Google Reports
Overview
- Vendor: Google
- Supported environment: SaaS
- Detection based on: Telemetry
- Supported application or feature: Application Logs
Google Reports is a data reporting and analysis platform offered by Google for Google Workspace services, designed to provide insights and metrics about user activities and interactions within various Google services. It allows organizations to track and visualize user engagement, application usage, and other relevant data points, enabling informed decision-making and optimization of digital experiences.
Supported applications
This integration can collect activities from the following GSuite applications:
admin
to collect activities on the Admin consolecalendar
to collect events from Google calendarchat
to collect Chat activitiesdrive
to supervise Google Drive eventsgcp
for the Google Cloud platform activiatiesgroups
to collect Google groups eventsgroups_entreprise
to collect Entreprise groups eventsjamboard
to collect Jamboard activitieslogin
to monitor authentication in Google applicationsmeet
to supervise Google meet eventstoken
for authentication supervisionuser_accounts
to monitor Users accounts activitieskeep
to supervices Google Keep activities
Limitation
Only activities from one applications can be collected from one playbook. To collect activities from several Google Application, create as many playbooks as applications to collect.
Configure
Prerequisites
- Google licence Enterprise standard or higher
- Access to Sekoia.io Intakes and Playbook pages with write permissions
- Administrator access to the Google Cloud console and to Google Workspace
Create a dedicated service account
To create a service account you have to :
- Create a project
- Turn on the APIs for the service account a. In your project, select APIs & Services and then Library b. Select the Admin SDK API and click on Enable (you can write the name in the search box to find it more easily)
- Under APIs & Services, set up the OAuth consent screen
- Click on OAuth consent screen
- For User type, select Internal
- Write an App Name, a User support email and an email address for the Developer contact information
- Select the following scopes (see Choose Reports API scopes):
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
- Create the service account
- Under IAM & Admins, click on Service Accounts and click on Create Service Account
- Specify the Service Account details
- Click on Done (no need to Grant this service account access to project and Grant users access to this service account)
- Create a delegation
- Find your new Service Account and select Managed details
- Click on Advanced settings
- Under "Domain-wide delegation" find your service account's Client ID. Copy the client ID value to your clipboard.
- Click on View Google Workspace Admin Console, then sign in using a super administrator user account and continue following these steps.
- In the Google Admin console, go to Menu > Security > Access and data control > API controls.
- Click Manage Domain Wide Delegation.
- Click Add new.
- In the "Client ID" field, paste the client ID that you previously copied.
- In the "OAuth Scopes" field, enter a comma-delimited list of the scopes required by your application. This is the same set of scopes you defined when configuring the OAuth consent screen.
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
- Click Authorize
For more details in each steps please read this Documentation and this one about delegation
Create and download JSON keys (service account credentials)
To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.
Note
By default, service account keys never expire.
- Go to the Service accounts page
- Select your cloud project
- Click the email address of the service account that you want to create a key for
- Click the Keys tab
- Click the Add key drop-down menu, then select Create new key
- Select JSON as the Key type and click Create
Important
Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.
Find more information on the official google documentation.
Example of JSON key file
{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "SERVICE_ACCOUNT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
Sekoia.io configuration procedure
Create your intake
- Go to the intake page and create a new intake from the
Google Report
. - Copy the associated Intake key
Pull the logs to collect them on Sekoia.io
Go to the Sekoia.io playbook page, and follow these steps:
- Click on + PLAYBOOK button to create a new one
- Select Create a playbook from scratch
- Give it a name in the field Name
- Open the left panel, click Google then select the trigger
Get user activities
-
Click on Create
-
Create a Module configuration using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish
-
Create a Trigger configuration using:
- Type the
Intake key
created on the previous - Select the
application name
what you to fetch events from - Type the
an Google workspace admin email
.
- Type the
Important
This Google workspace admin email is any user part of the domain that has the right to view de Data of Google Workspace
- Click on the Save button
- Activate the playbook with the toggle button on the top right corner of the page
Enjoy your events on the Events page
Further readings
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-12T14:50:56.780Z",
"uniqueQualifier": "-68755428425",
"applicationName": "admin",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"",
"actor": {
"callerType": "USER",
"email": "test@test.com",
"profileId": "10125127140"
},
"ipAddress": "2222:000:333:1111:7777:5555:6666:ddd",
"events": [
{
"type": "ALERT_CENTER",
"name": "ALERT_CENTER_VIEW",
"parameters": [
{
"name": "ALERT_ID",
"value": "445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-12T14:41:33.804Z",
"uniqueQualifier": "-4779949128172",
"applicationName": "admin",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"",
"actor": {
"email": "test@test.com",
"profileId": "10125127141"
},
"ipAddress": "2222:000:333:1111:7777:5555:6666:ddd",
"events": [
{
"type": "SECURITY_SETTINGS",
"name": "ALLOW_STRONG_AUTHENTICATION",
"parameters": [
{
"name": "OLD_VALUE",
"value": "INHERIT_FROM_PARENT"
},
{
"name": "NEW_VALUE",
"value": "true"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
},
{
"type": "SECURITY_SETTINGS",
"name": "ENFORCE_STRONG_AUTHENTICATION",
"parameters": [
{
"name": "OLD_VALUE",
"value": "INHERIT_FROM_PARENT"
},
{
"name": "NEW_VALUE",
"value": "true"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
},
{
"type": "SECURITY_SETTINGS",
"name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
"parameters": [
{
"name": "OLD_VALUE",
"value": "INHERIT_FROM_PARENT"
},
{
"name": "NEW_VALUE",
"value": "DISABLE_USERS_TO_TRUST_DEVICE"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
},
{
"type": "SECURITY_SETTINGS",
"name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
"parameters": [
{
"name": "OLD_VALUE",
"value": "INHERIT_FROM_PARENT"
},
{
"name": "NEW_VALUE",
"value": "1 week"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
},
{
"type": "SECURITY_SETTINGS",
"name": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
"parameters": [
{
"name": "OLD_VALUE",
"value": "INHERIT_FROM_PARENT"
},
{
"name": "NEW_VALUE",
"value": "1 day"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
},
{
"type": "SECURITY_SETTINGS",
"name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
"parameters": [
{
"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD",
"value": "NO_TELEPHONY"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
},
{
"type": "SECURITY_SETTINGS",
"name": "CHANGE_TWO_STEP_VERIFICATION_START_DATE",
"parameters": [
{
"name": "OLD_VALUE",
"value": "INHERIT_FROM_PARENT"
},
{
"name": "NEW_VALUE",
"value": "2019-10-31"
},
{
"name": "ORG_UNIT_NAME",
"value": "IT"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-13T10:25:01.859Z",
"uniqueQualifier": "-119782077599",
"applicationName": "calendar",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\"",
"actor": {
"email": "joe.done@test.com",
"profileId": "1126768166"
},
"ownerDomain": "sekoia.io",
"ipAddress": "1.2.3.4",
"events": [
{
"type": "event_change",
"name": "change_event",
"parameters": [
{
"name": "event_id",
"value": "6qr2cujo0lkfln"
},
{
"name": "organizer_calendar_id",
"value": "joe.done@test.com"
},
{
"name": "calendar_id",
"value": "joe.done@test.com"
},
{
"name": "event_title",
"value": "title test"
},
{
"name": "is_recurring",
"boolValue": false
},
{
"name": "recurring",
"value": "no"
},
{
"name": "client_side_encrypted",
"value": "no"
},
{
"name": "start_time",
"intValue": "63846009000"
},
{
"name": "end_time",
"intValue": "63846010800"
},
{
"name": "api_kind",
"value": "caldav"
},
{
"name": "user_agent",
"value": "macOS/12.5"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-13T10:36:57.929Z",
"uniqueQualifier": "2480088525820",
"applicationName": "calendar",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
"actor": {
"email": "joe.doe@test.com",
"profileId": "1158856535600"
},
"ownerDomain": "test.com",
"ipAddress": "ffff:2222:333:11:aa:2222:111:11",
"events": [
{
"type": "event_change",
"name": "create_event",
"parameters": [
{
"name": "event_id",
"value": "fksdqs5mv613b"
},
{
"name": "organizer_calendar_id",
"value": "joe.doe@test.com"
},
{
"name": "calendar_id",
"value": "jone.done@test.com"
},
{
"name": "event_title",
"value": "Test title"
},
{
"name": "is_recurring",
"boolValue": false
},
{
"name": "recurring",
"value": "no"
},
{
"name": "client_side_encrypted",
"value": "no"
},
{
"name": "start_time",
"intValue": "63846450000"
},
{
"name": "end_time",
"intValue": "63846453600"
},
{
"name": "user_agent",
"value": "Calendly"
}
]
},
{
"type": "event_change",
"name": "add_event_guest",
"parameters": [
{
"name": "event_id",
"value": "fksdqs5mv613b"
},
{
"name": "organizer_calendar_id",
"value": "joe.doe@test.com"
},
{
"name": "calendar_id",
"value": "jone.done@test.com"
},
{
"name": "event_title",
"value": "Test title"
},
{
"name": "is_recurring",
"boolValue": false
},
{
"name": "recurring",
"value": "no"
},
{
"name": "client_side_encrypted",
"value": "no"
},
{
"name": "event_guest",
"value": "jone.done@test.com"
},
{
"name": "user_agent",
"value": "Calendly"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-08T10:37:56.354Z",
"uniqueQualifier": "-75128508411076",
"applicationName": "chat",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\"",
"actor": {
"callerType": "USER",
"email": "joe.done@test.com",
"profileId": "1160802395241"
},
"events": [
{
"type": "user_action",
"name": "message_posted",
"parameters": [
{
"name": "room_id",
"value": "AAAAAAAAAA"
},
{
"name": "actor",
"value": "joe.done@test.com"
},
{
"name": "message_id",
"value": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
},
{
"name": "retention_state",
"value": "PERMANENT"
},
{
"name": "room_name",
"value": "Group Chat (AAAAAAAAAA)"
},
{
"name": "dlp_scan_status",
"value": "DLP_NOT_APPLICABLE"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-12T10:01:16.430Z",
"uniqueQualifier": "-2323518099402",
"applicationName": "chat",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"",
"actor": {
"callerType": "USER",
"email": "joe.done@test.com",
"profileId": "1070981817756"
},
"events": [
{
"type": "user_action",
"name": "room_created",
"parameters": [
{
"name": "room_id",
"value": "AAAAAAAAA"
},
{
"name": "actor",
"value": "joe.done@test.com"
},
{
"name": "external_room",
"value": "DISABLED"
},
{
"name": "room_name",
"value": "Group Chat (AAAAAAAAA)"
}
]
}
]
}
{
"kind": "audit#activity",
"id": {
"time": "2014-03-17T15:39:18.460Z",
"uniqQualifier": "reports unique ID",
"applicationName": "drive",
"customerId": "ABC123xyz"
},
"actor": {
"callerType": "USER",
"email": "kim@example.com",
"profileId": "users unique Google Workspace profile ID",
"key": "consumer key of requestor in an OAuth 2LO request"
},
"ownerDomain": "domain of the source owner",
"ipAddress": "1.2.3.4",
"events": [
{
"type": "access",
"name": "edit",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "billable",
"boolValue": true
},
{
"name": "owner_is_shared_drive",
"boolValue": true
},
{
"name": "owner_team_drive_id",
"value": "AAAAAALLLLLL"
},
{
"name": "owner",
"value": "RH "
},
{
"name": "doc_id",
"value": "5555763535"
},
{
"name": "doc_type",
"value": "folder"
},
{
"name": "is_encrypted",
"boolValue": false
},
{
"name": "doc_title",
"value": "Divers"
},
{
"name": "visibility",
"value": "shared_internally"
},
{
"name": "shared_drive_id",
"value": "112-EIUBHDIUBEBUD"
},
{
"name": "originating_app_id",
"value": "691301496089"
},
{
"name": "actor_is_collaborator_account",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": true
},
{
"name": "team_drive_id",
"value": "111-EIUBHDIUBEBUD"
}
]
}
]
}
{
"kind": "audit#activity",
"id": {
"time": "2014-03-17T15:39:18.460Z",
"uniqQualifier": "reports unique ID",
"applicationName": "drive",
"customerId": "ABC123xyz"
},
"actor": {
"callerType": "USER",
"email": "kim@example.com",
"profileId": "users unique Google Workspace profile ID",
"key": "consumer key of requestor in an OAuth 2LO request"
},
"ownerDomain": "domain of the source owner",
"ipAddress": "1.2.3.4",
"events": [
{
"type": "access",
"name": "edit",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "owner_is_shared_drive",
"boolValue": false
},
{
"name": "doc_id",
"value": "1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8"
},
{
"name": "doc_title",
"value": "Meeting notes"
},
{
"name": "doc_type",
"value": "document"
},
{
"name": "owner",
"value": "mary@example.com"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2023-09-04T08:42:51.615Z",
"uniqueQualifier": "-2222222222222222222",
"applicationName": "drive",
"customerId": "111111111"
},
"actor": {
"email": "john.doe@example.org",
"profileId": "444444444444444444444"
},
"ipAddress": "1.2.3.4",
"events": [
{
"type": "access",
"name": "view",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "billable",
"boolValue": true
},
{
"name": "owner_is_shared_drive",
"boolValue": true
},
{
"name": "owner_team_drive_id",
"value": "DDD_111111111111111"
},
{
"name": "owner",
"value": "J.DOE"
},
{
"name": "doc_id",
"value": "333333333333333333333333333333333"
},
{
"name": "doc_type",
"value": "folder"
},
{
"name": "is_encrypted",
"boolValue": false
},
{
"name": "doc_title",
"value": "MyDocs"
},
{
"name": "visibility",
"value": "people_within_domain_with_link"
},
{
"name": "shared_drive_id",
"value": "DDD_222222222222222"
},
{
"name": "originating_app_id",
"value": "666666666666"
},
{
"name": "actor_is_collaborator_account",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": true
},
{
"name": "team_drive_id",
"value": "DDD_888888888888888"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-11T15:20:33.157Z",
"uniqueQualifier": "-92180609786",
"applicationName": "groups_enterprise",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
"actor": {
"callerType": "USER",
"email": "joe.done@test.com",
"profileId": "109472445"
},
"events": [
{
"type": "moderator_action",
"name": "delete_group",
"parameters": [
{
"name": "group_id",
"value": "testgroup@test.com"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-13T11:02:40.037Z",
"uniqueQualifier": "235176017661",
"applicationName": "meet",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
"actor": {
"callerType": "USER",
"email": "jone.doe@test.com",
"profileId": "1098488062555"
},
"events": [
{
"type": "call",
"name": "call_ended",
"parameters": [
{
"name": "video_send_seconds",
"intValue": "0"
},
{
"name": "location_country",
"value": "FR"
},
{
"name": "identifier_type",
"value": "email_address"
},
{
"name": "endpoint_id",
"value": "dSzi5ZfqD8I"
},
{
"name": "device_type",
"value": "web"
},
{
"name": "screencast_send_packet_loss_mean",
"intValue": "0"
},
{
"name": "calendar_event_id",
"value": "glb41ldt739tcf0bun7p9htaqr"
},
{
"name": "screencast_send_seconds",
"intValue": "83"
},
{
"name": "screencast_send_short_side_median_pixels",
"intValue": "1080"
},
{
"name": "screencast_send_packet_loss_max",
"intValue": "1"
},
{
"name": "screencast_send_fps_mean",
"intValue": "29"
},
{
"name": "audio_recv_seconds",
"intValue": "0"
},
{
"name": "network_congestion",
"intValue": "0"
},
{
"name": "network_estimated_download_kbps_mean",
"intValue": "1"
},
{
"name": "network_transport_protocol",
"value": "udp"
},
{
"name": "duration_seconds",
"intValue": "1498"
},
{
"name": "identifier",
"value": "jone.doe@test.com"
},
{
"name": "location_region",
"value": "Argenteuil"
},
{
"name": "screencast_send_bitrate_kbps_mean",
"intValue": "791"
},
{
"name": "organizer_email",
"value": "joe.done@test.com"
},
{
"name": "ip_address",
"value": "5555:333:333:5555:5555:5555:5555:5555"
},
{
"name": "audio_send_seconds",
"intValue": "0"
},
{
"name": "display_name",
"value": "Test SEGLA"
},
{
"name": "video_recv_seconds",
"intValue": "0"
},
{
"name": "screencast_send_long_side_median_pixels",
"intValue": "1920"
},
{
"name": "network_rtt_msec_mean",
"intValue": "12"
},
{
"name": "conference_id",
"value": "SQEGZkIp70zCVuvX_PtXDxI"
},
{
"name": "screencast_recv_seconds",
"intValue": "0"
},
{
"name": "product_type",
"value": "meet"
},
{
"name": "network_estimated_upload_kbps_mean",
"intValue": "0"
},
{
"name": "meeting_code",
"value": "GMGSZDDDDD"
},
{
"name": "is_external",
"boolValue": false
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-13T10:31:23.630Z",
"uniqueQualifier": "47501654195",
"applicationName": "meet",
"customerId": "C03foh000"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"",
"actor": {
"callerType": "USER",
"email": "jone.done@test.com",
"profileId": "1070981817756"
},
"events": [
{
"type": "conference_action",
"name": "presentation_started",
"parameters": [
{
"name": "is_external",
"boolValue": false
},
{
"name": "meeting_code",
"value": "BWXXZYNUUU"
},
{
"name": "conference_id",
"value": "iVYNZWWtL3-mwtWyAGIeDxIWOAkI"
},
{
"name": "action_time",
"value": "2024-03-13T10:31:23.630220Z"
},
{
"name": "identifier",
"value": "jone.done@test.com"
},
{
"name": "identifier_type",
"value": "email_address"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-07-09T14:05:42.528Z",
"uniqueQualifier": "0123456789101112131",
"applicationName": "admin",
"customerId": "C03foh000"
},
"etag": "BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0",
"actor": {
"callerType": "USER",
"email": "john.doe@test.fr",
"profileId": "102788027662650927386"
},
"ipAddress": "1.2.3.4",
"events": [
{
"type": "USER_SETTINGS",
"name": "SUSPEND_USER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "jdoe@test.fr"
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-01-17T11:09:39.840Z",
"uniqueQualifier": "111111",
"applicationName": "drive",
"customerId": "XXXXXX"
},
"etag": "aaa-aaa/aaa",
"actor": {
"email": "senduser@test.com",
"profileId": "11111"
},
"ipAddress": "0.0.0.0",
"events": [
{
"type": "access",
"name": "edit",
"parameters": [
{
"name": "primary_event",
"boolValue": false
},
{
"name": "billable",
"boolValue": true
},
{
"name": "owner_is_shared_drive",
"boolValue": false
},
{
"name": "owner",
"value": "owner@test.com"
},
{
"name": "doc_id",
"value": "1111111111"
},
{
"name": "doc_type",
"value": "document"
},
{
"name": "is_encrypted",
"boolValue": false
},
{
"name": "doc_title",
"value": "Doc Temp"
},
{
"name": "visibility",
"value": "shared_externally"
},
{
"name": "originating_app_id",
"value": "111111"
},
{
"name": "actor_is_collaborator_account",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": false
}
]
},
{
"type": "acl_change",
"name": "change_user_access",
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "billable",
"boolValue": true
},
{
"name": "visibility_change",
"value": "external"
},
{
"name": "target_user",
"value": "targetuser@test.fr"
},
{
"name": "old_value",
"multiValue": [
"none"
]
},
{
"name": "new_value",
"multiValue": [
"can_edit"
]
},
{
"name": "old_visibility",
"value": "shared_internally"
},
{
"name": "owner_is_shared_drive",
"boolValue": false
},
{
"name": "owner",
"value": "owner@test.com"
},
{
"name": "doc_id",
"value": "11111"
},
{
"name": "doc_type",
"value": "document"
},
{
"name": "is_encrypted",
"boolValue": false
},
{
"name": "doc_title",
"value": "Doc Temp"
},
{
"name": "visibility",
"value": "shared_externally"
},
{
"name": "originating_app_id",
"value": "11111"
},
{
"name": "actor_is_collaborator_account",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": false
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-13T11:24:59.810Z",
"uniqueQualifier": "515960775816012389",
"applicationName": "token",
"customerId": "C03foh04q"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"",
"actor": {
"email": "JONE.DOE@test.com",
"profileId": "109472445"
},
"ipAddress": "1.2.3.4",
"events": [
{
"name": "authorize",
"parameters": [
{
"name": "client_id",
"value": "11057316681905"
},
{
"name": "app_name",
"value": "Test Log Workspace"
},
{
"name": "client_type",
"value": "WEB"
},
{
"name": "scope_data",
"multiMessageValue": [
{
"parameter": [
{
"name": "scope_name",
"value": "https://www.googleapis.com/auth/admin.reports.audit.readonly"
},
{
"name": "product_bucket",
"multiValue": [
"GSUITE_ADMIN"
]
}
]
},
{
"parameter": [
{
"name": "scope_name",
"value": "https://www.googleapis.com/auth/admin.reports.usage.readonly"
},
{
"name": "product_bucket",
"multiValue": [
"GSUITE_ADMIN"
]
}
]
}
]
},
{
"name": "scope",
"multiValue": [
"https://www.googleapis.com/auth/admin.reports.audit.readonly",
"https://www.googleapis.com/auth/admin.reports.usage.readonly"
]
}
]
}
]
}
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-03-13T11:25:23.391Z",
"uniqueQualifier": "-38605878274",
"applicationName": "token",
"customerId": "C03foh5555"
},
"etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\"",
"actor": {
"email": "JOE.DONE@test.com",
"profileId": "1094724450"
},
"ipAddress": "1.1.1.1",
"events": [
{
"type": "auth",
"name": "activity",
"parameters": [
{
"name": "api_name",
"value": "admin"
},
{
"name": "method_name",
"value": "reports.activities.list"
},
{
"name": "client_id",
"value": "110573166819"
},
{
"name": "num_response_bytes",
"intValue": "7"
},
{
"name": "product_bucket",
"value": "GSUITE_ADMIN"
},
{
"name": "app_name",
"value": "Test Log Workspace"
},
{
"name": "client_type",
"value": "WEB"
}
]
}
]
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Google Report. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Google Report on ATT&CK Navigator
Advanced IP Scanner
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
- Effort: master
Certify Or Certipy
Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.
- Effort: advanced
Cobalt Strike Default Beacons Names
Detects the default names of Cobalt Strike beacons / payloads.
- Effort: intermediate
Credential Dump Tools Related Files
Detects processes or file names related to credential dumping tools and the dropped files they generate by default.
- Effort: advanced
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Entra ID Sign-In Via Known AiTM Phishing Kit
Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
- Effort: elementary
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Google Workspace Account Warning
Detects a suspicious login, leaked password, or account disabled following suspicious activity.
- Effort: elementary
Google Workspace Admin Creation
Detects when an admin is created or when his role is changed.
- Effort: master
Google Workspace Admin Deletion
Detects when an admin is deleted or when his role is unassigned.
- Effort: master
Google Workspace Admin Modification
Detects when an admin is modified.
- Effort: master
Google Workspace App Script Scheduled Task
Detects when a scheduled task is launched by Google App Script. This product is used to create scripts and integrate applications within Google Workspace.
- Effort: advanced
Google Workspace Blocked Sender
Detects when a user is blocked by google workspace.
- Effort: advanced
Google Workspace Bypass 2FA
Detects when user tries to bypass the 2FA.
- Effort: master
Google Workspace Domain Delegation
Detects when a domain delegation is granted.
- Effort: master
Google Workspace Email Forwarding
Detects when a user enables email forwarding out of the domain
- Effort: advanced
Google Workspace External Sharing
Detects a large number of external sharing.
- Effort: master
Google Workspace Login Brute-Force
Detects when a user failed to login multiple times before a successful login.
- Effort: master
Google Workspace MFA changed
Detects when the settings for the MFA are modified.
- Effort: master
Google Workspace Password Change
Detects when a password is changed. An attacker can perform this action to impact the availability of the account.
- Effort: master
Google Workspace User Creation
Detects when a new user is created.
- Effort: master
Google Workspace User Deletion
Detects when an user is deleted.
- Effort: master
Google Workspace User Suspended
Detects when an user is suspended. An attacker can use this to remove an account used during the intrusion.
- Effort: master
HackTools Suspicious Names
Quick-win rule to detect the default process names or file names of several HackTools.
- Effort: elementary
Internet Scanner
Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.
- Effort: master
Internet Scanner Target
Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP and group by target address. This could be a very noisy rule, so be careful to check your detection perimeter before activation.
- Effort: master
PasswordDump SecurityXploded Tool
Detects the execution of the PasswordDump SecurityXploded Tool
- Effort: elementary
RTLO Character
Detects RTLO (Right-To-Left character) in file and process names.
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Remote Monitoring and Management Software - AnyDesk
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
Suspicious File Name
Detects suspicious file name possibly linked to malicious tool.
- Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
- Effort: advanced
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
GCP audit logs |
Google Cloud Audit contains logs from multiple Google Cloud source such as Google Workspace. |
In details, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | authentication , configuration , file , iam , session |
Type | access , admin , change , connection |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"10125127140\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}",
"event": {
"action": "ALERT_CENTER_VIEW",
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"info"
]
},
"@timestamp": "2024-03-12T14:50:56.780000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "test@test.com"
}
}
},
"network": {
"application": "admin"
},
"related": {
"ip": [
"2222:0:333:1111:7777:5555:6666:ddd"
],
"user": [
"test"
]
},
"source": {
"address": "2222:0:333:1111:7777:5555:6666:ddd",
"ip": "2222:0:333:1111:7777:5555:6666:ddd"
},
"user": {
"domain": "test.com",
"email": "test@test.com",
"id": "10125127140",
"name": "test"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"10125127141\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}",
"event": {
"action": [
"ALLOW_STRONG_AUTHENTICATION",
"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
"CHANGE_TWO_STEP_VERIFICATION_START_DATE",
"ENFORCE_STRONG_AUTHENTICATION"
],
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2024-03-12T14:41:33.804000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "test@test.com"
}
}
},
"network": {
"application": "admin"
},
"related": {
"ip": [
"2222:0:333:1111:7777:5555:6666:ddd"
],
"user": [
"test"
]
},
"source": {
"address": "2222:0:333:1111:7777:5555:6666:ddd",
"ip": "2222:0:333:1111:7777:5555:6666:ddd"
},
"user": {
"domain": "test.com",
"email": "test@test.com",
"id": "10125127141",
"name": "test"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"joe.done@test.com\",\"profileId\":\"1126768166\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"event_title\",\"value\":\"title test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}",
"event": {
"action": "change_event",
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"change"
]
},
"@timestamp": "2024-03-13T10:25:01.859000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
}
}
},
"network": {
"application": "calendar"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"joe.done"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"id": "1126768166",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"joe.doe@test.com\",\"profileId\":\"1158856535600\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"ffff:2222:333:11:aa:2222:111:11\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jone.done@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}",
"event": {
"action": [
"add_event_guest",
"create_event"
],
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"change",
"creation"
]
},
"@timestamp": "2024-03-13T10:36:57.929000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"destination": {
"user": {
"email": "jone.done@test.com"
}
},
"google": {
"report": {
"actor": {
"email": "joe.doe@test.com"
}
}
},
"network": {
"application": "calendar"
},
"related": {
"ip": [
"ffff:2222:333:11:aa:2222:111:11"
],
"user": [
"joe.doe"
]
},
"source": {
"address": "ffff:2222:333:11:aa:2222:111:11",
"ip": "ffff:2222:333:11:aa:2222:111:11"
},
"user": {
"domain": "test.com",
"email": "joe.doe@test.com",
"id": "1158856535600",
"name": "joe.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1160802395241\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}",
"event": {
"action": "message_posted",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-08T10:37:56.354000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
},
"chat": {
"message": {
"id": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
},
"room": {
"name": "Group Chat (AAAAAAAAAA)"
}
}
}
},
"network": {
"application": "chat"
},
"related": {
"user": [
"joe.done"
]
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"id": "1160802395241",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}",
"event": {
"action": "room_created",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-12T10:01:16.430000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
},
"chat": {
"room": {
"name": "Group Chat (AAAAAAAAA)"
}
}
}
},
"network": {
"application": "chat"
},
"related": {
"user": [
"joe.done"
]
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"id": "1070981817756",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}",
"event": {
"action": "edit",
"category": [
"file"
],
"dataset": "audit#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"cloud": {
"account": {
"id": "ABC123xyz"
}
},
"file": {
"gid": "AAAAAALLLLLL",
"name": "Divers",
"owner": "RH ",
"type": "folder"
},
"google": {
"report": {
"actor": {
"email": "kim@example.com"
},
"parameters": {
"visibility": "shared_internally"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"RH ",
"kim"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.com",
"email": "kim@example.com",
"id": "users unique Google Workspace profile ID",
"name": "kim"
}
}
{
"message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}",
"event": {
"action": "edit",
"category": [
"file"
],
"dataset": "audit#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"cloud": {
"account": {
"id": "ABC123xyz"
}
},
"file": {
"name": "Meeting notes",
"owner": "mary@example.com",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "kim@example.com"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"kim",
"mary@example.com"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.com",
"email": "kim@example.com",
"id": "users unique Google Workspace profile ID",
"name": "kim"
}
}
{
"message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2023-09-04T08:42:51.615Z\",\n \"uniqueQualifier\": \"-2222222222222222222\",\n \"applicationName\": \"drive\",\n \"customerId\": \"111111111\"\n },\n \"actor\": {\n \"email\": \"john.doe@example.org\",\n \"profileId\": \"444444444444444444444\"\n },\n \"ipAddress\": \"1.2.3.4\",\n \"events\": [\n {\n \"type\": \"access\",\n \"name\": \"view\",\n \"parameters\": [\n {\n \"name\": \"primary_event\",\n \"boolValue\": true\n },\n {\n \"name\": \"billable\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_is_shared_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_team_drive_id\",\n \"value\": \"DDD_111111111111111\"\n },\n {\n \"name\": \"owner\",\n \"value\": \"J.DOE\"\n },\n {\n \"name\": \"doc_id\",\n \"value\": \"333333333333333333333333333333333\"\n },\n {\n \"name\": \"doc_type\",\n \"value\": \"folder\"\n },\n {\n \"name\": \"is_encrypted\",\n \"boolValue\": false\n },\n {\n \"name\": \"doc_title\",\n \"value\": \"MyDocs\"\n },\n {\n \"name\": \"visibility\",\n \"value\": \"people_within_domain_with_link\"\n },\n {\n \"name\": \"shared_drive_id\",\n \"value\": \"DDD_222222222222222\"\n },\n {\n \"name\": \"originating_app_id\",\n \"value\": \"666666666666\"\n },\n {\n \"name\": \"actor_is_collaborator_account\",\n \"boolValue\": false\n },\n {\n \"name\": \"owner_is_team_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"team_drive_id\",\n \"value\": \"DDD_888888888888888\"\n }\n ]\n }\n ]\n}\n",
"event": {
"action": "view",
"category": [
"file"
],
"dataset": "admin#reports#activity",
"type": [
"access"
]
},
"@timestamp": "2023-09-04T08:42:51.615000Z",
"cloud": {
"account": {
"id": "111111111"
}
},
"file": {
"gid": "DDD_111111111111111",
"name": "MyDocs",
"owner": "J.DOE",
"type": "folder"
},
"google": {
"report": {
"actor": {
"email": "john.doe@example.org"
},
"parameters": {
"visibility": "people_within_domain_with_link"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"J.DOE",
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.org",
"email": "john.doe@example.org",
"id": "444444444444444444444",
"name": "john.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"109472445\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}",
"event": {
"action": "delete_group",
"category": [
"iam"
],
"dataset": "admin#reports#activity",
"type": [
"admin"
]
},
"@timestamp": "2024-03-11T15:20:33.157000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
}
}
},
"network": {
"application": "groups_enterprise"
},
"related": {
"user": [
"joe.done"
]
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"group": {
"id": "testgroup@test.com"
},
"id": "109472445",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.doe@test.com\",\"profileId\":\"1098488062555\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jone.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"joe.done@test.com\"},{\"name\":\"ip_address\",\"value\":\"5555:333:333:5555:5555:5555:5555:5555\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}",
"event": {
"action": "call_ended",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-13T11:02:40.037000Z",
"client": {
"geo": {
"country_iso_code": "FR",
"region_name": "Argenteuil"
}
},
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "jone.doe@test.com"
},
"meet": {
"code": "GMGSZDDDDD"
}
}
},
"network": {
"application": "meet",
"transport": "udp"
},
"related": {
"user": [
"jone.doe"
]
},
"user": {
"domain": "test.com",
"email": "jone.doe@test.com",
"id": "1098488062555",
"name": "jone.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jone.done@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}",
"event": {
"action": "presentation_started",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-13T10:31:23.630000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "jone.done@test.com"
},
"meet": {
"code": "BWXXZYNUUU"
}
}
},
"network": {
"application": "meet"
},
"related": {
"user": [
"jone.done"
]
},
"user": {
"domain": "test.com",
"email": "jone.done@test.com",
"id": "1070981817756",
"name": "jone.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.fr\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@test.fr\"}]}]}",
"event": {
"action": "SUSPEND_USER",
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"change"
]
},
"@timestamp": "2024-07-09T14:05:42.528000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "john.doe@test.fr"
},
"parameters": {
"name": "USER_EMAIL",
"value": "jdoe@test.fr"
}
}
},
"network": {
"application": "admin"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "test.fr",
"email": "john.doe@test.fr",
"id": "102788027662650927386",
"name": "john.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}",
"event": {
"action": [
"change_user_access",
"edit"
],
"category": [
"file"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2024-01-17T11:09:39.840000Z",
"cloud": {
"account": {
"id": "XXXXXX"
}
},
"file": {
"name": "Doc Temp",
"owner": "owner@test.com",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "senduser@test.com"
},
"parameters": {
"visibility": "shared_externally"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"0.0.0.0"
],
"user": [
"owner@test.com",
"senduser"
]
},
"source": {
"address": "0.0.0.0",
"ip": "0.0.0.0"
},
"user": {
"domain": "test.com",
"email": "senduser@test.com",
"id": "11111",
"name": "senduser",
"target": {
"email": "targetuser@test.fr"
}
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"C03foh04q\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JONE.DOE@test.com\",\"profileId\":\"109472445\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"11057316681905\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}",
"event": {
"action": "authorize",
"category": [
"authentication"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"connection"
]
},
"@timestamp": "2024-03-13T11:24:59.810000Z",
"client": {
"user": {
"id": "11057316681905"
}
},
"cloud": {
"account": {
"id": "C03foh04q"
}
},
"google": {
"report": {
"actor": {
"email": "JONE.DOE@test.com"
},
"token": {
"app_name": "Test Log Workspace",
"type": "WEB"
}
}
},
"network": {
"application": "token"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JONE.DOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "test.com",
"email": "JONE.DOE@test.com",
"id": "109472445",
"name": "JONE.DOE"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"C03foh5555\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOE.DONE@test.com\",\"profileId\":\"1094724450\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"110573166819\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}",
"event": {
"action": "activity",
"category": [
"authentication"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"connection"
]
},
"@timestamp": "2024-03-13T11:25:23.391000Z",
"client": {
"user": {
"id": "110573166819"
}
},
"cloud": {
"account": {
"id": "C03foh5555"
}
},
"google": {
"report": {
"actor": {
"email": "JOE.DONE@test.com"
},
"token": {
"app_name": "Test Log Workspace",
"type": "WEB"
}
}
},
"network": {
"application": "token"
},
"related": {
"ip": [
"1.1.1.1"
],
"user": [
"JOE.DONE"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"user": {
"domain": "test.com",
"email": "JOE.DONE@test.com",
"id": "1094724450",
"name": "JOE.DONE"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp |
date |
Date/time when the event originated. |
client.geo.country_iso_code |
keyword |
Country ISO code. |
client.geo.region_name |
keyword |
Region name. |
client.user.id |
keyword |
Unique identifier of the user. |
cloud.account.id |
keyword |
The cloud account or organization id. |
destination.user.email |
keyword |
User email address. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.dataset |
keyword |
Name of the dataset. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.gid |
keyword |
Primary group ID (GID) of the file. |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.owner |
keyword |
File owner's username. |
file.type |
keyword |
File type (file, dir, or symlink). |
google.report.actor.email |
keyword |
|
google.report.chat.message.id |
keyword |
Message id |
google.report.chat.room.name |
keyword |
Room name |
google.report.meet.code |
keyword |
Meet code |
google.report.parameters.name |
keyword |
Name of the item associated with the activity |
google.report.parameters.value |
keyword |
Value of the item associated with the activity |
google.report.parameters.visibility |
keyword |
Visibility of the Drive item associated with the activity |
google.report.token.app_name |
keyword |
Token authorization application name |
google.report.token.type |
keyword |
Token type |
network.application |
keyword |
Application level protocol name. |
network.transport |
keyword |
Protocol Name corresponding to the field iana_number . |
source.ip |
ip |
IP address of the source. |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.email |
keyword |
User email address. |
user.group.id |
keyword |
Unique identifier for the group on the system/platform. |
user.id |
keyword |
Unique identifier of the user. |
user.name |
keyword |
Short name or login of the user. |
user.target.email |
keyword |
User email address. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.