Skip to content

Google Reports

Overview

  • Vendor: Google
  • Supported environment: SaaS
  • Detection based on: Telemetry
  • Supported application or feature: Application Logs

Google Reports is a data reporting and analysis platform offered by Google for Google Workspace services, designed to provide insights and metrics about user activities and interactions within various Google services. It allows organizations to track and visualize user engagement, application usage, and other relevant data points, enabling informed decision-making and optimization of digital experiences.

Supported applications

This integration can collect activities from the following GSuite applications:

  • admin to collect activities on the Admin console
  • calendar to collect events from Google calendar
  • chat to collect Chat activities
  • drive to supervise Google Drive events
  • gcp for the Google Cloud platform activiaties
  • groups to collect Google groups events
  • groups_entreprise to collect Entreprise groups events
  • jamboard to collect Jamboard activities
  • login to monitor authentication in Google applications
  • meet to supervise Google meet events
  • token for authentication supervision
  • user_accounts to monitor Users accounts activities
  • keep to supervices Google Keep activities

Limitation

Only activities from one applications can be collected from one playbook. To collect activities from several Google Application, create as many playbooks as applications to collect.

Configure

Prerequisites

  • Google licence Enterprise standard or higher
  • Access to Sekoia.io Intakes and Playbook pages with write permissions
  • Administrator access to the Google Cloud console and to Google Workspace

Create a dedicated service account

To create a service account you have to :

  1. Create a project
  2. Turn on the APIs for the service account a. In your project, select APIs & Services and then Library b. Select the Admin SDK API and click on Enable (you can write the name in the search box to find it more easily)
  3. Under APIs & Services, set up the OAuth consent screen
    • Click on OAuth consent screen
    • For User type, select Internal
    • Write an App Name, a User support email and an email address for the Developer contact information
    • Select the following scopes (see Choose Reports API scopes):
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
      • https://www.googleapis.com/auth/admin.reports.usage.readonly
  4. Create the service account
    • Under IAM & Admins, click on Service Accounts and click on Create Service Account
    • Specify the Service Account details
    • Click on Done (no need to Grant this service account access to project and Grant users access to this service account)
  5. Create a delegation
    • Find your new Service Account and select Managed details
    • Click on Advanced settings
    • Under "Domain-wide delegation" find your service account's Client ID. Copy the client ID value to your clipboard.
    • Click on View Google Workspace Admin Console, then sign in using a super administrator user account and continue following these steps.
    • In the Google Admin console, go to Menu > Security > Access and data control > API controls.
    • Click Manage Domain Wide Delegation.
    • Click Add new.
    • In the "Client ID" field, paste the client ID that you previously copied.
    • In the "OAuth Scopes" field, enter a comma-delimited list of the scopes required by your application. This is the same set of scopes you defined when configuring the OAuth consent screen.
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
      • https://www.googleapis.com/auth/admin.reports.usage.readonly
    • Click Authorize

For more details in each steps please read this Documentation and this one about delegation

Create and download JSON keys (service account credentials)

To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.

Note

By default, service account keys never expire.

  1. Go to the Service accounts page
  2. Select your cloud project
  3. Click the email address of the service account that you want to create a key for
  4. Click the Keys tab
  5. Click the Add key drop-down menu, then select Create new key
  6. Select JSON as the Key type and click Create

Important

Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.

Find more information on the official google documentation.

Example of JSON key file

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Sekoia.io configuration procedure

Create your intake

  1. Go to the intake page and create a new intake from the Google Report.
  2. Copy the associated Intake key

Pull the logs to collect them on Sekoia.io

Go to the Sekoia.io playbook page, and follow these steps:

  • Click on + PLAYBOOK button to create a new one
  • Select Create a playbook from scratch
  • Give it a name in the field Name
  • Open the left panel, click Google then select the trigger Get user activities
  • Click on Create

  • Create a Module configuration using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish

  • Create a Trigger configuration using:

    • Type the Intake key created on the previous
    • Select the application name what you to fetch events from
    • Type the an Google workspace admin email.

Important

This Google workspace admin email is any user part of the domain that has the right to view de Data of Google Workspace

  • Click on the Save button
  • Activate the playbook with the toggle button on the top right corner of the page

Enjoy your events on the Events page

Further readings

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-12T14:50:56.780Z",
        "uniqueQualifier": "-68755428425",
        "applicationName": "admin",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"",
    "actor": {
        "callerType": "USER",
        "email": "test@test.com",
        "profileId": "10125127140"
    },
    "ipAddress": "2222:000:333:1111:7777:5555:6666:ddd",
    "events": [
        {
            "type": "ALERT_CENTER",
            "name": "ALERT_CENTER_VIEW",
            "parameters": [
                {
                    "name": "ALERT_ID",
                    "value": "445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-12T14:41:33.804Z",
        "uniqueQualifier": "-4779949128172",
        "applicationName": "admin",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"",
    "actor": {
        "email": "test@test.com",
        "profileId": "10125127141"
    },
    "ipAddress": "2222:000:333:1111:7777:5555:6666:ddd",
    "events": [
        {
            "type": "SECURITY_SETTINGS",
            "name": "ALLOW_STRONG_AUTHENTICATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "true"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "ENFORCE_STRONG_AUTHENTICATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "true"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "DISABLE_USERS_TO_TRUST_DEVICE"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "1 week"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "1 day"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
            "parameters": [
                {
                    "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD",
                    "value": "NO_TELEPHONY"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        },
        {
            "type": "SECURITY_SETTINGS",
            "name": "CHANGE_TWO_STEP_VERIFICATION_START_DATE",
            "parameters": [
                {
                    "name": "OLD_VALUE",
                    "value": "INHERIT_FROM_PARENT"
                },
                {
                    "name": "NEW_VALUE",
                    "value": "2019-10-31"
                },
                {
                    "name": "ORG_UNIT_NAME",
                    "value": "IT"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T10:25:01.859Z",
        "uniqueQualifier": "-119782077599",
        "applicationName": "calendar",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\"",
    "actor": {
        "email": "joe.done@test.com",
        "profileId": "1126768166"
    },
    "ownerDomain": "sekoia.io",
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "event_change",
            "name": "change_event",
            "parameters": [
                {
                    "name": "event_id",
                    "value": "6qr2cujo0lkfln"
                },
                {
                    "name": "organizer_calendar_id",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "calendar_id",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "event_title",
                    "value": "title test"
                },
                {
                    "name": "is_recurring",
                    "boolValue": false
                },
                {
                    "name": "recurring",
                    "value": "no"
                },
                {
                    "name": "client_side_encrypted",
                    "value": "no"
                },
                {
                    "name": "start_time",
                    "intValue": "63846009000"
                },
                {
                    "name": "end_time",
                    "intValue": "63846010800"
                },
                {
                    "name": "api_kind",
                    "value": "caldav"
                },
                {
                    "name": "user_agent",
                    "value": "macOS/12.5"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T10:36:57.929Z",
        "uniqueQualifier": "2480088525820",
        "applicationName": "calendar",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "email": "joe.doe@test.com",
        "profileId": "1158856535600"
    },
    "ownerDomain": "test.com",
    "ipAddress": "ffff:2222:333:11:aa:2222:111:11",
    "events": [
        {
            "type": "event_change",
            "name": "create_event",
            "parameters": [
                {
                    "name": "event_id",
                    "value": "fksdqs5mv613b"
                },
                {
                    "name": "organizer_calendar_id",
                    "value": "joe.doe@test.com"
                },
                {
                    "name": "calendar_id",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "event_title",
                    "value": "Test title"
                },
                {
                    "name": "is_recurring",
                    "boolValue": false
                },
                {
                    "name": "recurring",
                    "value": "no"
                },
                {
                    "name": "client_side_encrypted",
                    "value": "no"
                },
                {
                    "name": "start_time",
                    "intValue": "63846450000"
                },
                {
                    "name": "end_time",
                    "intValue": "63846453600"
                },
                {
                    "name": "user_agent",
                    "value": "Calendly"
                }
            ]
        },
        {
            "type": "event_change",
            "name": "add_event_guest",
            "parameters": [
                {
                    "name": "event_id",
                    "value": "fksdqs5mv613b"
                },
                {
                    "name": "organizer_calendar_id",
                    "value": "joe.doe@test.com"
                },
                {
                    "name": "calendar_id",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "event_title",
                    "value": "Test title"
                },
                {
                    "name": "is_recurring",
                    "boolValue": false
                },
                {
                    "name": "recurring",
                    "value": "no"
                },
                {
                    "name": "client_side_encrypted",
                    "value": "no"
                },
                {
                    "name": "event_guest",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "user_agent",
                    "value": "Calendly"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-08T10:37:56.354Z",
        "uniqueQualifier": "-75128508411076",
        "applicationName": "chat",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.com",
        "profileId": "1160802395241"
    },
    "events": [
        {
            "type": "user_action",
            "name": "message_posted",
            "parameters": [
                {
                    "name": "room_id",
                    "value": "AAAAAAAAAA"
                },
                {
                    "name": "actor",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "message_id",
                    "value": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
                },
                {
                    "name": "retention_state",
                    "value": "PERMANENT"
                },
                {
                    "name": "room_name",
                    "value": "Group Chat (AAAAAAAAAA)"
                },
                {
                    "name": "dlp_scan_status",
                    "value": "DLP_NOT_APPLICABLE"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-12T10:01:16.430Z",
        "uniqueQualifier": "-2323518099402",
        "applicationName": "chat",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.com",
        "profileId": "1070981817756"
    },
    "events": [
        {
            "type": "user_action",
            "name": "room_created",
            "parameters": [
                {
                    "name": "room_id",
                    "value": "AAAAAAAAA"
                },
                {
                    "name": "actor",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "external_room",
                    "value": "DISABLED"
                },
                {
                    "name": "room_name",
                    "value": "Group Chat (AAAAAAAAA)"
                }
            ]
        }
    ]
}
{
    "kind": "audit#activity",
    "id": {
        "time": "2014-03-17T15:39:18.460Z",
        "uniqQualifier": "reports unique ID",
        "applicationName": "drive",
        "customerId": "ABC123xyz"
    },
    "actor": {
        "callerType": "USER",
        "email": "kim@example.com",
        "profileId": "users unique Google Workspace profile ID",
        "key": "consumer key of requestor in an OAuth 2LO request"
    },
    "ownerDomain": "domain of the source owner",
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "access",
            "name": "edit",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": true
                },
                {
                    "name": "owner_team_drive_id",
                    "value": "AAAAAALLLLLL"
                },
                {
                    "name": "owner",
                    "value": "RH "
                },
                {
                    "name": "doc_id",
                    "value": "5555763535"
                },
                {
                    "name": "doc_type",
                    "value": "folder"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "Divers"
                },
                {
                    "name": "visibility",
                    "value": "shared_internally"
                },
                {
                    "name": "shared_drive_id",
                    "value": "112-EIUBHDIUBEBUD"
                },
                {
                    "name": "originating_app_id",
                    "value": "691301496089"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": true
                },
                {
                    "name": "team_drive_id",
                    "value": "111-EIUBHDIUBEBUD"
                }
            ]
        }
    ]
}
{
    "kind": "audit#activity",
    "id": {
        "time": "2014-03-17T15:39:18.460Z",
        "uniqQualifier": "reports unique ID",
        "applicationName": "drive",
        "customerId": "ABC123xyz"
    },
    "actor": {
        "callerType": "USER",
        "email": "kim@example.com",
        "profileId": "users unique Google Workspace profile ID",
        "key": "consumer key of requestor in an OAuth 2LO request"
    },
    "ownerDomain": "domain of the source owner",
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "access",
            "name": "edit",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": false
                },
                {
                    "name": "doc_id",
                    "value": "1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8"
                },
                {
                    "name": "doc_title",
                    "value": "Meeting notes"
                },
                {
                    "name": "doc_type",
                    "value": "document"
                },
                {
                    "name": "owner",
                    "value": "mary@example.com"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2023-09-04T08:42:51.615Z",
        "uniqueQualifier": "-2222222222222222222",
        "applicationName": "drive",
        "customerId": "111111111"
    },
    "actor": {
        "email": "john.doe@example.org",
        "profileId": "444444444444444444444"
    },
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "access",
            "name": "view",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": true
                },
                {
                    "name": "owner_team_drive_id",
                    "value": "DDD_111111111111111"
                },
                {
                    "name": "owner",
                    "value": "J.DOE"
                },
                {
                    "name": "doc_id",
                    "value": "333333333333333333333333333333333"
                },
                {
                    "name": "doc_type",
                    "value": "folder"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "MyDocs"
                },
                {
                    "name": "visibility",
                    "value": "people_within_domain_with_link"
                },
                {
                    "name": "shared_drive_id",
                    "value": "DDD_222222222222222"
                },
                {
                    "name": "originating_app_id",
                    "value": "666666666666"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": true
                },
                {
                    "name": "team_drive_id",
                    "value": "DDD_888888888888888"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-11T15:20:33.157Z",
        "uniqueQualifier": "-92180609786",
        "applicationName": "groups_enterprise",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "callerType": "USER",
        "email": "joe.done@test.com",
        "profileId": "109472445"
    },
    "events": [
        {
            "type": "moderator_action",
            "name": "delete_group",
            "parameters": [
                {
                    "name": "group_id",
                    "value": "testgroup@test.com"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T11:02:40.037Z",
        "uniqueQualifier": "235176017661",
        "applicationName": "meet",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "callerType": "USER",
        "email": "jone.doe@test.com",
        "profileId": "1098488062555"
    },
    "events": [
        {
            "type": "call",
            "name": "call_ended",
            "parameters": [
                {
                    "name": "video_send_seconds",
                    "intValue": "0"
                },
                {
                    "name": "location_country",
                    "value": "FR"
                },
                {
                    "name": "identifier_type",
                    "value": "email_address"
                },
                {
                    "name": "endpoint_id",
                    "value": "dSzi5ZfqD8I"
                },
                {
                    "name": "device_type",
                    "value": "web"
                },
                {
                    "name": "screencast_send_packet_loss_mean",
                    "intValue": "0"
                },
                {
                    "name": "calendar_event_id",
                    "value": "glb41ldt739tcf0bun7p9htaqr"
                },
                {
                    "name": "screencast_send_seconds",
                    "intValue": "83"
                },
                {
                    "name": "screencast_send_short_side_median_pixels",
                    "intValue": "1080"
                },
                {
                    "name": "screencast_send_packet_loss_max",
                    "intValue": "1"
                },
                {
                    "name": "screencast_send_fps_mean",
                    "intValue": "29"
                },
                {
                    "name": "audio_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "network_congestion",
                    "intValue": "0"
                },
                {
                    "name": "network_estimated_download_kbps_mean",
                    "intValue": "1"
                },
                {
                    "name": "network_transport_protocol",
                    "value": "udp"
                },
                {
                    "name": "duration_seconds",
                    "intValue": "1498"
                },
                {
                    "name": "identifier",
                    "value": "jone.doe@test.com"
                },
                {
                    "name": "location_region",
                    "value": "Argenteuil"
                },
                {
                    "name": "screencast_send_bitrate_kbps_mean",
                    "intValue": "791"
                },
                {
                    "name": "organizer_email",
                    "value": "joe.done@test.com"
                },
                {
                    "name": "ip_address",
                    "value": "5555:333:333:5555:5555:5555:5555:5555"
                },
                {
                    "name": "audio_send_seconds",
                    "intValue": "0"
                },
                {
                    "name": "display_name",
                    "value": "Test SEGLA"
                },
                {
                    "name": "video_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "screencast_send_long_side_median_pixels",
                    "intValue": "1920"
                },
                {
                    "name": "network_rtt_msec_mean",
                    "intValue": "12"
                },
                {
                    "name": "conference_id",
                    "value": "SQEGZkIp70zCVuvX_PtXDxI"
                },
                {
                    "name": "screencast_recv_seconds",
                    "intValue": "0"
                },
                {
                    "name": "product_type",
                    "value": "meet"
                },
                {
                    "name": "network_estimated_upload_kbps_mean",
                    "intValue": "0"
                },
                {
                    "name": "meeting_code",
                    "value": "GMGSZDDDDD"
                },
                {
                    "name": "is_external",
                    "boolValue": false
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T10:31:23.630Z",
        "uniqueQualifier": "47501654195",
        "applicationName": "meet",
        "customerId": "C03foh000"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
    "actor": {
        "callerType": "USER",
        "email": "jone.done@test.com",
        "profileId": "1070981817756"
    },
    "events": [
        {
            "type": "conference_action",
            "name": "presentation_started",
            "parameters": [
                {
                    "name": "is_external",
                    "boolValue": false
                },
                {
                    "name": "meeting_code",
                    "value": "BWXXZYNUUU"
                },
                {
                    "name": "conference_id",
                    "value": "iVYNZWWtL3-mwtWyAGIeDxIWOAkI"
                },
                {
                    "name": "action_time",
                    "value": "2024-03-13T10:31:23.630220Z"
                },
                {
                    "name": "identifier",
                    "value": "jone.done@test.com"
                },
                {
                    "name": "identifier_type",
                    "value": "email_address"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-07-09T14:05:42.528Z",
        "uniqueQualifier": "0123456789101112131",
        "applicationName": "admin",
        "customerId": "C03foh000"
    },
    "etag": "BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0",
    "actor": {
        "callerType": "USER",
        "email": "john.doe@test.fr",
        "profileId": "102788027662650927386"
    },
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "type": "USER_SETTINGS",
            "name": "SUSPEND_USER",
            "parameters": [
                {
                    "name": "USER_EMAIL",
                    "value": "jdoe@test.fr"
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-01-17T11:09:39.840Z",
        "uniqueQualifier": "111111",
        "applicationName": "drive",
        "customerId": "XXXXXX"
    },
    "etag": "aaa-aaa/aaa",
    "actor": {
        "email": "senduser@test.com",
        "profileId": "11111"
    },
    "ipAddress": "0.0.0.0",
    "events": [
        {
            "type": "access",
            "name": "edit",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": false
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": false
                },
                {
                    "name": "owner",
                    "value": "owner@test.com"
                },
                {
                    "name": "doc_id",
                    "value": "1111111111"
                },
                {
                    "name": "doc_type",
                    "value": "document"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "Doc Temp"
                },
                {
                    "name": "visibility",
                    "value": "shared_externally"
                },
                {
                    "name": "originating_app_id",
                    "value": "111111"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": false
                }
            ]
        },
        {
            "type": "acl_change",
            "name": "change_user_access",
            "parameters": [
                {
                    "name": "primary_event",
                    "boolValue": true
                },
                {
                    "name": "billable",
                    "boolValue": true
                },
                {
                    "name": "visibility_change",
                    "value": "external"
                },
                {
                    "name": "target_user",
                    "value": "targetuser@test.fr"
                },
                {
                    "name": "old_value",
                    "multiValue": [
                        "none"
                    ]
                },
                {
                    "name": "new_value",
                    "multiValue": [
                        "can_edit"
                    ]
                },
                {
                    "name": "old_visibility",
                    "value": "shared_internally"
                },
                {
                    "name": "owner_is_shared_drive",
                    "boolValue": false
                },
                {
                    "name": "owner",
                    "value": "owner@test.com"
                },
                {
                    "name": "doc_id",
                    "value": "11111"
                },
                {
                    "name": "doc_type",
                    "value": "document"
                },
                {
                    "name": "is_encrypted",
                    "boolValue": false
                },
                {
                    "name": "doc_title",
                    "value": "Doc Temp"
                },
                {
                    "name": "visibility",
                    "value": "shared_externally"
                },
                {
                    "name": "originating_app_id",
                    "value": "11111"
                },
                {
                    "name": "actor_is_collaborator_account",
                    "boolValue": false
                },
                {
                    "name": "owner_is_team_drive",
                    "boolValue": false
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T11:24:59.810Z",
        "uniqueQualifier": "515960775816012389",
        "applicationName": "token",
        "customerId": "C03foh04q"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"",
    "actor": {
        "email": "JONE.DOE@test.com",
        "profileId": "109472445"
    },
    "ipAddress": "1.2.3.4",
    "events": [
        {
            "name": "authorize",
            "parameters": [
                {
                    "name": "client_id",
                    "value": "11057316681905"
                },
                {
                    "name": "app_name",
                    "value": "Test Log Workspace"
                },
                {
                    "name": "client_type",
                    "value": "WEB"
                },
                {
                    "name": "scope_data",
                    "multiMessageValue": [
                        {
                            "parameter": [
                                {
                                    "name": "scope_name",
                                    "value": "https://www.googleapis.com/auth/admin.reports.audit.readonly"
                                },
                                {
                                    "name": "product_bucket",
                                    "multiValue": [
                                        "GSUITE_ADMIN"
                                    ]
                                }
                            ]
                        },
                        {
                            "parameter": [
                                {
                                    "name": "scope_name",
                                    "value": "https://www.googleapis.com/auth/admin.reports.usage.readonly"
                                },
                                {
                                    "name": "product_bucket",
                                    "multiValue": [
                                        "GSUITE_ADMIN"
                                    ]
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "scope",
                    "multiValue": [
                        "https://www.googleapis.com/auth/admin.reports.audit.readonly",
                        "https://www.googleapis.com/auth/admin.reports.usage.readonly"
                    ]
                }
            ]
        }
    ]
}
{
    "kind": "admin#reports#activity",
    "id": {
        "time": "2024-03-13T11:25:23.391Z",
        "uniqueQualifier": "-38605878274",
        "applicationName": "token",
        "customerId": "C03foh5555"
    },
    "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\"",
    "actor": {
        "email": "JOE.DONE@test.com",
        "profileId": "1094724450"
    },
    "ipAddress": "1.1.1.1",
    "events": [
        {
            "type": "auth",
            "name": "activity",
            "parameters": [
                {
                    "name": "api_name",
                    "value": "admin"
                },
                {
                    "name": "method_name",
                    "value": "reports.activities.list"
                },
                {
                    "name": "client_id",
                    "value": "110573166819"
                },
                {
                    "name": "num_response_bytes",
                    "intValue": "7"
                },
                {
                    "name": "product_bucket",
                    "value": "GSUITE_ADMIN"
                },
                {
                    "name": "app_name",
                    "value": "Test Log Workspace"
                },
                {
                    "name": "client_type",
                    "value": "WEB"
                }
            ]
        }
    ]
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake Google Report. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Google Report on ATT&CK Navigator

Advanced IP Scanner

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

  • Effort: master
Certify Or Certipy

Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.

  • Effort: advanced
Cobalt Strike Default Beacons Names

Detects the default names of Cobalt Strike beacons / payloads.

  • Effort: intermediate
Credential Dump Tools Related Files

Detects processes or file names related to credential dumping tools and the dropped files they generate by default.

  • Effort: advanced
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Entra ID Sign-In Via Known AiTM Phishing Kit

Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.

  • Effort: elementary
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Google Workspace Account Warning

Detects a suspicious login, leaked password, or account disabled following suspicious activity.

  • Effort: elementary
Google Workspace Admin Creation

Detects when an admin is created or when his role is changed.

  • Effort: master
Google Workspace Admin Deletion

Detects when an admin is deleted or when his role is unassigned.

  • Effort: master
Google Workspace Admin Modification

Detects when an admin is modified.

  • Effort: master
Google Workspace App Script Scheduled Task

Detects when a scheduled task is launched by Google App Script. This product is used to create scripts and integrate applications within Google Workspace.

  • Effort: advanced
Google Workspace Blocked Sender

Detects when a user is blocked by google workspace.

  • Effort: advanced
Google Workspace Bypass 2FA

Detects when user tries to bypass the 2FA.

  • Effort: master
Google Workspace Domain Delegation

Detects when a domain delegation is granted.

  • Effort: master
Google Workspace Email Forwarding

Detects when a user enables email forwarding out of the domain

  • Effort: advanced
Google Workspace External Sharing

Detects a large number of external sharing.

  • Effort: master
Google Workspace Login Brute-Force

Detects when a user failed to login multiple times before a successful login.

  • Effort: master
Google Workspace MFA changed

Detects when the settings for the MFA are modified.

  • Effort: master
Google Workspace Password Change

Detects when a password is changed. An attacker can perform this action to impact the availability of the account.

  • Effort: master
Google Workspace User Creation

Detects when a new user is created.

  • Effort: master
Google Workspace User Deletion

Detects when an user is deleted.

  • Effort: master
Google Workspace User Suspended

Detects when an user is suspended. An attacker can use this to remove an account used during the intrusion.

  • Effort: master
HackTools Suspicious Names

Quick-win rule to detect the default process names or file names of several HackTools.

  • Effort: elementary
Internet Scanner

Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.

  • Effort: master
Internet Scanner Target

Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP and group by target address. This could be a very noisy rule, so be careful to check your detection perimeter before activation.

  • Effort: master
PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

  • Effort: elementary
RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
Suspicious File Name

Detects suspicious file name possibly linked to malicious tool.

  • Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.

  • Effort: advanced
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
GCP audit logs Google Cloud Audit contains logs from multiple Google Cloud source such as Google Workspace.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category authentication, configuration, file, iam, session
Type access, admin, change, connection

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"10125127140\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}",
    "event": {
        "action": "ALERT_CENTER_VIEW",
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-03-12T14:50:56.780000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "test@test.com"
            }
        }
    },
    "network": {
        "application": "admin"
    },
    "related": {
        "ip": [
            "2222:0:333:1111:7777:5555:6666:ddd"
        ],
        "user": [
            "test"
        ]
    },
    "source": {
        "address": "2222:0:333:1111:7777:5555:6666:ddd",
        "ip": "2222:0:333:1111:7777:5555:6666:ddd"
    },
    "user": {
        "domain": "test.com",
        "email": "test@test.com",
        "id": "10125127140",
        "name": "test"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"10125127141\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}",
    "event": {
        "action": [
            "ALLOW_STRONG_AUTHENTICATION",
            "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
            "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
            "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
            "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
            "CHANGE_TWO_STEP_VERIFICATION_START_DATE",
            "ENFORCE_STRONG_AUTHENTICATION"
        ],
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2024-03-12T14:41:33.804000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "test@test.com"
            }
        }
    },
    "network": {
        "application": "admin"
    },
    "related": {
        "ip": [
            "2222:0:333:1111:7777:5555:6666:ddd"
        ],
        "user": [
            "test"
        ]
    },
    "source": {
        "address": "2222:0:333:1111:7777:5555:6666:ddd",
        "ip": "2222:0:333:1111:7777:5555:6666:ddd"
    },
    "user": {
        "domain": "test.com",
        "email": "test@test.com",
        "id": "10125127141",
        "name": "test"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"joe.done@test.com\",\"profileId\":\"1126768166\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"event_title\",\"value\":\"title test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}",
    "event": {
        "action": "change_event",
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-03-13T10:25:01.859000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            }
        }
    },
    "network": {
        "application": "calendar"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "joe.done"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1126768166",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"joe.doe@test.com\",\"profileId\":\"1158856535600\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"ffff:2222:333:11:aa:2222:111:11\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jone.done@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}",
    "event": {
        "action": [
            "add_event_guest",
            "create_event"
        ],
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "change",
            "creation"
        ]
    },
    "@timestamp": "2024-03-13T10:36:57.929000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "destination": {
        "user": {
            "email": "jone.done@test.com"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.doe@test.com"
            }
        }
    },
    "network": {
        "application": "calendar"
    },
    "related": {
        "ip": [
            "ffff:2222:333:11:aa:2222:111:11"
        ],
        "user": [
            "joe.doe"
        ]
    },
    "source": {
        "address": "ffff:2222:333:11:aa:2222:111:11",
        "ip": "ffff:2222:333:11:aa:2222:111:11"
    },
    "user": {
        "domain": "test.com",
        "email": "joe.doe@test.com",
        "id": "1158856535600",
        "name": "joe.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1160802395241\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}",
    "event": {
        "action": "message_posted",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-08T10:37:56.354000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            },
            "chat": {
                "message": {
                    "id": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
                },
                "room": {
                    "name": "Group Chat (AAAAAAAAAA)"
                }
            }
        }
    },
    "network": {
        "application": "chat"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1160802395241",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}",
    "event": {
        "action": "room_created",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-12T10:01:16.430000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            },
            "chat": {
                "room": {
                    "name": "Group Chat (AAAAAAAAA)"
                }
            }
        }
    },
    "network": {
        "application": "chat"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "id": "1070981817756",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}",
    "event": {
        "action": "edit",
        "category": [
            "file"
        ],
        "dataset": "audit#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2014-03-17T15:39:18.460000Z",
    "cloud": {
        "account": {
            "id": "ABC123xyz"
        }
    },
    "file": {
        "gid": "AAAAAALLLLLL",
        "name": "Divers",
        "owner": "RH ",
        "type": "folder"
    },
    "google": {
        "report": {
            "actor": {
                "email": "kim@example.com"
            },
            "parameters": {
                "visibility": "shared_internally"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "RH ",
            "kim"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "example.com",
        "email": "kim@example.com",
        "id": "users unique Google Workspace profile ID",
        "name": "kim"
    }
}
{
    "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}",
    "event": {
        "action": "edit",
        "category": [
            "file"
        ],
        "dataset": "audit#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2014-03-17T15:39:18.460000Z",
    "cloud": {
        "account": {
            "id": "ABC123xyz"
        }
    },
    "file": {
        "name": "Meeting notes",
        "owner": "mary@example.com",
        "type": "document"
    },
    "google": {
        "report": {
            "actor": {
                "email": "kim@example.com"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "kim",
            "mary@example.com"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "example.com",
        "email": "kim@example.com",
        "id": "users unique Google Workspace profile ID",
        "name": "kim"
    }
}
{
    "message": "{\n  \"kind\": \"admin#reports#activity\",\n  \"id\": {\n    \"time\": \"2023-09-04T08:42:51.615Z\",\n    \"uniqueQualifier\": \"-2222222222222222222\",\n    \"applicationName\": \"drive\",\n    \"customerId\": \"111111111\"\n  },\n  \"actor\": {\n    \"email\": \"john.doe@example.org\",\n    \"profileId\": \"444444444444444444444\"\n  },\n  \"ipAddress\": \"1.2.3.4\",\n  \"events\": [\n    {\n      \"type\": \"access\",\n      \"name\": \"view\",\n      \"parameters\": [\n        {\n          \"name\": \"primary_event\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"billable\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"owner_is_shared_drive\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"owner_team_drive_id\",\n          \"value\": \"DDD_111111111111111\"\n        },\n        {\n          \"name\": \"owner\",\n          \"value\": \"J.DOE\"\n        },\n        {\n          \"name\": \"doc_id\",\n          \"value\": \"333333333333333333333333333333333\"\n        },\n        {\n          \"name\": \"doc_type\",\n          \"value\": \"folder\"\n        },\n        {\n          \"name\": \"is_encrypted\",\n          \"boolValue\": false\n        },\n        {\n          \"name\": \"doc_title\",\n          \"value\": \"MyDocs\"\n        },\n        {\n          \"name\": \"visibility\",\n          \"value\": \"people_within_domain_with_link\"\n        },\n        {\n          \"name\": \"shared_drive_id\",\n          \"value\": \"DDD_222222222222222\"\n        },\n        {\n          \"name\": \"originating_app_id\",\n          \"value\": \"666666666666\"\n        },\n        {\n          \"name\": \"actor_is_collaborator_account\",\n          \"boolValue\": false\n        },\n        {\n          \"name\": \"owner_is_team_drive\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"team_drive_id\",\n          \"value\": \"DDD_888888888888888\"\n        }\n      ]\n    }\n  ]\n}\n",
    "event": {
        "action": "view",
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2023-09-04T08:42:51.615000Z",
    "cloud": {
        "account": {
            "id": "111111111"
        }
    },
    "file": {
        "gid": "DDD_111111111111111",
        "name": "MyDocs",
        "owner": "J.DOE",
        "type": "folder"
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@example.org"
            },
            "parameters": {
                "visibility": "people_within_domain_with_link"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "J.DOE",
            "john.doe"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "example.org",
        "email": "john.doe@example.org",
        "id": "444444444444444444444",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"109472445\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}",
    "event": {
        "action": "delete_group",
        "category": [
            "iam"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "admin"
        ]
    },
    "@timestamp": "2024-03-11T15:20:33.157000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "joe.done@test.com"
            }
        }
    },
    "network": {
        "application": "groups_enterprise"
    },
    "related": {
        "user": [
            "joe.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "joe.done@test.com",
        "group": {
            "id": "testgroup@test.com"
        },
        "id": "109472445",
        "name": "joe.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.doe@test.com\",\"profileId\":\"1098488062555\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jone.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"joe.done@test.com\"},{\"name\":\"ip_address\",\"value\":\"5555:333:333:5555:5555:5555:5555:5555\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}",
    "event": {
        "action": "call_ended",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T11:02:40.037000Z",
    "client": {
        "geo": {
            "country_iso_code": "FR",
            "region_name": "Argenteuil"
        }
    },
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "jone.doe@test.com"
            },
            "meet": {
                "code": "GMGSZDDDDD"
            }
        }
    },
    "network": {
        "application": "meet",
        "transport": "udp"
    },
    "related": {
        "user": [
            "jone.doe"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "jone.doe@test.com",
        "id": "1098488062555",
        "name": "jone.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jone.done@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}",
    "event": {
        "action": "presentation_started",
        "category": [
            "session"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T10:31:23.630000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "jone.done@test.com"
            },
            "meet": {
                "code": "BWXXZYNUUU"
            }
        }
    },
    "network": {
        "application": "meet"
    },
    "related": {
        "user": [
            "jone.done"
        ]
    },
    "user": {
        "domain": "test.com",
        "email": "jone.done@test.com",
        "id": "1070981817756",
        "name": "jone.done"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.fr\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@test.fr\"}]}]}",
    "event": {
        "action": "SUSPEND_USER",
        "category": [
            "configuration"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-07-09T14:05:42.528000Z",
    "cloud": {
        "account": {
            "id": "C03foh000"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@test.fr"
            },
            "parameters": {
                "name": "USER_EMAIL",
                "value": "jdoe@test.fr"
            }
        }
    },
    "network": {
        "application": "admin"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "john.doe"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "test.fr",
        "email": "john.doe@test.fr",
        "id": "102788027662650927386",
        "name": "john.doe"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}",
    "event": {
        "action": [
            "change_user_access",
            "edit"
        ],
        "category": [
            "file"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "change"
        ]
    },
    "@timestamp": "2024-01-17T11:09:39.840000Z",
    "cloud": {
        "account": {
            "id": "XXXXXX"
        }
    },
    "file": {
        "name": "Doc Temp",
        "owner": "owner@test.com",
        "type": "document"
    },
    "google": {
        "report": {
            "actor": {
                "email": "senduser@test.com"
            },
            "parameters": {
                "visibility": "shared_externally"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "related": {
        "ip": [
            "0.0.0.0"
        ],
        "user": [
            "owner@test.com",
            "senduser"
        ]
    },
    "source": {
        "address": "0.0.0.0",
        "ip": "0.0.0.0"
    },
    "user": {
        "domain": "test.com",
        "email": "senduser@test.com",
        "id": "11111",
        "name": "senduser",
        "target": {
            "email": "targetuser@test.fr"
        }
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"C03foh04q\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JONE.DOE@test.com\",\"profileId\":\"109472445\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"11057316681905\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}",
    "event": {
        "action": "authorize",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T11:24:59.810000Z",
    "client": {
        "user": {
            "id": "11057316681905"
        }
    },
    "cloud": {
        "account": {
            "id": "C03foh04q"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "JONE.DOE@test.com"
            },
            "token": {
                "app_name": "Test Log Workspace",
                "type": "WEB"
            }
        }
    },
    "network": {
        "application": "token"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "JONE.DOE"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "domain": "test.com",
        "email": "JONE.DOE@test.com",
        "id": "109472445",
        "name": "JONE.DOE"
    }
}
{
    "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"C03foh5555\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOE.DONE@test.com\",\"profileId\":\"1094724450\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"110573166819\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}",
    "event": {
        "action": "activity",
        "category": [
            "authentication"
        ],
        "dataset": "admin#reports#activity",
        "type": [
            "access",
            "connection"
        ]
    },
    "@timestamp": "2024-03-13T11:25:23.391000Z",
    "client": {
        "user": {
            "id": "110573166819"
        }
    },
    "cloud": {
        "account": {
            "id": "C03foh5555"
        }
    },
    "google": {
        "report": {
            "actor": {
                "email": "JOE.DONE@test.com"
            },
            "token": {
                "app_name": "Test Log Workspace",
                "type": "WEB"
            }
        }
    },
    "network": {
        "application": "token"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ],
        "user": [
            "JOE.DONE"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    },
    "user": {
        "domain": "test.com",
        "email": "JOE.DONE@test.com",
        "id": "1094724450",
        "name": "JOE.DONE"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
client.geo.country_iso_code keyword Country ISO code.
client.geo.region_name keyword Region name.
client.user.id keyword Unique identifier of the user.
cloud.account.id keyword The cloud account or organization id.
destination.user.email keyword User email address.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.dataset keyword Name of the dataset.
event.type keyword Event type. The third categorization field in the hierarchy.
file.gid keyword Primary group ID (GID) of the file.
file.name keyword Name of the file including the extension, without the directory.
file.owner keyword File owner's username.
file.type keyword File type (file, dir, or symlink).
google.report.actor.email keyword
google.report.chat.message.id keyword Message id
google.report.chat.room.name keyword Room name
google.report.meet.code keyword Meet code
google.report.parameters.name keyword Name of the item associated with the activity
google.report.parameters.value keyword Value of the item associated with the activity
google.report.parameters.visibility keyword Visibility of the Drive item associated with the activity
google.report.token.app_name keyword Token authorization application name
google.report.token.type keyword Token type
network.application keyword Application level protocol name.
network.transport keyword Protocol Name corresponding to the field iana_number.
source.ip ip IP address of the source.
user.domain keyword Name of the directory the user is a member of.
user.email keyword User email address.
user.group.id keyword Unique identifier for the group on the system/platform.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user.target.email keyword User email address.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.