\n  databases, schemaes, tables\n};"
additional.fields["workflowRunBodyType"] = "raw"
additional.fields["workflowRunExecutionType"] = "sync"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.log_type = "RETOOL"
metadata.product_event_type = "QUERY_RUN"
metadata.product_name = "Retool"
metadata.vendor_name = "Retool"
observer.hostname = "https://retool.mig.saturnenterprise.io"
observer.ip = "10.25.5.234"
observer.resource.name = "retool-audit-log"
principal.ip = "10.32.240.162"
principal.user.attribute.labels.key = "accountEnabled"
principal.user.attribute.labels.value = "true"
principal.user.attribute.labels.key = "onPremisesSamAccountName"
principal.user.attribute.labels.value = "jdoe"
principal.user.attribute.roles.name = "Member"
principal.user.email_addresses = "jdoe@example.com"
principal.user.first_name = "John"
principal.user.last_login_time.seconds = 1737550058
principal.user.last_login_time.nanos = 669000000
principal.user.last_name = "Doe"
principal.user.product_object_id = "user_f62a2deb1698459381bb21a95cdb9962"
principal.user.userid = "5"
security_result.detection_fields.key = "errorTransformer"
security_result.detection_fields.value = "return data.error"
target.application = "Data Sync Logs"
target.resource.name = "qry_redshift_tables"
target.resource.product_object_id = "d818eb6f-3bd6-4965-8cc1-d4ce2122fa70"