本文档提供了 Google Workspace 登录审核发送到 Google Cloud 的审核日志的示例。
如需详细了解各种类型的登录审核活动事件的事件和参数,请参阅登录审核活动事件参考。
可用的登录审核日志
下表列出了登录审核生成的审核日志及其对应的 AuditLog.method_name:
| 说明 | 事件名称 | AuditLog.method_name |
|---|---|---|
| 事件类型:两步验证注册已更改 | ||
| 两步验证停用 | 2sv_disable |
google.login.LoginService.2svDisable |
| 两步验证注册 | 2sv_enroll |
google.login.LoginService.2svEnroll |
| 事件类型:账号密码已更改 | ||
| 账号密码更改 | password_edit |
google.login.LoginService.passwordEdit |
| 事件类型:账号恢复信息已更改 | ||
| 账号恢复辅助邮箱更改 | recovery_email_edit |
google.login.LoginService.recoveryEmailEdit |
| 账号恢复辅助电话号码更改 | recovery_phone_edit |
google.login.LoginService.recoveryPhoneEdit |
| 账号恢复保密问题/答案更改 | recovery_secret_qa_edit |
google.login.LoginService.recoverySecretQaEdit |
| 事件类型:账号警告 | ||
| 密码泄露 | account_disabled_password_leak |
google.login.LoginService.accountDisabledPasswordLeak |
| 允许执行有风险的敏感操作 | risky_sensitive_action_allowed |
google.login.LoginService.riskySensitiveActionAllowed |
| 有风险、敏感的 action_blocked | risky_sensitive_action_blocked |
google.login.LoginService.riskySensitiveActionBlocked |
| 已阻止可疑登录 | suspicious_login |
google.login.LoginService.suspiciousLogin |
| 已阻止使用安全性较低的应用进行的可疑登录 | suspicious_login_less_secure_app |
google.login.LoginService.suspiciousLoginLessSecureApp |
| 阻止了通过程序化方式进行的可疑登录 | suspicious_programmatic_login |
google.login.LoginService.suspiciousProgrammaticLogin |
| 用户被暂停 | account_disabled_generic |
google.login.LoginService.accountDisabledGeneric |
| 已暂停用户(通过中继服务发送垃圾内容) | account_disabled_spamming_through_relay |
google.login.LoginService.accountDisabledSpammingThroughRelay |
| 已暂停用户(垃圾内容) | account_disabled_spamming |
google.login.LoginService.accountDisabledSpamming |
| 已暂停用户(可疑活动) | account_disabled_hijacked |
google.login.LoginService.accountDisabledHijacked |
| 事件类型:高级保护注册已更改 | ||
| 注册高级保护计划 | titanium_enroll |
google.login.LoginService.titaniumEnroll |
| 取消注册高级保护计划 | titanium_unenroll |
google.login.LoginService.titaniumUnenroll |
| 事件类型:攻击警告 | ||
| 受政府支持的攻击 | gov_attack_warning |
google.login.LoginService.govAttackWarning |
| 事件类型:电子邮件转发设置已更改 | ||
| 网域外电子邮件转发功能已启用 | email_forwarding_out_of_domain |
google.login.LoginService.emailForwardingOutOfDomain |
| 事件类型:登录 | ||
| 登录失败 | login_failure |
google.login.LoginService.loginFailure |
| 登录验证 | login_challenge |
google.login.LoginService.loginChallenge |
| 登录验证 | login_verification |
google.login.LoginService.loginVerification |
| 退出 | logout |
google.login.LoginService.logout |
| 登录成功 | login_success |
google.login.LoginService.loginSuccess |
示例
以下是根据事件类型和事件名称的登录审核的审核日志示例。
两步验证注册已更改
2sv_disable
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svDisable",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "-7789616625639281959",
"timeUsec": "1632459962686000"
},
"event": [
{
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventName": "2sv_disable",
"eventType": "2sv_change"
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-tn3jrd3lko",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.2svDisable"
}
},
"timestamp": "2021-09-24T05:06:02.686Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T05:06:03.845372592Z"
}
2sv_enroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.2svEnroll",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "1624031130844323135",
"timeUsec": "1632458745769000"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "2sv_change",
"status": {
"success": true
},
"eventName": "2sv_enroll",
"parameter": [
{
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "dusi"
}
]
}
]
}
},
"insertId": "g3k8gid3b3p",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.2svEnroll",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T04:45:45.769Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T04:45:46.331843829Z"
}
账号密码已更改
password_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.passwordEdit",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "password_edit",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"eventType": "password_change"
}
],
"activityId": {
"uniqQualifier": "8894052787391296929",
"timeUsec": "1632803013900566"
}
}
},
"insertId": "-u8coc0d6n78",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.passwordEdit"
}
},
"timestamp": "2021-09-28T04:23:33.900566Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:23:37.724654918Z"
}
账号恢复信息已更改
recovery_email_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoveryEmailEdit",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1632802942940979",
"uniqQualifier": "-7373127890859496609"
},
"event": [
{
"eventType": "recovery_info_change",
"eventName": "recovery_email_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nkwfupd26zt",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.recoveryEmailEdit"
}
},
"timestamp": "2021-09-28T04:22:22.940979Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:22:26.523242112Z"
}
recovery_phone_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoveryPhoneEdit",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"status": {
"success": true
},
"eventType": "recovery_info_change",
"eventName": "recovery_phone_edit",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
]
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1632804439611095",
"uniqQualifier": "1470137036135837564"
}
}
},
"insertId": "-1xtrgbd2vl2",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.recoveryPhoneEdit"
}
},
"timestamp": "2021-09-28T04:47:19.611095Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
recovery_secret_qa_edit
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.recoverySecretQaEdit",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "8328506129139272243",
"timeUsec": "1632804455273424"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "recovery_secret_qa_edit",
"eventType": "recovery_info_change",
"status": {
"success": true
},
"parameter": [
{
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"label": "LABEL_OPTIONAL"
}
]
}
]
}
},
"insertId": "vn31slcpmy",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.recoverySecretQaEdit",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-28T04:47:35.273424Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
账号警告
account_disabled_password_leak
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledPasswordLeak",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_password_leak",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledPasswordLeak",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
suspicious_login
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLogin",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousLogin"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
suspicious_login_less_secure_app
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_login_less_secure_app",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousLoginLessSecureApp"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
suspicious_programmatic_login
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.suspiciousProgrammaticLogin",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1620095181000000",
"uniqQualifier": "-2034771694824799453"
},
"event": [
{
"eventType": "account_warning",
"eventName": "suspicious_programmatic_login",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-778d70d2n5b",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.suspiciousProgrammaticLogin"
}
},
"timestamp": "2021-05-04T02:26:21Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-05-04T02:56:23.806722355Z"
}
account_disabled_generic
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledGeneric",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_generic",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "nlgrf8d6ygj",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledGeneric",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T23:33:09.352Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}
account_disabled_spamming_through_relay
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming_through_relay",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpammingThroughRelay",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
account_disabled_spamming
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledSpamming",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619808083475000",
"uniqQualifier": "6286848759980589624"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_spamming",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-xkklkzcxkl",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledSpamming",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T18:41:23.475Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T18:41:24.650965796Z"
}
account_disabled_hijacked
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.accountDisabledHijacked",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825589352000",
"uniqQualifier": "-3303614929287073633"
},
"event": [
{
"eventType": "account_warning",
"eventName": "account_disabled_hijacked",
"parameter": [
{
"name": "affected_email_address",
"value": "test-user@example.com",
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING"
}
],
"status": {
"success": true
}
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "nlgrf8d6ygj",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.accountDisabledHijacked",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-04-30T23:33:09.352Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:33:10.673412983Z"
}
已更改高级保护计划注册状态
titanium_enroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.titaniumEnroll",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "4206430548119220064",
"timeUsec": "1632843484846000"
},
"event": [
{
"eventName": "titanium_enroll",
"status": {
"success": true
},
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"type": "TYPE_STRING",
"name": "dusi"
}
],
"eventType": "titanium_change"
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-bxbn5bd167i",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.titaniumEnroll"
}
},
"timestamp": "2021-09-28T15:38:04.846Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T15:38:05.969683854Z"
}
titanium_unenroll
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.titaniumUnenroll",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventType": "titanium_change",
"status": {
"success": true
},
"eventName": "titanium_unenroll",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE",
"name": "dusi"
}
]
}
],
"activityId": {
"timeUsec": "1632843914653434",
"uniqQualifier": "-6706492269209711994"
}
}
},
"insertId": "-vw60qad1861",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.titaniumUnenroll"
}
},
"timestamp": "2021-09-28T15:45:14.653434Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-28T15:45:15.862755277Z"
}
攻击警告
gov_attack_warning
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.govAttackWarning",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"timeUsec": "1619825837106000",
"uniqQualifier": "7230131091737932677"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "gov_attack_warning",
"eventType": "attack_warning",
"status": {
"success": true
}
}
]
}
},
"insertId": "bxuophd1vlw",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.govAttackWarning"
}
},
"timestamp": "2021-04-30T23:37:17.106Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-04-30T23:37:18.488559815Z"
}
已更改电子邮件转发设置
email_forwarding_out_of_domain
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.emailForwardingOutOfDomain",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "-5683698025624301037",
"timeUsec": "1632501152256000"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "email_forwarding_out_of_domain",
"status": {
"success": true
},
"parameter": [
{
"name": "dusi",
"type": "TYPE_STRING",
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"value": "test-user@google.com",
"name": "email_forwarding_destination_address"
}
],
"eventType": "email_forwarding_change"
}
]
}
},
"insertId": "rrcp9gd3y2f",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.emailForwardingOutOfDomain",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:32:32.256Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}
登录
login_failure
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginFailure",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "login_failure",
"eventType": "login",
"parameter": [
{
"value": "google_password",
"type": "TYPE_STRING",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"multiStrValue": [
"password",
"idv_preregistered_phone",
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING",
"value": "IOWJlfPwgvrTfg"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632500217183212"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nahbepd4l1x",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginFailure",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:16:57.183212Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}
login_challenge
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginChallenge",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_challenge",
"parameter": [
{
"name": "login_type",
"value": "google_password",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"type": "TYPE_STRING",
"value": "incorrect_answer_entered",
"name": "login_challenge_status"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "IOWJlfPwgvrTfg"
}
],
"eventType": "login"
}
],
"activityId": {
"timeUsec": "1632500217183211",
"uniqQualifier": "358068855354"
}
}
},
"insertId": "-nahbepd4l2j",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginChallenge"
}
},
"timestamp": "2021-09-24T16:16:57.183211Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
login_verification
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginVerification",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"event": [
{
"eventName": "login_verification",
"parameter": [
{
"name": "login_type",
"type": "TYPE_STRING",
"value": "google_password",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"multiStrValue": [
"idv_preregistered_phone"
],
"label": "LABEL_REPEATED",
"type": "TYPE_STRING"
},
{
"value": "passed",
"name": "login_challenge_status",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING"
},
{
"label": "LABEL_OPTIONAL",
"boolValue": true,
"type": "TYPE_BOOL",
"name": "is_second_factor"
}
],
"eventType": "login"
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632459936762000"
}
}
},
"insertId": "ivb9z4d41rh",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginVerification",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T05:05:36.762Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T06:39:22.386813664Z"
}
logout
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.logout",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "logout",
"eventType": "login",
"parameter": [
{
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL",
"name": "login_type",
"value": "google_password"
},
{
"type": "TYPE_STRING",
"name": "dusi",
"label": "LABEL_OPTIONAL",
"value": "INfDlrzP9IH8_QE"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632459903014598"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "v37ytid14th",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.logout"
}
},
"timestamp": "2021-09-24T05:05:03.014598Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T06:39:22.229734504Z"
}
login_success
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "test-user@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {},
"destinationAttributes": {}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginSuccess",
"resourceName": "organizations/123",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1632458429811809",
"uniqQualifier": "358068855354"
},
"event": [
{
"parameter": [
{
"type": "TYPE_STRING",
"value": "google_password",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"label": "LABEL_REPEATED",
"type": "TYPE_STRING",
"multiStrValue": [
"password"
]
},
{
"type": "TYPE_BOOL",
"boolValue": false,
"name": "is_suspicious",
"label": "LABEL_OPTIONAL"
},
{
"value": "INfDlrzP9IH8_QE",
"name": "dusi",
"type": "TYPE_STRING",
"label": "LABEL_OPTIONAL"
}
],
"eventType": "login",
"eventName": "login_success"
}
]
}
},
"insertId": "ci1svzd3hfk",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginSuccess"
}
},
"timestamp": "2021-09-24T04:40:29.811809Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T05:43:20.474338130Z"
}