Dieses Dokument enthält Beispiele für die von Google Workspace Login Audit an Google Cloud gesendeten Audit-Logs.
Weitere Informationen zu den Ereignissen und Parametern für verschiedene Arten von Audit-Aktivitätsereignissen finden Sie in der Referenz zu Anmelde-Audit-Aktivitätsereignissen.
Verfügbare Audit-Logs zur Anmeldung
In der folgenden Tabelle sind die Audit-Logs aufgeführt, die von der Anmeldeprüfung erstellt wurden, und das entsprechende AuditLog.method_name:
| Beschreibung | Ereignisname | AuditLog.method_name |
|---|---|---|
| Ereignistyp: Anmeldung für die Bestätigung in zwei Schritten geändert | ||
| Bestätigung in zwei Schritten deaktiviert | 2sv_disable |
google.login.LoginService.2svDisable |
| Für die Bestätigung in zwei Schritten angemeldet | 2sv_enroll |
google.login.LoginService.2svEnroll |
| Ereignistyp: Kontopasswort geändert | ||
| Kontopasswort geändert | password_edit |
google.login.LoginService.passwordEdit |
| Ereignistyp: Informationen zur Kontowiederherstellung geändert | ||
| E-Mail-Adresse zur Kontowiederherstellung geändert | recovery_email_edit |
google.login.LoginService.recoveryEmailEdit |
| Telefonnummer zur Kontowiederherstellung geändert | recovery_phone_edit |
google.login.LoginService.recoveryPhoneEdit |
| Geheime Frage/Antwort zur Kontowiederherstellung geändert | recovery_secret_qa_edit |
google.login.LoginService.recoverySecretQaEdit |
| Ereignistyp: Kontowarnung | ||
| Passwort gehackt | account_disabled_password_leak |
google.login.LoginService.accountDisabledPasswordLeak |
| Riskante, sensible Aktion erlaubt | risky_sensitive_action_allowed |
google.login.LoginService.riskySensitiveActionAllowed |
| Riskante, reißerische action_blocked | risky_sensitive_action_blocked |
google.login.LoginService.riskySensitiveActionBlocked |
| Verdächtige Anmeldung blockiert | suspicious_login |
google.login.LoginService.suspiciousLogin |
| Verdächtige Anmeldung über eine weniger sichere App blockiert | suspicious_login_less_secure_app |
google.login.LoginService.suspiciousLoginLessSecureApp |
| Verdächtiger programmatischer Anmeldeversuch blockiert | suspicious_programmatic_login |
google.login.LoginService.suspiciousProgrammaticLogin |
| Nutzer gesperrt | account_disabled_generic |
google.login.LoginService.accountDisabledGeneric |
| Nutzer gesperrt (Relay-Spam) | account_disabled_spamming_through_relay |
google.login.LoginService.accountDisabledSpammingThroughRelay |
| Nutzer gesperrt (Spam) | account_disabled_spamming |
google.login.LoginService.accountDisabledSpamming |
| Nutzer gesperrt (verdächtige Aktivität) | account_disabled_hijacked |
google.login.LoginService.accountDisabledHijacked |
| Ereignistyp: Registrierung für die erweiterte Sicherheit geändert | ||
| Anmeldung für das erweiterte Sicherheitsprogramm | titanium_enroll |
google.login.LoginService.titaniumEnroll |
| Vom erweiterten Sicherheitsprogramm abmelden | titanium_unenroll |
google.login.LoginService.titaniumUnenroll |
| Ereignistyp: Angriffswarnung | ||
| Von einer Regierung unterstützter Angriff | gov_attack_warning |
google.login.LoginService.govAttackWarning |
| Ereignistyp: Einstellungen für die E-Mail-Weiterleitung geändert | ||
| E-Mail-Weiterleitung außerhalb der Domain aktiviert | email_forwarding_out_of_domain |
google.login.LoginService.emailForwardingOutOfDomain |
| Ereignistyp: Anmeldung | ||
| Fehler bei der Anmeldung | login_failure |
google.login.LoginService.loginFailure |
| Identitätsbestätigung | login_challenge |
google.login.LoginService.loginChallenge |
| Anmeldebestätigung | login_verification |
google.login.LoginService.loginVerification |
| Abmelden | logout |
google.login.LoginService.logout |
| Erfolgreiche Anmeldung | login_success |
google.login.LoginService.loginSuccess |
Beispiele
Im Folgenden finden Sie Beispiele für Audit-Logs für das Audit der Anmeldung nach Ereignistyp und Ereignisname.
Anmeldung für die Bestätigung in zwei Schritten geändert
2sv_disable
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svDisable",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "-7789616625639281959",
"timeUsec": "1632459962686000"
},
"event": [
{
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventName": "2sv_disable",
"eventType": "2sv_change"
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-tn3jrd3lko",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.2svDisable"
}
},
"timestamp": "2021-09-24T05:06:02.686Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T05:06:03.845372592Z"
}
2sv_enroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svEnroll",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "1624031130844323135",
"timeUsec": "1632458745769000"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "2sv_change",
"status": {
"success": true
},
"eventName": "2sv_enroll",
"parameter": [
{
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "dusi"
}
]
}
]
}
},
"insertId": "g3k8gid3b3p",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.2svEnroll",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T04:45:45.769Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T04:45:46.331843829Z"
}
Kontopasswort geändert
password_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.passwordEdit",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "password_edit",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventType": "password_change"
}
],
"activityId": {
"uniqQualifier": "8894052787391296929",
"timeUsec": "1632803013900566"
}
}
},
"insertId": "-u8coc0d6n78",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.passwordEdit"
}
},
"timestamp": "2021-09-28T04:23:33.900566Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:23:37.724654918Z"
}
Informationen zur Kontowiederherstellung geändert
recovery_email_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoveryEmailEdit",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1632802942940979",
"uniqQualifier": "-7373127890859496609"
},
"event": [
{
"eventType": "recovery_info_change",
"eventName": "recovery_email_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nkwfupd26zt",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.recoveryEmailEdit"
}
},
"timestamp": "2021-09-28T04:22:22.940979Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:22:26.523242112Z"
}
recovery_phone_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoveryPhoneEdit",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"status": {
"success": true
},
"eventType": "recovery_info_change",
"eventName": "recovery_phone_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
]
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1632804439611095",
"uniqQualifier": "1470137036135837564"
}
}
},
"insertId": "-1xtrgbd2vl2",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.recoveryPhoneEdit"
}
},
"timestamp": "2021-09-28T04:47:19.611095Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
recovery_secret_qa_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoverySecretQaEdit",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "8328506129139272243",
"timeUsec": "1632804455273424"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "recovery_secret_qa_edit",
"eventType": "recovery_info_change",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"label": "LABEL_OPTIONAL"
}
]
}
]
}
},
"insertId": "vn31slcpmy",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.recoverySecretQaEdit",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-28T04:47:35.273424Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
Kontowarnung
account_disabled_password_leak
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledPasswordLeak",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_password_leak",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledPasswordLeak",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
suspicious_login
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLogin",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousLogin"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
suspicious_login_less_secure_app
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login_less_secure_app",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousLoginLessSecureApp"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
suspicious_programmatic_login
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_programmatic_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousProgrammaticLogin"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
account_disabled_generic
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledGeneric",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_generic",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "nlgrf8d6ygj",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledGeneric",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T23:33:09.352Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}
account_disabled_spamming_through_relay
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming_through_relay",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
account_disabled_spamming
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledSpamming",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpamming",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
account_disabled_hijacked
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledHijacked",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_hijacked",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "nlgrf8d6ygj",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledHijacked",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T23:33:09.352Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}
Anmeldung für das erweiterte Sicherheitsprogramm geändert
titanium_enroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.titaniumEnroll",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "4206430548119220064",
"timeUsec": "1632843484846000"
},
"event": [
{
"eventName": "titanium_enroll",
"status": {
"success": true
},
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
],
"eventType": "titanium_change"
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-bxbn5bd167i",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.titaniumEnroll"
}
},
"timestamp": "2021-09-28T15:38:04.846Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T15:38:05.969683854Z"
}
titanium_unenroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.titaniumUnenroll",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "titanium_change",
"status": {
"success": true
},
"eventName": "titanium_unenroll",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
]
}
],
"activityId": {
"timeUsec": "1632843914653434",
"uniqQualifier": "-6706492269209711994"
}
}
},
"insertId": "-vw60qad1861",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.titaniumUnenroll"
}
},
"timestamp": "2021-09-28T15:45:14.653434Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T15:45:15.862755277Z"
}
Angriffswarnung
gov_attack_warning
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.govAttackWarning",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825837106000",
"uniqQualifier": "7230131091737932677"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "gov_attack_warning",
"eventType": "attack_warning",
"status": {
"success": true
}
}
]
}
},
"insertId": "bxuophd1vlw",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.govAttackWarning"
}
},
"timestamp": "2021-04-30T23:37:17.106Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:37:18.488559815Z"
}
Einstellungen für die E-Mail-Weiterleitung geändert
email_forwarding_out_of_domain
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.emailForwardingOutOfDomain",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "-5683698025624301037",
"timeUsec": "1632501152256000"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "email_forwarding_out_of_domain",
"status": {
"success": true
},
"parameter": [
{
"name": "dusi",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "test-user@google.com",
"name": "email_forwarding_destination_address"
}
],
"eventType": "email_forwarding_change"
}
]
}
},
"insertId": "rrcp9gd3y2f",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.emailForwardingOutOfDomain",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:32:32.256Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}
Anmeldung
login_failure
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginFailure",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "login_failure",
"eventType": "login",
"parameter": [
{
"value": "google_password",
"type": "TYPE_STRING",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"multiStrValue": [
"password",
"idv_preregistered_phone",
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING",
"value": "IOWJlfPwgvrTfg"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632500217183212"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nahbepd4l1x",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginFailure",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:16:57.183212Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}
login_challenge
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginChallenge",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_challenge",
"parameter": [
{
"name": "login_type",
"value": "google_password",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "incorrect_answer_entered",
"name": "login_challenge_status"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "IOWJlfPwgvrTfg"
}
],
"eventType": "login"
}
],
"activityId": {
"timeUsec": "1632500217183211",
"uniqQualifier": "358068855354"
}
}
},
"insertId": "-nahbepd4l2j",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginChallenge"
}
},
"timestamp": "2021-09-24T16:16:57.183211Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
login_verification
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginVerification",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_verification",
"parameter": [
{
"name": "login_type",
"type": "TYPE_STRING",
"value": "google_password",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
],
"label": "LABEL_REPEATED",
"type": "TYPE_STRING"
},
{
"value": "passed",
"name": "login_challenge_status",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING"
},
{
"label": "LABEL_OPTIONAL",
"boolValue": true,
"type": "TYPE_BOOL",
"name": "is_second_factor"
}
],
"eventType": "login"
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632459936762000"
}
}
},
"insertId": "ivb9z4d41rh",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginVerification",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T05:05:36.762Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T06:39:22.386813664Z"
}
logout
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.logout",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "logout",
"eventType": "login",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "login_type",
"value": "google_password"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632459903014598"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "v37ytid14th",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.logout"
}
},
"timestamp": "2021-09-24T05:05:03.014598Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T06:39:22.229734504Z"
}
login_success
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginSuccess",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1632458429811809",
"uniqQualifier": "358068855354"
},
"event": [
{
"parameter": [
{
"type": "TYPE_STRING",
"value": "google_password",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"label": "LABEL_REPEATED",
"type": "TYPE_STRING",
"multiStrValue": [
"password"
]
},
{
"type": "TYPE_BOOL",
"boolValue": false,
"name": "is_suspicious",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
}
],
"eventType": "login",
"eventName": "login_success"
}
]
}
},
"insertId": "ci1svzd3hfk",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginSuccess"
}
},
"timestamp": "2021-09-24T04:40:29.811809Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T05:43:20.474338130Z"
}