Google Cloud Audit Logs
Overview
Google Cloud Logging centralizes logs from Google Cloud products.
In this documentation, you will learn how to collect and send Google Cloud logs to SEKOIA.IO.
Configure
Before you begin working with PubSub, verify that you have the right permission.
Follow Google's documentation to configure a dedicated PubSub receiver. At the end of the documentation you should have done the following:
- Set up a project
- Create a topic
- Add a subscription (you should have the role `logging.admin` explicitly set on your account; for more information, see associated documentation)
- Try your setup by publishing a message to the topic
Next, create a dedicated service account. At the end of the documentation you should have done the following:
- Create a service account with the role `Pub/Sub Subscriber`
- Create and download JSON keys (service account credentials)
You should now have:
- A credentials file
- A project ID
- A subscription ID
To pull events, you have to:
- Go to the playbooks' page
- Click on `+New playbook` to create a new playbook
- Select `Use a template` when creating a playbook
- Search for `Google Cloud` then select `Forward Google Pubsub records to SEKOIA.IO`
This playbook consumes records from Google Pubsub and pushes them to SEKOIA.IO.
You can also create your own on the same basis by using the "Google Pub/Sub" trigger (Connect to the specified
)
- Use the JSON keys (service account credentials) information downloaded to complete the fields on the trigger
Fields description
Field | Meaning |
---|---|
name | Configuration name |
auth_provider_x509_cert_url | The URL of the public x509 certificate, used to verify the signature on JWTs, such as ID tokens, signed by the authentication provider: https://www.googleapis.com/oauth2/v1/certs |
auth_url | Google authentication URL: https://accounts.google.com/o/oauth2/auth |
client_email | Client email |
client_id | Client id |
client_x509_cert_url | The URL of the public x509 certificate, used to verify JWTs signed by the client |
private_key | Private key |
private_key_id | Private key id |
project_id | Project id |
token_uri | Token server endpoint URI: https://oauth2.googleapis.com/token |
type | Activity type: service_account |
To start sending logs to SEKOIA.IO, create a Logs Router sink with an inclusion filter that fits your needs (read the documentation dedicated to the product you want to monitor).
The last configuration step to set up on the Google side is described on each intake.
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
GCP audit logs | Google Cloud Audit contains logs from multiple Google Cloud sources such as Google Cloud Console and Google Workspace. |
Event Samples
Below are a few samples of events and how they are normalized by SEKOIA.IO.
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.2svDisable\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"-7789616625639281959\",\n \"timeUsec\": \"1632459962686000\"\n },\n \"event\": [\n {\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"eventName\": \"2sv_disable\",\n \"eventType\": \"2sv_change\"\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-tn3jrd3lko\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.2svDisable\"\n }\n },\n \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}",
"@timestamp": "2021-09-24T05:06:02.686Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T05:06:03.845372592Z",
"insertId": "-tn3jrd3lko",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.2svDisable",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventName": "2sv_disable",
"eventType": "2sv_change"
}
],
"activityId": {
"timeUsec": "1632459962686000",
"uniqQualifier": "-7789616625639281959"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.2svDisable",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.2svEnroll\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"1624031130844323135\",\n \"timeUsec\": \"1632458745769000\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventType\": \"2sv_change\",\n \"status\": {\n \"success\": true\n },\n \"eventName\": \"2sv_enroll\",\n \"parameter\": [\n {\n \"value\": \"INfDlrzP9IH8_QE\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"dusi\"\n }\n ]\n }\n ]\n }\n },\n \"insertId\": \"g3k8gid3b3p\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.2svEnroll\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T04:45:45.769Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T04:45:46.331843829Z\"\n}",
"@timestamp": "2021-09-24T04:45:45.769Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T04:45:46.331843829Z",
"insertId": "g3k8gid3b3p",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.2svEnroll",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "2sv_change",
"status": {
"success": true
},
"eventName": "2sv_enroll",
"parameter": [
{
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "dusi"
}
]
}
],
"activityId": {
"timeUsec": "1632458745769000",
"uniqQualifier": "1624031130844323135"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.2svEnroll",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledGeneric\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619825589352000\",\n \"uniqQualifier\": \"-3303614929287073633\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_generic\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"nlgrf8d6ygj\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledGeneric\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}",
"@timestamp": "2021-04-30T23:33:09.352Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z",
"insertId": "nlgrf8d6ygj",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledGeneric",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_generic",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.accountDisabledGeneric",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledHijacked\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619825589352000\",\n \"uniqQualifier\": \"-3303614929287073633\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_hijacked\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"nlgrf8d6ygj\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledHijacked\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}",
"@timestamp": "2021-04-30T23:33:09.352Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z",
"insertId": "nlgrf8d6ygj",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledHijacked",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_hijacked",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.accountDisabledHijacked",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619808083475000\",\n \"uniqQualifier\": \"6286848759980589624\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_password_leak\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-xkklkzcxkl\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
"@timestamp": "2021-04-30T18:41:23.475Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
"insertId": "-xkklkzcxkl",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledPasswordLeak",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_password_leak",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.accountDisabledPasswordLeak",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledSpamming\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619808083475000\",\n \"uniqQualifier\": \"6286848759980589624\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_spamming\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-xkklkzcxkl\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledSpamming\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
"@timestamp": "2021-04-30T18:41:23.475Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
"insertId": "-xkklkzcxkl",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpamming",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.accountDisabledSpamming",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619808083475000\",\n \"uniqQualifier\": \"6286848759980589624\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_spamming_through_relay\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-xkklkzcxkl\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}",
"@timestamp": "2021-04-30T18:41:23.475Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z",
"insertId": "-xkklkzcxkl",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming_through_relay",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.2svDisable\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"-7789616625639281959\",\n \"timeUsec\": \"1632459962686000\"\n },\n \"event\": [\n {\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"eventName\": \"2sv_disable\",\n \"eventType\": \"2sv_change\"\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-tn3jrd3lko\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.2svDisable\"\n }\n },\n \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}\n",
"@timestamp": "2021-09-24T05:06:02.686Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T05:06:03.845372592Z",
"insertId": "-tn3jrd3lko",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.2svDisable",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventName": "2sv_disable",
"eventType": "2sv_change"
}
],
"activityId": {
"timeUsec": "1632459962686000",
"uniqQualifier": "-7789616625639281959"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.2svDisable",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"-5683698025624301037\",\n \"timeUsec\": \"1632501152256000\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"email_forwarding_out_of_domain\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"test-user@google.com\",\n \"name\": \"email_forwarding_destination_address\"\n }\n ],\n \"eventType\": \"email_forwarding_change\"\n }\n ]\n }\n },\n \"insertId\": \"rrcp9gd3y2f\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T16:32:32.256Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T16:32:33.319260836Z\"\n}",
"@timestamp": "2021-09-24T16:32:32.256Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T16:32:33.319260836Z",
"insertId": "rrcp9gd3y2f",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.emailForwardingOutOfDomain",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "email_forwarding_out_of_domain",
"status": {
"success": true
},
"parameter": [
{
"name": "dusi",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "test-user@google.com",
"name": "email_forwarding_destination_address"
}
],
"eventType": "email_forwarding_change"
}
],
"activityId": {
"timeUsec": "1632501152256000",
"uniqQualifier": "-5683698025624301037"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.emailForwardingOutOfDomain",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\"insertId\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kube-scheduler\\\" of ClusterRole \\\"system:kube-scheduler\\\" to User \\\"system:kube-scheduler\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kube-scheduler\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.coordination.v1.leases.update\",\"resource\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\"}],\"methodName\":\"io.k8s.coordination.v1.leases.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election\"},\"resourceName\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-14T14:32:10.838967694Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-14T14:32:09.910723Z\"}",
"@timestamp": "2022-06-14T14:32:09.910723Z",
"google_cloud_audit": {
"receiveTimestamp": "2022-06-14T14:32:10.838967694Z",
"insertId": "2f93b0a6-f932-4d91-ad61-785ae9587360",
"logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
"resource": {
"type": "k8s_cluster",
"labels": {
"project_id": "hazel-aria-348413",
"cluster_name": "cluster-1",
"location": "europe-central2-a"
}
},
"protoPayload": {
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authorizationInfo": [
{
"granted": true,
"permission": "io.k8s.coordination.v1.leases.update",
"resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler"
}
],
"methodName": "io.k8s.coordination.v1.leases.update",
"resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler"
},
"operation": {
"id": "2f93b0a6-f932-4d91-ad61-785ae9587360",
"first": true,
"last": true,
"producer": "k8s.io"
}
},
"user": {
"name": "system:kube-scheduler"
},
"service": {
"name": "k8s.io"
},
"source": {
"ip": "10.186.0.146",
"address": "10.186.0.146"
},
"user_agent": {
"original": "kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election",
"device": {
"name": "Other"
},
"name": "Other",
"os": {
"name": "Linux"
}
},
"related": {
"ip": [
"10.186.0.146"
],
"user": [
"system:kube-scheduler"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.govAttackWarning\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619825837106000\",\n \"uniqQualifier\": \"7230131091737932677\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"gov_attack_warning\",\n \"eventType\": \"attack_warning\",\n \"status\": {\n \"success\": true\n }\n }\n ]\n }\n },\n \"insertId\": \"bxuophd1vlw\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.govAttackWarning\"\n }\n },\n \"timestamp\": \"2021-04-30T23:37:17.106Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T23:37:18.488559815Z\"\n}",
"@timestamp": "2021-04-30T23:37:17.106Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-04-30T23:37:18.488559815Z",
"insertId": "bxuophd1vlw",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.govAttackWarning",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "gov_attack_warning",
"eventType": "attack_warning",
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1619825837106000",
"uniqQualifier": "7230131091737932677"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.govAttackWarning",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\"insertId\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kubestore-collector\\\" of ClusterRole \\\"system:kubestore-collector\\\" to User \\\"system:kubestore-collector\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kubestore-collector\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.core.v1.configmaps.update\",\"resource\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\"}],\"methodName\":\"io.k8s.core.v1.configmaps.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format\"},\"resourceName\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T07:27:38.524909478Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-15T07:27:36.652663Z\"}\n\n",
"@timestamp": "2022-06-15T07:27:36.652663Z",
"google_cloud_audit": {
"receiveTimestamp": "2022-06-15T07:27:38.524909478Z",
"insertId": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
"logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
"resource": {
"type": "k8s_cluster",
"labels": {
"project_id": "hazel-aria-348413",
"cluster_name": "cluster-1",
"location": "europe-central2-a"
}
},
"protoPayload": {
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authorizationInfo": [
{
"granted": true,
"permission": "io.k8s.core.v1.configmaps.update",
"resource": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore"
}
],
"methodName": "io.k8s.core.v1.configmaps.update",
"resourceName": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore"
},
"operation": {
"id": "9d92cd5d-5043-4c8d-9a3b-92c0be113704",
"first": true,
"last": true,
"producer": "k8s.io"
}
},
"user": {
"name": "system:kubestore-collector"
},
"service": {
"name": "k8s.io"
},
"source": {
"ip": "10.186.0.146",
"address": "10.186.0.146"
},
"user_agent": {
"original": "kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format",
"device": {
"name": "Other"
},
"name": "Other",
"os": {
"name": "Linux"
}
},
"related": {
"ip": [
"10.186.0.146"
],
"user": [
"system:kubestore-collector"
]
}
}
{
"message": "{\"insertId\":\"ofj3qoe4mbih\",\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1655309832996-a5fd6e18\",\"last\":true,\"producer\":\"container.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"metadata\":{\"operationType\":\"DELETE_CLUSTER\"},\"methodName\":\"google.container.v1.ClusterManager.DeleteCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"resourceLocation\":{\"currentLocations\":[\"europe-central2-a\"]},\"resourceName\":\"projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1\",\"serviceName\":\"container.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T16:19:48.068568099Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"gke_cluster\"},\"severity\":\"NOTICE\",\"timestamp\":\"2022-06-15T16:19:47.720234784Z\"}",
"@timestamp": "2022-06-15T16:19:47.720234784Z",
"google_cloud_audit": {
"receiveTimestamp": "2022-06-15T16:19:48.068568099Z",
"insertId": "ofj3qoe4mbih",
"logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity",
"severity": "NOTICE",
"resource": {
"type": "gke_cluster",
"labels": {
"project_id": "hazel-aria-348413",
"cluster_name": "cluster-1",
"location": "europe-central2-a"
}
},
"protoPayload": {
"metadata": {
"operationType": "DELETE_CLUSTER"
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.container.v1.ClusterManager.DeleteCluster",
"resourceName": "projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1",
"resourceLocation": {
"currentLocations": [
"europe-central2-a"
]
}
},
"operation": {
"id": "operation-1655309832996-a5fd6e18",
"last": true,
"producer": "container.googleapis.com"
}
},
"service": {
"name": "container.googleapis.com"
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginChallenge\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"login_challenge\",\n \"parameter\": [\n {\n \"name\": \"login_type\",\n \"value\": \"google_password\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_REPEATED\",\n \"name\": \"login_challenge_method\",\n \"multiStrValue\": [\n \"idv_preregistered_phone\"\n ]\n },\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"incorrect_answer_entered\",\n \"name\": \"login_challenge_status\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"IOWJlfPwgvrTfg\"\n }\n ],\n \"eventType\": \"login\"\n }\n ],\n \"activityId\": {\n \"timeUsec\": \"1632500217183211\",\n \"uniqQualifier\": \"358068855354\"\n }\n }\n },\n \"insertId\": \"-nahbepd4l2j\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.loginChallenge\"\n }\n },\n \"timestamp\": \"2021-09-24T16:16:57.183211Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T17:51:28.041126044Z\"}",
"@timestamp": "2021-09-24T16:16:57.183211Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T17:51:28.041126044Z",
"insertId": "-nahbepd4l2j",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginChallenge",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_challenge",
"parameter": [
{
"name": "login_type",
"value": "google_password",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "incorrect_answer_entered",
"name": "login_challenge_status"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "IOWJlfPwgvrTfg"
}
],
"eventType": "login"
}
],
"activityId": {
"timeUsec": "1632500217183211",
"uniqQualifier": "358068855354"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.loginChallenge",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginFailure\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"event\": [\n {\n \"eventName\": \"login_failure\",\n \"eventType\": \"login\",\n \"parameter\": [\n {\n \"value\": \"google_password\",\n \"type\": \"TYPE_STRING\",\n \"name\": \"login_type\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"name\": \"login_challenge_method\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_REPEATED\",\n \"multiStrValue\": [\n \"password\",\n \"idv_preregistered_phone\",\n \"idv_preregistered_phone\"\n ]\n },\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"IOWJlfPwgvrTfg\"\n }\n ]\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"358068855354\",\n \"timeUsec\": \"1632500217183212\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-nahbepd4l1x\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.loginFailure\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T16:16:57.183212Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T17:51:25.034361197Z\"\n}",
"@timestamp": "2021-09-24T16:16:57.183212Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T17:51:25.034361197Z",
"insertId": "-nahbepd4l1x",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginFailure",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_failure",
"eventType": "login",
"parameter": [
{
"value": "google_password",
"type": "TYPE_STRING",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"multiStrValue": [
"password",
"idv_preregistered_phone",
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING",
"value": "IOWJlfPwgvrTfg"
}
]
}
],
"activityId": {
"timeUsec": "1632500217183212",
"uniqQualifier": "358068855354"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.loginFailure",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginSuccess\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"activityId\": {\n \"timeUsec\": \"1632458429811809\",\n \"uniqQualifier\": \"358068855354\"\n },\n \"event\": [\n {\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"value\": \"google_password\",\n \"name\": \"login_type\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"name\": \"login_challenge_method\",\n \"label\": \"LABEL_REPEATED\",\n \"type\": \"TYPE_STRING\",\n \"multiStrValue\": [\n \"password\"\n ]\n },\n {\n \"type\": \"TYPE_BOOL\",\n \"boolValue\": false,\n \"name\": \"is_suspicious\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\"\n }\n ],\n \"eventType\": \"login\",\n \"eventName\": \"login_success\"\n }\n ]\n }\n },\n \"insertId\": \"ci1svzd3hfk\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.loginSuccess\"\n }\n },\n \"timestamp\": \"2021-09-24T04:40:29.811809Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T05:43:20.474338130Z\"\n}",
"@timestamp": "2021-09-24T04:40:29.811809Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T05:43:20.474338130Z",
"insertId": "ci1svzd3hfk",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginSuccess",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"parameter": [
{
"type": "TYPE_STRING",
"value": "google_password",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"label": "LABEL_REPEATED",
"type": "TYPE_STRING",
"multiStrValue": [
"password"
]
},
{
"type": "TYPE_BOOL",
"boolValue": false,
"name": "is_suspicious",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
}
],
"eventType": "login",
"eventName": "login_success"
}
],
"activityId": {
"timeUsec": "1632458429811809",
"uniqQualifier": "358068855354"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.loginSuccess",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginVerification\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"login_verification\",\n \"parameter\": [\n {\n \"name\": \"login_type\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"google_password\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"name\": \"login_challenge_method\",\n \"multiStrValue\": [\n \"idv_preregistered_phone\"\n ],\n \"label\": \"LABEL_REPEATED\",\n \"type\": \"TYPE_STRING\"\n },\n {\n \"value\": \"passed\",\n \"name\": \"login_challenge_status\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"value\": \"INfDlrzP9IH8_QE\",\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\"\n },\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"boolValue\": true,\n \"type\": \"TYPE_BOOL\",\n \"name\": \"is_second_factor\"\n }\n ],\n \"eventType\": \"login\"\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"358068855354\",\n \"timeUsec\": \"1632459936762000\"\n }\n }\n },\n \"insertId\": \"ivb9z4d41rh\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.loginVerification\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T05:05:36.762Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T06:39:22.386813664Z\"\n}",
"@timestamp": "2021-09-24T05:05:36.762Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T06:39:22.386813664Z",
"insertId": "ivb9z4d41rh",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginVerification",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_verification",
"parameter": [
{
"name": "login_type",
"type": "TYPE_STRING",
"value": "google_password",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
],
"label": "LABEL_REPEATED",
"type": "TYPE_STRING"
},
{
"value": "passed",
"name": "login_challenge_status",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING"
},
{
"label": "LABEL_OPTIONAL",
"boolValue": true,
"type": "TYPE_BOOL",
"name": "is_second_factor"
}
],
"eventType": "login"
}
],
"activityId": {
"timeUsec": "1632459936762000",
"uniqQualifier": "358068855354"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.loginVerification",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.logout\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"event\": [\n {\n \"eventName\": \"logout\",\n \"eventType\": \"login\",\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"login_type\",\n \"value\": \"google_password\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\"\n }\n ]\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"358068855354\",\n \"timeUsec\": \"1632459903014598\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"v37ytid14th\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.logout\"\n }\n },\n \"timestamp\": \"2021-09-24T05:05:03.014598Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T06:39:22.229734504Z\"\n}",
"@timestamp": "2021-09-24T05:05:03.014598Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-24T06:39:22.229734504Z",
"insertId": "v37ytid14th",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.logout",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "logout",
"eventType": "login",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "login_type",
"value": "google_password"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE"
}
]
}
],
"activityId": {
"timeUsec": "1632459903014598",
"uniqQualifier": "358068855354"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.logout",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.passwordEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"password_edit\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"eventType\": \"password_change\"\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"8894052787391296929\",\n \"timeUsec\": \"1632803013900566\"\n }\n }\n },\n \"insertId\": \"-u8coc0d6n78\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.passwordEdit\"\n }\n },\n \"timestamp\": \"2021-09-28T04:23:33.900566Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:23:37.724654918Z\"\n}",
"@timestamp": "2021-09-28T04:23:33.900566Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-28T04:23:37.724654918Z",
"insertId": "-u8coc0d6n78",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.passwordEdit",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "password_edit",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventType": "password_change"
}
],
"activityId": {
"timeUsec": "1632803013900566",
"uniqQualifier": "8894052787391296929"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.passwordEdit",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.recoveryEmailEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1632802942940979\",\n \"uniqQualifier\": \"-7373127890859496609\"\n },\n \"event\": [\n {\n \"eventType\": \"recovery_info_change\",\n \"eventName\": \"recovery_email_edit\",\n \"parameter\": [\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-nkwfupd26zt\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.recoveryEmailEdit\"\n }\n },\n \"timestamp\": \"2021-09-28T04:22:22.940979Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:22:26.523242112Z\"\n}",
"@timestamp": "2021-09-28T04:22:22.940979Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-28T04:22:26.523242112Z",
"insertId": "-nkwfupd26zt",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.recoveryEmailEdit",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "recovery_info_change",
"eventName": "recovery_email_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1632802942940979",
"uniqQualifier": "-7373127890859496609"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.recoveryEmailEdit",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.recoveryPhoneEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"event\": [\n {\n \"status\": {\n \"success\": true\n },\n \"eventType\": \"recovery_info_change\",\n \"eventName\": \"recovery_phone_edit\",\n \"parameter\": [\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\"\n }\n ]\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"activityId\": {\n \"timeUsec\": \"1632804439611095\",\n \"uniqQualifier\": \"1470137036135837564\"\n }\n }\n },\n \"insertId\": \"-1xtrgbd2vl2\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.recoveryPhoneEdit\"\n }\n },\n \"timestamp\": \"2021-09-28T04:47:19.611095Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:47:25.741574446Z\"}",
"@timestamp": "2021-09-28T04:47:19.611095Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-28T04:47:25.741574446Z",
"insertId": "-1xtrgbd2vl2",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.recoveryPhoneEdit",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"status": {
"success": true
},
"eventType": "recovery_info_change",
"eventName": "recovery_phone_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
]
}
],
"activityId": {
"timeUsec": "1632804439611095",
"uniqQualifier": "1470137036135837564"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.recoveryPhoneEdit",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.recoverySecretQaEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"8328506129139272243\",\n \"timeUsec\": \"1632804455273424\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"recovery_secret_qa_edit\",\n \"eventType\": \"recovery_info_change\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\",\n \"label\": \"LABEL_OPTIONAL\"\n }\n ]\n }\n ]\n }\n },\n \"insertId\": \"vn31slcpmy\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.recoverySecretQaEdit\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-28T04:47:35.273424Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:47:37.650432219Z\"}",
"@timestamp": "2021-09-28T04:47:35.273424Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-28T04:47:37.650432219Z",
"insertId": "vn31slcpmy",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.recoverySecretQaEdit",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "recovery_secret_qa_edit",
"eventType": "recovery_info_change",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"label": "LABEL_OPTIONAL"
}
]
}
],
"activityId": {
"timeUsec": "1632804455273424",
"uniqQualifier": "8328506129139272243"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.recoverySecretQaEdit",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.suspiciousLogin\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1620095181000000\",\n \"uniqQualifier\": \"-2034771694824799453\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"suspicious_login\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-778d70d2n5b\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.suspiciousLogin\"\n }\n },\n \"timestamp\": \"2021-05-04T02:26:21Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
"@timestamp": "2021-05-04T02:26:21Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
"insertId": "-778d70d2n5b",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.suspiciousLogin",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.suspiciousLogin",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.suspiciousLoginLessSecureApp\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1620095181000000\",\n \"uniqQualifier\": \"-2034771694824799453\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"suspicious_login_less_secure_app\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-778d70d2n5b\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.suspiciousLoginLessSecureApp\"\n }\n },\n \"timestamp\": \"2021-05-04T02:26:21Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
"@timestamp": "2021-05-04T02:26:21Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
"insertId": "-778d70d2n5b",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.suspiciousLoginLessSecureApp",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login_less_secure_app",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.suspiciousProgrammaticLogin\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1620095181000000\",\n \"uniqQualifier\": \"-2034771694824799453\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"suspicious_programmatic_login\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-778d70d2n5b\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.suspiciousProgrammaticLogin\"\n }\n },\n \"timestamp\": \"2021-05-04T02:26:21Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}",
"@timestamp": "2021-05-04T02:26:21Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
"insertId": "-778d70d2n5b",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.suspiciousProgrammaticLogin",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_programmatic_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"related": {
"ip": [
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.titaniumEnroll\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"4206430548119220064\",\n \"timeUsec\": \"1632843484846000\"\n },\n \"event\": [\n {\n \"eventName\": \"titanium_enroll\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\"\n }\n ],\n \"eventType\": \"titanium_change\"\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-bxbn5bd167i\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.titaniumEnroll\"\n }\n },\n \"timestamp\": \"2021-09-28T15:38:04.846Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T15:38:05.969683854Z\"\n}",
"@timestamp": "2021-09-28T15:38:04.846Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-28T15:38:05.969683854Z",
"insertId": "-bxbn5bd167i",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.titaniumEnroll",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "titanium_enroll",
"status": {
"success": true
},
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
],
"eventType": "titanium_change"
}
],
"activityId": {
"timeUsec": "1632843484846000",
"uniqQualifier": "4206430548119220064"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.titaniumEnroll",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
{
"message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.titaniumUnenroll\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventType\": \"titanium_change\",\n \"status\": {\n \"success\": true\n },\n \"eventName\": \"titanium_unenroll\",\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ]\n }\n ],\n \"activityId\": {\n \"timeUsec\": \"1632843914653434\",\n \"uniqQualifier\": \"-6706492269209711994\"\n }\n }\n },\n \"insertId\": \"-vw60qad1861\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.titaniumUnenroll\"\n }\n },\n \"timestamp\": \"2021-09-28T15:45:14.653434Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T15:45:15.862755277Z\"\n}",
"@timestamp": "2021-09-28T15:45:14.653434Z",
"google_cloud_audit": {
"receiveTimestamp": "2021-09-28T15:45:15.862755277Z",
"insertId": "-vw60qad1861",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"severity": "NOTICE",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.titaniumUnenroll",
"service": "login.googleapis.com"
}
},
"protoPayload": {
"metadata": {
"type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "titanium_change",
"status": {
"success": true
},
"eventName": "titanium_unenroll",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
]
}
],
"activityId": {
"timeUsec": "1632843914653434",
"uniqQualifier": "-6706492269209711994"
}
},
"type": "type.googleapis.com/google.cloud.audit.AuditLog",
"methodName": "google.login.LoginService.titaniumUnenroll",
"resourceName": "organizations/123"
}
},
"user": {
"email": "test-user@example.com",
"name": "test-user@example.com"
},
"service": {
"name": "login.googleapis.com"
},
"source": {
"ip": "203.0.113.255",
"address": "203.0.113.255"
},
"related": {
"ip": [
"203.0.113.255"
],
"user": [
"test-user@example.com"
]
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
google_cloud_audit.insertId | keyword | A unique identifier for the log entry. |
google_cloud_audit.logName | keyword | The resource name of the log to which this log entry belongs. |
google_cloud_audit.operation.first | bool | |
google_cloud_audit.operation.id | keyword | |
google_cloud_audit.operation.last | bool | |
google_cloud_audit.operation.producer | keyword | |
google_cloud_audit.protoPayload.authorizationInfo | object | Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple. |
google_cloud_audit.protoPayload.metadata.activityId.timeUsec | keyword | |
google_cloud_audit.protoPayload.metadata.activityId.uniqQualifier | keyword | |
google_cloud_audit.protoPayload.metadata.event | object | |
google_cloud_audit.protoPayload.metadata.operationType | keyword | |
google_cloud_audit.protoPayload.metadata.type | keyword | Other service-specific data about the request, response, and other information associated with the current audited event. |
google_cloud_audit.protoPayload.methodName | keyword | The name of the service method or operation. For API calls, this should be the name of the API method. |
google_cloud_audit.protoPayload.request.policy.bindings | keyword | |
google_cloud_audit.protoPayload.request.policy.etag | keyword | |
google_cloud_audit.protoPayload.request.resource | keyword | |
google_cloud_audit.protoPayload.request.type | keyword | |
google_cloud_audit.protoPayload.requestMetadata.requestAttributes.time | keyword | Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request. |
google_cloud_audit.protoPayload.resourceLocation.currentLocations | keyword | |
google_cloud_audit.protoPayload.resourceName | keyword | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. |
google_cloud_audit.protoPayload.response.bindings | keyword | |
google_cloud_audit.protoPayload.response.etag | keyword | |
google_cloud_audit.protoPayload.response.type | keyword | |
google_cloud_audit.protoPayload.type | keyword | protoPayload is an object containing fields of an arbitrary type. An additional field '@type' contains a URI identifying the type. Example: { 'id': 1234, '@type': 'types.example.com/standard/id' }. |
google_cloud_audit.receiveTimestamp | keyword | The time the log entry was received by Logging. |
google_cloud_audit.resource.labels.cluster_name | keyword | |
google_cloud_audit.resource.labels.location | keyword | |
google_cloud_audit.resource.labels.method | keyword | The labels associated with the peer. |
google_cloud_audit.resource.labels.node_name | keyword | |
google_cloud_audit.resource.labels.project_id | keyword | The labels associated with the peer. |
google_cloud_audit.resource.labels.service | keyword | The labels associated with the peer. |
google_cloud_audit.resource.labels.topic_id | keyword | The labels associated with the peer. |
google_cloud_audit.resource.type | keyword | |
google_cloud_audit.severity | keyword | The severity of the log entry. |
orchestrator.type | keyword | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). |
service.name | keyword | Name of the service. |
source.ip | ip | IP address of the source. |
user.email | keyword | User email address. |
user.name | keyword | Short name or login of the user. |
user_agent.original | keyword | Unparsed user_agent string. |
Google Workspace configuration
To begin, follow the official documentation to share audit logs with Google Cloud.
Once log sharing is activated, you should be able to see Google Workspace events in Google Cloud Log Explorer.
To forward these events to SEKOIA.IO, go to Logs Router > Create Sink and enter the information related to your PubSub topic (Google Cloud related documentation).
Your inclusion filter should contain the following (don't forget to specify your organization ID):
protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
logName="organizations/<YOUR ORGANISATION ID>/logs/cloudaudit.googleapis.com%2Factivity"
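To check locally which entries the inclusion filter above would route to the Pub/Sub topic, the following added example (not part of the original documentation or of SEKOIA.IO's code) re-implements its two comparisons in Python over constructed log entries. The helper names, the sample entries and the use of exact string equality are assumptions of this sketch.

```python
import json

AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
ACTIVITY_LOG = "organizations/{org_id}/logs/cloudaudit.googleapis.com%2Factivity"

# Constructed LogEntry samples. The second mirrors the logName of the login
# events shown earlier on this page; "example.AdminMethod" is a placeholder.
SAMPLE_ENTRIES = [
    json.dumps({"protoPayload": {"@type": AUDIT_TYPE, "methodName": "example.AdminMethod"},
                "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity"}),
    json.dumps({"protoPayload": {"@type": AUDIT_TYPE,
                                 "methodName": "google.login.LoginService.titaniumUnenroll"},
                "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access"}),
    json.dumps({"protoPayload": {"@type": AUDIT_TYPE, "methodName": "example.AdminMethod"},
                "logName": "organizations/456/logs/cloudaudit.googleapis.com%2Factivity"}),
    json.dumps({"textPayload": "not an audit log",
                "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity"}),
]


def matches_sink_filter(entry: dict, org_id: str) -> bool:
    """Evaluate the two-line inclusion filter against one LogEntry dict.

    Filter lines with no operator between them are joined with an implicit
    AND, so both comparisons must hold. Assumption: exact string equality.
    """
    payload = entry.get("protoPayload") or {}
    return (payload.get("@type") == AUDIT_TYPE
            and entry.get("logName") == ACTIVITY_LOG.format(org_id=org_id))


def audit_stream(entry: dict) -> str:
    """Return the part of logName after the last '%2F' (e.g. 'activity')."""
    return entry.get("logName", "").rpartition("%2F")[2]


def partition_entries(raw_entries, org_id):
    """Split raw JSON entries into (exported, dropped) lists of (method, stream)."""
    exported, dropped = [], []
    for raw in raw_entries:
        entry = json.loads(raw)
        method = (entry.get("protoPayload") or {}).get("methodName", "?")
        bucket = exported if matches_sink_filter(entry, org_id) else dropped
        bucket.append((method, audit_stream(entry)))
    return exported, dropped


if __name__ == "__main__":
    exported, dropped = partition_entries(SAMPLE_ENTRIES, "123")
    print("exported:", exported)
    print("dropped: ", dropped)
```

With organization ID 123, only the first entry is exported. An entry whose logName ends in `%2Fdata_access`, as in the login samples above, does not match the filter as written, and neither does an entry from another organization.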