Google Cloud Audit Logs

Overview

Google Cloud Logging centralizes logs from Google Cloud products.

In this documentation, you will learn how to collect and send Google Workspace and Google Cloud audit logs to Sekoia.io.

Event Categories

The following table lists the data sources offered by this integration.

| Data Source | Description |
| --- | --- |
| GCP audit logs | Google Cloud Audit contains logs from multiple Google Cloud sources, such as Google Cloud Console and Google Workspace. |

Event Samples

Below are a few samples of events and how Sekoia.io normalizes them.

{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.2svDisable\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"-7789616625639281959\",\n        \"timeUsec\": \"1632459962686000\"\n      },\n      \"event\": [\n        {\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventName\": \"2sv_disable\",\n          \"eventType\": \"2sv_change\"\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-tn3jrd3lko\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.2svDisable\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}",
    "@timestamp": "2021-09-24T05:06:02.686000Z",
    "google_cloud_audit": {
        "insertId": "-tn3jrd3lko",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459962686000",
                    "uniqQualifier": "-7789616625639281959"
                },
                "event": [
                    {
                        "eventName": "2sv_disable",
                        "eventType": "2sv_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.2svDisable",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T05:06:03.845372592Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.2svDisable",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.2svEnroll\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"1624031130844323135\",\n        \"timeUsec\": \"1632458745769000\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventType\": \"2sv_change\",\n          \"status\": {\n            \"success\": true\n          },\n          \"eventName\": \"2sv_enroll\",\n          \"parameter\": [\n            {\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"dusi\"\n            }\n          ]\n        }\n      ]\n    }\n  },\n  \"insertId\": \"g3k8gid3b3p\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.2svEnroll\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T04:45:45.769Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T04:45:46.331843829Z\"\n}",
    "@timestamp": "2021-09-24T04:45:45.769000Z",
    "google_cloud_audit": {
        "insertId": "g3k8gid3b3p",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632458745769000",
                    "uniqQualifier": "1624031130844323135"
                },
                "event": [
                    {
                        "eventName": "2sv_enroll",
                        "eventType": "2sv_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.2svEnroll",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T04:45:46.331843829Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.2svEnroll",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledGeneric\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619825589352000\",\n        \"uniqQualifier\": \"-3303614929287073633\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_generic\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"nlgrf8d6ygj\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledGeneric\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}",
    "@timestamp": "2021-04-30T23:33:09.352000Z",
    "google_cloud_audit": {
        "insertId": "nlgrf8d6ygj",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619825589352000",
                    "uniqQualifier": "-3303614929287073633"
                },
                "event": [
                    {
                        "eventName": "account_disabled_generic",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledGeneric",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T23:33:10.673412983Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledGeneric",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledHijacked\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619825589352000\",\n        \"uniqQualifier\": \"-3303614929287073633\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_hijacked\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"nlgrf8d6ygj\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledHijacked\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}",
    "@timestamp": "2021-04-30T23:33:09.352000Z",
    "google_cloud_audit": {
        "insertId": "nlgrf8d6ygj",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619825589352000",
                    "uniqQualifier": "-3303614929287073633"
                },
                "event": [
                    {
                        "eventName": "account_disabled_hijacked",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledHijacked",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T23:33:10.673412983Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledHijacked",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619808083475000\",\n        \"uniqQualifier\": \"6286848759980589624\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_password_leak\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-xkklkzcxkl\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
    "@timestamp": "2021-04-30T18:41:23.475000Z",
    "google_cloud_audit": {
        "insertId": "-xkklkzcxkl",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619808083475000",
                    "uniqQualifier": "6286848759980589624"
                },
                "event": [
                    {
                        "eventName": "account_disabled_password_leak",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledPasswordLeak",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledSpamming\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619808083475000\",\n        \"uniqQualifier\": \"6286848759980589624\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_spamming\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-xkklkzcxkl\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledSpamming\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
    "@timestamp": "2021-04-30T18:41:23.475000Z",
    "google_cloud_audit": {
        "insertId": "-xkklkzcxkl",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619808083475000",
                    "uniqQualifier": "6286848759980589624"
                },
                "event": [
                    {
                        "eventName": "account_disabled_spamming",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledSpamming",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledSpamming",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619808083475000\",\n        \"uniqQualifier\": \"6286848759980589624\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"account_disabled_spamming_through_relay\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-xkklkzcxkl\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
    "@timestamp": "2021-04-30T18:41:23.475000Z",
    "google_cloud_audit": {
        "insertId": "-xkklkzcxkl",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619808083475000",
                    "uniqQualifier": "6286848759980589624"
                },
                "event": [
                    {
                        "eventName": "account_disabled_spamming_through_relay",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.2svDisable\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"-7789616625639281959\",\n        \"timeUsec\": \"1632459962686000\"\n      },\n      \"event\": [\n        {\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventName\": \"2sv_disable\",\n          \"eventType\": \"2sv_change\"\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-tn3jrd3lko\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.2svDisable\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}\n",
    "@timestamp": "2021-09-24T05:06:02.686000Z",
    "google_cloud_audit": {
        "insertId": "-tn3jrd3lko",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459962686000",
                    "uniqQualifier": "-7789616625639281959"
                },
                "event": [
                    {
                        "eventName": "2sv_disable",
                        "eventType": "2sv_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.2svDisable",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T05:06:03.845372592Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.2svDisable",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
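The field mapping visible in the samples above, reproduced as an added Python example: it is not Sekoia.io's parser and not part of the original page, and it leaves out the `google_cloud_audit` subtree. The function names, the two constructed input events, and the rule that `user.email` falls back to the `affected_email_address` parameter when `authenticationInfo` is empty are assumptions inferred from the samples.

```python
import ipaddress
import json


def to_ecs_timestamp(value):
    """'2021-09-24T05:06:02.686Z' -> '2021-09-24T05:06:02.686000Z' (microsecond precision)."""
    whole, _, frac = value.rstrip("Z").partition(".")
    # Pad short fractions and truncate nanosecond ones (as in receiveTimestamp) to 6 digits.
    return f"{whole}.{(frac + '000000')[:6]}Z"


def find_parameter(payload, name):
    """Return the value of the first metadata.event[].parameter[] entry called `name`."""
    for event in payload.get("metadata", {}).get("event", []):
        for param in event.get("parameter", []):
            if param.get("name") == name:
                return param.get("value")
    return None


def normalize(message):
    """Map a raw audit-log JSON string to the top-level fields shown in the samples."""
    raw = json.loads(message)
    payload = raw.get("protoPayload", {})
    out = {"message": message, "@timestamp": to_ecs_timestamp(raw["timestamp"])}
    related = {}

    caller_ip = payload.get("requestMetadata", {}).get("callerIp")
    if caller_ip:
        out["source"] = {"address": caller_ip}
        try:
            ipaddress.ip_address(caller_ip)  # accepts IPv4 and IPv6
        except ValueError:
            pass  # assumption: keep the raw value in source.address only
        else:
            out["source"]["ip"] = caller_ip
            related["ip"] = [caller_ip]

    principal = payload.get("authenticationInfo", {}).get("principalEmail")
    affected = find_parameter(payload, "affected_email_address")
    if principal:
        # Authenticated actor: the samples fill user.name, user.email and related.user.
        out["user"] = {"email": principal, "name": principal}
        related["user"] = [principal]
    elif affected:
        # System-generated account warning: the samples fill user.email only.
        out["user"] = {"email": affected}

    if payload.get("serviceName"):
        out["service"] = {"name": payload["serviceName"]}
    if related:
        out["related"] = related
    return out


# Constructed inputs, trimmed from the 2sv_disable and account_disabled_hijacked samples.
RAW_2SV_DISABLE = json.dumps({
    "protoPayload": {
        "authenticationInfo": {"principalEmail": "test-user@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.255"},
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.2svDisable",
        "metadata": {"event": [{
            "eventName": "2sv_disable",
            "eventType": "2sv_change",
            "parameter": [{"name": "dusi", "value": "INfDlrzP9IH8_QE"}],
        }]},
    },
    "timestamp": "2021-09-24T05:06:02.686Z",
})

RAW_ACCOUNT_HIJACKED = json.dumps({
    "protoPayload": {
        "authenticationInfo": {},
        "requestMetadata": {"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"},
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.accountDisabledHijacked",
        "metadata": {"event": [{
            "eventName": "account_disabled_hijacked",
            "eventType": "account_warning",
            "parameter": [{"name": "affected_email_address",
                           "value": "test-user@example.com"}],
        }]},
    },
    "timestamp": "2021-04-30T23:33:09.352Z",
})

if __name__ == "__main__":
    for sample in (RAW_2SV_DISABLE, RAW_ACCOUNT_HIJACKED):
        fields = normalize(sample)
        fields.pop("message")  # omit the raw string to keep the output readable
        print(json.dumps(fields, indent=4, sort_keys=True))
```
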
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"-5683698025624301037\",\n        \"timeUsec\": \"1632501152256000\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"email_forwarding_out_of_domain\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"test-user@google.com\",\n              \"name\": \"email_forwarding_destination_address\"\n            }\n          ],\n          \"eventType\": \"email_forwarding_change\"\n        }\n      ]\n    }\n  },\n  \"insertId\": \"rrcp9gd3y2f\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T16:32:32.256Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T16:32:33.319260836Z\"\n}",
    "@timestamp": "2021-09-24T16:32:32.256000Z",
    "google_cloud_audit": {
        "insertId": "rrcp9gd3y2f",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632501152256000",
                    "uniqQualifier": "-5683698025624301037"
                },
                "event": [
                    {
                        "eventName": "email_forwarding_out_of_domain",
                        "eventType": "email_forwarding_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "email_forwarding_destination_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@google.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.emailForwardingOutOfDomain",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T16:32:33.319260836Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.emailForwardingOutOfDomain",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\"insertId\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kube-scheduler\\\" of ClusterRole \\\"system:kube-scheduler\\\" to User \\\"system:kube-scheduler\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kube-scheduler\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.coordination.v1.leases.update\",\"resource\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\"}],\"methodName\":\"io.k8s.coordination.v1.leases.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election\"},\"resourceName\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-14T14:32:10.838967694Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-14T14:32:09.910723Z\"}",
    "@timestamp": "2022-06-14T14:32:09.910723Z",
    "google_cloud_audit": {
        "insertId": "2f93b0a6-f932-4d91-ad61-785ae9587360",
        "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {
            "first": true,
            "id": "2f93b0a6-f932-4d91-ad61-785ae9587360",
            "last": true,
            "producer": "k8s.io"
        },
        "protoPayload": {
            "authorizationInfo": [
                {
                    "granted": true,
                    "permission": "io.k8s.coordination.v1.leases.update",
                    "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler"
                }
            ],
            "methodName": "io.k8s.coordination.v1.leases.update",
            "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2022-06-14T14:32:10.838967694Z",
        "resource": {
            "labels": {
                "cluster_name": "cluster-1",
                "location": "europe-central2-a",
                "project_id": "hazel-aria-348413"
            },
            "type": "k8s_cluster"
        }
    },
    "related": {
        "ip": [
            "10.186.0.146"
        ],
        "user": [
            "system:kube-scheduler"
        ]
    },
    "service": {
        "name": "k8s.io"
    },
    "source": {
        "address": "10.186.0.146",
        "ip": "10.186.0.146"
    },
    "user": {
        "name": "system:kube-scheduler"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.govAttackWarning\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1619825837106000\",\n        \"uniqQualifier\": \"7230131091737932677\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"gov_attack_warning\",\n          \"eventType\": \"attack_warning\",\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ]\n    }\n  },\n  \"insertId\": \"bxuophd1vlw\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.govAttackWarning\"\n    }\n  },\n  \"timestamp\": \"2021-04-30T23:37:17.106Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-04-30T23:37:18.488559815Z\"\n}",
    "@timestamp": "2021-04-30T23:37:17.106000Z",
    "google_cloud_audit": {
        "insertId": "bxuophd1vlw",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1619825837106000",
                    "uniqQualifier": "7230131091737932677"
                },
                "event": [
                    {
                        "eventName": "gov_attack_warning",
                        "eventType": "attack_warning",
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.govAttackWarning",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-04-30T23:37:18.488559815Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.govAttackWarning",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\"insertId\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kubestore-collector\\\" of ClusterRole \\\"system:kubestore-collector\\\" to User \\\"system:kubestore-collector\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kubestore-collector\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.core.v1.configmaps.update\",\"resource\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\"}],\"methodName\":\"io.k8s.core.v1.configmaps.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format\"},\"resourceName\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T07:27:38.524909478Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-15T07:27:36.652663Z\"}\n\n",
    "@timestamp": "2022-06-15T07:27:36.652663Z",
    "google_cloud_audit": {
        "insertId": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
        "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {
            "first": true,
            "id": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
            "last": true,
            "producer": "k8s.io"
        },
        "protoPayload": {
            "authorizationInfo": [
                {
                    "granted": true,
                    "permission": "io.k8s.core.v1.configmaps.update",
                    "resource": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore"
                }
            ],
            "methodName": "io.k8s.core.v1.configmaps.update",
            "resourceName": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2022-06-15T07:27:38.524909478Z",
        "resource": {
            "labels": {
                "cluster_name": "cluster-1",
                "location": "europe-central2-a",
                "project_id": "hazel-aria-348413"
            },
            "type": "k8s_cluster"
        }
    },
    "related": {
        "ip": [
            "10.186.0.146"
        ],
        "user": [
            "system:kubestore-collector"
        ]
    },
    "service": {
        "name": "k8s.io"
    },
    "source": {
        "address": "10.186.0.146",
        "ip": "10.186.0.146"
    },
    "user": {
        "name": "system:kubestore-collector"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"insertId\":\"ofj3qoe4mbih\",\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1655309832996-a5fd6e18\",\"last\":true,\"producer\":\"container.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"metadata\":{\"operationType\":\"DELETE_CLUSTER\"},\"methodName\":\"google.container.v1.ClusterManager.DeleteCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"resourceLocation\":{\"currentLocations\":[\"europe-central2-a\"]},\"resourceName\":\"projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1\",\"serviceName\":\"container.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T16:19:48.068568099Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"gke_cluster\"},\"severity\":\"NOTICE\",\"timestamp\":\"2022-06-15T16:19:47.720234784Z\"}",
    "@timestamp": "2022-06-15T16:19:47.720234Z",
    "google_cloud_audit": {
        "insertId": "ofj3qoe4mbih",
        "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
        "operation": {
            "id": "operation-1655309832996-a5fd6e18",
            "last": true,
            "producer": "container.googleapis.com"
        },
        "protoPayload": {
            "metadata": {
                "operationType": "DELETE_CLUSTER"
            },
            "methodName": "google.container.v1.ClusterManager.DeleteCluster",
            "resourceLocation": {
                "currentLocations": [
                    "europe-central2-a"
                ]
            },
            "resourceName": "projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2022-06-15T16:19:48.068568099Z",
        "resource": {
            "labels": {
                "cluster_name": "cluster-1",
                "location": "europe-central2-a",
                "project_id": "hazel-aria-348413"
            },
            "type": "gke_cluster"
        },
        "severity": "NOTICE"
    },
    "service": {
        "name": "container.googleapis.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginChallenge\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"login_challenge\",\n          \"parameter\": [\n            {\n              \"name\": \"login_type\",\n              \"value\": \"google_password\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_REPEATED\",\n              \"name\": \"login_challenge_method\",\n              \"multiStrValue\": [\n                \"idv_preregistered_phone\"\n              ]\n            },\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"incorrect_answer_entered\",\n              \"name\": \"login_challenge_status\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"IOWJlfPwgvrTfg\"\n            }\n          ],\n          \"eventType\": \"login\"\n        }\n      ],\n      \"activityId\": {\n        \"timeUsec\": \"1632500217183211\",\n        \"uniqQualifier\": \"358068855354\"\n      }\n    }\n  },\n  \"insertId\": \"-nahbepd4l2j\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": 
\"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.loginChallenge\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T16:16:57.183211Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T17:51:28.041126044Z\"}",
    "@timestamp": "2021-09-24T16:16:57.183211Z",
    "google_cloud_audit": {
        "insertId": "-nahbepd4l2j",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632500217183211",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_challenge",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "idv_preregistered_phone"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_challenge_status",
                                "type": "TYPE_STRING",
                                "value": "incorrect_answer_entered"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "IOWJlfPwgvrTfg"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginChallenge",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T17:51:28.041126044Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginChallenge",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginFailure\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"event\": [\n        {\n          \"eventName\": \"login_failure\",\n          \"eventType\": \"login\",\n          \"parameter\": [\n            {\n              \"value\": \"google_password\",\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"login_type\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"name\": \"login_challenge_method\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_REPEATED\",\n              \"multiStrValue\": [\n                \"password\",\n                \"idv_preregistered_phone\",\n                \"idv_preregistered_phone\"\n              ]\n            },\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"IOWJlfPwgvrTfg\"\n            }\n          ]\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"358068855354\",\n        \"timeUsec\": \"1632500217183212\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-nahbepd4l1x\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.loginFailure\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T16:16:57.183212Z\",\n  \"severity\": 
\"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T17:51:25.034361197Z\"\n}",
    "@timestamp": "2021-09-24T16:16:57.183212Z",
    "google_cloud_audit": {
        "insertId": "-nahbepd4l1x",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632500217183212",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_failure",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "password",
                                    "idv_preregistered_phone",
                                    "idv_preregistered_phone"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "IOWJlfPwgvrTfg"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginFailure",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T17:51:25.034361197Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginFailure",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginSuccess\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"activityId\": {\n        \"timeUsec\": \"1632458429811809\",\n        \"uniqQualifier\": \"358068855354\"\n      },\n      \"event\": [\n        {\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"google_password\",\n              \"name\": \"login_type\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"name\": \"login_challenge_method\",\n              \"label\": \"LABEL_REPEATED\",\n              \"type\": \"TYPE_STRING\",\n              \"multiStrValue\": [\n                \"password\"\n              ]\n            },\n            {\n              \"type\": \"TYPE_BOOL\",\n              \"boolValue\": false,\n              \"name\": \"is_suspicious\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\"\n            }\n          ],\n          \"eventType\": \"login\",\n          \"eventName\": \"login_success\"\n        }\n      ]\n    }\n  },\n  \"insertId\": \"ci1svzd3hfk\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.loginSuccess\"\n    
}\n  },\n  \"timestamp\": \"2021-09-24T04:40:29.811809Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T05:43:20.474338130Z\"\n}",
    "@timestamp": "2021-09-24T04:40:29.811809Z",
    "google_cloud_audit": {
        "insertId": "ci1svzd3hfk",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632458429811809",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_success",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "password"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "boolValue": false,
                                "label": "LABEL_OPTIONAL",
                                "name": "is_suspicious",
                                "type": "TYPE_BOOL"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginSuccess",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T05:43:20.474338130Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginSuccess",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.loginVerification\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"login_verification\",\n          \"parameter\": [\n            {\n              \"name\": \"login_type\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"google_password\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"name\": \"login_challenge_method\",\n              \"multiStrValue\": [\n                \"idv_preregistered_phone\"\n              ],\n              \"label\": \"LABEL_REPEATED\",\n              \"type\": \"TYPE_STRING\"\n            },\n            {\n              \"value\": \"passed\",\n              \"name\": \"login_challenge_status\",\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\"\n            },\n            {\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"dusi\",\n              \"type\": \"TYPE_STRING\"\n            },\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"boolValue\": true,\n              \"type\": \"TYPE_BOOL\",\n              \"name\": \"is_second_factor\"\n            }\n          ],\n          \"eventType\": \"login\"\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"358068855354\",\n        \"timeUsec\": \"1632459936762000\"\n      }\n    }\n  },\n  \"insertId\": \"ivb9z4d41rh\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.loginVerification\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:05:36.762Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T06:39:22.386813664Z\"\n}",
    "@timestamp": "2021-09-24T05:05:36.762000Z",
    "google_cloud_audit": {
        "insertId": "ivb9z4d41rh",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459936762000",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "login_verification",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_REPEATED",
                                "multiStrValue": [
                                    "idv_preregistered_phone"
                                ],
                                "name": "login_challenge_method",
                                "type": "TYPE_STRING"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_challenge_status",
                                "type": "TYPE_STRING",
                                "value": "passed"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            },
                            {
                                "boolValue": true,
                                "label": "LABEL_OPTIONAL",
                                "name": "is_second_factor",
                                "type": "TYPE_BOOL"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.loginVerification",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T06:39:22.386813664Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.loginVerification",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.logout\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"event\": [\n        {\n          \"eventName\": \"logout\",\n          \"eventType\": \"login\",\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"name\": \"login_type\",\n              \"value\": \"google_password\"\n            },\n            {\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\"\n            }\n          ]\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"358068855354\",\n        \"timeUsec\": \"1632459903014598\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"v37ytid14th\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.logout\"\n    }\n  },\n  \"timestamp\": \"2021-09-24T05:05:03.014598Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-24T06:39:22.229734504Z\"\n}",
    "@timestamp": "2021-09-24T05:05:03.014598Z",
    "google_cloud_audit": {
        "insertId": "v37ytid14th",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632459903014598",
                    "uniqQualifier": "358068855354"
                },
                "event": [
                    {
                        "eventName": "logout",
                        "eventType": "login",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "login_type",
                                "type": "TYPE_STRING",
                                "value": "google_password"
                            },
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ]
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.logout",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-24T06:39:22.229734504Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.logout",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.passwordEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"password_edit\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventType\": \"password_change\"\n        }\n      ],\n      \"activityId\": {\n        \"uniqQualifier\": \"8894052787391296929\",\n        \"timeUsec\": \"1632803013900566\"\n      }\n    }\n  },\n  \"insertId\": \"-u8coc0d6n78\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.passwordEdit\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:23:33.900566Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:23:37.724654918Z\"\n}",
    "@timestamp": "2021-09-28T04:23:33.900566Z",
    "google_cloud_audit": {
        "insertId": "-u8coc0d6n78",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632803013900566",
                    "uniqQualifier": "8894052787391296929"
                },
                "event": [
                    {
                        "eventName": "password_edit",
                        "eventType": "password_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.passwordEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:23:37.724654918Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.passwordEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.recoveryEmailEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1632802942940979\",\n        \"uniqQualifier\": \"-7373127890859496609\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"recovery_info_change\",\n          \"eventName\": \"recovery_email_edit\",\n          \"parameter\": [\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-nkwfupd26zt\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.recoveryEmailEdit\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:22:22.940979Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:22:26.523242112Z\"\n}",
    "@timestamp": "2021-09-28T04:22:22.940979Z",
    "google_cloud_audit": {
        "insertId": "-nkwfupd26zt",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632802942940979",
                    "uniqQualifier": "-7373127890859496609"
                },
                "event": [
                    {
                        "eventName": "recovery_email_edit",
                        "eventType": "recovery_info_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.recoveryEmailEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:22:26.523242112Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.recoveryEmailEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.recoveryPhoneEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"event\": [\n        {\n          \"status\": {\n            \"success\": true\n          },\n          \"eventType\": \"recovery_info_change\",\n          \"eventName\": \"recovery_phone_edit\",\n          \"parameter\": [\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\"\n            }\n          ]\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"activityId\": {\n        \"timeUsec\": \"1632804439611095\",\n        \"uniqQualifier\": \"1470137036135837564\"\n      }\n    }\n  },\n  \"insertId\": \"-1xtrgbd2vl2\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.recoveryPhoneEdit\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:47:19.611095Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:47:25.741574446Z\"}",
    "@timestamp": "2021-09-28T04:47:19.611095Z",
    "google_cloud_audit": {
        "insertId": "-1xtrgbd2vl2",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632804439611095",
                    "uniqQualifier": "1470137036135837564"
                },
                "event": [
                    {
                        "eventName": "recovery_phone_edit",
                        "eventType": "recovery_info_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.recoveryPhoneEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:47:25.741574446Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.recoveryPhoneEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.recoverySecretQaEdit\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"8328506129139272243\",\n        \"timeUsec\": \"1632804455273424\"\n      },\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventName\": \"recovery_secret_qa_edit\",\n          \"eventType\": \"recovery_info_change\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\",\n              \"label\": \"LABEL_OPTIONAL\"\n            }\n          ]\n        }\n      ]\n    }\n  },\n  \"insertId\": \"vn31slcpmy\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"method\": \"google.login.LoginService.recoverySecretQaEdit\",\n      \"service\": \"login.googleapis.com\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T04:47:35.273424Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T04:47:37.650432219Z\"}",
    "@timestamp": "2021-09-28T04:47:35.273424Z",
    "google_cloud_audit": {
        "insertId": "vn31slcpmy",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632804455273424",
                    "uniqQualifier": "8328506129139272243"
                },
                "event": [
                    {
                        "eventName": "recovery_secret_qa_edit",
                        "eventType": "recovery_info_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.recoverySecretQaEdit",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T04:47:37.650432219Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.recoverySecretQaEdit",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.suspiciousLogin\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1620095181000000\",\n        \"uniqQualifier\": \"-2034771694824799453\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"suspicious_login\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-778d70d2n5b\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.suspiciousLogin\"\n    }\n  },\n  \"timestamp\": \"2021-05-04T02:26:21Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
    "@timestamp": "2021-05-04T02:26:21Z",
    "google_cloud_audit": {
        "insertId": "-778d70d2n5b",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1620095181000000",
                    "uniqQualifier": "-2034771694824799453"
                },
                "event": [
                    {
                        "eventName": "suspicious_login",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.suspiciousLogin",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.suspiciousLogin",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.suspiciousLoginLessSecureApp\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1620095181000000\",\n        \"uniqQualifier\": \"-2034771694824799453\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"suspicious_login_less_secure_app\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-778d70d2n5b\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.suspiciousLoginLessSecureApp\"\n    }\n  },\n  \"timestamp\": \"2021-05-04T02:26:21Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
    "@timestamp": "2021-05-04T02:26:21Z",
    "google_cloud_audit": {
        "insertId": "-778d70d2n5b",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1620095181000000",
                    "uniqQualifier": "-2034771694824799453"
                },
                "event": [
                    {
                        "eventName": "suspicious_login_less_secure_app",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.suspiciousLoginLessSecureApp",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {},\n    \"requestMetadata\": {\n      \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.suspiciousProgrammaticLogin\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"timeUsec\": \"1620095181000000\",\n        \"uniqQualifier\": \"-2034771694824799453\"\n      },\n      \"event\": [\n        {\n          \"eventType\": \"account_warning\",\n          \"eventName\": \"suspicious_programmatic_login\",\n          \"parameter\": [\n            {\n              \"name\": \"affected_email_address\",\n              \"value\": \"test-user@example.com\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"type\": \"TYPE_STRING\"\n            }\n          ],\n          \"status\": {\n            \"success\": true\n          }\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-778d70d2n5b\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.suspiciousProgrammaticLogin\"\n    }\n  },\n  \"timestamp\": \"2021-05-04T02:26:21Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
    "@timestamp": "2021-05-04T02:26:21Z",
    "google_cloud_audit": {
        "insertId": "-778d70d2n5b",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1620095181000000",
                    "uniqQualifier": "-2034771694824799453"
                },
                "event": [
                    {
                        "eventName": "suspicious_programmatic_login",
                        "eventType": "account_warning",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "affected_email_address",
                                "type": "TYPE_STRING",
                                "value": "test-user@example.com"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.suspiciousProgrammaticLogin",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
        "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "user": {
        "email": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.titaniumEnroll\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"activityId\": {\n        \"uniqQualifier\": \"4206430548119220064\",\n        \"timeUsec\": \"1632843484846000\"\n      },\n      \"event\": [\n        {\n          \"eventName\": \"titanium_enroll\",\n          \"status\": {\n            \"success\": true\n          },\n          \"parameter\": [\n            {\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"type\": \"TYPE_STRING\",\n              \"name\": \"dusi\"\n            }\n          ],\n          \"eventType\": \"titanium_change\"\n        }\n      ],\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n    }\n  },\n  \"insertId\": \"-bxbn5bd167i\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.titaniumEnroll\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T15:38:04.846Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T15:38:05.969683854Z\"\n}",
    "@timestamp": "2021-09-28T15:38:04.846000Z",
    "google_cloud_audit": {
        "insertId": "-bxbn5bd167i",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632843484846000",
                    "uniqQualifier": "4206430548119220064"
                },
                "event": [
                    {
                        "eventName": "titanium_enroll",
                        "eventType": "titanium_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.titaniumEnroll",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T15:38:05.969683854Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.titaniumEnroll",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}
{
    "message": "{\n  \"protoPayload\": {\n    \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n    \"authenticationInfo\": {\n      \"principalEmail\": \"test-user@example.com\"\n    },\n    \"requestMetadata\": {\n      \"callerIp\": \"203.0.113.255\",\n      \"requestAttributes\": {},\n      \"destinationAttributes\": {}\n    },\n    \"serviceName\": \"login.googleapis.com\",\n    \"methodName\": \"google.login.LoginService.titaniumUnenroll\",\n    \"resourceName\": \"organizations/123\",\n    \"metadata\": {\n      \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n      \"event\": [\n        {\n          \"eventType\": \"titanium_change\",\n          \"status\": {\n            \"success\": true\n          },\n          \"eventName\": \"titanium_unenroll\",\n          \"parameter\": [\n            {\n              \"type\": \"TYPE_STRING\",\n              \"label\": \"LABEL_OPTIONAL\",\n              \"value\": \"INfDlrzP9IH8_QE\",\n              \"name\": \"dusi\"\n            }\n          ]\n        }\n      ],\n      \"activityId\": {\n        \"timeUsec\": \"1632843914653434\",\n        \"uniqQualifier\": \"-6706492269209711994\"\n      }\n    }\n  },\n  \"insertId\": \"-vw60qad1861\",\n  \"resource\": {\n    \"type\": \"audited_resource\",\n    \"labels\": {\n      \"service\": \"login.googleapis.com\",\n      \"method\": \"google.login.LoginService.titaniumUnenroll\"\n    }\n  },\n  \"timestamp\": \"2021-09-28T15:45:14.653434Z\",\n  \"severity\": \"NOTICE\",\n  \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n  \"receiveTimestamp\": \"2021-09-28T15:45:15.862755277Z\"\n}",
    "@timestamp": "2021-09-28T15:45:14.653434Z",
    "google_cloud_audit": {
        "insertId": "-vw60qad1861",
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "metadata": {
                "activityId": {
                    "timeUsec": "1632843914653434",
                    "uniqQualifier": "-6706492269209711994"
                },
                "event": [
                    {
                        "eventName": "titanium_unenroll",
                        "eventType": "titanium_change",
                        "parameter": [
                            {
                                "label": "LABEL_OPTIONAL",
                                "name": "dusi",
                                "type": "TYPE_STRING",
                                "value": "INfDlrzP9IH8_QE"
                            }
                        ],
                        "status": {
                            "success": true
                        }
                    }
                ],
                "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
            },
            "methodName": "google.login.LoginService.titaniumUnenroll",
            "resourceName": "organizations/123",
            "type": "type.googleapis.com/google.cloud.audit.AuditLog"
        },
        "receiveTimestamp": "2021-09-28T15:45:15.862755277Z",
        "resource": {
            "labels": {
                "method": "google.login.LoginService.titaniumUnenroll",
                "service": "login.googleapis.com"
            },
            "type": "audited_resource"
        },
        "severity": "NOTICE"
    },
    "related": {
        "ip": [
            "203.0.113.255"
        ],
        "user": [
            "test-user@example.com"
        ]
    },
    "service": {
        "name": "login.googleapis.com"
    },
    "source": {
        "address": "203.0.113.255",
        "ip": "203.0.113.255"
    },
    "user": {
        "email": "test-user@example.com",
        "name": "test-user@example.com"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
google_cloud_audit.insertId keyword A unique identifier for the log entry.
google_cloud_audit.logName keyword The resource name of the log to which this log entry belongs to.
google_cloud_audit.operation.first bool
google_cloud_audit.operation.id keyword
google_cloud_audit.operation.last bool
google_cloud_audit.operation.producer keyword
google_cloud_audit.protoPayload.authorizationInfo object Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.
google_cloud_audit.protoPayload.metadata.activityId.timeUsec keyword
google_cloud_audit.protoPayload.metadata.activityId.uniqQualifier keyword
google_cloud_audit.protoPayload.metadata.event object
google_cloud_audit.protoPayload.metadata.operationType keyword
google_cloud_audit.protoPayload.metadata.type keyword Other service-specific data about the request, response, and other information associated with the current audited event.
google_cloud_audit.protoPayload.methodName keyword The name of the service method or operation. For API calls, this should be the name of the API method.
google_cloud_audit.protoPayload.request.policy.bindings keyword
google_cloud_audit.protoPayload.request.policy.etag keyword
google_cloud_audit.protoPayload.request.resource keyword
google_cloud_audit.protoPayload.request.type keyword
google_cloud_audit.protoPayload.requestMetadata.requestAttributes.time keyword Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request.
google_cloud_audit.protoPayload.resourceLocation.currentLocations keyword
google_cloud_audit.protoPayload.resourceName keyword The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name.
google_cloud_audit.protoPayload.response.bindings keyword
google_cloud_audit.protoPayload.response.etag keyword
google_cloud_audit.protoPayload.response.type keyword
google_cloud_audit.protoPayload.type keyword protoPayload is an object containing fields of an arbitrary type. An additional field '@type' contains a URI identifying the type. Example: { 'id': 1234, '@type': 'types.example.com/standard/id' }.
google_cloud_audit.receiveTimestamp keyword The time the log entry was received by Logging.
google_cloud_audit.resource.labels.cluster_name keyword
google_cloud_audit.resource.labels.location keyword
google_cloud_audit.resource.labels.method keyword The labels associated with the peer.
google_cloud_audit.resource.labels.node_name keyword
google_cloud_audit.resource.labels.project_id keyword The labels associated with the peer.
google_cloud_audit.resource.labels.service keyword The labels associated with the peer.
google_cloud_audit.resource.labels.topic_id keyword The labels associated with the peer.
google_cloud_audit.resource.type keyword
google_cloud_audit.severity keyword The severity of the log entry.
orchestrator.type keyword Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
service.name keyword Name of the service.
source.ip ip IP address of the source.
user.email keyword User email address.
user.name keyword Short name or login of the user.
user_agent.original keyword Unparsed user_agent string.
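
The mapping shown in the samples above can be reproduced in a few lines, which helps when checking a raw Pub/Sub message against what the intake should produce, and when flagging the login events that weaken account protection. This is an added example, not Sekoia.io's parser: the function names, the WATCHED categories and the fallback of user.email to the affected_email_address parameter (inferred from the suspicious_programmatic_login sample) are assumptions, and the entries are constructed from the samples.

```python
# Event names from the samples on this page; the category labels are
# assumptions made for this example, not Sekoia.io rule names.
WATCHED = {
    "2sv_disable": "mfa_weakened",
    "titanium_unenroll": "mfa_weakened",
    "suspicious_programmatic_login": "account_warning",
}

def normalize(entry: dict) -> dict:
    """Map a raw audit LogEntry to the ECS-style subset shown in the samples."""
    payload = entry.get("protoPayload", {})
    events = payload.get("metadata", {}).get("event", [])
    doc = {"@timestamp": entry.get("timestamp"),  # passed through unchanged
           "service": {"name": payload.get("serviceName")}}
    ip = payload.get("requestMetadata", {}).get("callerIp")
    if ip:
        doc["source"] = {"address": ip, "ip": ip}
        doc["related"] = {"ip": [ip]}
    principal = payload.get("authenticationInfo", {}).get("principalEmail")
    if principal:
        doc["user"] = {"email": principal, "name": principal}
        doc.setdefault("related", {})["user"] = [principal]
    else:
        # authenticationInfo is empty in the suspicious_programmatic_login sample:
        # the account only appears as the affected_email_address parameter.
        for param in (p for e in events for p in e.get("parameter", [])):
            if param.get("name") == "affected_email_address":
                doc["user"] = {"email": param.get("value")}
    return doc

def triage(entry: dict) -> list:
    """Return one finding per successful watched event carried by the entry."""
    doc = normalize(entry)
    events = entry.get("protoPayload", {}).get("metadata", {}).get("event", [])
    found = []
    for event in events:
        category = WATCHED.get(event.get("eventName"))
        if category and event.get("status", {}).get("success"):
            found.append({"category": category, "event": event["eventName"],
                          "user": doc.get("user", {}).get("email"),
                          "source_ip": doc.get("source", {}).get("ip")})
    return found

def make_entry(event_name, principal=None, params=(), ip="203.0.113.255"):
    """Build a constructed LogEntry, trimmed to the fields used above."""
    auth = {"principalEmail": principal} if principal else {}
    event = {"eventName": event_name, "status": {"success": True},
             "parameter": list(params)}
    return {"timestamp": "2021-09-28T15:45:14.653434Z",
            "protoPayload": {"serviceName": "login.googleapis.com",
                             "authenticationInfo": auth,
                             "requestMetadata": {"callerIp": ip},
                             "metadata": {"event": [event]}}}

# Constructed entries modelled on the samples above.
UNENROLL = make_entry("titanium_unenroll", principal="test-user@example.com")
ENROLL = make_entry("titanium_enroll", principal="test-user@example.com")
WARNING = make_entry(
    "suspicious_programmatic_login", ip="2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
    params=[{"name": "affected_email_address", "value": "test-user@example.com"}])

if __name__ == "__main__":
    for sample in (UNENROLL, ENROLL, WARNING):
        print(triage(sample))
```
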

Google Cloud configuration procedure

Prerequisites

  • Google licence Enterprise standard or higher
  • Access to Sekoia.io Intakes and Playbook pages with write permissions
  • Administrator access to the Google Cloud console

Warning

The administrator who performs the configuration MUST explicitly have the role "Logging Admin" activated. This is not the case by default, even for administrator users.

Centralise Google Workspace logs on your Google Cloud

Create a topic

This topic will hold messages to be delivered.

  1. In the Google Cloud console available at console.cloud.google.com, go to your Pub/Sub page
  2. Click Create topic
  3. In the window that opens, enter sekoia-gca-topic in the Topic ID field
  4. Click Create topic

Create a subscription to query the topic

To add a subscription to the topic you just created, complete these steps:

  1. Click the Subscriptions tab
  2. Click Create subscription
  3. Enter sekoia-gca-subscription in the Subscription ID field
  4. Leave the default values for the remaining options
  5. Click Create
  6. Return to the Topics page and click sekoia-gca-topic.

Note

The sekoia-gca-subscription subscription is now attached to the topic sekoia-gca-topic. Google Pub/Sub will deliver all messages sent to sekoia-gca-topic to this subscription.

More information on this procedure is available in the official Google documentation.

Create a project-level log sink

This will be used to capture all logs across this project that should be sent to the Pub/Sub topic created above.

Important

Your account should have the role logging.admin explicitly set, which is not the case for administrator accounts by default. For more information, see the associated documentation.

On the left panel, go to Logs Router then click on Create Sink

  • Sink details

    • Name: sekoia-gca-sink
    • Description: Routing sink to forward audit logs to Sekoia.io
  • Sink destination

    • Select sink service: Cloud Pub/Sub topic
    • Select Cloud Pub/Sub topic: Use a Cloud Pub/Sub topic in a project

Note

Replace [PROJECT_ID] by its value according to your context and [TOPIC_ID] by sekoia-gca-topic.

  • Choose logs to include in sink
    • Choose Include only logs ingested by this organisation
    • In the section "Build inclusion filter", enter the following query:
LOG_ID("cloudaudit.googleapis.com/activity") 
OR LOG_ID("cloudaudit.googleapis.com/data_access")
  • Choose logs to filter out of sink

    • If you have other products on Google Cloud such as virtual machines or Kubernetes that are part of the project, you should apply a filter that excludes these components to avoid collecting their logs in the process
  • Click on CREATE SINK

This should add an entry in the log router sinks list named sekoia-gca-sink with status Enabled and type Cloud Pub/Sub topic.

Note

You cannot create aggregated sinks through the Google Cloud Console. They must be configured and managed through either the API or gcloud CLI tool. Only project-level (non-aggregated) sinks show up in Google Cloud Console. This is what we configured here.
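
The inclusion filter above selects entries by log ID, while the logName field of each entry carries that ID URL-encoded (cloudaudit.googleapis.com%2Fdata_access in the samples). The following added example, which is not part of the original procedure, decodes log names and reports which ones the filter forwards; the function names and the constructed log names are assumptions, and system_event and policy are the two other Cloud Audit Logs streams, which the filter does not name.

```python
from urllib.parse import unquote

# The two log IDs named in the inclusion filter on this page.
SINK_LOG_IDS = {
    "cloudaudit.googleapis.com/activity",
    "cloudaudit.googleapis.com/data_access",
}

def log_id(log_name: str) -> str:
    """Return the URL-decoded log ID from a logName such as
    organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access."""
    _parent, sep, encoded = log_name.partition("/logs/")
    if not sep or not encoded:
        raise ValueError(f"not a logName: {log_name!r}")
    return unquote(encoded)

def routed(log_name: str) -> bool:
    """True when the entry's logName satisfies the sink's inclusion filter."""
    return log_id(log_name) in SINK_LOG_IDS

def coverage(log_names) -> dict:
    """Split log names into those the sink forwards and those it leaves behind."""
    report = {"forwarded": [], "not_forwarded": []}
    for name in log_names:
        report["forwarded" if routed(name) else "not_forwarded"].append(name)
    return report

# Constructed log names; PROJECT_ID is a placeholder.
OBSERVED = [
    "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
    "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event",
    "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy",
    "projects/PROJECT_ID/logs/syslog",
]

if __name__ == "__main__":
    for bucket, names in coverage(OBSERVED).items():
        print(bucket, names)
```
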

Confirm the logs are received in your Pub/Sub

By following these steps, you should see events appearing on the list

  1. Go to your Pub/Sub page, then click on Topics on the left panel
  2. Click on the sekoia-gca-topic topic configured previously
  3. At the bottom of the page, click on the Message tab
  4. Select your project
  5. Click on Pull button

Create a dedicated service account

The service account will be used on Sekoia.io to pull logs available on your Google Cloud instance.

  1. Go to the Create service account page
  2. Select your cloud project
  3. Enter sekoia-gca-service-account as a service account name
  4. Click Create and continue
  5. Set the role Pub/Sub Subscriber
  6. Click Continue, then click Done to finish creating the service account

Note

Ensure that this user has the role Pub/Sub Subscriber in both Topic and Subscription pages. Otherwise, you will get an error with status 403 when you activate the playbook detailed at the bottom of this page.

Find more information in the official Google documentation.

Create and download JSON keys (service account credentials)

To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.

Note

By default, service account keys never expire.

  1. Go to the Service accounts page
  2. Select your cloud project
  3. Click the email address of the service account that you want to create a key for
  4. Click the Keys tab
  5. Click the Add key drop-down menu, then select Create new key
  6. Select JSON as the Key type and click Create

Important

Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.

Find more information in the official Google documentation.

Example of JSON key file

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Sekoia.io configuration procedure

Create your intake

Go to your Sekoia.io Intakes page, and follow these steps:

  1. Click on + Intake button to create a new one
  2. Choose Google Cloud Audit Logs, give it a name and choose the relevant Entity
  3. Click on Create button
  4. Copy the Intake key of this Google Intake.

Note

Save the Intake key in a notepad. It will be used in the next step.

Pull the logs to collect them on Sekoia.io

Go to the Sekoia.io playbook page, and follow these steps:

  • Click on + PLAYBOOK button to create a new one
  • Select Use a template
  • Search for the Google keyword in the search bar and select the template named Forward Google Pubsub records to Sekoia.io

  • Create a Module configuration using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish

  • Create a Trigger configuration using:

    • The Intake key created in the previous step
    • The project ID
    • The subject ID, which is sekoia-gca-subscription
  • Click on the Save button

  • Activate the playbook with the toggle button on the top right corner of the page

Enjoy your events on the Events page