Google Workspace and Google Cloud Audit Logs

Overview

• Vendor: Google
• Supported environment: SaaS
• Detection based on: Audit
• Supported application or feature: Application Logs

Google Cloud Logging centralizes logs from Google Cloud products.

In this documentation, you will learn how to collect and send Google Workspace and Google Cloud audit logs to Sekoia.io.

Google Cloud configuration procedure

Prerequisites

• Google licence Enterprise standard or higher
• Access to Sekoia.io Intakes and Playbook pages with write permissions
• Administrator access to the Google Cloud console

Warning

The administrator that proceeds to the configuration MUST explicitly have the role "Logging Admin" activated. This is not the case by default even for administrator users.

Centralise Google Workspace logs on your Google Cloud

Create a topic

This topic will hold messages to be delivered.

1. In the Google Cloud console available at console.cloud.google.com, go to your Pub/Sub page
2. Click Create topic
3. In the window that opens, enter sekoia-gca-topic in the Topic ID field
4. Click Create topic

Create a subscription to query the topic

To add a subscription to the topic you just created, complete these steps:

1. Click the Subscriptions tab
2. Click Create subscription
3. Enter sekoia-gca-subscription in the Subscription ID field
4. Leave the default values for the remaining options
5. Click Create
6. Return to the Topics page and click sekoia-gca-topic.

Note

The sekoia-gca-subscription subscription is now attached to the topic sekoia-gca-topic. Google Pub/Sub will deliver all messages sent to sekoia-gca-topic to this subscription.

More information on this procedure is available in the official google documentation.

Create a project-level log sink

This will be used to capture all logs across this project that should be sent to the Pub/Sub topic created above.

Important

Your account should have the role logging.admin explicitly set on your account which is not the case of administrator accounts by default. For more information, see associated documentation.

On the left panel, go to Logs Router then click on Create Sink

• Sink details

  • Name: sekoia-gca-sink
  • Description: Routing sink to forward audit logs to Sekoia.io

• Sink destination

  • Select sink service: Cloud Pub/Sub topic
  • Select Cloud Pub/Sub topic: Use a Cloud Pub/Sub topic in a project

Note

Replace [PROJECT_ID] by its value according to your context and [TOPIC_ID] by sekoia-gca-topic.

• Choose logs to include in sink
  • Choose Include only logs ingested by this organisation
  • In the section "Build inclusion filter", enter the following query:

LOG_ID("cloudaudit.googleapis.com/activity") 
OR LOG_ID("cloudaudit.googleapis.com/data_access")

• Choose logs to filter out of sink

  • If you have other products on Google Cloud such as virtual machines or Kubernetes that are part of the project, you should apply a filter that excludes these components to avoid collecting their logs in the process

• Click on CREATE SINK

This should add an entry in the log router sinks list named sekoia-gca-sink with status Enabled and type Cloud Pub/Sub topic.

Note

You cannot create aggregated sinks through the Google Cloud Console. They must be configured and managed through either the API or gcloud CLI tool. Only project-level (non-aggregated) sinks show up in Google Cloud Console. This is what we configured here.

Confirm the logs are received in your Pub/Sub

By following these steps, you should see events appearing on the list

1. Go to your Pub/Sub page, then click on Topics on the left panel
2. Click on your sekoia sekoia-gca-topic topic previously configured
3. On the bottom of the page, click on the Message tab
4. Select your project
5. Click on Pull button

Create a dedicated service account

The service account will be used on Sekoia.io to pull logs available on your Google Cloud instance.

1. Go to the Create service account page
2. Select your cloud project
3. Enter sekoia-gca-service-account as a service account name
4. Click Create and continue
5. Set the role Pub/Sub Subscriber
6. Click Continue, then click Done to finish creating the service account

Note

Ensure that this user has the role Pub/Sub Subscriber in both Topic and Subsciption pages. Otherwise, you will have an error with status 403 when you will activate the playbook detailed on the bottom of this page.

Find more information on the official google documentation.

Create and download JSON keys (service account credentials)

To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.

Note

By default, service account keys never expire.

1. Go to the Service accounts page
2. Select your cloud project
3. Click the email address of the service account that you want to create a key for
4. Click the Keys tab
5. Click the Add key drop-down menu, then select Create new key
6. Select JSON as the Key type and click Create

Important

Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.

Find more information on the official google documentation.

Example of JSON key file

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Sekoia.io configuration procedure

Create your intake

Go to your Sekoia.io Intakes page, and follow these steps:

1. Click on + Intake button to create a new one
2. Choose Google Cloud Audit Logs, give it a name and choose the relevant Entity
3. Click on Create button
4. Configure your intake with
   • The project ID
   • The suject ID that is sekoia-gca-subscription

Enjoy your events on the Events page

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

2sv_disable2sv_enrollaccount_disabled_genericaccount_disabled_hijackedaccount_disabled_password_leakaccount_disabled_spammingaccount_disabled_spamming_through_relayattack_warningemail_forwarding_out_of_domaingke_container_runtimegov_attack_warningk8s_clusterk8s_delete_clusterlogin_challengelogin_failurelogin_successlogin_verificationlogoutpassword_editrecovery_email_editrecovery_phone_editrecovery_secret_qa_editsuspicious_loginsuspicious_login_less_secure_appsuspicious_programmatic_logintitanium_enrolltitanium_unenroll

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "uniqQualifier": "-7789616625639281959",
                "timeUsec": "1632459962686000"
            },
            "event": [
                {
                    "status": {
                        "success": true
                    },
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi"
                        }
                    ],
                    "eventName": "2sv_disable",
                    "eventType": "2sv_change"
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-tn3jrd3lko",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.2svDisable"
        }
    },
    "timestamp": "2021-09-24T05:06:02.686Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T05:06:03.845372592Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svEnroll",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "uniqQualifier": "1624031130844323135",
                "timeUsec": "1632458745769000"
            },
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventType": "2sv_change",
                    "status": {
                        "success": true
                    },
                    "eventName": "2sv_enroll",
                    "parameter": [
                        {
                            "value": "INfDlrzP9IH8_QE",
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "name": "dusi"
                        }
                    ]
                }
            ]
        }
    },
    "insertId": "g3k8gid3b3p",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.2svEnroll",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-09-24T04:45:45.769Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T04:45:46.331843829Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledGeneric",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1619825589352000",
                "uniqQualifier": "-3303614929287073633"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "account_disabled_generic",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "nlgrf8d6ygj",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.accountDisabledGeneric",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-04-30T23:33:09.352Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1619825589352000",
                "uniqQualifier": "-3303614929287073633"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "account_disabled_hijacked",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "nlgrf8d6ygj",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.accountDisabledHijacked",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-04-30T23:33:09.352Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1619808083475000",
                "uniqQualifier": "6286848759980589624"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "account_disabled_password_leak",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-xkklkzcxkl",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.accountDisabledPasswordLeak",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-04-30T18:41:23.475Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledSpamming",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1619808083475000",
                "uniqQualifier": "6286848759980589624"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "account_disabled_spamming",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-xkklkzcxkl",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.accountDisabledSpamming",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-04-30T18:41:23.475Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1619808083475000",
                "uniqQualifier": "6286848759980589624"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "account_disabled_spamming_through_relay",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-xkklkzcxkl",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-04-30T18:41:23.475Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "uniqQualifier": "-7789616625639281959",
                "timeUsec": "1632459962686000"
            },
            "event": [
                {
                    "status": {
                        "success": true
                    },
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi"
                        }
                    ],
                    "eventName": "2sv_disable",
                    "eventType": "2sv_change"
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-tn3jrd3lko",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.2svDisable"
        }
    },
    "timestamp": "2021-09-24T05:06:02.686Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T05:06:03.845372592Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.emailForwardingOutOfDomain",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "uniqQualifier": "-5683698025624301037",
                "timeUsec": "1632501152256000"
            },
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventName": "email_forwarding_out_of_domain",
                    "status": {
                        "success": true
                    },
                    "parameter": [
                        {
                            "name": "dusi",
                            "type": "TYPE_STRING",
                            "value": "INfDlrzP9IH8_QE",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "value": "test-user@google.com",
                            "name": "email_forwarding_destination_address"
                        }
                    ],
                    "eventType": "email_forwarding_change"
                }
            ]
        }
    },
    "insertId": "rrcp9gd3y2f",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.emailForwardingOutOfDomain",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-09-24T16:32:32.256Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}

{
    "insertId": "2f93b0a6-f932-4d91-ad61-785ae9587360",
    "labels": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\""
    },
    "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
        "first": true,
        "id": "2f93b0a6-f932-4d91-ad61-785ae9587360",
        "last": true,
        "producer": "k8s.io"
    },
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "system:kube-scheduler"
        },
        "authorizationInfo": [
            {
                "granted": true,
                "permission": "io.k8s.coordination.v1.leases.update",
                "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler"
            }
        ],
        "methodName": "io.k8s.coordination.v1.leases.update",
        "requestMetadata": {
            "callerIp": "10.186.0.146",
            "callerSuppliedUserAgent": "kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election"
        },
        "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler",
        "serviceName": "k8s.io",
        "status": {}
    },
    "receiveTimestamp": "2022-06-14T14:32:10.838967694Z",
    "resource": {
        "labels": {
            "cluster_name": "cluster-1",
            "location": "europe-central2-a",
            "project_id": "hazel-aria-348413"
        },
        "type": "k8s_cluster"
    },
    "timestamp": "2022-06-14T14:32:09.910723Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.govAttackWarning",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1619825837106000",
                "uniqQualifier": "7230131091737932677"
            },
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventName": "gov_attack_warning",
                    "eventType": "attack_warning",
                    "status": {
                        "success": true
                    }
                }
            ]
        }
    },
    "insertId": "bxuophd1vlw",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.govAttackWarning"
        }
    },
    "timestamp": "2021-04-30T23:37:17.106Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-04-30T23:37:18.488559815Z"
}

{
    "insertId": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
    "labels": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kubestore-collector\" of ClusterRole \"system:kubestore-collector\" to User \"system:kubestore-collector\""
    },
    "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
        "first": true,
        "id": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
        "last": true,
        "producer": "k8s.io"
    },
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "system:kubestore-collector"
        },
        "authorizationInfo": [
            {
                "granted": true,
                "permission": "io.k8s.core.v1.configmaps.update",
                "resource": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore"
            }
        ],
        "methodName": "io.k8s.core.v1.configmaps.update",
        "requestMetadata": {
            "callerIp": "10.186.0.146",
            "callerSuppliedUserAgent": "kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format"
        },
        "resourceName": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore",
        "serviceName": "k8s.io",
        "status": {}
    },
    "receiveTimestamp": "2022-06-15T07:27:38.524909478Z",
    "resource": {
        "labels": {
            "cluster_name": "cluster-1",
            "location": "europe-central2-a",
            "project_id": "hazel-aria-348413"
        },
        "type": "k8s_cluster"
    },
    "timestamp": "2022-06-15T07:27:36.652663Z"
}

{
    "insertId": "ofj3qoe4mbih",
    "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
        "id": "operation-1655309832996-a5fd6e18",
        "last": true,
        "producer": "container.googleapis.com"
    },
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "metadata": {
            "operationType": "DELETE_CLUSTER"
        },
        "methodName": "google.container.v1.ClusterManager.DeleteCluster",
        "policyViolationInfo": {
            "orgPolicyViolationInfo": {}
        },
        "resourceLocation": {
            "currentLocations": [
                "europe-central2-a"
            ]
        },
        "resourceName": "projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1",
        "serviceName": "container.googleapis.com",
        "status": {}
    },
    "receiveTimestamp": "2022-06-15T16:19:48.068568099Z",
    "resource": {
        "labels": {
            "cluster_name": "cluster-1",
            "location": "europe-central2-a",
            "project_id": "hazel-aria-348413"
        },
        "type": "gke_cluster"
    },
    "severity": "NOTICE",
    "timestamp": "2022-06-15T16:19:47.720234784Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginChallenge",
        "resourceName": "organizations/123",
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventName": "login_challenge",
                    "parameter": [
                        {
                            "name": "login_type",
                            "value": "google_password",
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_REPEATED",
                            "name": "login_challenge_method",
                            "multiStrValue": [
                                "idv_preregistered_phone"
                            ]
                        },
                        {
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING",
                            "value": "incorrect_answer_entered",
                            "name": "login_challenge_status"
                        },
                        {
                            "type": "TYPE_STRING",
                            "name": "dusi",
                            "label": "LABEL_OPTIONAL",
                            "value": "IOWJlfPwgvrTfg"
                        }
                    ],
                    "eventType": "login"
                }
            ],
            "activityId": {
                "timeUsec": "1632500217183211",
                "uniqQualifier": "358068855354"
            }
        }
    },
    "insertId": "-nahbepd4l2j",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.loginChallenge"
        }
    },
    "timestamp": "2021-09-24T16:16:57.183211Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginFailure",
        "resourceName": "organizations/123",
        "metadata": {
            "event": [
                {
                    "eventName": "login_failure",
                    "eventType": "login",
                    "parameter": [
                        {
                            "value": "google_password",
                            "type": "TYPE_STRING",
                            "name": "login_type",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "name": "login_challenge_method",
                            "type": "TYPE_STRING",
                            "label": "LABEL_REPEATED",
                            "multiStrValue": [
                                "password",
                                "idv_preregistered_phone",
                                "idv_preregistered_phone"
                            ]
                        },
                        {
                            "label": "LABEL_OPTIONAL",
                            "name": "dusi",
                            "type": "TYPE_STRING",
                            "value": "IOWJlfPwgvrTfg"
                        }
                    ]
                }
            ],
            "activityId": {
                "uniqQualifier": "358068855354",
                "timeUsec": "1632500217183212"
            },
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-nahbepd4l1x",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.loginFailure",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-09-24T16:16:57.183212Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginSuccess",
        "resourceName": "organizations/123",
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "activityId": {
                "timeUsec": "1632458429811809",
                "uniqQualifier": "358068855354"
            },
            "event": [
                {
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "value": "google_password",
                            "name": "login_type",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "name": "login_challenge_method",
                            "label": "LABEL_REPEATED",
                            "type": "TYPE_STRING",
                            "multiStrValue": [
                                "password"
                            ]
                        },
                        {
                            "type": "TYPE_BOOL",
                            "boolValue": false,
                            "name": "is_suspicious",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi",
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL"
                        }
                    ],
                    "eventType": "login",
                    "eventName": "login_success"
                }
            ]
        }
    },
    "insertId": "ci1svzd3hfk",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.loginSuccess"
        }
    },
    "timestamp": "2021-09-24T04:40:29.811809Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T05:43:20.474338130Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginVerification",
        "resourceName": "organizations/123",
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventName": "login_verification",
                    "parameter": [
                        {
                            "name": "login_type",
                            "type": "TYPE_STRING",
                            "value": "google_password",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "name": "login_challenge_method",
                            "multiStrValue": [
                                "idv_preregistered_phone"
                            ],
                            "label": "LABEL_REPEATED",
                            "type": "TYPE_STRING"
                        },
                        {
                            "value": "passed",
                            "name": "login_challenge_status",
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL"
                        },
                        {
                            "value": "INfDlrzP9IH8_QE",
                            "label": "LABEL_OPTIONAL",
                            "name": "dusi",
                            "type": "TYPE_STRING"
                        },
                        {
                            "label": "LABEL_OPTIONAL",
                            "boolValue": true,
                            "type": "TYPE_BOOL",
                            "name": "is_second_factor"
                        }
                    ],
                    "eventType": "login"
                }
            ],
            "activityId": {
                "uniqQualifier": "358068855354",
                "timeUsec": "1632459936762000"
            }
        }
    },
    "insertId": "ivb9z4d41rh",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.loginVerification",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-09-24T05:05:36.762Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T06:39:22.386813664Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.logout",
        "resourceName": "organizations/123",
        "metadata": {
            "event": [
                {
                    "eventName": "logout",
                    "eventType": "login",
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "name": "login_type",
                            "value": "google_password"
                        },
                        {
                            "type": "TYPE_STRING",
                            "name": "dusi",
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE"
                        }
                    ]
                }
            ],
            "activityId": {
                "uniqQualifier": "358068855354",
                "timeUsec": "1632459903014598"
            },
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "v37ytid14th",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.logout"
        }
    },
    "timestamp": "2021-09-24T05:05:03.014598Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-24T06:39:22.229734504Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.passwordEdit",
        "resourceName": "organizations/123",
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventName": "password_edit",
                    "status": {
                        "success": true
                    },
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi"
                        }
                    ],
                    "eventType": "password_change"
                }
            ],
            "activityId": {
                "uniqQualifier": "8894052787391296929",
                "timeUsec": "1632803013900566"
            }
        }
    },
    "insertId": "-u8coc0d6n78",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.passwordEdit"
        }
    },
    "timestamp": "2021-09-28T04:23:33.900566Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-28T04:23:37.724654918Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.recoveryEmailEdit",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1632802942940979",
                "uniqQualifier": "-7373127890859496609"
            },
            "event": [
                {
                    "eventType": "recovery_info_change",
                    "eventName": "recovery_email_edit",
                    "parameter": [
                        {
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING",
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-nkwfupd26zt",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.recoveryEmailEdit"
        }
    },
    "timestamp": "2021-09-28T04:22:22.940979Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-28T04:22:26.523242112Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.recoveryPhoneEdit",
        "resourceName": "organizations/123",
        "metadata": {
            "event": [
                {
                    "status": {
                        "success": true
                    },
                    "eventType": "recovery_info_change",
                    "eventName": "recovery_phone_edit",
                    "parameter": [
                        {
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE",
                            "type": "TYPE_STRING",
                            "name": "dusi"
                        }
                    ]
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "activityId": {
                "timeUsec": "1632804439611095",
                "uniqQualifier": "1470137036135837564"
            }
        }
    },
    "insertId": "-1xtrgbd2vl2",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.recoveryPhoneEdit"
        }
    },
    "timestamp": "2021-09-28T04:47:19.611095Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.recoverySecretQaEdit",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "uniqQualifier": "8328506129139272243",
                "timeUsec": "1632804455273424"
            },
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventName": "recovery_secret_qa_edit",
                    "eventType": "recovery_info_change",
                    "status": {
                        "success": true
                    },
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi",
                            "label": "LABEL_OPTIONAL"
                        }
                    ]
                }
            ]
        }
    },
    "insertId": "vn31slcpmy",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.login.LoginService.recoverySecretQaEdit",
            "service": "login.googleapis.com"
        }
    },
    "timestamp": "2021-09-28T04:47:35.273424Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLogin",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1620095181000000",
                "uniqQualifier": "-2034771694824799453"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "suspicious_login",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-778d70d2n5b",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.suspiciousLogin"
        }
    },
    "timestamp": "2021-05-04T02:26:21Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1620095181000000",
                "uniqQualifier": "-2034771694824799453"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "suspicious_login_less_secure_app",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-778d70d2n5b",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.suspiciousLoginLessSecureApp"
        }
    },
    "timestamp": "2021-05-04T02:26:21Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "timeUsec": "1620095181000000",
                "uniqQualifier": "-2034771694824799453"
            },
            "event": [
                {
                    "eventType": "account_warning",
                    "eventName": "suspicious_programmatic_login",
                    "parameter": [
                        {
                            "name": "affected_email_address",
                            "value": "test-user@example.com",
                            "label": "LABEL_OPTIONAL",
                            "type": "TYPE_STRING"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-778d70d2n5b",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.suspiciousProgrammaticLogin"
        }
    },
    "timestamp": "2021-05-04T02:26:21Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.titaniumEnroll",
        "resourceName": "organizations/123",
        "metadata": {
            "activityId": {
                "uniqQualifier": "4206430548119220064",
                "timeUsec": "1632843484846000"
            },
            "event": [
                {
                    "eventName": "titanium_enroll",
                    "status": {
                        "success": true
                    },
                    "parameter": [
                        {
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE",
                            "type": "TYPE_STRING",
                            "name": "dusi"
                        }
                    ],
                    "eventType": "titanium_change"
                }
            ],
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
        }
    },
    "insertId": "-bxbn5bd167i",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.titaniumEnroll"
        }
    },
    "timestamp": "2021-09-28T15:38:04.846Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-28T15:38:05.969683854Z"
}

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "test-user@example.com"
        },
        "requestMetadata": {
            "callerIp": "203.0.113.255",
            "requestAttributes": {},
            "destinationAttributes": {}
        },
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.titaniumUnenroll",
        "resourceName": "organizations/123",
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "event": [
                {
                    "eventType": "titanium_change",
                    "status": {
                        "success": true
                    },
                    "eventName": "titanium_unenroll",
                    "parameter": [
                        {
                            "type": "TYPE_STRING",
                            "label": "LABEL_OPTIONAL",
                            "value": "INfDlrzP9IH8_QE",
                            "name": "dusi"
                        }
                    ]
                }
            ],
            "activityId": {
                "timeUsec": "1632843914653434",
                "uniqQualifier": "-6706492269209711994"
            }
        }
    },
    "insertId": "-vw60qad1861",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "service": "login.googleapis.com",
            "method": "google.login.LoginService.titaniumUnenroll"
        }
    },
    "timestamp": "2021-09-28T15:45:14.653434Z",
    "severity": "NOTICE",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-09-28T15:45:15.862755277Z"
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
GCP audit logs	Google Cloud Audit contains logs from multiple Google Cloud source such as Google Cloud Console and Google Workspace.

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

2sv_disable.json2sv_enroll.jsonaccount_disabled_generic.jsonaccount_disabled_hijacked.jsonaccount_disabled_password_leak.jsonaccount_disabled_spamming.jsonaccount_disabled_spamming_through_relay.jsonattack_warning.jsonemail_forwarding_out_of_domain.jsongke_container_runtime.jsongov_attack_warning.jsonk8s_cluster.jsonk8s_delete_cluster.jsonlogin_challenge.jsonlogin_failure.jsonlogin_success.jsonlogin_verification.jsonlogout.jsonpassword_edit.jsonrecovery_email_edit.jsonrecovery_phone_edit.jsonrecovery_secret_qa_edit.jsonsuspicious_login.jsonsuspicious_login_less_secure_app.jsonsuspicious_programmatic_login.jsontitanium_enroll.jsontitanium_unenroll.json

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.2svDisable\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"-7789616625639281959\",\n        \"timeUsec\": \"1632459962686000\"\n      },\n      \"event\": [\n        {\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventName\": \"2sv_disable\",\n          \"eventType\": \"2sv_change\"\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-tn3jrd3lko\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.2svDisable\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}",
    "@timestamp": "2021-09-24T05:06:02.686000Z",
    "google_cloud_audit": {
        "insertId": "-tn3jrd3lko",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459962686000",
                    "uniqQualifier": "-7789616625639281959"
                },
                "event": [
                    {
                        "eventName": "2sv_disable",
                        "eventType": "2sv_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.2svDisable",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T05:06:03.845372592Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.2svDisable",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.2svEnroll\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"1624031130844323135\",\n        \"timeUsec\": \"1632458745769000\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventType\": \"2sv_change\",\n          \"status\": {\n            \"success\": true\n          },\n          \"eventName\": \"2sv_enroll\",\n          \"parameter\": [\n            {\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"dusi\"\n            }\n          ]\n        }\n      ]\n    }\n  },\n  \"insertId\": \"g3k8gid3b3p\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.2svEnroll\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T04:45:45.769Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T04:45:46.331843829Z\"\n}",
    "@timestamp": "2021-09-24T04:45:45.769000Z",
    "google_cloud_audit": {
        "insertId": "g3k8gid3b3p",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632458745769000",
                    "uniqQualifier": "1624031130844323135"
                },
                "event": [
                    {
                        "eventName": "2sv_enroll",
                        "eventType": "2sv_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.2svEnroll",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T04:45:46.331843829Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.2svEnroll",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledGeneric\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619825589352000\",\n        \"uniqQualifier\": \"-3303614929287073633\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_generic\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"nlgrf8d6ygj\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledGeneric\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}",
    "@timestamp": "2021-04-30T23:33:09.352000Z",
    "google_cloud_audit": {
        "insertId": "nlgrf8d6ygj",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619825589352000",
                    "uniqQualifier": "-3303614929287073633"
                },
                "event": [
                    {
                        "eventName": "account_disabled_generic",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledGeneric",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T23:33:10.673412983Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledGeneric",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledHijacked\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619825589352000\",\n        \"uniqQualifier\": \"-3303614929287073633\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_hijacked\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"nlgrf8d6ygj\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledHijacked\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}",
    "@timestamp": "2021-04-30T23:33:09.352000Z",
    "google_cloud_audit": {
        "insertId": "nlgrf8d6ygj",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619825589352000",
                    "uniqQualifier": "-3303614929287073633"
                },
                "event": [
                    {
                        "eventName": "account_disabled_hijacked",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledHijacked",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T23:33:10.673412983Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledHijacked",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619808083475000\",\n        \"uniqQualifier\": \"6286848759980589624\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_password_leak\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-xkklkzcxkl\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
    "@timestamp": "2021-04-30T18:41:23.475000Z",
    "google_cloud_audit": {
        "insertId": "-xkklkzcxkl",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619808083475000",
                    "uniqQualifier": "6286848759980589624"
                },
                "event": [
                    {
                        "eventName": "account_disabled_password_leak",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledPasswordLeak",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledSpamming\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619808083475000\",\n        \"uniqQualifier\": \"6286848759980589624\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_spamming\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-xkklkzcxkl\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledSpamming\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
    "@timestamp": "2021-04-30T18:41:23.475000Z",
    "google_cloud_audit": {
        "insertId": "-xkklkzcxkl",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619808083475000",
                    "uniqQualifier": "6286848759980589624"
                },
                "event": [
                    {
                        "eventName": "account_disabled_spamming",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledSpamming",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledSpamming",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619808083475000\",\n        \"uniqQualifier\": \"6286848759980589624\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_spamming_through_relay\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-xkklkzcxkl\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
    "@timestamp": "2021-04-30T18:41:23.475000Z",
    "google_cloud_audit": {
        "insertId": "-xkklkzcxkl",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619808083475000",
                    "uniqQualifier": "6286848759980589624"
                },
                "event": [
                    {
                        "eventName": "account_disabled_spamming_through_relay",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.2svDisable\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"-7789616625639281959\",\n        \"timeUsec\": \"1632459962686000\"\n      },\n      \"event\": [\n        {\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventName\": \"2sv_disable\",\n          \"eventType\": \"2sv_change\"\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-tn3jrd3lko\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.2svDisable\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}\n",
    "@timestamp": "2021-09-24T05:06:02.686000Z",
    "google_cloud_audit": {
        "insertId": "-tn3jrd3lko",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459962686000",
                    "uniqQualifier": "-7789616625639281959"
                },
                "event": [
                    {
                        "eventName": "2sv_disable",
                        "eventType": "2sv_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.2svDisable",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T05:06:03.845372592Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.2svDisable",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"-5683698025624301037\",\n        \"timeUsec\": \"1632501152256000\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"email_forwarding_out_of_domain\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"test-user@google.com\",\n              \"name\": \"email_forwarding_destination_address\"\n            }\n          ],\n          \"eventType\": \"email_forwarding_change\"\n        }\n      ]\n    }\n  },\n  \"insertId\": \"rrcp9gd3y2f\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T16:32:32.256Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T16:32:33.319260836Z\"\n}",
    "@timestamp": "2021-09-24T16:32:32.256000Z",
    "google_cloud_audit": {
        "insertId": "rrcp9gd3y2f",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632501152256000",
                    "uniqQualifier": "-5683698025624301037"
                },
                "event": [
                    {
                        "eventName": "email_forwarding_out_of_domain",
                        "eventType": "email_forwarding_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "email_forwarding_destination_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@google.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.emailForwardingOutOfDomain",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T16:32:33.319260836Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.emailForwardingOutOfDomain",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\"insertId\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kube-scheduler\\\" of ClusterRole \\\"system:kube-scheduler\\\" to User \\\"system:kube-scheduler\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kube-scheduler\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.coordination.v1.leases.update\",\"resource\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\"}],\"methodName\":\"io.k8s.coordination.v1.leases.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election\"},\"resourceName\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-14T14:32:10.838967694Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-14T14:32:09.910723Z\"}",
    "@timestamp": "2022-06-14T14:32:09.910723Z",
    "google_cloud_audit": {
        "insertId": "2f93b0a6-f932-4d91-ad61-785ae9587360",
        "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {
            "first": true,
            "id": "2f93b0a6-f932-4d91-ad61-785ae9587360",
            "last": true,
            "producer": "k8s.io"
        },
        "protoPayload": {
            "authorizationInfo": [
                {
                    "granted": true,
                    "permission": "io.k8s.coordination.v1.leases.update",
                    "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler"
                }
            ],
            "methodName": "io.k8s.coordination.v1.leases.update",
            "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2022-06-14T14:32:10.838967694Z",
        "resource": {
            "labels": {
                "cluster_name": "cluster-1",
                "location": "europe-central2-a",
                "project_id": "hazel-aria-348413"
            },
            "type": "k8s_cluster"
        }
    },
    "related": {
        "ip": [
            "10.186.0.146"
        ],
        "user": [
            "system:kube-scheduler"
        ]
    },
    "service": {
        "name": "k8s.io"
    },
    "source": {
        "address": "10.186.0.146",
        "ip": "10.186.0.146"
    },
    "user": {
        "name": "system:kube-scheduler"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election",
        "os": {
            "name": "Linux"
        }
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.govAttackWarning\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619825837106000\",\n        \"uniqQualifier\": \"7230131091737932677\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"gov_attack_warning\",\n          \"eventType\": \"attack_warning\",\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ]\n    }\n  },\n  \"insertId\": \"bxuophd1vlw\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.govAttackWarning\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T23:37:17.106Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T23:37:18.488559815Z\"\n}",
    "@timestamp": "2021-04-30T23:37:17.106000Z",
    "google_cloud_audit": {
        "insertId": "bxuophd1vlw",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619825837106000",
                    "uniqQualifier": "7230131091737932677"
                },
                "event": [
                    {
                        "eventName": "gov_attack_warning",
                        "eventType": "attack_warning",
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.govAttackWarning",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T23:37:18.488559815Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.govAttackWarning",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\"insertId\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kubestore-collector\\\" of ClusterRole \\\"system:kubestore-collector\\\" to User \\\"system:kubestore-collector\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kubestore-collector\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.core.v1.configmaps.update\",\"resource\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\"}],\"methodName\":\"io.k8s.core.v1.configmaps.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format\"},\"resourceName\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T07:27:38.524909478Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-15T07:27:36.652663Z\"}\n\n",
    "@timestamp": "2022-06-15T07:27:36.652663Z",
    "google_cloud_audit": {
        "insertId": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
        "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {
            "first": true,
            "id": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
            "last": true,
            "producer": "k8s.io"
        },
        "protoPayload": {
            "authorizationInfo": [
                {
                    "granted": true,
                    "permission": "io.k8s.core.v1.configmaps.update",
                    "resource": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore"
                }
            ],
            "methodName": "io.k8s.core.v1.configmaps.update",
            "resourceName": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2022-06-15T07:27:38.524909478Z",
        "resource": {
            "labels": {
                "cluster_name": "cluster-1",
                "location": "europe-central2-a",
                "project_id": "hazel-aria-348413"
            },
            "type": "k8s_cluster"
        }
    },
    "related": {
        "ip": [
            "10.186.0.146"
        ],
        "user": [
            "system:kubestore-collector"
        ]
    },
    "service": {
        "name": "k8s.io"
    },
    "source": {
        "address": "10.186.0.146",
        "ip": "10.186.0.146"
    },
    "user": {
        "name": "system:kubestore-collector"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format",
        "os": {
            "name": "Linux"
        }
    }
}

{
    "message": "{\"insertId\":\"ofj3qoe4mbih\",\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1655309832996-a5fd6e18\",\"last\":true,\"producer\":\"container.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"metadata\":{\"operationType\":\"DELETE_CLUSTER\"},\"methodName\":\"google.container.v1.ClusterManager.DeleteCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"resourceLocation\":{\"currentLocations\":[\"europe-central2-a\"]},\"resourceName\":\"projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1\",\"serviceName\":\"container.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T16:19:48.068568099Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"gke_cluster\"},\"severity\":\"NOTICE\",\"timestamp\":\"2022-06-15T16:19:47.720234784Z\"}",
    "@timestamp": "2022-06-15T16:19:47.720234Z",
    "google_cloud_audit": {
        "insertId": "ofj3qoe4mbih",
        "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {
            "id": "operation-1655309832996-a5fd6e18",
            "last": true,
            "producer": "container.googleapis.com"
        },
        "protoPayload": {
            "metadata": {
                "operationType": "DELETE_CLUSTER"
            },
            "methodName": "google.container.v1.ClusterManager.DeleteCluster",
            "resourceLocation": {
                "currentLocations": [
                    "europe-central2-a"
                ]
            },
            "resourceName": "projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2022-06-15T16:19:48.068568099Z",
        "resource": {
            "labels": {
                "cluster_name": "cluster-1",
                "location": "europe-central2-a",
                "project_id": "hazel-aria-348413"
            },
            "type": "gke_cluster"
        },
        "severity": "NOTICE"
    },
    "service": {
        "name": "container.googleapis.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginChallenge\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"login_challenge\",\n          \"parameter\": [\n            {\n              \"name\": \"login_type\",\n              \"value\": \"google_password\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_REPEATED\",\n              \"name\": \"login_challenge_method\",\n              \"multiStrValue\": [\n                \"idv_preregistered_phone\"\n              ]\n            },\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"incorrect_answer_entered\",\n              \"name\": \"login_challenge_status\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"IOWJlfPwgvrTfg\"\n            }\n          ],\n          \"eventType\": \"login\"\n        }\n      ],\n      \"activityId\": {\n        \"timeUsec\": \"1632500217183211\",\n        \"uniqQualifier\": \"358068855354\"\n      }\n    }\n  },\n  \"insertId\": \"-nahbepd4l2j\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.loginChallenge\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T16:16:57.183211Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T17:51:28.041126044Z\"}",
    "@timestamp": "2021-09-24T16:16:57.183211Z",
    "google_cloud_audit": {
        "insertId": "-nahbepd4l2j",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632500217183211",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_challenge",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "idv_preregistered_phone"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_challenge_status",
                                "type": "TYPE_STRING",
                                "value": "incorrect_answer_entered"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "IOWJlfPwgvrTfg"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginChallenge",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T17:51:28.041126044Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginChallenge",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginFailure\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"event\": [\n        {\n          \"eventName\": \"login_failure\",\n          \"eventType\": \"login\",\n          \"parameter\": [\n            {\n              \"value\": \"google_password\",\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"login_type\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"name\": \"login_challenge_method\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_REPEATED\",\n              \"multiStrValue\": [\n                \"password\",\n                \"idv_preregistered_phone\",\n                \"idv_preregistered_phone\"\n              ]\n            },\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"IOWJlfPwgvrTfg\"\n            }\n          ]\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"358068855354\",\n        \"timeUsec\": \"1632500217183212\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-nahbepd4l1x\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.loginFailure\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T16:16:57.183212Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T17:51:25.034361197Z\"\n}",
    "@timestamp": "2021-09-24T16:16:57.183212Z",
    "google_cloud_audit": {
        "insertId": "-nahbepd4l1x",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632500217183212",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_failure",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "password",
                                    "idv_preregistered_phone",
                                    "idv_preregistered_phone"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "IOWJlfPwgvrTfg"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginFailure",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T17:51:25.034361197Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginFailure",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginSuccess\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"activityId\": {\n        \"timeUsec\": \"1632458429811809\",\n        \"uniqQualifier\": \"358068855354\"\n      },\n      \"event\": [\n        {\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"google_password\",\n              \"name\": \"login_type\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"name\": \"login_challenge_method\",\n              \"label\": \"LABEL_REPEATED\",\n              \"type\": \"TYPE_STRING\",\n              \"multiStrValue\": [\n                \"password\"\n              ]\n            },\n            {\n              \"type\": \"TYPE_BOOL\",\n              \"boolValue\": false,\n              \"name\": \"is_suspicious\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\"\n            }\n          ],\n          \"eventType\": \"login\",\n          \"eventName\": \"login_success\"\n        }\n      ]\n    }\n  },\n  \"insertId\": \"ci1svzd3hfk\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.loginSuccess\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T04:40:29.811809Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T05:43:20.474338130Z\"\n}",
    "@timestamp": "2021-09-24T04:40:29.811809Z",
    "google_cloud_audit": {
        "insertId": "ci1svzd3hfk",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632458429811809",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_success",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "password"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "boolValue": false,
                                "label": "LABEL_OPTIONAL",
                                "name": "is_suspicious",
                                "type": "TYPE_BOOL"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginSuccess",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T05:43:20.474338130Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginSuccess",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginVerification\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"login_verification\",\n          \"parameter\": [\n            {\n              \"name\": \"login_type\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"google_password\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"name\": \"login_challenge_method\",\n              \"multiStrValue\": [\n                \"idv_preregistered_phone\"\n              ],\n              \"label\": \"LABEL_REPEATED\",\n              \"type\": \"TYPE_STRING\"\n            },\n            {\n              \"value\": \"passed\",\n              \"name\": \"login_challenge_status\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\"\n            },\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"boolValue\": true,\n              \"type\": \"TYPE_BOOL\",\n              \"name\": \"is_second_factor\"\n            }\n          ],\n          \"eventType\": \"login\"\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"358068855354\",\n        \"timeUsec\": \"1632459936762000\"\n      }\n    }\n  },\n  \"insertId\": \"ivb9z4d41rh\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.loginVerification\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:05:36.762Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T06:39:22.386813664Z\"\n}",
    "@timestamp": "2021-09-24T05:05:36.762000Z",
    "google_cloud_audit": {
        "insertId": "ivb9z4d41rh",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459936762000",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_verification",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "idv_preregistered_phone"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_challenge_status",
                                "type": "TYPE_STRING",
                                "value": "passed"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            },
                            {
                                "boolValue": true,
                                "label": "LABEL_OPTIONAL",
                                "name": "is_second_factor",
                                "type": "TYPE_BOOL"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginVerification",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T06:39:22.386813664Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginVerification",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.logout\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"event\": [\n        {\n          \"eventName\": \"logout\",\n          \"eventType\": \"login\",\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"login_type\",\n              \"value\": \"google_password\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\"\n            }\n          ]\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"358068855354\",\n        \"timeUsec\": \"1632459903014598\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"v37ytid14th\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.logout\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:05:03.014598Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T06:39:22.229734504Z\"\n}",
    "@timestamp": "2021-09-24T05:05:03.014598Z",
    "google_cloud_audit": {
        "insertId": "v37ytid14th",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459903014598",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "logout",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.logout",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T06:39:22.229734504Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.logout",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.passwordEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"password_edit\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventType\": \"password_change\"\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"8894052787391296929\",\n        \"timeUsec\": \"1632803013900566\"\n      }\n    }\n  },\n  \"insertId\": \"-u8coc0d6n78\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.passwordEdit\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:23:33.900566Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:23:37.724654918Z\"\n}",
    "@timestamp": "2021-09-28T04:23:33.900566Z",
    "google_cloud_audit": {
        "insertId": "-u8coc0d6n78",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632803013900566",
                    "uniqQualifier": "8894052787391296929"
                },
                "event": [
                    {
                        "eventName": "password_edit",
                        "eventType": "password_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.passwordEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:23:37.724654918Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.passwordEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.recoveryEmailEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1632802942940979\",\n        \"uniqQualifier\": \"-7373127890859496609\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"recovery_info_change\",\n          \"eventName\": \"recovery_email_edit\",\n          \"parameter\": [\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-nkwfupd26zt\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.recoveryEmailEdit\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:22:22.940979Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:22:26.523242112Z\"\n}",
    "@timestamp": "2021-09-28T04:22:22.940979Z",
    "google_cloud_audit": {
        "insertId": "-nkwfupd26zt",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632802942940979",
                    "uniqQualifier": "-7373127890859496609"
                },
                "event": [
                    {
                        "eventName": "recovery_email_edit",
                        "eventType": "recovery_info_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.recoveryEmailEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:22:26.523242112Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.recoveryEmailEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.recoveryPhoneEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"event\": [\n        {\n          \"status\": {\n            \"success\": true\n          },\n          \"eventType\": \"recovery_info_change\",\n          \"eventName\": \"recovery_phone_edit\",\n          \"parameter\": [\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\"\n            }\n          ]\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"activityId\": {\n        \"timeUsec\": \"1632804439611095\",\n        \"uniqQualifier\": \"1470137036135837564\"\n      }\n    }\n  },\n  \"insertId\": \"-1xtrgbd2vl2\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.recoveryPhoneEdit\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:47:19.611095Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:47:25.741574446Z\"}",
    "@timestamp": "2021-09-28T04:47:19.611095Z",
    "google_cloud_audit": {
        "insertId": "-1xtrgbd2vl2",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632804439611095",
                    "uniqQualifier": "1470137036135837564"
                },
                "event": [
                    {
                        "eventName": "recovery_phone_edit",
                        "eventType": "recovery_info_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.recoveryPhoneEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:47:25.741574446Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.recoveryPhoneEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.recoverySecretQaEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"8328506129139272243\",\n        \"timeUsec\": \"1632804455273424\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"recovery_secret_qa_edit\",\n          \"eventType\": \"recovery_info_change\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\",\n              \"label\": \"LABEL_OPTIONAL\"\n            }\n          ]\n        }\n      ]\n    }\n  },\n  \"insertId\": \"vn31slcpmy\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.recoverySecretQaEdit\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:47:35.273424Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:47:37.650432219Z\"}",
    "@timestamp": "2021-09-28T04:47:35.273424Z",
    "google_cloud_audit": {
        "insertId": "vn31slcpmy",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632804455273424",
                    "uniqQualifier": "8328506129139272243"
                },
                "event": [
                    {
                        "eventName": "recovery_secret_qa_edit",
                        "eventType": "recovery_info_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.recoverySecretQaEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:47:37.650432219Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.recoverySecretQaEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.suspiciousLogin\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1620095181000000\",\n        \"uniqQualifier\": \"-2034771694824799453\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"suspicious_login\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-778d70d2n5b\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.suspiciousLogin\"\n    }\n  },\n  \"timestamp\": \"2021-05-04T02:26:21Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
    "@timestamp": "2021-05-04T02:26:21Z",
    "google_cloud_audit": {
        "insertId": "-778d70d2n5b",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1620095181000000",
                    "uniqQualifier": "-2034771694824799453"
                },
                "event": [
                    {
                        "eventName": "suspicious_login",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.suspiciousLogin",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.suspiciousLogin",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.suspiciousLoginLessSecureApp\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1620095181000000\",\n        \"uniqQualifier\": \"-2034771694824799453\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"suspicious_login_less_secure_app\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-778d70d2n5b\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.suspiciousLoginLessSecureApp\"\n    }\n  },\n  \"timestamp\": \"2021-05-04T02:26:21Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
    "@timestamp": "2021-05-04T02:26:21Z",
    "google_cloud_audit": {
        "insertId": "-778d70d2n5b",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1620095181000000",
                    "uniqQualifier": "-2034771694824799453"
                },
                "event": [
                    {
                        "eventName": "suspicious_login_less_secure_app",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.suspiciousLoginLessSecureApp",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.suspiciousProgrammaticLogin\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1620095181000000\",\n        \"uniqQualifier\": \"-2034771694824799453\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"suspicious_programmatic_login\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-778d70d2n5b\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.suspiciousProgrammaticLogin\"\n    }\n  },\n  \"timestamp\": \"2021-05-04T02:26:21Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
    "@timestamp": "2021-05-04T02:26:21Z",
    "google_cloud_audit": {
        "insertId": "-778d70d2n5b",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1620095181000000",
                    "uniqQualifier": "-2034771694824799453"
                },
                "event": [
                    {
                        "eventName": "suspicious_programmatic_login",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.suspiciousProgrammaticLogin",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.titaniumEnroll\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"4206430548119220064\",\n        \"timeUsec\": \"1632843484846000\"\n      },\n      \"event\": [\n        {\n          \"eventName\": \"titanium_enroll\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventType\": \"titanium_change\"\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-bxbn5bd167i\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.titaniumEnroll\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T15:38:04.846Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T15:38:05.969683854Z\"\n}",
    "@timestamp": "2021-09-28T15:38:04.846000Z",
    "google_cloud_audit": {
        "insertId": "-bxbn5bd167i",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632843484846000",
                    "uniqQualifier": "4206430548119220064"
                },
                "event": [
                    {
                        "eventName": "titanium_enroll",
                        "eventType": "titanium_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.titaniumEnroll",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T15:38:05.969683854Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.titaniumEnroll",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.titaniumUnenroll\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventType\": \"titanium_change\",\n          \"status\": {\n            \"success\": true\n          },\n          \"eventName\": \"titanium_unenroll\",\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ]\n        }\n      ],\n      \"activityId\": {\n        \"timeUsec\": \"1632843914653434\",\n        \"uniqQualifier\": \"-6706492269209711994\"\n      }\n    }\n  },\n  \"insertId\": \"-vw60qad1861\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.titaniumUnenroll\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T15:45:14.653434Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T15:45:15.862755277Z\"\n}",
    "@timestamp": "2021-09-28T15:45:14.653434Z",
    "google_cloud_audit": {
        "insertId": "-vw60qad1861",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632843914653434",
                    "uniqQualifier": "-6706492269209711994"
                },
                "event": [
                    {
                        "eventName": "titanium_unenroll",
                        "eventType": "titanium_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.titaniumUnenroll",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T15:45:15.862755277Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.titaniumUnenroll",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
@timestamp	date	Date/time when the event originated.
google_cloud_audit.insertId	keyword	A unique identifier for the log entry.
google_cloud_audit.logName	keyword	The resource name of the log to which this log entry belongs to.
google_cloud_audit.operation.first	bool
google_cloud_audit.operation.id	keyword
google_cloud_audit.operation.last	bool
google_cloud_audit.operation.producer	keyword
google_cloud_audit.protoPayload.authorizationInfo	object	Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.
google_cloud_audit.protoPayload.metadata.activityId.timeUsec	keyword
google_cloud_audit.protoPayload.metadata.activityId.uniqQualifier	keyword
google_cloud_audit.protoPayload.metadata.event	object
google_cloud_audit.protoPayload.metadata.operationType	keyword
google_cloud_audit.protoPayload.metadata.type	keyword	Other service-specific data about the request, response, and other information associated with the current audited event.
google_cloud_audit.protoPayload.methodName	keyword	The name of the service method or operation. For API calls, this should be the name of the API method.
google_cloud_audit.protoPayload.request.policy.bindings	keyword
google_cloud_audit.protoPayload.request.policy.etag	keyword
google_cloud_audit.protoPayload.request.resource	keyword
google_cloud_audit.protoPayload.request.type	keyword
google_cloud_audit.protoPayload.requestMetadata.requestAttributes.time	keyword	Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request.
google_cloud_audit.protoPayload.resourceLocation.currentLocations	keyword
google_cloud_audit.protoPayload.resourceName	keyword	The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name.
google_cloud_audit.protoPayload.response.bindings	keyword
google_cloud_audit.protoPayload.response.etag	keyword
google_cloud_audit.protoPayload.response.type	keyword
google_cloud_audit.protoPayload.type	keyword	protoPayload is an object containing fields of an arbitrary type. An additional field '@type' contains a URI identifying the type. Example: { 'id': 1234, '@type': 'types.example.com/standard/id' }.
google_cloud_audit.receiveTimestamp	keyword	The time the log entry was received by Logging.
google_cloud_audit.resource.labels.cluster_name	keyword
google_cloud_audit.resource.labels.location	keyword
google_cloud_audit.resource.labels.method	keyword	The labels associated with the peer.
google_cloud_audit.resource.labels.node_name	keyword
google_cloud_audit.resource.labels.project_id	keyword	The labels associated with the peer.
google_cloud_audit.resource.labels.service	keyword	The labels associated with the peer.
google_cloud_audit.resource.labels.topic_id	keyword	The labels associated with the peer.
google_cloud_audit.resource.type	keyword
google_cloud_audit.severity	keyword	The severity of the log entry.
orchestrator.type	keyword	Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
service.name	keyword	Name of the service.
source.ip	ip	IP address of the source.
user.email	keyword	User email address.
user.name	keyword	Short name or login of the user.
user_agent.original	keyword	Unparsed user_agent string.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.