En este documento, se proporcionan muestras de registros de auditoría que la auditoría de acceso de Google Workspace envía a Google Cloud.
Si quieres obtener más información sobre los eventos y parámetros para varios tipos de eventos de actividad de auditoría de accesos, consulta la referencia de Eventos de actividad de auditoría de acceso.
Registros de auditoría de accesos disponibles
En la siguiente tabla, se enumeran los registros de auditoría que produce la auditoría de acceso y su AuditLog.method_name correspondiente:
| Descripción | Nombre del evento | AuditLog.method_name |
|---|---|---|
| Tipo de evento: Se modificó la inscripción en la verificación en 2 pasos | ||
| Se inhabilitó la verificación en 2 pasos | 2sv_disable |
google.login.LoginService.2svDisable |
| Inscripción en la verificación en 2 pasos | 2sv_enroll |
google.login.LoginService.2svEnroll |
| Tipo de evento: Se cambió la contraseña de la cuenta | ||
| Cambio de contraseña de la cuenta | password_edit |
google.login.LoginService.passwordEdit |
| Tipo de evento: Cambió la información de recuperación de la cuenta | ||
| Cambio de correo electrónico de recuperación de la cuenta | recovery_email_edit |
google.login.LoginService.recoveryEmailEdit |
| Cambio de teléfono de recuperación de la cuenta | recovery_phone_edit |
google.login.LoginService.recoveryPhoneEdit |
| Cambio de pregunta/respuesta secreta de recuperación de la cuenta | recovery_secret_qa_edit |
google.login.LoginService.recoverySecretQaEdit |
| Tipo de evento: Advertencia de la cuenta | ||
| Contraseña filtrada | account_disabled_password_leak |
google.login.LoginService.accountDisabledPasswordLeak |
| Acción riesgosa y sensual permitida | risky_sensitive_action_allowed |
google.login.LoginService.riskySensitiveActionAllowed |
| Acción riesgosa y sensacional bloqueada | risky_sensitive_action_blocked |
google.login.LoginService.riskySensitiveActionBlocked |
| Acceso sospechoso bloqueado | suspicious_login |
google.login.LoginService.suspiciousLogin |
| Acceso sospechoso desde app menos segura bloqueado | suspicious_login_less_secure_app |
google.login.LoginService.suspiciousLoginLessSecureApp |
| Acceso programático sospechoso bloqueado | suspicious_programmatic_login |
google.login.LoginService.suspiciousProgrammaticLogin |
| Usuario suspendido | account_disabled_generic |
google.login.LoginService.accountDisabledGeneric |
| Usuario suspendido (spam mediante retransmisión) | account_disabled_spamming_through_relay |
google.login.LoginService.accountDisabledSpammingThroughRelay |
| Usuario suspendido (spam) | account_disabled_spamming |
google.login.LoginService.accountDisabledSpamming |
| Usuario suspendido (actividad sospechosa) | account_disabled_hijacked |
google.login.LoginService.accountDisabledHijacked |
| Tipo de evento: Se modificó la inscripción a la Protección avanzada | ||
| Inscripción en Protección avanzada | titanium_enroll |
google.login.LoginService.titaniumEnroll |
| Baja de Protección avanzada | titanium_unenroll |
google.login.LoginService.titaniumUnenroll |
| Tipo de evento: Advertencia de ataque | ||
| Ataque respaldado por el Gobierno | gov_attack_warning |
google.login.LoginService.govAttackWarning |
| Tipo de evento: Cambio en la configuración de reenvío de correo electrónico | ||
| Se habilitó el reenvío de correo electrónico fuera del dominio | email_forwarding_out_of_domain |
google.login.LoginService.emailForwardingOutOfDomain |
| Tipo de evento: Acceso | ||
| Acceso fallido | login_failure |
google.login.LoginService.loginFailure |
| Verificación de identidad | login_challenge |
google.login.LoginService.loginChallenge |
| Verificación de acceso | login_verification |
google.login.LoginService.loginVerification |
| Salir | logout |
google.login.LoginService.logout |
| Se accedió correctamente | login_success |
google.login.LoginService.loginSuccess |
Muestras
A continuación, se incluyen muestras de registros de auditoría para la auditoría de acceso según el tipo y el nombre del evento.
Se modificó la inscripción en la verificación en 2 pasos
2sv_disable
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svDisable",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "-7789616625639281959",
"timeUsec": "1632459962686000"
},
"event": [
{
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventName": "2sv_disable",
"eventType": "2sv_change"
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-tn3jrd3lko",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.2svDisable"
}
},
"timestamp": "2021-09-24T05:06:02.686Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T05:06:03.845372592Z"
}
2sv_enroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svEnroll",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "1624031130844323135",
"timeUsec": "1632458745769000"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "2sv_change",
"status": {
"success": true
},
"eventName": "2sv_enroll",
"parameter": [
{
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "dusi"
}
]
}
]
}
},
"insertId": "g3k8gid3b3p",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.2svEnroll",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T04:45:45.769Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T04:45:46.331843829Z"
}
Se cambió la contraseña de la cuenta
password_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.passwordEdit",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "password_edit",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventType": "password_change"
}
],
"activityId": {
"uniqQualifier": "8894052787391296929",
"timeUsec": "1632803013900566"
}
}
},
"insertId": "-u8coc0d6n78",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.passwordEdit"
}
},
"timestamp": "2021-09-28T04:23:33.900566Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:23:37.724654918Z"
}
Cambió la información de recuperación de la cuenta
recovery_email_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoveryEmailEdit",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1632802942940979",
"uniqQualifier": "-7373127890859496609"
},
"event": [
{
"eventType": "recovery_info_change",
"eventName": "recovery_email_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nkwfupd26zt",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.recoveryEmailEdit"
}
},
"timestamp": "2021-09-28T04:22:22.940979Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:22:26.523242112Z"
}
recovery_phone_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoveryPhoneEdit",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"status": {
"success": true
},
"eventType": "recovery_info_change",
"eventName": "recovery_phone_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
]
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1632804439611095",
"uniqQualifier": "1470137036135837564"
}
}
},
"insertId": "-1xtrgbd2vl2",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.recoveryPhoneEdit"
}
},
"timestamp": "2021-09-28T04:47:19.611095Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
recovery_secret_qa_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoverySecretQaEdit",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "8328506129139272243",
"timeUsec": "1632804455273424"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "recovery_secret_qa_edit",
"eventType": "recovery_info_change",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"label": "LABEL_OPTIONAL"
}
]
}
]
}
},
"insertId": "vn31slcpmy",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.recoverySecretQaEdit",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-28T04:47:35.273424Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
Advertencia sobre las cuentas
account_disabled_password_leak
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledPasswordLeak",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_password_leak",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledPasswordLeak",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
suspicious_login
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLogin",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousLogin"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
suspicious_login_less_secure_app
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login_less_secure_app",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousLoginLessSecureApp"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
suspicious_programmatic_login
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_programmatic_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousProgrammaticLogin"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
account_disabled_generic
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledGeneric",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_generic",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "nlgrf8d6ygj",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledGeneric",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T23:33:09.352Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}
account_disabled_spamming_through_relay
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming_through_relay",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
account_disabled_spamming
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledSpamming",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpamming",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
account_disabled_hijacked
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledHijacked",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_hijacked",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "nlgrf8d6ygj",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledHijacked",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T23:33:09.352Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}
Se cambió la inscripción al programa de Protección avanzada
titanium_enroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.titaniumEnroll",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "4206430548119220064",
"timeUsec": "1632843484846000"
},
"event": [
{
"eventName": "titanium_enroll",
"status": {
"success": true
},
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
],
"eventType": "titanium_change"
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-bxbn5bd167i",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.titaniumEnroll"
}
},
"timestamp": "2021-09-28T15:38:04.846Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T15:38:05.969683854Z"
}
titanium_unenroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.titaniumUnenroll",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "titanium_change",
"status": {
"success": true
},
"eventName": "titanium_unenroll",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
]
}
],
"activityId": {
"timeUsec": "1632843914653434",
"uniqQualifier": "-6706492269209711994"
}
}
},
"insertId": "-vw60qad1861",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.titaniumUnenroll"
}
},
"timestamp": "2021-09-28T15:45:14.653434Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T15:45:15.862755277Z"
}
Advertencia de ataque
gov_attack_warning
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.govAttackWarning",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825837106000",
"uniqQualifier": "7230131091737932677"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "gov_attack_warning",
"eventType": "attack_warning",
"status": {
"success": true
}
}
]
}
},
"insertId": "bxuophd1vlw",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.govAttackWarning"
}
},
"timestamp": "2021-04-30T23:37:17.106Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:37:18.488559815Z"
}
Se cambió la configuración de reenvío de correo electrónico
email_forwarding_out_of_domain
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.emailForwardingOutOfDomain",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "-5683698025624301037",
"timeUsec": "1632501152256000"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "email_forwarding_out_of_domain",
"status": {
"success": true
},
"parameter": [
{
"name": "dusi",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "test-user@google.com",
"name": "email_forwarding_destination_address"
}
],
"eventType": "email_forwarding_change"
}
]
}
},
"insertId": "rrcp9gd3y2f",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.emailForwardingOutOfDomain",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:32:32.256Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}
Acceso
login_failure
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginFailure",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "login_failure",
"eventType": "login",
"parameter": [
{
"value": "google_password",
"type": "TYPE_STRING",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"multiStrValue": [
"password",
"idv_preregistered_phone",
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING",
"value": "IOWJlfPwgvrTfg"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632500217183212"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nahbepd4l1x",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginFailure",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:16:57.183212Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}
login_challenge
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginChallenge",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_challenge",
"parameter": [
{
"name": "login_type",
"value": "google_password",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "incorrect_answer_entered",
"name": "login_challenge_status"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "IOWJlfPwgvrTfg"
}
],
"eventType": "login"
}
],
"activityId": {
"timeUsec": "1632500217183211",
"uniqQualifier": "358068855354"
}
}
},
"insertId": "-nahbepd4l2j",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginChallenge"
}
},
"timestamp": "2021-09-24T16:16:57.183211Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
login_verification
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginVerification",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_verification",
"parameter": [
{
"name": "login_type",
"type": "TYPE_STRING",
"value": "google_password",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
],
"label": "LABEL_REPEATED",
"type": "TYPE_STRING"
},
{
"value": "passed",
"name": "login_challenge_status",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING"
},
{
"label": "LABEL_OPTIONAL",
"boolValue": true,
"type": "TYPE_BOOL",
"name": "is_second_factor"
}
],
"eventType": "login"
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632459936762000"
}
}
},
"insertId": "ivb9z4d41rh",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginVerification",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T05:05:36.762Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T06:39:22.386813664Z"
}
logout
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.logout",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "logout",
"eventType": "login",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "login_type",
"value": "google_password"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632459903014598"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "v37ytid14th",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.logout"
}
},
"timestamp": "2021-09-24T05:05:03.014598Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T06:39:22.229734504Z"
}
login_success
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginSuccess",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1632458429811809",
"uniqQualifier": "358068855354"
},
"event": [
{
"parameter": [
{
"type": "TYPE_STRING",
"value": "google_password",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"label": "LABEL_REPEATED",
"type": "TYPE_STRING",
"multiStrValue": [
"password"
]
},
{
"type": "TYPE_BOOL",
"boolValue": false,
"name": "is_suspicious",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
}
],
"eventType": "login",
"eventName": "login_success"
}
]
}
},
"insertId": "ci1svzd3hfk",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginSuccess"
}
},
"timestamp": "2021-09-24T04:40:29.811809Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T05:43:20.474338130Z"
}