En este documento, se proporcionan ejemplos registros de auditoría enviados a Google Cloud de la Auditoría de acceso de Google Workspace.
Para obtener más información sobre los eventos y parámetros de varios tipos de eventos de actividad de auditoría de acceso, consulta la referencia de Eventos de actividad de auditoría de acceso.
Registros de auditoría de accesos disponibles
En la siguiente tabla, se muestran los registros de auditoría que produce la auditoría de acceso y sus AuditLog.method_name correspondientes:
| Descripción | Nombre del evento | AuditLog.method_name |
|---|---|---|
| Tipo de evento: Se cambió la inscripción en la verificación en 2 pasos | ||
| Se inhabilitó la verificación en 2 pasos | 2sv_disable |
google.login.LoginService.2svDisable |
| Inscripción en la verificación en 2 pasos | 2sv_enroll |
google.login.LoginService.2svEnroll |
| Tipo de evento: Se cambió la contraseña de la cuenta | ||
| Cambio de contraseña de la cuenta | password_edit |
google.login.LoginService.passwordEdit |
| Tipo de evento: Se modificó la información de recuperación de la cuenta | ||
| Cambio de correo electrónico de recuperación de la cuenta | recovery_email_edit |
google.login.LoginService.recoveryEmailEdit |
| Cambio de teléfono de recuperación de la cuenta | recovery_phone_edit |
google.login.LoginService.recoveryPhoneEdit |
| Cambio de pregunta/respuesta secreta de recuperación de la cuenta | recovery_secret_qa_edit |
google.login.LoginService.recoverySecretQaEdit |
| Tipo de evento: Advertencia de la cuenta | ||
| Contraseña filtrada | account_disabled_password_leak |
google.login.LoginService.accountDisabledPasswordLeak |
| Se permitió una acción riesgosa y sensible | risky_sensitive_action_allowed |
google.login.LoginService.riskySensitiveActionAllowed |
| Risky, senstive action_blocked | risky_sensitive_action_blocked |
google.login.LoginService.riskySensitiveActionBlocked |
| Acceso sospechoso bloqueado | suspicious_login |
google.login.LoginService.suspiciousLogin |
| Se bloqueó el acceso sospechoso desde una app menos segura | suspicious_login_less_secure_app |
google.login.LoginService.suspiciousLoginLessSecureApp |
| Acceso programático sospechoso bloqueado | suspicious_programmatic_login |
google.login.LoginService.suspiciousProgrammaticLogin |
| Usuario suspendido | account_disabled_generic |
google.login.LoginService.accountDisabledGeneric |
| Usuario suspendido (spam mediante retransmisión) | account_disabled_spamming_through_relay |
google.login.LoginService.accountDisabledSpammingThroughRelay |
| Usuario suspendido (spam) | account_disabled_spamming |
google.login.LoginService.accountDisabledSpamming |
| Usuario suspendido (actividad sospechosa) | account_disabled_hijacked |
google.login.LoginService.accountDisabledHijacked |
| Tipo de evento: Se modificó la inscripción a la Protección avanzada | ||
| Inscripción en Protección avanzada | titanium_enroll |
google.login.LoginService.titaniumEnroll |
| Baja de Protección avanzada | titanium_unenroll |
google.login.LoginService.titaniumUnenroll |
| Tipo de evento: Advertencia de ataque | ||
| Ataque respaldado por el Gobierno | gov_attack_warning |
google.login.LoginService.govAttackWarning |
| Tipo de evento: Se modificó la configuración de reenvío de correo electrónico | ||
| Se habilitó el reenvío de correo electrónico fuera del dominio | email_forwarding_out_of_domain |
google.login.LoginService.emailForwardingOutOfDomain |
| Tipo de evento: Acceso | ||
| Acceso fallido | login_failure |
google.login.LoginService.loginFailure |
| Verificación de identidad | login_challenge |
google.login.LoginService.loginChallenge |
| Verificación de acceso | login_verification |
google.login.LoginService.loginVerification |
| Salir | logout |
google.login.LoginService.logout |
| Se accedió correctamente | login_success |
google.login.LoginService.loginSuccess |
Muestras
A continuación, se muestran muestras de registros de auditoría para la auditoría de inicio de sesión según el tipo y nombre del evento.
Se cambió la inscripción en la verificación en 2 pasos
2sv_disable
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svDisable", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "-7789616625639281959", "timeUsec": "1632459962686000" }, "event": [ { "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "eventName": "2sv_disable", "eventType": "2sv_change" } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-tn3jrd3lko", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.2svDisable" } }, "timestamp": "2021-09-24T05:06:02.686Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T05:06:03.845372592Z" }
2sv_enroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svEnroll", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "1624031130844323135", "timeUsec": "1632458745769000" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventType": "2sv_change", "status": { "success": true }, "eventName": "2sv_enroll", "parameter": [ { "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "dusi" } ] } ] } }, "insertId": "g3k8gid3b3p", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.2svEnroll", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T04:45:45.769Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T04:45:46.331843829Z" }
Se cambió la contraseña de la cuenta
password_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.passwordEdit", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "password_edit", "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "eventType": "password_change" } ], "activityId": { "uniqQualifier": "8894052787391296929", "timeUsec": "1632803013900566" } } }, "insertId": "-u8coc0d6n78", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.passwordEdit" } }, "timestamp": "2021-09-28T04:23:33.900566Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:23:37.724654918Z" }
Se cambió la información de recuperación de la cuenta
recovery_email_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoveryEmailEdit", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1632802942940979", "uniqQualifier": "-7373127890859496609" }, "event": [ { "eventType": "recovery_info_change", "eventName": "recovery_email_edit", "parameter": [ { "label": "LABEL_OPTIONAL", "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nkwfupd26zt", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.recoveryEmailEdit" } }, "timestamp": "2021-09-28T04:22:22.940979Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:22:26.523242112Z" }
recovery_phone_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoveryPhoneEdit", "resourceName": "organizations/123", "metadata": { "event": [ { "status": { "success": true }, "eventType": "recovery_info_change", "eventName": "recovery_phone_edit", "parameter": [ { "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "name": "dusi" } ] } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "activityId": { "timeUsec": "1632804439611095", "uniqQualifier": "1470137036135837564" } } }, "insertId": "-1xtrgbd2vl2", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.recoveryPhoneEdit" } }, "timestamp": "2021-09-28T04:47:19.611095Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
recovery_secret_qa_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoverySecretQaEdit", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "8328506129139272243", "timeUsec": "1632804455273424" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "recovery_secret_qa_edit", "eventType": "recovery_info_change", "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "name": "dusi", "label": "LABEL_OPTIONAL" } ] } ] } }, "insertId": "vn31slcpmy", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.recoverySecretQaEdit", "service": "login.googleapis.com" } }, "timestamp": "2021-09-28T04:47:35.273424Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
Advertencia sobre las cuentas
account_disabled_password_leak
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_password_leak", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledPasswordLeak", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
suspicious_login
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLogin", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_login", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousLogin" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
suspicious_login_less_secure_app
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_login_less_secure_app", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousLoginLessSecureApp" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
suspicious_programmatic_login
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousProgrammaticLogin", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_programmatic_login", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousProgrammaticLogin" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
account_disabled_generic
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledGeneric", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825589352000", "uniqQualifier": "-3303614929287073633" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_generic", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "nlgrf8d6ygj", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledGeneric", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T23:33:09.352Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:33:10.673412983Z" }
account_disabled_spamming_through_relay
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_spamming_through_relay", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledSpammingThroughRelay", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
account_disabled_spamming
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledSpamming", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_spamming", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledSpamming", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
account_disabled_hijacked
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledHijacked", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825589352000", "uniqQualifier": "-3303614929287073633" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_hijacked", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "nlgrf8d6ygj", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledHijacked", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T23:33:09.352Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:33:10.673412983Z" }
Se modificó la inscripción en la Protección avanzada
titanium_enroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.titaniumEnroll", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "4206430548119220064", "timeUsec": "1632843484846000" }, "event": [ { "eventName": "titanium_enroll", "status": { "success": true }, "parameter": [ { "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "name": "dusi" } ], "eventType": "titanium_change" } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-bxbn5bd167i", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.titaniumEnroll" } }, "timestamp": "2021-09-28T15:38:04.846Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T15:38:05.969683854Z" }
titanium_unenroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.titaniumUnenroll", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventType": "titanium_change", "status": { "success": true }, "eventName": "titanium_unenroll", "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ] } ], "activityId": { "timeUsec": "1632843914653434", "uniqQualifier": "-6706492269209711994" } } }, "insertId": "-vw60qad1861", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.titaniumUnenroll" } }, "timestamp": "2021-09-28T15:45:14.653434Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T15:45:15.862755277Z" }
Advertencia de ataque
gov_attack_warning
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.govAttackWarning", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825837106000", "uniqQualifier": "7230131091737932677" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "gov_attack_warning", "eventType": "attack_warning", "status": { "success": true } } ] } }, "insertId": "bxuophd1vlw", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.govAttackWarning" } }, "timestamp": "2021-04-30T23:37:17.106Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:37:18.488559815Z" }
Se cambió la configuración de reenvío de correo electrónico
email_forwarding_out_of_domain
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.emailForwardingOutOfDomain", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "-5683698025624301037", "timeUsec": "1632501152256000" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "email_forwarding_out_of_domain", "status": { "success": true }, "parameter": [ { "name": "dusi", "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL" }, { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "test-user@google.com", "name": "email_forwarding_destination_address" } ], "eventType": "email_forwarding_change" } ] } }, "insertId": "rrcp9gd3y2f", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.emailForwardingOutOfDomain", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:32:32.256Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T16:32:33.319260836Z" }
Acceder
login_failure
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { "value": "google_password", "type": "TYPE_STRING", "name": "login_type", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" ] }, { "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING", "value": "IOWJlfPwgvrTfg" } ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632500217183212" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nahbepd4l1x", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:16:57.183212Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:25.034361197Z" }
login_challenge
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginChallenge", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "login_challenge", "parameter": [ { "name": "login_type", "value": "google_password", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" }, { "type": "TYPE_STRING", "label": "LABEL_REPEATED", "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" ] }, { "label": "LABEL_OPTIONAL", "type": "TYPE_STRING", "value": "incorrect_answer_entered", "name": "login_challenge_status" }, { "type": "TYPE_STRING", "name": "dusi", "label": "LABEL_OPTIONAL", "value": "IOWJlfPwgvrTfg" } ], "eventType": "login" } ], "activityId": { "timeUsec": "1632500217183211", "uniqQualifier": "358068855354" } } }, "insertId": "-nahbepd4l2j", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.loginChallenge" } }, "timestamp": "2021-09-24T16:16:57.183211Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
login_verification
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginVerification", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "login_verification", "parameter": [ { "name": "login_type", "type": "TYPE_STRING", "value": "google_password", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" ], "label": "LABEL_REPEATED", "type": "TYPE_STRING" }, { "value": "passed", "name": "login_challenge_status", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" }, { "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING" }, { "label": "LABEL_OPTIONAL", "boolValue": true, "type": "TYPE_BOOL", "name": "is_second_factor" } ], "eventType": "login" } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632459936762000" } } }, "insertId": "ivb9z4d41rh", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginVerification", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T05:05:36.762Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T06:39:22.386813664Z" }
logout
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.logout", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "logout", "eventType": "login", "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "login_type", "value": "google_password" }, { "type": "TYPE_STRING", "name": "dusi", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE" } ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632459903014598" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "v37ytid14th", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.logout" } }, "timestamp": "2021-09-24T05:05:03.014598Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T06:39:22.229734504Z" }
login_success
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginSuccess", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "activityId": { "timeUsec": "1632458429811809", "uniqQualifier": "358068855354" }, "event": [ { "parameter": [ { "type": "TYPE_STRING", "value": "google_password", "name": "login_type", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "label": "LABEL_REPEATED", "type": "TYPE_STRING", "multiStrValue": [ "password" ] }, { "type": "TYPE_BOOL", "boolValue": false, "name": "is_suspicious", "label": "LABEL_OPTIONAL" }, { "value": "INfDlrzP9IH8_QE", "name": "dusi", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" } ], "eventType": "login", "eventName": "login_success" } ] } }, "insertId": "ci1svzd3hfk", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.loginSuccess" } }, "timestamp": "2021-09-24T04:40:29.811809Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T05:43:20.474338130Z" }