WitnessAI

About
WitnessAI is a comprehensive Secure AI Enablement Platform designed to help enterprises safely adopt and scale generative AI (GenAI) and Large Language Models (LLMs). As a "Confidence Layer" for the modern enterprise, it provides a unified platform for the visibility, governance, and protection of all AI interactions across the organization.
Product Details
Product Type: AI Security Posture Management (AISPM)
Product Tier: Tier III
Integration URL: WitnessAI
Integration Method: API
Parser Details
Log Format: JSON
Expected Normalization Rate: 99%-100%
Data Label: WITNESS_AI_CONTROL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| host | principal.hostname |
| time | metadata.event_timestamp |
| auth.identifier | principal.user.userid |
| auth.email | principal.user.email_addresses |
| auth.roles.0 | principal.user.attribute.roles |
| auth.token_id | additional.fields |
| auth.token_type | additional.fields |
| status | security_result.action |
| metadata.changes | additional.fields |
Product Event Types
| Product Event | UDM Event |
|---|---|
| Prompt | GENERIC_EVENT |
| Audit | USER_LOGIN |
Log Sample
```json
{"event":{"audit":"{\"action\":\"login\",\"auth\":{\"email\":\"j.doe@acme.com\",\"first_name\":\"John\",\"identifier\":\"11111111-2222-3333-4444-555555555555\",\"last_name\":\"Doe\",\"roles\":[\"admin\"],\"token_id\":\"11111111-2222-3333-4444-555555555555\",\"token_type\":\"user\",\"username\":\"j.doe@acme.com\"},\"created_at\":\"2025-12-23T16:24:38.231782Z\",\"id\":\"aaaa1111-bbbb-2222-cccc-3333dddd4444\",\"initiated_by_id\":\"11111111-2222-3333-4444-555555555555\",\"initiated_by_type\":\"user\",\"metadata\":{\"changes\":[{\"label\":\"Login User Id\",\"new\":{\"value\":\"11111111-2222-3333-4444-555555555555\"},\"old\":{\"value\":null},\"path\":\"user.id\"},{\"label\":\"Login User First Name\",\"new\":{\"value\":\"John\"},\"old\":{\"value\":null},\"path\":\"user.first_name\"},{\"label\":\"Login User Last Name\",\"new\":{\"value\":\"Doe\"},\"old\":{\"value\":null},\"path\":\"user.last_name\"},{\"label\":\"Login User Email\",\"new\":{\"value\":\"j.doe@acme.com\"},\"old\":{\"value\":null},\"path\":\"user.email\"},{\"label\":\"Login User Current Signin At\",\"new\":{\"value\":\"2025-12-23T16:24:38.203621Z\"},\"old\":{\"value\":null},\"path\":\"user.current_signin_at\"}],\"title\":\"j.doe@acme.com\"},\"record_alias\":\"user\",\"record_id\":\"11111111-2222-3333-4444-555555555555\",\"record_name\":\"user\",\"status\":\"success\",\"updated_at\":\"2025-12-23T16:24:38.231782Z\"}"},"host":"siem-abc123.usw2.witness.ai","index":"null","source":"witness-source","sourcetype":"json","time":1766507196}
```
Sample Parsing
```text
principal.hostname = "siem-abc123.usw2.witness.ai"
principal.user.userid = "11111111-2222-3333-4444-555555555555"
principal.user.attribute.roles = "admin"
principal.user.email_addresses = "j.doe@acme.com"
security_result.action = "ALLOW"
metadata.event_timestamp = "1766507196"
principal.application = "Test App"
additional.fields["Token ID"] = "11111111-2222-3333-4444-555555555555"
additional.fields["Token Type"] = "user"
additional.fields["user.current_signin_at"] = "2025-12-23T16:24:38.203621Z"
additional.fields["user.email"] = "j.doe@acme.com"
additional.fields["user.first_name"] = "John"
additional.fields["user.last_name"] = "Doe"
additional.fields["user.id"] = "11111111-2222-3333-4444-555555555555"
```
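The mapping table and samples above, as an added Python sketch (not the parser's own code) for checking a raw record against the expected UDM output before ingestion. The function name `to_udm`, the shortened constructed sample, the `UNKNOWN_ACTION` fallback for any status other than `success`, and treating a record without `event.audit` as a Prompt event are assumptions; the page only shows the `success` to `ALLOW` case.

```python
import json

# Constructed sample, shaped like the page's log sample but shortened.
SAMPLE = json.dumps({
    "event": {"audit": json.dumps({
        "action": "login",
        "auth": {"email": "j.doe@acme.com",
                 "identifier": "11111111-2222-3333-4444-555555555555",
                 "roles": ["admin"],
                 "token_id": "11111111-2222-3333-4444-555555555555",
                 "token_type": "user"},
        "metadata": {"changes": [
            {"label": "Login User First Name", "new": {"value": "John"},
             "old": {"value": None}, "path": "user.first_name"}]},
        "status": "success"})},
    "host": "siem-abc123.usw2.witness.ai",
    "time": 1766507196,
})

def to_udm(raw: str) -> dict:
    """Flatten one WITNESS_AI_CONTROL record into dotted UDM field names."""
    outer = json.loads(raw)
    # event.audit is a JSON document serialized as a string, so decode twice.
    audit = outer.get("event", {}).get("audit")
    inner = json.loads(audit) if isinstance(audit, str) else {}
    auth = inner.get("auth") or {}
    roles = auth.get("roles") or []
    # Assumption: the page only shows "success" -> "ALLOW".
    action = "ALLOW" if inner.get("status") == "success" else "UNKNOWN_ACTION"
    extra = {"Token ID": auth.get("token_id"),
             "Token Type": auth.get("token_type")}
    for change in (inner.get("metadata") or {}).get("changes") or []:
        # Each metadata.changes entry is keyed by its path, valued by new.value.
        extra[change.get("path")] = (change.get("new") or {}).get("value")
    udm = {
        # Assumption: a record with no event.audit payload is a Prompt event.
        "metadata.event_type": "USER_LOGIN" if inner else "GENERIC_EVENT",
        "metadata.event_timestamp": str(outer["time"]) if "time" in outer else None,
        "principal.hostname": outer.get("host"),
        "principal.user.userid": auth.get("identifier"),
        "principal.user.email_addresses": auth.get("email"),
        "principal.user.attribute.roles": roles[0] if roles else None,
        "security_result.action": action,
        "additional.fields": {k: v for k, v in extra.items() if k and v is not None},
    }
    return {k: v for k, v in udm.items() if v is not None}
```

A record whose `event.audit` string is not valid JSON raises `json.JSONDecodeError`, which is the case to alert on when the normalization rate drops below the expected range.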