Beispiele für Google Workspace Login Audit

In diesem Dokument finden Sie Beispiele für Audit-Logs, die von der Google Workspace-Anmeldeprüfung an Google Cloud gesendet werden.

Weitere Informationen zu den Ereignissen und Parametern für verschiedene Arten von Audit-Aktivitätsereignissen zu Anmeldeaktivitäten finden Sie in der Referenz zu Audit-Aktivitätsereignissen zu Anmeldeaktivitäten.

Verfügbare Audit-Logs für die Anmeldung

In der folgenden Tabelle sind die von der Anmeldeprüfung generierten Audit-Logs und die entsprechenden AuditLog.method_name aufgeführt:

Beschreibung Ereignisname AuditLog.method_name
Ereignistyp: Anmeldung für die Bestätigung in zwei Schritten geändert
2-Faktor-Authentifizierung deaktiviert 2sv_disable google.login.LoginService.2svDisable
Für die 2-Faktor-Authentifizierung angemeldet 2sv_enroll google.login.LoginService.2svEnroll
Ereignistyp: Kontopasswort geändert
Kontopasswort geändert password_edit google.login.LoginService.passwordEdit
Ereignistyp: Informationen zur Kontowiederherstellung geändert
E-Mail-Adresse zur Kontowiederherstellung geändert recovery_email_edit google.login.LoginService.recoveryEmailEdit
Telefonnummer zur Kontowiederherstellung geändert recovery_phone_edit google.login.LoginService.recoveryPhoneEdit
Geheime Frage/Antwort zur Kontowiederherstellung geändert recovery_secret_qa_edit google.login.LoginService.recoverySecretQaEdit
Ereignistyp: Kontowarnung
Passwort gehackt account_disabled_password_leak google.login.LoginService.accountDisabledPasswordLeak
Riskante, vertrauliche Aktion erlaubt risky_sensitive_action_allowed google.login.LoginService.riskySensitiveActionAllowed
Riskante, vertrauliche Aktion blockiert risky_sensitive_action_blocked google.login.LoginService.riskySensitiveActionBlocked
Verdächtige Anmeldung blockiert suspicious_login google.login.LoginService.suspiciousLogin
Verdächtige Anmeldung über eine weniger sichere App blockiert suspicious_login_less_secure_app google.login.LoginService.suspiciousLoginLessSecureApp
Verdächtiger programmatischer Anmeldeversuch blockiert suspicious_programmatic_login google.login.LoginService.suspiciousProgrammaticLogin
Nutzer gesperrt account_disabled_generic google.login.LoginService.accountDisabledGeneric
Nutzer gesperrt (Relay-Spam) account_disabled_spamming_through_relay google.login.LoginService.accountDisabledSpammingThroughRelay
Nutzer gesperrt (Spam) account_disabled_spamming google.login.LoginService.accountDisabledSpamming
Nutzer gesperrt (verdächtige Aktivität) account_disabled_hijacked google.login.LoginService.accountDisabledHijacked
Ereignistyp: Anmeldung für das erweiterte Sicherheitsprogramm geändert
Anmeldung für das erweiterte Sicherheitsprogramm titanium_enroll google.login.LoginService.titaniumEnroll
Vom erweiterten Sicherheitsprogramm abmelden titanium_unenroll google.login.LoginService.titaniumUnenroll
Ereignistyp: Angriffswarnung
Von einer Regierung unterstützter Angriff gov_attack_warning google.login.LoginService.govAttackWarning
Ereignistyp: Einstellungen für die E-Mail-Weiterleitung geändert
E-Mail-Weiterleitung außerhalb der Domain aktiviert email_forwarding_out_of_domain google.login.LoginService.emailForwardingOutOfDomain
Ereignistyp: Anmeldung
Fehler bei der Anmeldung login_failure google.login.LoginService.loginFailure
Identitätsbestätigung login_challenge google.login.LoginService.loginChallenge
Anmeldebestätigung login_verification google.login.LoginService.loginVerification
Abmelden logout google.login.LoginService.logout
Erfolgreiche Anmeldung login_success google.login.LoginService.loginSuccess

Beispiele

Im Folgenden finden Sie Beispiele für Audit-Logs für die Prüfung von Anmeldeaktivitäten nach Ereignistyp und Ereignisname.

2sv_disable

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.2svDisable",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "-7789616625639281959",
        "timeUsec": "1632459962686000"
      },
      "event": [
        {
          "status": {
            "success": true
          },
          "parameter": [
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "value": "INfDlrzP9IH8_QE",
              "name": "dusi"
            }
          ],
          "eventName": "2sv_disable",
          "eventType": "2sv_change"
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-tn3jrd3lko",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.2svDisable"
    }
  },
  "timestamp": "2021-09-24T05:06:02.686Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T05:06:03.845372592Z"
}

2sv_enroll

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.2svEnroll",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "1624031130844323135",
        "timeUsec": "1632458745769000"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventType": "2sv_change",
          "status": {
            "success": true
          },
          "eventName": "2sv_enroll",
          "parameter": [
            {
              "value": "INfDlrzP9IH8_QE",
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "name": "dusi"
            }
          ]
        }
      ]
    }
  },
  "insertId": "g3k8gid3b3p",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.2svEnroll",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T04:45:45.769Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T04:45:46.331843829Z"
}

password_edit

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.passwordEdit",
    "resourceName": "organizations/123",
    "metadata": {
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "password_edit",
          "status": {
            "success": true
          },
          "parameter": [
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "value": "INfDlrzP9IH8_QE",
              "name": "dusi"
            }
          ],
          "eventType": "password_change"
        }
      ],
      "activityId": {
        "uniqQualifier": "8894052787391296929",
        "timeUsec": "1632803013900566"
      }
    }
  },
  "insertId": "-u8coc0d6n78",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.passwordEdit"
    }
  },
  "timestamp": "2021-09-28T04:23:33.900566Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-28T04:23:37.724654918Z"
}

recovery_email_edit

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.recoveryEmailEdit",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1632802942940979",
        "uniqQualifier": "-7373127890859496609"
      },
      "event": [
        {
          "eventType": "recovery_info_change",
          "eventName": "recovery_email_edit",
          "parameter": [
            {
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING",
              "value": "INfDlrzP9IH8_QE",
              "name": "dusi"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-nkwfupd26zt",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.recoveryEmailEdit"
    }
  },
  "timestamp": "2021-09-28T04:22:22.940979Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-28T04:22:26.523242112Z"
}

recovery_phone_edit

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.recoveryPhoneEdit",
    "resourceName": "organizations/123",
    "metadata": {
      "event": [
        {
          "status": {
            "success": true
          },
          "eventType": "recovery_info_change",
          "eventName": "recovery_phone_edit",
          "parameter": [
            {
              "label": "LABEL_OPTIONAL",
              "value": "INfDlrzP9IH8_QE",
              "type": "TYPE_STRING",
              "name": "dusi"
            }
          ]
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "activityId": {
        "timeUsec": "1632804439611095",
        "uniqQualifier": "1470137036135837564"
      }
    }
  },
  "insertId": "-1xtrgbd2vl2",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.recoveryPhoneEdit"
    }
  },
  "timestamp": "2021-09-28T04:47:19.611095Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-28T04:47:25.741574446Z"

recovery_secret_qa_edit

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.recoverySecretQaEdit",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "8328506129139272243",
        "timeUsec": "1632804455273424"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "recovery_secret_qa_edit",
          "eventType": "recovery_info_change",
          "status": {
            "success": true
          },
          "parameter": [
            {
              "type": "TYPE_STRING",
              "value": "INfDlrzP9IH8_QE",
              "name": "dusi",
              "label": "LABEL_OPTIONAL"
            }
          ]
        }
      ]
    }
  },
  "insertId": "vn31slcpmy",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.recoverySecretQaEdit",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-28T04:47:35.273424Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-28T04:47:37.650432219Z"

account_disabled_password_leak

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.accountDisabledPasswordLeak",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1619808083475000",
        "uniqQualifier": "6286848759980589624"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "account_disabled_password_leak",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-xkklkzcxkl",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.accountDisabledPasswordLeak",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-04-30T18:41:23.475Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}

suspicious_login

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.suspiciousLogin",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1620095181000000",
        "uniqQualifier": "-2034771694824799453"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "suspicious_login",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-778d70d2n5b",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.suspiciousLogin"
    }
  },
  "timestamp": "2021-05-04T02:26:21Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}

suspicious_login_less_secure_app

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1620095181000000",
        "uniqQualifier": "-2034771694824799453"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "suspicious_login_less_secure_app",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-778d70d2n5b",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.suspiciousLoginLessSecureApp"
    }
  },
  "timestamp": "2021-05-04T02:26:21Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}

suspicious_programmatic_login

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1620095181000000",
        "uniqQualifier": "-2034771694824799453"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "suspicious_programmatic_login",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-778d70d2n5b",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.suspiciousProgrammaticLogin"
    }
  },
  "timestamp": "2021-05-04T02:26:21Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}

account_disabled_generic

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.accountDisabledGeneric",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1619825589352000",
        "uniqQualifier": "-3303614929287073633"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "account_disabled_generic",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "nlgrf8d6ygj",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.accountDisabledGeneric",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-04-30T23:33:09.352Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}

account_disabled_spamming_through_relay

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1619808083475000",
        "uniqQualifier": "6286848759980589624"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "account_disabled_spamming_through_relay",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-xkklkzcxkl",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-04-30T18:41:23.475Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}

account_disabled_spamming

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.accountDisabledSpamming",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1619808083475000",
        "uniqQualifier": "6286848759980589624"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "account_disabled_spamming",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-xkklkzcxkl",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.accountDisabledSpamming",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-04-30T18:41:23.475Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}

account_disabled_hijacked

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {},
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.accountDisabledHijacked",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1619825589352000",
        "uniqQualifier": "-3303614929287073633"
      },
      "event": [
        {
          "eventType": "account_warning",
          "eventName": "account_disabled_hijacked",
          "parameter": [
            {
              "name": "affected_email_address",
              "value": "test-user@example.com",
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING"
            }
          ],
          "status": {
            "success": true
          }
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "nlgrf8d6ygj",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.accountDisabledHijacked",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-04-30T23:33:09.352Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}

titanium_enroll

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.titaniumEnroll",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "4206430548119220064",
        "timeUsec": "1632843484846000"
      },
      "event": [
        {
          "eventName": "titanium_enroll",
          "status": {
            "success": true
          },
          "parameter": [
            {
              "label": "LABEL_OPTIONAL",
              "value": "INfDlrzP9IH8_QE",
              "type": "TYPE_STRING",
              "name": "dusi"
            }
          ],
          "eventType": "titanium_change"
        }
      ],
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-bxbn5bd167i",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.titaniumEnroll"
    }
  },
  "timestamp": "2021-09-28T15:38:04.846Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-28T15:38:05.969683854Z"
}

titanium_unenroll

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.titaniumUnenroll",
    "resourceName": "organizations/123",
    "metadata": {
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventType": "titanium_change",
          "status": {
            "success": true
          },
          "eventName": "titanium_unenroll",
          "parameter": [
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "value": "INfDlrzP9IH8_QE",
              "name": "dusi"
            }
          ]
        }
      ],
      "activityId": {
        "timeUsec": "1632843914653434",
        "uniqQualifier": "-6706492269209711994"
      }
    }
  },
  "insertId": "-vw60qad1861",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.titaniumUnenroll"
    }
  },
  "timestamp": "2021-09-28T15:45:14.653434Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-28T15:45:15.862755277Z"
}

gov_attack_warning

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.govAttackWarning",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "timeUsec": "1619825837106000",
        "uniqQualifier": "7230131091737932677"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "gov_attack_warning",
          "eventType": "attack_warning",
          "status": {
            "success": true
          }
        }
      ]
    }
  },
  "insertId": "bxuophd1vlw",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.govAttackWarning"
    }
  },
  "timestamp": "2021-04-30T23:37:17.106Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-04-30T23:37:18.488559815Z"
}

email_forwarding_out_of_domain

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.emailForwardingOutOfDomain",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "-5683698025624301037",
        "timeUsec": "1632501152256000"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "email_forwarding_out_of_domain",
          "status": {
            "success": true
          },
          "parameter": [
            {
              "name": "dusi",
              "type": "TYPE_STRING",
              "value": "INfDlrzP9IH8_QE",
              "label": "LABEL_OPTIONAL"
            },
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "value": "test-user@google.com",
              "name": "email_forwarding_destination_address"
            }
          ],
          "eventType": "email_forwarding_change"
        }
      ]
    }
  },
  "insertId": "rrcp9gd3y2f",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.emailForwardingOutOfDomain",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T16:32:32.256Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}

login_failure

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginFailure",
    "resourceName": "organizations/123",
    "metadata": {
      "event": [
        {
          "eventName": "login_failure",
          "eventType": "login",
          "parameter": [
            {
              "value": "google_password",
              "type": "TYPE_STRING",
              "name": "login_type",
              "label": "LABEL_OPTIONAL"
            },
            {
              "name": "login_challenge_method",
              "type": "TYPE_STRING",
              "label": "LABEL_REPEATED",
              "multiStrValue": [
                "password",
                "idv_preregistered_phone",
                "idv_preregistered_phone"
              ]
            },
            {
              "label": "LABEL_OPTIONAL",
              "name": "dusi",
              "type": "TYPE_STRING",
              "value": "IOWJlfPwgvrTfg"
            }
          ]
        }
      ],
      "activityId": {
        "uniqQualifier": "358068855354",
        "timeUsec": "1632500217183212"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-nahbepd4l1x",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.loginFailure",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T16:16:57.183212Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}

login_challenge

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginChallenge",
    "resourceName": "organizations/123",
    "metadata": {
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "login_challenge",
          "parameter": [
            {
              "name": "login_type",
              "value": "google_password",
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL"
            },
            {
              "type": "TYPE_STRING",
              "label": "LABEL_REPEATED",
              "name": "login_challenge_method",
              "multiStrValue": [
                "idv_preregistered_phone"
              ]
            },
            {
              "label": "LABEL_OPTIONAL",
              "type": "TYPE_STRING",
              "value": "incorrect_answer_entered",
              "name": "login_challenge_status"
            },
            {
              "type": "TYPE_STRING",
              "name": "dusi",
              "label": "LABEL_OPTIONAL",
              "value": "IOWJlfPwgvrTfg"
            }
          ],
          "eventType": "login"
        }
      ],
      "activityId": {
        "timeUsec": "1632500217183211",
        "uniqQualifier": "358068855354"
      }
    }
  },
  "insertId": "-nahbepd4l2j",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.loginChallenge"
    }
  },
  "timestamp": "2021-09-24T16:16:57.183211Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T17:51:28.041126044Z"

login_verification

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginVerification",
    "resourceName": "organizations/123",
    "metadata": {
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "login_verification",
          "parameter": [
            {
              "name": "login_type",
              "type": "TYPE_STRING",
              "value": "google_password",
              "label": "LABEL_OPTIONAL"
            },
            {
              "name": "login_challenge_method",
              "multiStrValue": [
                "idv_preregistered_phone"
              ],
              "label": "LABEL_REPEATED",
              "type": "TYPE_STRING"
            },
            {
              "value": "passed",
              "name": "login_challenge_status",
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL"
            },
            {
              "value": "INfDlrzP9IH8_QE",
              "label": "LABEL_OPTIONAL",
              "name": "dusi",
              "type": "TYPE_STRING"
            },
            {
              "label": "LABEL_OPTIONAL",
              "boolValue": true,
              "type": "TYPE_BOOL",
              "name": "is_second_factor"
            }
          ],
          "eventType": "login"
        }
      ],
      "activityId": {
        "uniqQualifier": "358068855354",
        "timeUsec": "1632459936762000"
      }
    }
  },
  "insertId": "ivb9z4d41rh",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.loginVerification",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T05:05:36.762Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T06:39:22.386813664Z"
}

logout

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.logout",
    "resourceName": "organizations/123",
    "metadata": {
      "event": [
        {
          "eventName": "logout",
          "eventType": "login",
          "parameter": [
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "name": "login_type",
              "value": "google_password"
            },
            {
              "type": "TYPE_STRING",
              "name": "dusi",
              "label": "LABEL_OPTIONAL",
              "value": "INfDlrzP9IH8_QE"
            }
          ]
        }
      ],
      "activityId": {
        "uniqQualifier": "358068855354",
        "timeUsec": "1632459903014598"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "v37ytid14th",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.logout"
    }
  },
  "timestamp": "2021-09-24T05:05:03.014598Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T06:39:22.229734504Z"
}

login_success

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginSuccess",
    "resourceName": "organizations/123",
    "metadata": {
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "activityId": {
        "timeUsec": "1632458429811809",
        "uniqQualifier": "358068855354"
      },
      "event": [
        {
          "parameter": [
            {
              "type": "TYPE_STRING",
              "value": "google_password",
              "name": "login_type",
              "label": "LABEL_OPTIONAL"
            },
            {
              "name": "login_challenge_method",
              "label": "LABEL_REPEATED",
              "type": "TYPE_STRING",
              "multiStrValue": [
                "password"
              ]
            },
            {
              "type": "TYPE_BOOL",
              "boolValue": false,
              "name": "is_suspicious",
              "label": "LABEL_OPTIONAL"
            },
            {
              "value": "INfDlrzP9IH8_QE",
              "name": "dusi",
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL"
            }
          ],
          "eventType": "login",
          "eventName": "login_success"
        }
      ]
    }
  },
  "insertId": "ci1svzd3hfk",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "login.googleapis.com",
      "method": "google.login.LoginService.loginSuccess"
    }
  },
  "timestamp": "2021-09-24T04:40:29.811809Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T05:43:20.474338130Z"
}