Skip to content

Google Workspace / ChromeOS

Overview

  • Vendor: Google
  • Supported environment: SaaS
  • Detection based on: Telemetry
  • Supported application or feature: Application Logs

Google Workspace, formerly known as G Suite, is a cloud-based productivity and collaboration platform developed by Google, featuring tools like Gmail, Google Drive, and Google Docs. It allows users to create, communicate, and collaborate in real-time from any location, promoting efficient teamwork and secure file management. Complementing this, ChromeOS is a Linux-based operating system designed for Chromebooks, focusing on delivering a fast and secure user experience centered around web applications and cloud services. Together, Google Workspace and ChromeOS provide an integrated environment that enhances productivity and collaboration in the digital age.

Supported applications

This integration can collect activities from the following GSuite applications:

  • admin to collect activities on the Admin console
  • calendar to collect events from Google calendar
  • chat to collect Chat activities
  • drive to supervise Google Drive events
  • gcp for the Google Cloud platform activiaties
  • groups to collect Google groups events
  • groups_entreprise to collect Entreprise groups events
  • jamboard to collect Jamboard activities
  • login to monitor authentication in Google applications
  • meet to supervise Google meet events
  • token for authentication supervision
  • user_accounts to monitor Users accounts activities
  • keep to supervices Google Keep activities
  • vault to collect vault activities
  • rules to collect Rules activities
  • saml to collect SAML activities
  • context_aware_access to collect Context-aware access activities
  • chrome lists various types of Chrome Audit activity events

Limitation

Only activities from one applications can be collected from one playbook. To collect activities from several Google Application, create as many playbooks as applications to collect.

Configure

Prerequisites

  • Google licence Enterprise standard or higher
  • Access to Sekoia.io Intakes and Playbook pages with write permissions
  • Administrator access to the Google Cloud console and to Google Workspace

Create a dedicated service account

To create a service account you have to :

  1. Create a project
  2. Turn on the APIs for the service account a. In your project, select APIs & Services and then Library b. Select the Admin SDK API and click on Enable (you can write the name in the search box to find it more easily)
  3. Under APIs & Services, set up the OAuth consent screen
    • Click on OAuth consent screen
    • For User type, select Internal
    • Write an App Name, a User support email and an email address for the Developer contact information
    • Select the following scopes (see Choose Reports API scopes):
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
      • https://www.googleapis.com/auth/admin.reports.usage.readonly
  4. Create the service account
    • Under IAM & Admins, click on Service Accounts and click on Create Service Account
    • Specify the Service Account details
    • Click on Done (no need to Grant this service account access to project and Grant users access to this service account)
  5. Create a delegation
    • Find your new Service Account and select Managed details
    • Click on Advanced settings
    • Under "Domain-wide delegation" find your service account's Client ID. Copy the client ID value to your clipboard.
    • Click on View Google Workspace Admin Console, then sign in using a super administrator user account and continue following these steps.
    • In the Google Admin console, go to Menu > Security > Access and data control > API controls.
    • Click Manage Domain Wide Delegation.
    • Click Add new.
    • In the "Client ID" field, paste the client ID that you previously copied.
    • In the "OAuth Scopes" field, enter a comma-delimited list of the scopes required by your application. This is the same set of scopes you defined when configuring the OAuth consent screen.
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
      • https://www.googleapis.com/auth/admin.reports.usage.readonly
    • Click Authorize

For more details in each steps please read this Documentation and this one about delegation

Create and download JSON keys (service account credentials)

To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.

Note

By default, service account keys never expire.

  1. Go to the Service accounts page
  2. Select your cloud project
  3. Click the email address of the service account that you want to create a key for
  4. Click the Keys tab
  5. Click the Add key drop-down menu, then select Create new key
  6. Select JSON as the Key type and click Create

Important

Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.

Find more information on the official google documentation.

Example of JSON key file

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Sekoia.io configuration procedure

Create your intake

  1. Go to the intake page and create a new intake from the Google Report.
  2. Edit the intake configuration with the following attribut:
    • Select the application name what you to fetch events from
    • Type the an Google workspace admin email.

Important

  • This Google workspace admin email is any user part of the domain that has the right to view de Data of Google Workspace
  • If you are uncertain whether to use a super admin or admin email, make sure you have the appropriate permissions in the email for the service you are requesting. For example, if you need to access logs on Google Vault, you will need the Access all logs permission.

Enjoy your events on the Events page

Further readings

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-07T14:23:22.470Z",
        "uniqueQualifier": "-7203312395540000000",
        "applicationName": "context_aware_access",
        "customerId": "C02i38lll"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"",
    "actor": {
        "callerType": "USER",
        "email": "john.doe@test.com",
        "profileId": "117564289545555555555"
    },
    "ipAddress": "9.3.2.1",
    "events": [
        {
            "type": "CONTEXT_AWARE_ACCESS_USER_EVENT",
            "name": "MONITOR_MODE_ACCESS_DENY_EVENT",
            "parameters": [
                {
                    "name": "CAA_ACCESS_LEVEL_APPLIED",
                    "multiValue": [
                        "is admin-approved IOS",
                        "is admin-approved android",
                        "Is Corporate Device"
                    ]
                },
                {
                    "name": "CAA_ACCESS_LEVEL_UNSATISFIED",
                    "multiValue": [
                        "is admin-approved android",
                        "Crowdstrike Compliant Device",
                        "is admin-approved IOS",
                        "Is Corporate Device"
                    ]
                },
                {
                    "name": "CAA_APPLICATION",
                    "value": "GMAIL"
                },
                {
                    "name": "BLOCKED_API_ACCESS",
                    "multiValue": [
                        "GMAIL"
                    ]
                },
                {
                    "name": "CAA_DEVICE_ID",
                    "value": "UNKNOWN"
                },
                {
                    "name": "CAA_DEVICE_STATE",
                    "value": "No Device Signals"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-12T14:50:56.780Z",
        "uniqueQualifier": "-68755428425",
        "applicationName": "admin",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"",
    "actor": {
        "callerType": "USER",
        "email": "test@test.com",
        "profileId": "10125127140"
    },
    "ipAddress": "2222:000:333:1111:7777:5555:6666:ddd",
    "events": [
        {
            "type": "ALERT_CENTER",
            "name": "ALERT_CENTER_VIEW",
            "parameters": [
                {
                    "name": "ALERT_ID",
                    "value": "445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-12T14:41:33.804Z",
        "uniqueQualifier": "-4779949128172",
        "applicationName": "admin",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"",
    "actor": {
        "email": "test@test.com",
        "profileId": "10125127141"
    },
    "ipAddress": "2222:000:333:1111:7777:5555:6666:ddd",
    "events": [
        {
            "type": "SECURITY_SETTINGS",
            "name": "ALLOW_STRONG_AUTHENTICATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "true"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "ENFORCE_STRONG_AUTHENTICATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "true"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "DISABLE_USERS_TO_TRUST_DEVICE"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "1 week"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "1 day"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
            "parameters": [
                {
                    "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD",
                    "value": "NO_TELEPHONY"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_START_DATE",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "2019-10-31"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T10:25:01.859Z",
        "uniqueQualifier": "-119782077599",
        "applicationName": "calendar",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\"",
    "actor": {
        "email": "joe.done@test.com",
        "profileId": "1126768166"
    },
    "ownerDomain": "sekoia.io",
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "event_change",
            "name": "change_event",
            "parameters": [
                {
                    "name": "event_id",
                    "value": "6qr2cujo0lkfln"
                },
                {
                    "name": "organizer_calendar_id",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "calendar_id",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "event_title",
                    "value": "title test"
                },
                {
                    "name": "is_recurring",
                    "boolValue": false
                },
                {
                    "name": "recurring",
                    "value": "no"
                },
                {
                    "name": "client_side_encrypted",
                    "value": "no"
                },
                {
                    "name": "start_time",
                    "intValue": "63846009000"
                },
                {
                    "name": "end_time",
                    "intValue": "63846010800"
                },
                {
                    "name": "api_kind",
                    "value": "caldav"
                },
                {
                    "name": "user_agent",
                    "value": "macOS/12.5"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T10:36:57.929Z",
        "uniqueQualifier": "2480088525820",
        "applicationName": "calendar",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "email": "joe.doe@test.com",
        "profileId": "1158856535600"
    },
    "ownerDomain": "test.com",
    "ipAddress": "ffff:2222:333:11:aa:2222:111:11",
    "events": [
        {
            "type": "event_change",
            "name": "create_event",
            "parameters": [
                {
                    "name": "event_id",
                    "value": "fksdqs5mv613b"
                },
                {
                    "name": "organizer_calendar_id",
                    "value": "joe.doe@test.com"
                },
                {
                    "name": "calendar_id",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "event_title",
                    "value": "Test title"
                },
                {
                    "name": "is_recurring",
                    "boolValue": false
                },
                {
                    "name": "recurring",
                    "value": "no"
                },
                {
                    "name": "client_side_encrypted",
                    "value": "no"
                },
                {
                    "name": "start_time",
                    "intValue": "63846450000"
                },
                {
                    "name": "end_time",
                    "intValue": "63846453600"
                },
                {
                    "name": "user_agent",
                    "value": "Calendly"
                }
            ]
        },
        {
            "type": "event_change",
            "name": "add_event_guest",
            "parameters": [
                {
                    "name": "event_id",
                    "value": "fksdqs5mv613b"
                },
                {
                    "name": "organizer_calendar_id",
                    "value": "joe.doe@test.com"
                },
                {
                    "name": "calendar_id",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "event_title",
                    "value": "Test title"
                },
                {
                    "name": "is_recurring",
                    "boolValue": false
                },
                {
                    "name": "recurring",
                    "value": "no"
                },
                {
                    "name": "client_side_encrypted",
                    "value": "no"
                },
                {
                    "name": "event_guest",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "user_agent",
                    "value": "Calendly"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-08T10:37:56.354Z",
        "uniqueQualifier": "-75128508411076",
        "applicationName": "chat",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.com",
        "profileId": "1160802395241"
    },
    "events": [
        {
            "type": "user_action",
            "name": "message_posted",
            "parameters": [
                {
                    "name": "room_id",
                    "value": "AAAAAAAAAA"
                },
                {
                    "name": "actor",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "message_id",
                    "value": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
                },
                {
                    "name": "retention_state",
                    "value": "PERMANENT"
                },
                {
                    "name": "room_name",
                    "value": "Group Chat (AAAAAAAAAA)"
                },
                {
                    "name": "dlp_scan_status",
                    "value": "DLP_NOT_APPLICABLE"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-12T10:01:16.430Z",
        "uniqueQualifier": "-2323518099402",
        "applicationName": "chat",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.com",
        "profileId": "1070981817756"
    },
    "events": [
        {
            "type": "user_action",
            "name": "room_created",
            "parameters": [
                {
                    "name": "room_id",
                    "value": "AAAAAAAAA"
                },
                {
                    "name": "actor",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "external_room",
                    "value": "DISABLED"
                },
                {
                    "name": "room_name",
                    "value": "Group Chat (AAAAAAAAA)"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-15T09:11:54.000Z",
        "uniqueQualifier": "8333377333333333333",
        "applicationName": "chrome",
        "customerId": "C01000364"
    },
    "etag": "\"vj4PvLCfb9kD8ZfWJ2SmlhI/FB6vZhPRe0T5Zqobg\"",
    "actor": {
        "callerType": "USER",
        "profileId": "105250506090000000000000"
    },
    "events": [
        {
            "type": "CHROME_OS_ADD_REMOVE_USER_TYPE",
            "name": "CHROME_OS_ADD_USER",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "172800000000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_AFFILIATED_USER_ADDED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NNNN00AA"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "a@test.fr"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "47777777-cccc-7777-7777-f16211400000000"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-15T09:41:04.457Z",
        "uniqueQualifier": "-419957426935000000000",
        "applicationName": "chrome",
        "customerId": "C01x77777"
    },
    "etag": "\"vj4PvLCfb9kD8ZfWJ2SmlhIiA/NR0JCBuKk9DM7\"",
    "actor": {
        "callerType": "USER",
        "profileId": "1052505060000000000000"
    },
    "events": [
        {
            "type": "CHROMEOS_LOCK_UNLOCK_TYPE",
            "name": "CHROMEOS_AFFILIATED_LOCK_SUCCESS",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1728984444444"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_AFFILIATED_LOCK_SUCCESS"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NXNZ00A66666666"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "a@test.fr"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-ce6b-4857-b741-f100000000000000000"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-08T13:15:35.760Z",
        "uniqueQualifier": "-5079400007310000000",
        "applicationName": "chrome",
        "customerId": "C01xxcccc"
    },
    "etag": "\"vj4PvLCfbhIiAAGttWx4uxgdiOjzAg0/tTZpUjK2c3wFB9Uh\"",
    "actor": {
        "callerType": "KEY",
        "key": "SYSTEM"
    },
    "events": [
        {
            "type": "DEVICE_BOOT_STATE_CHANGE_TYPE",
            "name": "DEVICE_BOOT_STATE_CHANGE",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1731071700000"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "M4NXCVNNNN2000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROME_OS_VERIFIED_MODE"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "c4a7f0fa-e5d1-4a07-8f61-9eeeeeeeeeef"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": ""
                },
                {
                    "name": "PREVIOUS_BOOT_MODE",
                    "value": "UNKNOWN"
                },
                {
                    "name": "NEW_BOOT_MODE",
                    "value": "VERIFIED"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-21T13:47:41.000Z",
        "uniqueQualifier": "-41312380982470000000",
        "applicationName": "chrome",
        "customerId": "C01x7cccc"
    },
    "etag": "\"vj4PvLCfb9kD84uxgdiOjzAg0/ydpRq7PE6Sq81YCdl1\"",
    "actor": {
        "callerType": "USER",
        "email": "a@test.fr",
        "profileId": "1032729143013"
    },
    "events": [
        {
            "type": "CHROME_OS_CRD_CLIENT_CONNECTED_TYPE",
            "name": "CHROME_OS_CRD_CLIENT_CONNECTED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "17290000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_CRD_CLIENT_CONNECTED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "PFPFPF7T0M"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "Admin"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "CONNECTION_TYPE",
                    "value": "RELAY"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.58.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "0f9e7f45-b777-4777-b777-c214388888888"
                },
                {
                    "name": "SESSION_ID",
                    "value": "joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-21T13:48:12.000Z",
        "uniqueQualifier": "389668566663666666613",
        "applicationName": "chrome",
        "customerId": "C01xxcccc"
    },
    "etag": "\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/k9WnQIxoNvYgDlcL8\"",
    "actor": {
        "callerType": "USER",
        "email": "a@test.fr",
        "profileId": "103276200000043013"
    },
    "events": [
        {
            "type": "CHROME_OS_CRD_CLIENT_DISCONNECTED_TYPE",
            "name": "CHROME_OS_CRD_CLIENT_DISCONNECTED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1729518000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_CRD_CLIENT_DISCONNECTED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "PFFF7T0M"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "Admin"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.58.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "0f9e7f45-7777-7777-7777-c21438884dc5"
                },
                {
                    "name": "SESSION_ID",
                    "value": "joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-21T13:48:12.000Z",
        "uniqueQualifier": "-3822400088800088888",
        "applicationName": "chrome",
        "customerId": "C01x7cccc"
    },
    "etag": "\"vj4PvLCfb9kD8ZfWxgdiOjzAg0/ND9YlWuFYJrufwljQI\"",
    "actor": {
        "callerType": "USER",
        "email": "a@test.fr",
        "profileId": "11122222222460000000"
    },
    "events": [
        {
            "type": "CHROME_OS_CRD_HOST_ENDED_TYPE",
            "name": "CHROME_OS_CRD_HOST_ENDED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "17292222222000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_CRD_HOST_ENDED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "PFPFTT0M"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "Admin"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.58.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "0f9e7f45-b777-4777-b777-c21438e84dc5"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-21T13:47:27.000Z",
        "uniqueQualifier": "6345555777799998888",
        "applicationName": "chrome",
        "customerId": "C01xxcccc"
    },
    "etag": "\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/4hGqeNXoNQepbYGE\"",
    "actor": {
        "callerType": "USER",
        "email": "a@test.fr",
        "profileId": "333222222222222223333"
    },
    "events": [
        {
            "type": "CHROME_OS_CRD_HOST_STARTED_TYPE",
            "name": "CHROME_OS_CRD_HOST_STARTED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1724444440000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_CRD_HOST_STARTED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "PFPF7T0M"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "Admin"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.58.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "0f9e7f45-b187-4444-7777-c23338884555"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-08T13:20:40.000Z",
        "uniqueQualifier": "-2392455694764444444444",
        "applicationName": "chrome",
        "customerId": "C01x7c000"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\"",
    "actor": {
        "callerType": "USER",
        "profileId": "105250506097973333333333"
    },
    "events": [
        {
            "type": "CHROME_OS_LOGIN_LOGOUT_TYPE",
            "name": "CHROME_OS_LOGIN_EVENT",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1731072040000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_KIOSK_SESSION_LOGIN"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NXNZ00A000000"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "-"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16033.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-ce6b-4857"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "test_org"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-05T11:58:46.000Z",
        "uniqueQualifier": "5756634282037777777777",
        "applicationName": "chrome",
        "customerId": "C01x777777777"
    },
    "etag": "\"vj4PvLCfb9kD8ZfWJ2Smlh/sS5BbT29sC\"",
    "actor": {
        "callerType": "USER",
        "profileId": "1052505060000000000000000"
    },
    "events": [
        {
            "type": "CHROME_OS_LOGIN_LOGOUT_TYPE",
            "name": "CHROME_OS_LOGIN_FAILURE_EVENT",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1730800000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_AFFILIATED_LOGIN"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "NXEFJEF007901100000000"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "y@test.fr"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16033.43.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "cbc28748-a199-47c1-b483-000000000000000000"
                },
                {
                    "name": "LOGIN_FAILURE_REASON",
                    "value": "AUTHENTICATION_ERROR"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "Microsoft"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-15T09:00:38.000Z",
        "uniqueQualifier": "-1434962671000000000000",
        "applicationName": "chrome",
        "customerId": "C0100c000"
    },
    "etag": "\"vj4PvLCfb9kD8ZfWJ2SmlhIiAAG/lzqsleRu67H0HaxvdOJ\"",
    "actor": {
        "callerType": "USER",
        "profileId": "105250506000000000000000000"
    },
    "events": [
        {
            "type": "CHROME_OS_LOGIN_LOGOUT_TYPE",
            "name": "CHROME_OS_LOGOUT_EVENT",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1728900000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_AFFILIATED_LOGOUT"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NXNZ0000000001A"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "a@test.fr"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-ce6b-4857-b741-f0000000000000000"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-11T15:56:35.651Z",
        "uniqueQualifier": "2420143888886666888",
        "applicationName": "chrome",
        "customerId": "C01x7cccc"
    },
    "etag": "\"vj4PvLCfb9AGttWx4uxgdiOjzAg0/qXWA2OAs3YpjtVNEo9y\"",
    "actor": {
        "callerType": "USER",
        "email": "a@test.fr",
        "profileId": "103333222222222223333"
    },
    "events": [
        {
            "type": "CHROMEOS_PERIPHERAL_ADDED_TYPE",
            "name": "CHROMEOS_PERIPHERAL_ADDED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "122222225555"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_PERIPHERAL_ADDED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NNN000A66661A"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "a@test.fr"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.44.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc7777-cccc-8888-7777-f16211111111b"
                },
                {
                    "name": "PRODUCT_ID",
                    "value": "222234"
                },
                {
                    "name": "PRODUCT_NAME",
                    "value": "USB2.0 FHD UVC WebCam"
                },
                {
                    "name": "VENDOR_ID",
                    "value": "0x222e"
                },
                {
                    "name": "VENDOR_NAME",
                    "value": "Sonix Technology Co., Ltd."
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-11T15:56:35.351Z",
        "uniqueQualifier": "2649444888333333335",
        "applicationName": "chrome",
        "customerId": "C01x7c333"
    },
    "etag": "\"vj4PvAGttWx4uxgdiOjzAg0/DWFo8d88e_z7nQYg\"",
    "actor": {
        "callerType": "USER",
        "email": "a@test.fr",
        "profileId": "103272222224629143333"
    },
    "events": [
        {
            "type": "CHROMEOS_PERIPHERAL_REMOVED_TYPE",
            "name": "CHROMEOS_PERIPHERAL_REMOVED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1728662555333"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_PERIPHERAL_REMOVED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NNN00066688AA"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "a@test.fr"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.44.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-cccc-5555-7777-f1111122227b"
                },
                {
                    "name": "PRODUCT_ID",
                    "value": "0x2222"
                },
                {
                    "name": "PRODUCT_NAME",
                    "value": ""
                },
                {
                    "name": "VENDOR_ID",
                    "value": "0x2222"
                },
                {
                    "name": "VENDOR_NAME",
                    "value": ""
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-08T13:17:42.050Z",
        "uniqueQualifier": "8215000000000000000",
        "applicationName": "chrome",
        "customerId": "C01x00000"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zF\"",
    "actor": {
        "callerType": "USER",
        "profileId": "105250506097979777777"
    },
    "events": [
        {
            "type": "CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE",
            "name": "CHROMEOS_PERIPHERAL_STATUS_UPDATED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1731071860000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NXNZ00A000000"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16033.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-ce6b-4857"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "test_org"
                },
                {
                    "name": "PRODUCT_ID",
                    "value": "0x2"
                },
                {
                    "name": "PRODUCT_NAME",
                    "value": "2.0 root hub"
                },
                {
                    "name": "VENDOR_ID",
                    "value": "0x1ddd"
                },
                {
                    "name": "VENDOR_NAME",
                    "value": "Linux Foundation"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-15T09:09:42.884Z",
        "uniqueQualifier": "436275460544100000000",
        "applicationName": "chrome",
        "customerId": "C01x7ccccc"
    },
    "etag": "\"vj4PvLCfbtWx4uxgdiOjzAg0/175l0NK2JBeAcg\"",
    "actor": {
        "callerType": "USER",
        "profileId": "105250506097000000000"
    },
    "events": [
        {
            "type": "CHROMEOS_POWERWASH_TYPE",
            "name": "CHROMEOS_POWERWASH_INITIATED",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "172898338222222"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_POWERWASH_INITIATED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NXNZ00A66821A"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "-"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-ce6b-4857-b741-f1621111111111111"
                },
                {
                    "name": "REMOTE_REQUESTED",
                    "value": "requested"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-15T09:31:16.000Z",
        "uniqueQualifier": "-378806042057000000000000",
        "applicationName": "chrome",
        "customerId": "C01x700000"
    },
    "etag": "\"vj4PvLCfb9kD8ZfWJ2Sml/mtgJ4U_Y-rfHYQ\"",
    "actor": {
        "callerType": "USER",
        "profileId": "105250500000000000753968"
    },
    "events": [
        {
            "type": "CHROME_OS_ADD_REMOVE_USER_TYPE",
            "name": "CHROME_OS_REMOVE_USER",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "1728900000000"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_UNAFFILIATED_USER_REMOVED"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S5NXNZ0000000000A"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "-"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.51.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-6666-7777-7777-3333333333333"
                },
                {
                    "name": "REMOVE_USER_REASON",
                    "value": "LOCAL_USER_INITIATED"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-14T09:17:57.384Z",
        "uniqueQualifier": "68200096415770000",
        "applicationName": "chrome",
        "customerId": "C01xxcccc"
    },
    "etag": "\"vj4PvLCfiAAGttWx4uxgdiOjzAg0/bTMQuHA7m4d1RjZ8u\"",
    "actor": {
        "callerType": "USER",
        "profileId": "1052505060979"
    },
    "events": [
        {
            "type": "CHROMEOS_UPDATE_TYPE",
            "name": "CHROMEOS_UPDATE_SUCCESS",
            "parameters": [
                {
                    "name": "TIMESTAMP",
                    "intValue": "7778897477777"
                },
                {
                    "name": "EVENT_REASON",
                    "value": "CHROMEOS_UPDATE_SUCCESS"
                },
                {
                    "name": "DEVICE_NAME",
                    "value": "S50000000A668888"
                },
                {
                    "name": "DEVICE_USER",
                    "value": "-"
                },
                {
                    "name": "CLIENT_TYPE",
                    "value": "CHROME_OS_DEVICE"
                },
                {
                    "name": "CURRENT_OS_VERSION",
                    "value": "16002.51.0"
                },
                {
                    "name": "DEVICE_PLATFORM",
                    "value": "ChromeOS 16002.44.0"
                },
                {
                    "name": "DIRECTORY_DEVICE_ID",
                    "value": "4ebc77ae-ce6b-4857-b0000-f00000000000"
                },
                {
                    "name": "PREVIOUS_OS_VERSION",
                    "value": "16002.44.0"
                }
            ]
        }
    ]
}
{
    "kind": "audit#activity",
    "id": {
        "time": "2014-03-17T15:39:18.460Z",
        "uniqQualifier": "reports unique ID",
        "applicationName": "drive",
        "customerId": "ABC123xyz"
    },
    "actor": {
        "callerType": "USER",
        "email": "kim@example.com",
        "profileId": "users unique Google Workspace profile ID",
        "key": "consumer key of requestor in an OAuth 2LO request"
    },
    "ownerDomain": "domain of the source owner",
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "access",
            "name": "edit",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": true
                },
                {
                    "name": "owner_team_drive_id",
                    "value": "AAAAAALLLLLL"
                },
                {
                    "name": "owner",
                    "value": "RH "
                },
                {
                    "name": "doc_id",
                    "value": "5555763535"
                },
                {
                    "name": "doc_type",
                    "value": "folder"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "Divers"
                },
                {
                    "name": "visibility",
                    "value": "shared_internally"
                },
                {
                    "name": "shared_drive_id",
                    "value": "112-EIUBHDIUBEBUD"
                },
                {
                    "name": "originating_app_id",
                    "value": "691301496089"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": true
                },
                {
                    "name": "team_drive_id",
                    "value": "111-EIUBHDIUBEBUD"
                }
            ]
        }
    ]
}
{
    "kind": "audit#activity",
    "id": {
        "time": "2014-03-17T15:39:18.460Z",
        "uniqQualifier": "reports unique ID",
        "applicationName": "drive",
        "customerId": "ABC123xyz"
    },
    "actor": {
        "callerType": "USER",
        "email": "kim@example.com",
        "profileId": "users unique Google Workspace profile ID",
        "key": "consumer key of requestor in an OAuth 2LO request"
    },
    "ownerDomain": "domain of the source owner",
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "access",
            "name": "edit",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": false
                },
                {
                    "name": "doc_id",
                    "value": "1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8"
                },
                {
                    "name": "doc_title",
                    "value": "Meeting notes"
                },
                {
                    "name": "doc_type",
                    "value": "document"
                },
                {
                    "name": "owner",
                    "value": "mary@example.com"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2025-02-18T17:10:20.317Z",
        "uniqueQualifier": "-12345678",
        "applicationName": "drive",
        "customerId": "CUSTO1"
    },
    "etag": "\"ABCDEF123\"",
    "actor": {
        "email": "",
        "profileId": "105250506097979753968"
    },
    "events": [
        {
            "type": "access",
            "name": "sheets_import_range",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": false
                },
                {
                    "name": "sheets_import_range_recipient_doc",
                    "value": "123qwerty456"
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": true
                },
                {
                    "name": "owner_team_drive_id",
                    "value": "asdf678"
                },
                {
                    "name": "owner",
                    "value": "johndoe"
                },
                {
                    "name": "doc_id",
                    "value": "zxcv890"
                },
                {
                    "name": "doc_type",
                    "value": "spreadsheet"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "TPS report"
                },
                {
                    "name": "visibility",
                    "value": "people_with_link"
                },
                {
                    "name": "shared_drive_id",
                    "value": "asdf678"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": true
                },
                {
                    "name": "team_drive_id",
                    "value": "asdf678"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2023-09-04T08:42:51.615Z",
        "uniqueQualifier": "-2222222222222222222",
        "applicationName": "drive",
        "customerId": "111111111"
    },
    "actor": {
        "email": "john.doe@example.org",
        "profileId": "444444444444444444444"
    },
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "access",
            "name": "view",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": true
                },
                {
                    "name": "owner_team_drive_id",
                    "value": "DDD_111111111111111"
                },
                {
                    "name": "owner",
                    "value": "J.DOE"
                },
                {
                    "name": "doc_id",
                    "value": "333333333333333333333333333333333"
                },
                {
                    "name": "doc_type",
                    "value": "folder"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "MyDocs"
                },
                {
                    "name": "visibility",
                    "value": "people_within_domain_with_link"
                },
                {
                    "name": "shared_drive_id",
                    "value": "DDD_222222222222222"
                },
                {
                    "name": "originating_app_id",
                    "value": "666666666666"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": true
                },
                {
                    "name": "team_drive_id",
                    "value": "DDD_888888888888888"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-14T12:07:37.366Z",
        "uniqueQualifier": "-3853857772415670247",
        "applicationName": "meet",
        "customerId": "C030x4pai"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\"",
    "actor": {
        "callerType": "KEY",
        "key": "HANGOUTS_EXTERNAL_OR_ANONYMOUS"
    },
    "events": [
        {
            "type": "call",
            "name": "call_ended",
            "parameters": [
                {
                    "name": "video_send_seconds",
                    "intValue": "173"
                },
                {
                    "name": "screencast_recv_bitrate_kbps_mean",
                    "intValue": "61"
                },
                {
                    "name": "location_country",
                    "value": "FR"
                },
                {
                    "name": "identifier_type",
                    "value": "device_id"
                },
                {
                    "name": "audio_send_bitrate_kbps_mean",
                    "intValue": "0"
                },
                {
                    "name": "video_send_packet_loss_max",
                    "intValue": "2"
                },
                {
                    "name": "endpoint_id",
                    "value": "boq_hlane_QGKxiQcCZvF"
                },
                {
                    "name": "device_type",
                    "value": "meet_hardware"
                },
                {
                    "name": "video_send_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "screencast_recv_long_side_median_pixels",
                    "intValue": "1568"
                },
                {
                    "name": "calendar_event_id",
                    "value": "3ckjqg60dq5j4eu9cgjtdb396c"
                },
                {
                    "name": "screencast_send_seconds",
                    "intValue": "0"
                },
                {
                    "name": "video_send_fps_mean",
                    "intValue": "30"
                },
                {
                    "name": "audio_send_packet_loss_max",
                    "intValue": "0"
                },
                {
                    "name": "network_send_jitter_msec_mean",
                    "intValue": "1"
                },
                {
                    "name": "screencast_recv_fps_mean",
                    "intValue": "29"
                },
                {
                    "name": "audio_recv_seconds",
                    "intValue": "33"
                },
                {
                    "name": "network_congestion",
                    "intValue": "0"
                },
                {
                    "name": "network_estimated_download_kbps_mean",
                    "intValue": "74"
                },
                {
                    "name": "audio_send_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "network_transport_protocol",
                    "value": "udp"
                },
                {
                    "name": "duration_seconds",
                    "intValue": "15317"
                },
                {
                    "name": "video_send_bitrate_kbps_mean",
                    "intValue": "19"
                },
                {
                    "name": "identifier",
                    "value": "644e7990-c69d-4e09-8cd2-6ae52406c21c"
                },
                {
                    "name": "location_region",
                    "value": "Paris"
                },
                {
                    "name": "audio_recv_packet_loss_max",
                    "intValue": "0"
                },
                {
                    "name": "audio_recv_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "network_recv_jitter_msec_max",
                    "intValue": "2"
                },
                {
                    "name": "organizer_email",
                    "value": "tt.test@test.fr"
                },
                {
                    "name": "screencast_recv_short_side_median_pixels",
                    "intValue": "980"
                },
                {
                    "name": "is_external",
                    "boolValue": false
                },
                {
                    "name": "network_recv_jitter_msec_mean",
                    "intValue": "1"
                },
                {
                    "name": "ip_address",
                    "value": "1.2.3.4"
                },
                {
                    "name": "audio_send_seconds",
                    "intValue": "15316"
                },
                {
                    "name": "display_name",
                    "value": "OLYMPUS (Paris-106T, 8)"
                },
                {
                    "name": "screencast_recv_packet_loss_max",
                    "intValue": "0"
                },
                {
                    "name": "video_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "network_rtt_msec_mean",
                    "intValue": "8"
                },
                {
                    "name": "video_send_long_side_median_pixels",
                    "intValue": "320"
                },
                {
                    "name": "screencast_recv_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "conference_id",
                    "value": "rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA"
                },
                {
                    "name": "screencast_recv_seconds",
                    "intValue": "14874"
                },
                {
                    "name": "product_type",
                    "value": "meet"
                },
                {
                    "name": "network_estimated_upload_kbps_mean",
                    "intValue": "7"
                },
                {
                    "name": "video_send_short_side_median_pixels",
                    "intValue": "180"
                },
                {
                    "name": "meeting_code",
                    "value": "ABCDEFGHIJ"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-14T11:32:12.301Z",
        "uniqueQualifier": "-6765941919309710661",
        "applicationName": "meet",
        "customerId": "C030x4pai"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\"",
    "actor": {
        "callerType": "KEY",
        "key": "HANGOUTS_EXTERNAL_OR_ANONYMOUS"
    },
    "events": [
        {
            "type": "call",
            "name": "call_ended",
            "parameters": [
                {
                    "name": "video_send_seconds",
                    "intValue": "725"
                },
                {
                    "name": "audio_send_bitrate_kbps_mean",
                    "intValue": "13"
                },
                {
                    "name": "video_send_packet_loss_max",
                    "intValue": "0"
                },
                {
                    "name": "endpoint_id",
                    "value": "boq_hlane_UJtqXZcvBo3"
                },
                {
                    "name": "device_type",
                    "value": "web"
                },
                {
                    "name": "video_send_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "video_recv_long_side_median_pixels",
                    "intValue": "480"
                },
                {
                    "name": "calendar_event_id",
                    "value": "6cm94j8lp55a9880oj2o0rb3e6"
                },
                {
                    "name": "screencast_send_seconds",
                    "intValue": "0"
                },
                {
                    "name": "video_send_fps_mean",
                    "intValue": "30"
                },
                {
                    "name": "audio_send_packet_loss_max",
                    "intValue": "0"
                },
                {
                    "name": "video_recv_short_side_median_pixels",
                    "intValue": "270"
                },
                {
                    "name": "video_recv_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "network_send_jitter_msec_mean",
                    "intValue": "1"
                },
                {
                    "name": "audio_recv_seconds",
                    "intValue": "3647"
                },
                {
                    "name": "network_congestion",
                    "intValue": "0"
                },
                {
                    "name": "network_estimated_download_kbps_mean",
                    "intValue": "1158"
                },
                {
                    "name": "audio_send_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "network_transport_protocol",
                    "value": "tcp"
                },
                {
                    "name": "duration_seconds",
                    "intValue": "3651"
                },
                {
                    "name": "video_send_bitrate_kbps_mean",
                    "intValue": "375"
                },
                {
                    "name": "audio_recv_packet_loss_max",
                    "intValue": "9"
                },
                {
                    "name": "video_recv_fps_mean",
                    "intValue": "23"
                },
                {
                    "name": "audio_recv_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "network_recv_jitter_msec_max",
                    "intValue": "98"
                },
                {
                    "name": "organizer_email",
                    "value": "tt.test@test.fr"
                },
                {
                    "name": "is_external",
                    "boolValue": true
                },
                {
                    "name": "network_recv_jitter_msec_mean",
                    "intValue": "3"
                },
                {
                    "name": "audio_send_seconds",
                    "intValue": "3647"
                },
                {
                    "name": "display_name",
                    "value": "Yuki"
                },
                {
                    "name": "video_recv_seconds",
                    "intValue": "3638"
                },
                {
                    "name": "network_rtt_msec_mean",
                    "intValue": "11"
                },
                {
                    "name": "video_send_long_side_median_pixels",
                    "intValue": "480"
                },
                {
                    "name": "conference_id",
                    "value": "aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA"
                },
                {
                    "name": "screencast_recv_seconds",
                    "intValue": "3627"
                },
                {
                    "name": "product_type",
                    "value": "meet"
                },
                {
                    "name": "network_estimated_upload_kbps_mean",
                    "intValue": "105"
                },
                {
                    "name": "video_send_short_side_median_pixels",
                    "intValue": "270"
                },
                {
                    "name": "video_recv_packet_loss_max",
                    "intValue": "0"
                },
                {
                    "name": "meeting_code",
                    "value": "BUSOHGFTVB"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2025-02-18T16:00:24.311Z",
        "uniqueQualifier": "-123456",
        "applicationName": "groups_enterprise",
        "customerId": "CUSTOMER1"
    },
    "etag": "\"ABCDEF123\"",
    "actor": {
        "callerType": "KEY",
        "key": "SYSTEM"
    },
    "events": [
        {
            "type": "moderator_action",
            "name": "remove_user",
            "parameters": [
                {
                    "name": "member_id",
                    "value": "john.doe@example.com"
                },
                {
                    "name": "group_id",
                    "value": "team@example.com"
                },
                {
                    "name": "member_type",
                    "value": "user"
                }
            ]
        },
        {
            "type": "moderator_action",
            "name": "remove_member",
            "parameters": [
                {
                    "name": "member_id",
                    "value": "john.doe@example.com"
                },
                {
                    "name": "group_id",
                    "value": "team@example.com"
                },
                {
                    "name": "member_type",
                    "value": "user"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-11T15:20:33.157Z",
        "uniqueQualifier": "-92180609786",
        "applicationName": "groups_enterprise",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.com",
        "profileId": "109472445"
    },
    "events": [
        {
            "type": "moderator_action",
            "name": "delete_group",
            "parameters": [
                {
                    "name": "group_id",
                    "value": "testgroup@test.com"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T11:02:40.037Z",
        "uniqueQualifier": "235176017661",
        "applicationName": "meet",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "callerType": "USER",
        "email": "jone.doe@test.com",
        "profileId": "1098488062555"
    },
    "events": [
        {
            "type": "call",
            "name": "call_ended",
            "parameters": [
                {
                    "name": "video_send_seconds",
                    "intValue": "0"
                },
                {
                    "name": "location_country",
                    "value": "FR"
                },
                {
                    "name": "identifier_type",
                    "value": "email_address"
                },
                {
                    "name": "endpoint_id",
                    "value": "dSzi5ZfqD8I"
                },
                {
                    "name": "device_type",
                    "value": "web"
                },
                {
                    "name": "screencast_send_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "calendar_event_id",
                    "value": "glb41ldt739tcf0bun7p9htaqr"
                },
                {
                    "name": "screencast_send_seconds",
                    "intValue": "83"
                },
                {
                    "name": "screencast_send_short_side_median_pixels",
                    "intValue": "1080"
                },
                {
                    "name": "screencast_send_packet_loss_max",
                    "intValue": "1"
                },
                {
                    "name": "screencast_send_fps_mean",
                    "intValue": "29"
                },
                {
                    "name": "audio_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "network_congestion",
                    "intValue": "0"
                },
                {
                    "name": "network_estimated_download_kbps_mean",
                    "intValue": "1"
                },
                {
                    "name": "network_transport_protocol",
                    "value": "udp"
                },
                {
                    "name": "duration_seconds",
                    "intValue": "1498"
                },
                {
                    "name": "identifier",
                    "value": "jone.doe@test.com"
                },
                {
                    "name": "location_region",
                    "value": "Argenteuil"
                },
                {
                    "name": "screencast_send_bitrate_kbps_mean",
                    "intValue": "791"
                },
                {
                    "name": "organizer_email",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "ip_address",
                    "value": "5555:333:333:5555:5555:5555:5555:5555"
                },
                {
                    "name": "audio_send_seconds",
                    "intValue": "0"
                },
                {
                    "name": "display_name",
                    "value": "Test SEGLA"
                },
                {
                    "name": "video_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "screencast_send_long_side_median_pixels",
                    "intValue": "1920"
                },
                {
                    "name": "network_rtt_msec_mean",
                    "intValue": "12"
                },
                {
                    "name": "conference_id",
                    "value": "SQEGZkIp70zCVuvX_PtXDxI"
                },
                {
                    "name": "screencast_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "product_type",
                    "value": "meet"
                },
                {
                    "name": "network_estimated_upload_kbps_mean",
                    "intValue": "0"
                },
                {
                    "name": "meeting_code",
                    "value": "GMGSZDDDDD"
                },
                {
                    "name": "is_external",
                    "boolValue": false
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T10:31:23.630Z",
        "uniqueQualifier": "47501654195",
        "applicationName": "meet",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "callerType": "USER",
        "email": "jone.done@test.com",
        "profileId": "1070981817756"
    },
    "events": [
        {
            "type": "conference_action",
            "name": "presentation_started",
            "parameters": [
                {
                    "name": "is_external",
                    "boolValue": false
                },
                {
                    "name": "meeting_code",
                    "value": "BWXXZYNUUU"
                },
                {
                    "name": "conference_id",
                    "value": "iVYNZWWtL3-mwtWyAGIeDxIWOAkI"
                },
                {
                    "name": "action_time",
                    "value": "2024-03-13T10:31:23.630220Z"
                },
                {
                    "name": "identifier",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "identifier_type",
                    "value": "email_address"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-07T14:21:46.270Z",
        "uniqueQualifier": "233165468629800000000",
        "applicationName": "rules",
        "customerId": "C02i38888"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"",
    "actor": {
        "email": "john.doe@test.com",
        "profileId": "113328670183616666666"
    },
    "events": [
        {
            "type": "action_complete_type",
            "name": "action_complete",
            "parameters": [
                {
                    "name": "data_source",
                    "value": "DRIVE"
                },
                {
                    "name": "resource_id",
                    "value": "1K23Am8JmHL9vgGwUjUPaq0000000"
                },
                {
                    "name": "resource_owner_email",
                    "value": "john.doe@test.com"
                },
                {
                    "name": "rule_resource_name",
                    "value": "policies/aka00000000000"
                },
                {
                    "name": "rule_name",
                    "value": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN"
                },
                {
                    "name": "rule_type",
                    "value": "DLP"
                },
                {
                    "name": "matched_detectors",
                    "multiMessageValue": [
                        {
                            "parameter": [
                                {
                                    "name": "detector_id",
                                    "value": "IBAN_CODE"
                                },
                                {
                                    "name": "detector_type",
                                    "value": "PREDEFINED_DLP"
                                },
                                {
                                    "name": "display_name",
                                    "value": "IBAN_CODE"
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "triggered_actions",
                    "multiMessageValue": [
                        {
                            "parameter": [
                                {
                                    "name": "action_type",
                                    "value": "DRIVE_WARN_ON_EXTERNAL_SHARING"
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "resource_recipients",
                    "multiValue": [
                        "john.doe@test.com"
                    ]
                },
                {
                    "name": "scan_type",
                    "value": "DRIVE_ONLINE_SCAN"
                },
                {
                    "name": "matched_trigger",
                    "value": "DRIVE_SHARE"
                },
                {
                    "name": "severity",
                    "value": "LOW"
                },
                {
                    "name": "resource_type",
                    "value": "DOCUMENT"
                },
                {
                    "name": "resource_title",
                    "value": "8157822-2024-11-7-15-21-0"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-07T14:21:46.270Z",
        "uniqueQualifier": "-49907177521610000000",
        "applicationName": "rules",
        "customerId": "C02i38888"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\"",
    "actor": {
        "email": "john.doe@test.com",
        "profileId": "11332867018361686666666"
    },
    "events": [
        {
            "type": "content_matched_type",
            "name": "content_matched",
            "parameters": [
                {
                    "name": "data_source",
                    "value": "DRIVE"
                },
                {
                    "name": "resource_id",
                    "value": "1K23Am8JmHL9vgGwUjUPaqDZV"
                },
                {
                    "name": "resource_owner_email",
                    "value": "john.doe@test.com"
                },
                {
                    "name": "rule_resource_name",
                    "value": "policies/aka000000000"
                },
                {
                    "name": "rule_name",
                    "value": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN"
                },
                {
                    "name": "rule_type",
                    "value": "DLP"
                },
                {
                    "name": "matched_detectors",
                    "multiMessageValue": [
                        {
                            "parameter": [
                                {
                                    "name": "detector_id",
                                    "value": "IBAN_CODE"
                                },
                                {
                                    "name": "detector_type",
                                    "value": "PREDEFINED_DLP"
                                },
                                {
                                    "name": "display_name",
                                    "value": "IBAN_CODE"
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "triggered_actions",
                    "multiMessageValue": [
                        {
                            "parameter": [
                                {
                                    "name": "action_type",
                                    "value": "DRIVE_WARN_ON_EXTERNAL_SHARING"
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "resource_recipients",
                    "multiValue": [
                        "john.doe@test.com"
                    ]
                },
                {
                    "name": "scan_type",
                    "value": "DRIVE_ONLINE_SCAN"
                },
                {
                    "name": "severity",
                    "value": "LOW"
                },
                {
                    "name": "resource_type",
                    "value": "DOCUMENT"
                },
                {
                    "name": "resource_title",
                    "value": "8157822-2024-11-7-15-21-0"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-07T14:26:15.515Z",
        "uniqueQualifier": "4091348940000000",
        "applicationName": "saml",
        "customerId": "C00000000"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"",
    "actor": {
        "email": "John.doe@test.com",
        "profileId": "10344515534360000000"
    },
    "ipAddress": "2.1.3.2",
    "events": [
        {
            "type": "login",
            "name": "login_success",
            "parameters": [
                {
                    "name": "orgunit_path",
                    "value": "/test/implementation"
                },
                {
                    "name": "initiated_by",
                    "value": "sp"
                },
                {
                    "name": "application_name",
                    "value": "AWS"
                },
                {
                    "name": "saml_status_code",
                    "value": "SUCCESS_URI"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-11-07T14:24:58.191Z",
        "uniqueQualifier": "-318965716033600000",
        "applicationName": "saml",
        "customerId": "C000000000"
    },
    "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"",
    "actor": {
        "email": "John.doe@test.com",
        "profileId": "113844576558700000000"
    },
    "ipAddress": "8.6.15.1",
    "events": [
        {
            "type": "login",
            "name": "login_success",
            "parameters": [
                {
                    "name": "orgunit_path",
                    "value": "/test/dev"
                },
                {
                    "name": "initiated_by",
                    "value": "sp"
                },
                {
                    "name": "application_name",
                    "value": "AWS Client VPN"
                },
                {
                    "name": "saml_status_code",
                    "value": "SUCCESS_URI"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-07-09T14:05:42.528Z",
        "uniqueQualifier": "0123456789101112131",
        "applicationName": "admin",
        "customerId": "C03foh000"
    },
    "etag": "BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0",
    "actor": {
        "callerType": "USER",
        "email": "john.doe@test.fr",
        "profileId": "102788027662650927386"
    },
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "USER_SETTINGS",
            "name": "SUSPEND_USER",
            "parameters": [
                {
                    "name": "USER_EMAIL",
                    "value": "jdoe@test.fr"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-01-17T11:09:39.840Z",
        "uniqueQualifier": "111111",
        "applicationName": "drive",
        "customerId": "XXXXXX"
    },
    "etag": "aaa-aaa/aaa",
    "actor": {
        "email": "senduser@test.com",
        "profileId": "11111"
    },
    "ipAddress": "0.0.0.0",
    "events": [
        {
            "type": "access",
            "name": "edit",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": false
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": false
                },
                {
                    "name": "owner",
                    "value": "owner@test.com"
                },
                {
                    "name": "doc_id",
                    "value": "1111111111"
                },
                {
                    "name": "doc_type",
                    "value": "document"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "Doc Temp"
                },
                {
                    "name": "visibility",
                    "value": "shared_externally"
                },
                {
                    "name": "originating_app_id",
                    "value": "111111"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": false
                }
            ]
        },
        {
            "type": "acl_change",
            "name": "change_user_access",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "visibility_change",
                    "value": "external"
                },
                {
                    "name": "target_user",
                    "value": "targetuser@test.fr"
                },
                {
                    "name": "old_value",
                    "multiValue": [
                        "none"
                    ]
                },
                {
                    "name": "new_value",
                    "multiValue": [
                        "can_edit"
                    ]
                },
                {
                    "name": "old_visibility",
                    "value": "shared_internally"
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": false
                },
                {
                    "name": "owner",
                    "value": "owner@test.com"
                },
                {
                    "name": "doc_id",
                    "value": "11111"
                },
                {
                    "name": "doc_type",
                    "value": "document"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "Doc Temp"
                },
                {
                    "name": "visibility",
                    "value": "shared_externally"
                },
                {
                    "name": "originating_app_id",
                    "value": "11111"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": false
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T11:24:59.810Z",
        "uniqueQualifier": "515960775816012389",
        "applicationName": "token",
        "customerId": "C03foh04q"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"",
    "actor": {
        "email": "JONE.DOE@test.com",
        "profileId": "109472445"
    },
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "name": "authorize",
            "parameters": [
                {
                    "name": "client_id",
                    "value": "11057316681905"
                },
                {
                    "name": "app_name",
                    "value": "Test Log Workspace"
                },
                {
                    "name": "client_type",
                    "value": "WEB"
                },
                {
                    "name": "scope_data",
                    "multiMessageValue": [
                        {
                            "parameter": [
                                {
                                    "name": "scope_name",
                                    "value": "https://www.googleapis.com/auth/admin.reports.audit.readonly"
                                },
                                {
                                    "name": "product_bucket",
                                    "multiValue": [
                                        "GSUITE_ADMIN"
                                    ]
                                }
                            ]
                        },
                        {
                            "parameter": [
                                {
                                    "name": "scope_name",
                                    "value": "https://www.googleapis.com/auth/admin.reports.usage.readonly"
                                },
                                {
                                    "name": "product_bucket",
                                    "multiValue": [
                                        "GSUITE_ADMIN"
                                    ]
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "scope",
                    "multiValue": [
                        "https://www.googleapis.com/auth/admin.reports.audit.readonly",
                        "https://www.googleapis.com/auth/admin.reports.usage.readonly"
                    ]
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T11:25:23.391Z",
        "uniqueQualifier": "-38605878274",
        "applicationName": "token",
        "customerId": "C03foh5555"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\"",
    "actor": {
        "email": "JOE.DONE@test.com",
        "profileId": "1094724450"
    },
    "ipAddress": "1.1.1.1",
    "events": [
        {
            "type": "auth",
            "name": "activity",
            "parameters": [
                {
                    "name": "api_name",
                    "value": "admin"
                },
                {
                    "name": "method_name",
                    "value": "reports.activities.list"
                },
                {
                    "name": "client_id",
                    "value": "110573166819"
                },
                {
                    "name": "num_response_bytes",
                    "intValue": "7"
                },
                {
                    "name": "product_bucket",
                    "value": "GSUITE_ADMIN"
                },
                {
                    "name": "app_name",
                    "value": "Test Log Workspace"
                },
                {
                    "name": "client_type",
                    "value": "WEB"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-10-24T12:15:09.887Z",
        "uniqueQualifier": "38392508037850000000",
        "applicationName": "vault",
        "customerId": "C020000000"
    },
    "etag": "\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.cloud",
        "profileId": "10055276727227777777777"
    },
    "events": [
        {
            "type": "user_action",
            "name": "view_cross_matter_litigation_hold_report"
        }
    ]
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake Google Workspace / ChromeOS. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Google Workspace / ChromeOS on ATT&CK Navigator

Advanced IP Scanner

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

  • Effort: master
Certify Or Certipy

Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.

  • Effort: advanced
Cobalt Strike Default Beacons Names

Detects the default names of Cobalt Strike beacons / payloads.

  • Effort: intermediate
Credential Dump Tools Related Files

Detects processes or file names related to credential dumping tools and the dropped files they generate by default.

  • Effort: advanced
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Google Workspace Account Warning

Detects a suspicious login, leaked password, or account disabled following suspicious activity.

  • Effort: elementary
Google Workspace Admin Creation

Detects when an admin is created or when his role is changed.

  • Effort: master
Google Workspace Admin Deletion

Detects when an admin is deleted or when his role is unassigned.

  • Effort: master
Google Workspace Admin Modification

Detects when an admin is modified.

  • Effort: master
Google Workspace App Script Scheduled Task

Detects when a scheduled task is launched by Google App Script. This product is used to create scripts and integrate applications within Google Workspace.

  • Effort: advanced
Google Workspace Blocked Sender

Detects when a user is blocked by google workspace.

  • Effort: advanced
Google Workspace Bypass 2FA

Detects when user tries to bypass the 2FA.

  • Effort: master
Google Workspace Domain Delegation

Detects when a domain delegation is granted.

  • Effort: master
Google Workspace Email Forwarding

Detects when a user enables email forwarding out of the domain

  • Effort: advanced
Google Workspace External Sharing

Detects a large number of external sharing.

  • Effort: master
Google Workspace Login Brute-Force

Detects when a user failed to login multiple times before a successful login.

  • Effort: master
Google Workspace MFA changed

Detects when the settings for the MFA are modified.

  • Effort: master
Google Workspace Password Change

Detects when a password is changed. An attacker can perform this action to impact the availability of the account.

  • Effort: master
Google Workspace User Creation

Detects when a new user is created.

  • Effort: master
Google Workspace User Deletion

Detects when an user is deleted.

  • Effort: master
Google Workspace User Suspended

Detects when an user is suspended. An attacker can use this to remove an account used during the intrusion.

  • Effort: master
HTA Infection Chains

Detect the creation of a ZIP file and an HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).

  • Effort: advanced
HTML Smuggling Suspicious Usage

Based on several samples from different botnets, this rule aims at detecting HTML infection chain by looking for HTML created files followed by suspicious files being executed.

  • Effort: intermediate
HackTools Suspicious Names

Quick-win rule to detect the default process names or file names of several HackTools.

  • Effort: elementary
ISO LNK Infection Chain

Detection of an ISO (or any other similar archive file) downloaded file, followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with host.name.

  • Effort: intermediate
Internet Scanner

Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.

  • Effort: master
Internet Scanner Target

Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP and group by target address. This could be a very noisy rule, so be careful to check your detection perimeter before activation.

  • Effort: master
PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

  • Effort: elementary
RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
Sign-In Via Known AiTM Phishing Kit

Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.

  • Effort: elementary
Suspicious File Name

Detects suspicious file name possibly linked to malicious tool.

  • Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.

  • Effort: advanced
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate
ZIP LNK Infection Chain

Detection of an ZIP download followed by a child-process of explorer, followed by multiple Windows processes.This is widely used as an infection chain mechanism.

  • Effort: advanced

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
GCP audit logs Google Cloud Audit contains logs from multiple Google Cloud source such as Google Workspace.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category authentication, configuration, file, host, iam, session
Type access, admin, allowed, change, connection, creation, deletion, denied, end, info, start

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}",
    "event": {
        "action": "MONITOR_MODE_ACCESS_DENY_EVENT",
        "dataset": "admin#reports#activity",
        "type": [
            "denied"
        ]
    },
    "@timestamp": "2024-11-07T14:23:22.470000Z",
    "cloud": {
        "account": {
            "id": "C02i38lll"
        }
    },
    "google": {
        "report": {
            "access": {
                "application": "GMAIL"
            },
            "actor": {
                "email": "john.doe@test.com"
            }
        }
    },
    "network": {
        "application": "context_aware_access"
    },
    "related": {
        "ip": [
            "9.3.2.1"
        ],
        "user": [
            "john.doe"
        ]
    },
    "source": {
        "address": "9.3.2.1",
        "ip": "9.3.2.1"
    },
    "user": {
        "domain": "test.com",
        "email": "john.doe@test.com",
        "id": "117564289545555555555",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"10125127140\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}",
    "event": {
        "action": "ALERT_CENTER_VIEW",
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-03-12T14:50:56.780000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "test@test.com"
            }
        }
    },
    "network": {
        "application": "admin"
    },
    "related": {
        "ip": [
            "2222:0:333:1111:7777:5555:6666:ddd"
        ],
        "user": [
            "test"
        ]
    },
    "source": {
        "address": "2222:0:333:1111:7777:5555:6666:ddd",
        "ip": "2222:0:333:1111:7777:5555:6666:ddd"
    },
    "user": {
        "domain": "test.com",
        "email": "test@test.com",
        "id": "10125127140",
        "name": "test"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"10125127141\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}",
    "event": {
        "action": [
            "ALLOW_STRONG_AUTHENTICATION",
            "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
            "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
            "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
            "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
            "CHANGE_TWO_STEP_VERIFICATION_START_DATE",
            "ENFORCE_STRONG_AUTHENTICATION"
        ],
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2024-03-12T14:41:33.804000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "test@test.com"
            }
        }
    },
    "network": {
        "application": "admin"
    },
    "related": {
        "ip": [
            "2222:0:333:1111:7777:5555:6666:ddd"
        ],
        "user": [
            "test"
        ]
    },
    "source": {
        "address": "2222:0:333:1111:7777:5555:6666:ddd",
        "ip": "2222:0:333:1111:7777:5555:6666:ddd"
    },
    "user": {
        "domain": "test.com",
        "email": "test@test.com",
        "id": "10125127141",
        "name": "test"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"joe.done@test.com\",\"profileId\":\"1126768166\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"event_title\",\"value\":\"title test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}",
    "event": {
        "action": "change_event",
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-03-13T10:25:01.859000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            }
        }
    },
    "network": {
        "application": "calendar"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "joe.done"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1126768166",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"joe.doe@test.com\",\"profileId\":\"1158856535600\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"ffff:2222:333:11:aa:2222:111:11\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jone.done@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}",
    "event": {
        "action": [
            "add_event_guest",
            "create_event"
        ],
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "change",
            "creation"
        ]
    },
    "@timestamp": "2024-03-13T10:36:57.929000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "destination": {
        "user": {
            "email": "jone.done@test.com"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.doe@test.com"
            }
        }
    },
    "network": {
        "application": "calendar"
    },
    "related": {
        "ip": [
            "ffff:2222:333:11:aa:2222:111:11"
        ],
        "user": [
            "joe.doe"
        ]
    },
    "source": {
        "address": "ffff:2222:333:11:aa:2222:111:11",
        "ip": "ffff:2222:333:11:aa:2222:111:11"
    },
    "user": {
        "domain": "test.com",
        "email": "joe.doe@test.com",
        "id": "1158856535600",
        "name": "joe.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1160802395241\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}",
    "event": {
        "action": "message_posted",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-08T10:37:56.354000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            },
            "chat": {
                "message": {
                    "id": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
                },
                "room": {
                    "name": "Group Chat (AAAAAAAAAA)"
                }
            }
        }
    },
    "network": {
        "application": "chat"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1160802395241",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}",
    "event": {
        "action": "room_created",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-12T10:01:16.430000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            },
            "chat": {
                "room": {
                    "name": "Group Chat (AAAAAAAAA)"
                }
            }
        }
    },
    "network": {
        "application": "chat"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1070981817756",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:11:54.000Z\",\"uniqueQualifier\":\"8333377333333333333\",\"applicationName\":\"chrome\",\"customerId\":\"C01000364\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhI/FB6vZhPRe0T5Zqobg\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506090000000000000\"},\"events\":[{\"type\":\"CHROME_OS_ADD_REMOVE_USER_TYPE\",\"name\":\"CHROME_OS_ADD_USER\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"172800000000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_USER_ADDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NNNN00AA\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"47777777-cccc-7777-7777-f16211400000000\"}]}]}",
    "event": {
        "action": "CHROME_OS_ADD_USER",
        "category": [
            "iam"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_AFFILIATED_USER_ADDED",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2024-10-15T09:11:54Z",
    "cloud": {
        "account": {
            "id": "C01000364"
        }
    },
    "device": {
        "id": "47777777-cccc-7777-7777-f16211400000000"
    },
    "host": {
        "name": "S5NNNN00AA",
        "os": {
            "full": "ChromeOS 16002.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "user": {
        "email": "a@test.fr",
        "id": "105250506090000000000000"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:41:04.457Z\",\"uniqueQualifier\":\"-419957426935000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x77777\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhIiA/NR0JCBuKk9DM7\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"1052505060000000000000\"},\"events\":[{\"type\":\"CHROMEOS_LOCK_UNLOCK_TYPE\",\"name\":\"CHROMEOS_AFFILIATED_LOCK_SUCCESS\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728984444444\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOCK_SUCCESS\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A66666666\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f100000000000000000\"}]}]}",
    "event": {
        "action": "CHROMEOS_AFFILIATED_LOCK_SUCCESS",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_AFFILIATED_LOCK_SUCCESS",
        "type": [
            "end"
        ]
    },
    "@timestamp": "2024-10-15T09:41:04.457000Z",
    "cloud": {
        "account": {
            "id": "C01x77777"
        }
    },
    "device": {
        "id": "4ebc77ae-ce6b-4857-b741-f100000000000000000"
    },
    "host": {
        "name": "S5NXNZ00A66666666",
        "os": {
            "full": "ChromeOS 16002.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "user": {
        "email": "a@test.fr",
        "id": "1052505060000000000000"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:15:35.760Z\",\"uniqueQualifier\":\"-5079400007310000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfbhIiAAGttWx4uxgdiOjzAg0/tTZpUjK2c3wFB9Uh\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"SYSTEM\"},\"events\":[{\"type\":\"DEVICE_BOOT_STATE_CHANGE_TYPE\",\"name\":\"DEVICE_BOOT_STATE_CHANGE\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071700000\"},{\"name\":\"DEVICE_NAME\",\"value\":\"M4NXCVNNNN2000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROME_OS_VERIFIED_MODE\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"c4a7f0fa-e5d1-4a07-8f61-9eeeeeeeeeef\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"\"},{\"name\":\"PREVIOUS_BOOT_MODE\",\"value\":\"UNKNOWN\"},{\"name\":\"NEW_BOOT_MODE\",\"value\":\"VERIFIED\"}]}]}",
    "event": {
        "action": "DEVICE_BOOT_STATE_CHANGE",
        "category": [
            "host"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROME_OS_VERIFIED_MODE",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-11-08T13:15:35.760000Z",
    "cloud": {
        "account": {
            "id": "C01xxcccc"
        }
    },
    "device": {
        "id": "c4a7f0fa-e5d1-4a07-8f61-9eeeeeeeeeef"
    },
    "google": {
        "report": {
            "boot_mode": {
                "new": "VERIFIED"
            }
        }
    },
    "host": {
        "name": "M4NXCVNNNN2000000"
    },
    "network": {
        "application": "chrome"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:47:41.000Z\",\"uniqueQualifier\":\"-41312380982470000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7cccc\"},\"etag\":\"\\\"vj4PvLCfb9kD84uxgdiOjzAg0/ydpRq7PE6Sq81YCdl1\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"1032729143013\"},\"events\":[{\"type\":\"CHROME_OS_CRD_CLIENT_CONNECTED_TYPE\",\"name\":\"CHROME_OS_CRD_CLIENT_CONNECTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"17290000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_CLIENT_CONNECTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFPFPF7T0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"CONNECTION_TYPE\",\"value\":\"RELAY\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b777-4777-b777-c214388888888\"},{\"name\":\"SESSION_ID\",\"value\":\"joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755\"}]}]}",
    "event": {
        "action": "CHROME_OS_CRD_CLIENT_CONNECTED",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_CRD_CLIENT_CONNECTED",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-10-21T13:47:41Z",
    "cloud": {
        "account": {
            "id": "C01x7cccc"
        }
    },
    "device": {
        "id": "0f9e7f45-b777-4777-b777-c214388888888"
    },
    "google": {
        "report": {
            "actor": {
                "email": "a@test.fr"
            },
            "session": {
                "id": "joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755"
            }
        }
    },
    "host": {
        "name": "PFPFPF7T0M",
        "os": {
            "full": "ChromeOS 16002.58.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "related": {
        "user": [
            "Admin"
        ]
    },
    "user": {
        "domain": "test.fr",
        "email": "a@test.fr",
        "id": "1032729143013",
        "name": "Admin"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:48:12.000Z\",\"uniqueQualifier\":\"389668566663666666613\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/k9WnQIxoNvYgDlcL8\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"103276200000043013\"},\"events\":[{\"type\":\"CHROME_OS_CRD_CLIENT_DISCONNECTED_TYPE\",\"name\":\"CHROME_OS_CRD_CLIENT_DISCONNECTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1729518000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_CLIENT_DISCONNECTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFFF7T0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-7777-7777-7777-c21438884dc5\"},{\"name\":\"SESSION_ID\",\"value\":\"joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555\"}]}]}",
    "event": {
        "action": "CHROME_OS_CRD_CLIENT_DISCONNECTED",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_CRD_CLIENT_DISCONNECTED",
        "type": [
            "end"
        ]
    },
    "@timestamp": "2024-10-21T13:48:12Z",
    "cloud": {
        "account": {
            "id": "C01xxcccc"
        }
    },
    "device": {
        "id": "0f9e7f45-7777-7777-7777-c21438884dc5"
    },
    "google": {
        "report": {
            "actor": {
                "email": "a@test.fr"
            },
            "session": {
                "id": "joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555"
            }
        }
    },
    "host": {
        "name": "PFFF7T0M",
        "os": {
            "full": "ChromeOS 16002.58.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "related": {
        "user": [
            "Admin"
        ]
    },
    "user": {
        "domain": "test.fr",
        "email": "a@test.fr",
        "id": "103276200000043013",
        "name": "Admin"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:48:12.000Z\",\"uniqueQualifier\":\"-3822400088800088888\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7cccc\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWxgdiOjzAg0/ND9YlWuFYJrufwljQI\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"11122222222460000000\"},\"events\":[{\"type\":\"CHROME_OS_CRD_HOST_ENDED_TYPE\",\"name\":\"CHROME_OS_CRD_HOST_ENDED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"17292222222000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_HOST_ENDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFPFTT0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b777-4777-b777-c21438e84dc5\"}]}]}",
    "event": {
        "action": "CHROME_OS_CRD_HOST_ENDED",
        "category": [
            "host"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_CRD_HOST_ENDED",
        "type": [
            "end"
        ]
    },
    "@timestamp": "2024-10-21T13:48:12Z",
    "cloud": {
        "account": {
            "id": "C01x7cccc"
        }
    },
    "device": {
        "id": "0f9e7f45-b777-4777-b777-c21438e84dc5"
    },
    "google": {
        "report": {
            "actor": {
                "email": "a@test.fr"
            }
        }
    },
    "host": {
        "name": "PFPFTT0M",
        "os": {
            "full": "ChromeOS 16002.58.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "related": {
        "user": [
            "Admin"
        ]
    },
    "user": {
        "domain": "test.fr",
        "email": "a@test.fr",
        "id": "11122222222460000000",
        "name": "Admin"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:47:27.000Z\",\"uniqueQualifier\":\"6345555777799998888\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/4hGqeNXoNQepbYGE\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"333222222222222223333\"},\"events\":[{\"type\":\"CHROME_OS_CRD_HOST_STARTED_TYPE\",\"name\":\"CHROME_OS_CRD_HOST_STARTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1724444440000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_HOST_STARTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFPF7T0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b187-4444-7777-c23338884555\"}]}]}",
    "event": {
        "action": "CHROME_OS_CRD_HOST_STARTED",
        "category": [
            "host"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_CRD_HOST_STARTED",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-10-21T13:47:27Z",
    "cloud": {
        "account": {
            "id": "C01xxcccc"
        }
    },
    "device": {
        "id": "0f9e7f45-b187-4444-7777-c23338884555"
    },
    "google": {
        "report": {
            "actor": {
                "email": "a@test.fr"
            }
        }
    },
    "host": {
        "name": "PFPF7T0M",
        "os": {
            "full": "ChromeOS 16002.58.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "related": {
        "user": [
            "Admin"
        ]
    },
    "user": {
        "domain": "test.fr",
        "email": "a@test.fr",
        "id": "333222222222222223333",
        "name": "Admin"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}",
    "event": {
        "action": "CHROME_OS_LOGIN_EVENT",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_KIOSK_SESSION_LOGIN",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-11-08T13:20:40Z",
    "cloud": {
        "account": {
            "id": "C01x7c000"
        }
    },
    "device": {
        "id": "4ebc77ae-ce6b-4857"
    },
    "host": {
        "name": "S5NXNZ00A000000",
        "os": {
            "full": "ChromeOS 16033.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "organization": {
        "name": "test_org"
    },
    "user": {
        "id": "105250506097973333333333"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-05T11:58:46.000Z\",\"uniqueQualifier\":\"5756634282037777777777\",\"applicationName\":\"chrome\",\"customerId\":\"C01x777777777\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2Smlh/sS5BbT29sC\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"1052505060000000000000000\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_FAILURE_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1730800000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXEFJEF007901100000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"y@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.43.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"cbc28748-a199-47c1-b483-000000000000000000\"},{\"name\":\"LOGIN_FAILURE_REASON\",\"value\":\"AUTHENTICATION_ERROR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"Microsoft\"}]}]}",
    "event": {
        "action": "CHROME_OS_LOGIN_FAILURE_EVENT",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "outcome": "failure",
        "reason": "CHROMEOS_AFFILIATED_LOGIN",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-11-05T11:58:46Z",
    "cloud": {
        "account": {
            "id": "C01x777777777"
        }
    },
    "device": {
        "id": "cbc28748-a199-47c1-b483-000000000000000000"
    },
    "google": {
        "report": {
            "login": {
                "failure": {
                    "reason": "AUTHENTICATION_ERROR"
                }
            }
        }
    },
    "host": {
        "name": "NXEFJEF007901100000000",
        "os": {
            "full": "ChromeOS 16033.43.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "organization": {
        "name": "Microsoft"
    },
    "user": {
        "email": "y@test.fr",
        "id": "1052505060000000000000000"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:00:38.000Z\",\"uniqueQualifier\":\"-1434962671000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C0100c000\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhIiAAG/lzqsleRu67H0HaxvdOJ\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506000000000000000000\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGOUT_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728900000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOGOUT\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ0000000001A\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f0000000000000000\"}]}]}",
    "event": {
        "action": "CHROME_OS_LOGOUT_EVENT",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_AFFILIATED_LOGOUT",
        "type": [
            "end"
        ]
    },
    "@timestamp": "2024-10-15T09:00:38Z",
    "cloud": {
        "account": {
            "id": "C0100c000"
        }
    },
    "device": {
        "id": "4ebc77ae-ce6b-4857-b741-f0000000000000000"
    },
    "host": {
        "name": "S5NXNZ0000000001A",
        "os": {
            "full": "ChromeOS 16002.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "user": {
        "email": "a@test.fr",
        "id": "105250506000000000000000000"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-11T15:56:35.651Z\",\"uniqueQualifier\":\"2420143888886666888\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7cccc\"},\"etag\":\"\\\"vj4PvLCfb9AGttWx4uxgdiOjzAg0/qXWA2OAs3YpjtVNEo9y\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"103333222222222223333\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_ADDED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_ADDED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"122222225555\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_ADDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NNN000A66661A\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc7777-cccc-8888-7777-f16211111111b\"},{\"name\":\"PRODUCT_ID\",\"value\":\"222234\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"USB2.0 FHD UVC WebCam\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x222e\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Sonix Technology Co., Ltd.\"}]}]}",
    "event": {
        "action": "CHROMEOS_PERIPHERAL_ADDED",
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_PERIPHERAL_ADDED",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2024-10-11T15:56:35.651000Z",
    "cloud": {
        "account": {
            "id": "C01x7cccc"
        }
    },
    "device": {
        "id": "4ebc7777-cccc-8888-7777-f16211111111b",
        "manufacturer": "Sonix Technology Co., Ltd.",
        "model": {
            "identifier": "222234",
            "name": "USB2.0 FHD UVC WebCam"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "a@test.fr"
            }
        }
    },
    "host": {
        "name": "S5NNN000A66661A",
        "os": {
            "full": "ChromeOS 16002.44.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "related": {
        "user": [
            "a"
        ]
    },
    "user": {
        "domain": "test.fr",
        "email": "a@test.fr",
        "id": "103333222222222223333",
        "name": "a"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-11T15:56:35.351Z\",\"uniqueQualifier\":\"2649444888333333335\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c333\"},\"etag\":\"\\\"vj4PvAGttWx4uxgdiOjzAg0/DWFo8d88e_z7nQYg\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"103272222224629143333\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_REMOVED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_REMOVED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728662555333\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_REMOVED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NNN00066688AA\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-cccc-5555-7777-f1111122227b\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2222\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x2222\"},{\"name\":\"VENDOR_NAME\",\"value\":\"\"}]}]}",
    "event": {
        "action": "CHROMEOS_PERIPHERAL_REMOVED",
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_PERIPHERAL_REMOVED",
        "type": [
            "deletion"
        ]
    },
    "@timestamp": "2024-10-11T15:56:35.351000Z",
    "cloud": {
        "account": {
            "id": "C01x7c333"
        }
    },
    "device": {
        "id": "4ebc77ae-cccc-5555-7777-f1111122227b",
        "model": {
            "identifier": "0x2222"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "a@test.fr"
            }
        }
    },
    "host": {
        "name": "S5NNN00066688AA",
        "os": {
            "full": "ChromeOS 16002.44.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "related": {
        "user": [
            "a"
        ]
    },
    "user": {
        "domain": "test.fr",
        "email": "a@test.fr",
        "id": "103272222224629143333",
        "name": "a"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"8215000000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x00000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}",
    "event": {
        "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED",
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-11-08T13:17:42.050000Z",
    "cloud": {
        "account": {
            "id": "C01x00000"
        }
    },
    "device": {
        "id": "4ebc77ae-ce6b-4857",
        "manufacturer": "Linux Foundation",
        "model": {
            "identifier": "0x2",
            "name": "2.0 root hub"
        }
    },
    "host": {
        "name": "S5NXNZ00A000000",
        "os": {
            "full": "ChromeOS 16033.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "organization": {
        "name": "test_org"
    },
    "user": {
        "id": "105250506097979777777"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:09:42.884Z\",\"uniqueQualifier\":\"436275460544100000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7ccccc\"},\"etag\":\"\\\"vj4PvLCfbtWx4uxgdiOjzAg0/175l0NK2JBeAcg\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097000000000\"},\"events\":[{\"type\":\"CHROMEOS_POWERWASH_TYPE\",\"name\":\"CHROMEOS_POWERWASH_INITIATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"172898338222222\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_POWERWASH_INITIATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A66821A\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f1621111111111111\"},{\"name\":\"REMOTE_REQUESTED\",\"value\":\"requested\"}]}]}",
    "event": {
        "action": "CHROMEOS_POWERWASH_INITIATED",
        "category": [
            "host"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_POWERWASH_INITIATED",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-10-15T09:09:42.884000Z",
    "cloud": {
        "account": {
            "id": "C01x7ccccc"
        }
    },
    "device": {
        "id": "4ebc77ae-ce6b-4857-b741-f1621111111111111"
    },
    "host": {
        "name": "S5NXNZ00A66821A",
        "os": {
            "full": "ChromeOS 16002.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "user": {
        "id": "105250506097000000000"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:31:16.000Z\",\"uniqueQualifier\":\"-378806042057000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x700000\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2Sml/mtgJ4U_Y-rfHYQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250500000000000753968\"},\"events\":[{\"type\":\"CHROME_OS_ADD_REMOVE_USER_TYPE\",\"name\":\"CHROME_OS_REMOVE_USER\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728900000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_UNAFFILIATED_USER_REMOVED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ0000000000A\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-6666-7777-7777-3333333333333\"},{\"name\":\"REMOVE_USER_REASON\",\"value\":\"LOCAL_USER_INITIATED\"}]}]}",
    "event": {
        "action": "CHROME_OS_REMOVE_USER",
        "category": [
            "iam"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_UNAFFILIATED_USER_REMOVED",
        "type": [
            "deletion"
        ]
    },
    "@timestamp": "2024-10-15T09:31:16Z",
    "cloud": {
        "account": {
            "id": "C01x700000"
        }
    },
    "device": {
        "id": "4ebc77ae-6666-7777-7777-3333333333333"
    },
    "google": {
        "report": {
            "remove": {
                "user": {
                    "reason": "LOCAL_USER_INITIATED"
                }
            }
        }
    },
    "host": {
        "name": "S5NXNZ0000000000A",
        "os": {
            "full": "ChromeOS 16002.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "user": {
        "id": "105250500000000000753968"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-14T09:17:57.384Z\",\"uniqueQualifier\":\"68200096415770000\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfiAAGttWx4uxgdiOjzAg0/bTMQuHA7m4d1RjZ8u\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"1052505060979\"},\"events\":[{\"type\":\"CHROMEOS_UPDATE_TYPE\",\"name\":\"CHROMEOS_UPDATE_SUCCESS\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"7778897477777\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_UPDATE_SUCCESS\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S50000000A668888\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"CURRENT_OS_VERSION\",\"value\":\"16002.51.0\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b0000-f00000000000\"},{\"name\":\"PREVIOUS_OS_VERSION\",\"value\":\"16002.44.0\"}]}]}",
    "event": {
        "action": "CHROMEOS_UPDATE_SUCCESS",
        "category": [
            "host"
        ],
        "dataset": "admin#reports#activity",
        "reason": "CHROMEOS_UPDATE_SUCCESS",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-10-14T09:17:57.384000Z",
    "cloud": {
        "account": {
            "id": "C01xxcccc"
        }
    },
    "device": {
        "id": "4ebc77ae-ce6b-4857-b0000-f00000000000"
    },
    "google": {
        "report": {
            "host": {
                "os": {
                    "old_version": "16002.44.0"
                }
            }
        }
    },
    "host": {
        "name": "S50000000A668888",
        "os": {
            "full": "ChromeOS 16002.44.0",
            "version": "16002.51.0"
        }
    },
    "network": {
        "application": "chrome"
    },
    "user": {
        "id": "1052505060979"
    }
}
{
    "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}",
    "event": {
        "action": "edit",
        "category": [
            "file"
        ],
        "dataset": "audit#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2014-03-17T15:39:18.460000Z",
    "cloud": {
        "account": {
            "id": "ABC123xyz"
        }
    },
    "file": {
        "gid": "AAAAAALLLLLL",
        "name": "Divers",
        "owner": "RH ",
        "type": "folder"
    },
    "google": {
        "report": {
            "actor": {
                "email": "kim@example.com"
            },
            "parameters": {
                "visibility": "shared_internally"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "RH ",
            "kim"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "example.com",
        "email": "kim@example.com",
        "id": "users unique Google Workspace profile ID",
        "name": "kim"
    }
}
{
    "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}",
    "event": {
        "action": "edit",
        "category": [
            "file"
        ],
        "dataset": "audit#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2014-03-17T15:39:18.460000Z",
    "cloud": {
        "account": {
            "id": "ABC123xyz"
        }
    },
    "file": {
        "name": "Meeting notes",
        "owner": "mary@example.com",
        "type": "document"
    },
    "google": {
        "report": {
            "actor": {
                "email": "kim@example.com"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "kim",
            "mary@example.com"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "example.com",
        "email": "kim@example.com",
        "id": "users unique Google Workspace profile ID",
        "name": "kim"
    }
}
{
    "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-02-18T17:10:20.317Z\", \"uniqueQualifier\": \"-12345678\", \"applicationName\": \"drive\", \"customerId\": \"CUSTO1\"}, \"etag\": \"\\\"ABCDEF123\\\"\", \"actor\": {\"email\": \"\", \"profileId\": \"105250506097979753968\"}, \"events\": [{\"type\": \"access\", \"name\": \"sheets_import_range\", \"parameters\": [{\"name\": \"primary_event\", \"boolValue\": true}, {\"name\": \"billable\", \"boolValue\": false}, {\"name\": \"sheets_import_range_recipient_doc\", \"value\": \"123qwerty456\"}, {\"name\": \"owner_is_shared_drive\", \"boolValue\": true}, {\"name\": \"owner_team_drive_id\", \"value\": \"asdf678\"}, {\"name\": \"owner\", \"value\": \"johndoe\"}, {\"name\": \"doc_id\", \"value\": \"zxcv890\"}, {\"name\": \"doc_type\", \"value\": \"spreadsheet\"}, {\"name\": \"is_encrypted\", \"boolValue\": false}, {\"name\": \"doc_title\", \"value\": \"TPS report\"}, {\"name\": \"visibility\", \"value\": \"people_with_link\"}, {\"name\": \"shared_drive_id\", \"value\": \"asdf678\"}, {\"name\": \"actor_is_collaborator_account\", \"boolValue\": false}, {\"name\": \"owner_is_team_drive\", \"boolValue\": true}, {\"name\": \"team_drive_id\", \"value\": \"asdf678\"}]}]}",
    "event": {
        "action": "sheets_import_range",
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2025-02-18T17:10:20.317000Z",
    "cloud": {
        "account": {
            "id": "CUSTO1"
        }
    },
    "file": {
        "gid": "asdf678",
        "name": "TPS report",
        "owner": "johndoe",
        "type": "spreadsheet"
    },
    "google": {
        "report": {
            "parameters": {
                "visibility": "people_with_link"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "user": [
            "johndoe"
        ]
    }
}
{
    "message": "{\n  \"kind\": \"admin#reports#activity\",\n  \"id\": {\n    \"time\": \"2023-09-04T08:42:51.615Z\",\n    \"uniqueQualifier\": \"-2222222222222222222\",\n    \"applicationName\": \"drive\",\n    \"customerId\": \"111111111\"\n  },\n  \"actor\": {\n    \"email\": \"john.doe@example.org\",\n    \"profileId\": \"444444444444444444444\"\n  },\n  \"ipAddress\": \"1.2.3.4\",\n  \"events\": [\n    {\n      \"type\": \"access\",\n      \"name\": \"view\",\n      \"parameters\": [\n        {\n          \"name\": \"primary_event\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"billable\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"owner_is_shared_drive\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"owner_team_drive_id\",\n          \"value\": \"DDD_111111111111111\"\n        },\n        {\n          \"name\": \"owner\",\n          \"value\": \"J.DOE\"\n        },\n        {\n          \"name\": \"doc_id\",\n          \"value\": \"333333333333333333333333333333333\"\n        },\n        {\n          \"name\": \"doc_type\",\n          \"value\": \"folder\"\n        },\n        {\n          \"name\": \"is_encrypted\",\n          \"boolValue\": false\n        },\n        {\n          \"name\": \"doc_title\",\n          \"value\": \"MyDocs\"\n        },\n        {\n          \"name\": \"visibility\",\n          \"value\": \"people_within_domain_with_link\"\n        },\n        {\n          \"name\": \"shared_drive_id\",\n          \"value\": \"DDD_222222222222222\"\n        },\n        {\n          \"name\": \"originating_app_id\",\n          \"value\": \"666666666666\"\n        },\n        {\n          \"name\": \"actor_is_collaborator_account\",\n          \"boolValue\": false\n        },\n        {\n          \"name\": \"owner_is_team_drive\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"team_drive_id\",\n          \"value\": \"DDD_888888888888888\"\n        }\n      ]\n    }\n  ]\n}\n",
    "event": {
        "action": "view",
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2023-09-04T08:42:51.615000Z",
    "cloud": {
        "account": {
            "id": "111111111"
        }
    },
    "file": {
        "gid": "DDD_111111111111111",
        "name": "MyDocs",
        "owner": "J.DOE",
        "type": "folder"
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@example.org"
            },
            "parameters": {
                "visibility": "people_within_domain_with_link"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "J.DOE",
            "john.doe"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "example.org",
        "email": "john.doe@example.org",
        "id": "444444444444444444444",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}",
    "event": {
        "action": "call_ended",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-11-14T12:07:37.366000Z",
    "client": {
        "geo": {
            "country_iso_code": "FR",
            "region_name": "Paris"
        }
    },
    "cloud": {
        "account": {
            "id": "C030x4pai"
        }
    },
    "google": {
        "report": {
            "meet": {
                "code": "ABCDEFGHIJ"
            }
        }
    },
    "network": {
        "application": "meet",
        "transport": "udp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "email": "tt.test@test.fr"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}",
    "event": {
        "action": "call_ended",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-11-14T11:32:12.301000Z",
    "cloud": {
        "account": {
            "id": "C030x4pai"
        }
    },
    "google": {
        "report": {
            "meet": {
                "code": "BUSOHGFTVB"
            }
        }
    },
    "network": {
        "application": "meet",
        "transport": "tcp"
    },
    "user": {
        "email": "tt.test@test.fr"
    }
}
{
    "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-02-18T16:00:24.311Z\", \"uniqueQualifier\": \"-123456\", \"applicationName\": \"groups_enterprise\", \"customerId\": \"CUSTOMER1\"}, \"etag\": \"\\\"ABCDEF123\\\"\", \"actor\": {\"callerType\": \"KEY\", \"key\": \"SYSTEM\"}, \"events\": [{\"type\": \"moderator_action\", \"name\": \"remove_user\", \"parameters\": [{\"name\": \"member_id\", \"value\": \"john.doe@example.com\"}, {\"name\": \"group_id\", \"value\": \"team@example.com\"}, {\"name\": \"member_type\", \"value\": \"user\"}]}, {\"type\": \"moderator_action\", \"name\": \"remove_member\", \"parameters\": [{\"name\": \"member_id\", \"value\": \"john.doe@example.com\"}, {\"name\": \"group_id\", \"value\": \"team@example.com\"}, {\"name\": \"member_type\", \"value\": \"user\"}]}]}",
    "event": {
        "action": [
            "remove_member",
            "remove_user"
        ],
        "category": [
            "iam"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "admin"
        ]
    },
    "@timestamp": "2025-02-18T16:00:24.311000Z",
    "cloud": {
        "account": {
            "id": "CUSTOMER1"
        }
    },
    "network": {
        "application": "groups_enterprise"
    },
    "user": {
        "email": "john.doe@example.com",
        "group": {
            "id": "team@example.com"
        }
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"109472445\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}",
    "event": {
        "action": "delete_group",
        "category": [
            "iam"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "admin"
        ]
    },
    "@timestamp": "2024-03-11T15:20:33.157000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            }
        }
    },
    "network": {
        "application": "groups_enterprise"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "group": {
            "id": "testgroup@test.com"
        },
        "id": "109472445",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.doe@test.com\",\"profileId\":\"1098488062555\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jone.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"joe.done@test.com\"},{\"name\":\"ip_address\",\"value\":\"5555:333:333:5555:5555:5555:5555:5555\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}",
    "event": {
        "action": "call_ended",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T11:02:40.037000Z",
    "client": {
        "geo": {
            "country_iso_code": "FR",
            "region_name": "Argenteuil"
        }
    },
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "jone.doe@test.com"
            },
            "meet": {
                "code": "GMGSZDDDDD"
            }
        }
    },
    "network": {
        "application": "meet",
        "transport": "udp"
    },
    "related": {
        "ip": [
            "5555:333:333:5555:5555:5555:5555:5555"
        ],
        "user": [
            "jone.doe"
        ]
    },
    "source": {
        "address": "5555:333:333:5555:5555:5555:5555:5555",
        "ip": "5555:333:333:5555:5555:5555:5555:5555"
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1098488062555",
        "name": "jone.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jone.done@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}",
    "event": {
        "action": "presentation_started",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T10:31:23.630000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "jone.done@test.com"
            },
            "meet": {
                "code": "BWXXZYNUUU"
            }
        }
    },
    "network": {
        "application": "meet"
    },
    "related": {
        "user": [
            "jone.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "jone.done@test.com",
        "id": "1070981817756",
        "name": "jone.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}",
    "event": {
        "action": "action_complete",
        "dataset": "admin#reports#activity",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-11-07T14:21:46.270000Z",
    "cloud": {
        "account": {
            "id": "C02i38888"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@test.com"
            },
            "rule": {
                "data_source": "DRIVE",
                "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN",
                "scan_type": "DRIVE_ONLINE_SCAN",
                "severity": "LOW",
                "type": "DLP"
            }
        }
    },
    "network": {
        "application": "rules"
    },
    "related": {
        "user": [
            "john.doe"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "john.doe@test.com",
        "id": "113328670183616666666",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}",
    "event": {
        "action": "content_matched",
        "dataset": "admin#reports#activity",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-11-07T14:21:46.270000Z",
    "cloud": {
        "account": {
            "id": "C02i38888"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@test.com"
            },
            "rule": {
                "data_source": "DRIVE",
                "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN",
                "scan_type": "DRIVE_ONLINE_SCAN",
                "severity": "LOW",
                "type": "DLP"
            }
        }
    },
    "network": {
        "application": "rules"
    },
    "related": {
        "user": [
            "john.doe"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "john.doe@test.com",
        "id": "11332867018361686666666",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}",
    "event": {
        "action": "login_success",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "allowed"
        ]
    },
    "@timestamp": "2024-11-07T14:26:15.515000Z",
    "cloud": {
        "account": {
            "id": "C00000000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "John.doe@test.com"
            },
            "saml": {
                "application_name": "AWS",
                "initiator": "sp",
                "status_code": "SUCCESS_URI"
            }
        }
    },
    "network": {
        "application": "saml"
    },
    "related": {
        "ip": [
            "2.1.3.2"
        ],
        "user": [
            "John.doe"
        ]
    },
    "source": {
        "address": "2.1.3.2",
        "ip": "2.1.3.2"
    },
    "user": {
        "domain": "test.com",
        "email": "John.doe@test.com",
        "id": "10344515534360000000",
        "name": "John.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}",
    "event": {
        "action": "login_success",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "allowed"
        ]
    },
    "@timestamp": "2024-11-07T14:24:58.191000Z",
    "cloud": {
        "account": {
            "id": "C000000000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "John.doe@test.com"
            },
            "saml": {
                "application_name": "AWS Client VPN",
                "initiator": "sp",
                "status_code": "SUCCESS_URI"
            }
        }
    },
    "network": {
        "application": "saml"
    },
    "related": {
        "ip": [
            "8.6.15.1"
        ],
        "user": [
            "John.doe"
        ]
    },
    "source": {
        "address": "8.6.15.1",
        "ip": "8.6.15.1"
    },
    "user": {
        "domain": "test.com",
        "email": "John.doe@test.com",
        "id": "113844576558700000000",
        "name": "John.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.fr\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@test.fr\"}]}]}",
    "event": {
        "action": "SUSPEND_USER",
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-07-09T14:05:42.528000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@test.fr"
            },
            "parameters": {
                "name": "USER_EMAIL",
                "value": "jdoe@test.fr"
            }
        }
    },
    "network": {
        "application": "admin"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "john.doe"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "test.fr",
        "email": "john.doe@test.fr",
        "id": "102788027662650927386",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}",
    "event": {
        "action": [
            "change_user_access",
            "edit"
        ],
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2024-01-17T11:09:39.840000Z",
    "cloud": {
        "account": {
            "id": "XXXXXX"
        }
    },
    "file": {
        "name": "Doc Temp",
        "owner": "owner@test.com",
        "type": "document"
    },
    "google": {
        "report": {
            "actor": {
                "email": "senduser@test.com"
            },
            "parameters": {
                "visibility": "shared_externally"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "0.0.0.0"
        ],
        "user": [
            "owner@test.com",
            "senduser"
        ]
    },
    "source": {
        "address": "0.0.0.0",
        "ip": "0.0.0.0"
    },
    "user": {
        "domain": "test.com",
        "email": "senduser@test.com",
        "id": "11111",
        "name": "senduser",
        "target": {
            "email": "targetuser@test.fr"
        }
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"C03foh04q\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JONE.DOE@test.com\",\"profileId\":\"109472445\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"11057316681905\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}",
    "event": {
        "action": "authorize",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T11:24:59.810000Z",
    "client": {
        "user": {
            "id": "11057316681905"
        }
    },
    "cloud": {
        "account": {
            "id": "C03foh04q"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "JONE.DOE@test.com"
            },
            "token": {
                "app_name": "Test Log Workspace",
                "type": "WEB"
            }
        }
    },
    "network": {
        "application": "token"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "JONE.DOE"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "test.com",
        "email": "JONE.DOE@test.com",
        "id": "109472445",
        "name": "JONE.DOE"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"C03foh5555\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOE.DONE@test.com\",\"profileId\":\"1094724450\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"110573166819\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}",
    "event": {
        "action": "activity",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T11:25:23.391000Z",
    "client": {
        "user": {
            "id": "110573166819"
        }
    },
    "cloud": {
        "account": {
            "id": "C03foh5555"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "JOE.DONE@test.com"
            },
            "token": {
                "app_name": "Test Log Workspace",
                "type": "WEB"
            }
        }
    },
    "network": {
        "application": "token"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ],
        "user": [
            "JOE.DONE"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    },
    "user": {
        "domain": "test.com",
        "email": "JOE.DONE@test.com",
        "id": "1094724450",
        "name": "JOE.DONE"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}",
    "event": {
        "action": "view_cross_matter_litigation_hold_report",
        "dataset": "admin#reports#activity",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2024-10-24T12:15:09.887000Z",
    "cloud": {
        "account": {
            "id": "C020000000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.cloud"
            }
        }
    },
    "network": {
        "application": "vault"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.cloud",
        "email": "joe.done@test.cloud",
        "id": "10055276727227777777777",
        "name": "joe.done"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
client.geo.country_iso_code keyword Country ISO code.
client.geo.region_name keyword Region name.
client.user.id keyword Unique identifier of the user.
cloud.account.id keyword The cloud account or organization id.
destination.user.email keyword User email address.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.dataset keyword Name of the dataset.
event.outcome keyword The outcome of the event. The lowest level categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
file.gid keyword Primary group ID (GID) of the file.
file.name keyword Name of the file including the extension, without the directory.
file.owner keyword File owner's username.
file.type keyword File type (file, dir, or symlink).
google.report.access.application keyword Application name
google.report.actor.email keyword
google.report.boot_mode.new keyword New boot mode
google.report.boot_mode.old keyword Old boot mode
google.report.chat.message.id keyword Message id
google.report.chat.room.name keyword Room name
google.report.host.os.old_version keyword Previous OS version
google.report.login.failure.reason keyword Login failure reason
google.report.meet.code keyword Meet code
google.report.parameters.name keyword Name of the item associated with the activity
google.report.parameters.value keyword Value of the item associated with the activity
google.report.parameters.visibility keyword Visibility of the Drive item associated with the activity
google.report.remove.user.reason keyword Remove user reason
google.report.rule.data_source keyword Data source
google.report.rule.name keyword Name of the rule
google.report.rule.scan_type keyword Scan type
google.report.rule.severity keyword Severity of the rule
google.report.rule.type keyword Rule type
google.report.saml.application_name keyword Saml SP application name
google.report.saml.initiator keyword SAML requester of saml authentication
google.report.saml.status_code keyword SAML response status
google.report.session.id keyword Session ID
google.report.token.app_name keyword Token authorization application name
google.report.token.type keyword Token type
host.name keyword Name of the host.
host.os.full keyword Operating system name, including the version or code name.
host.os.version keyword Operating system version as a raw string.
network.application keyword Application level protocol name.
network.transport keyword Protocol Name corresponding to the field iana_number.
organization.name keyword Organization name.
source.ip ip IP address of the source.
user.domain keyword Name of the directory the user is a member of.
user.email keyword User email address.
user.group.id keyword Unique identifier for the group on the system/platform.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user.target.email keyword User email address.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.