本文档提供了 Google Workspace 登录审核发送到 Google Cloud 的审核日志的示例。
如需详细了解各种类型的登录审核活动事件的事件和参数,请参阅登录审核活动事件参考。
可用的登录审核日志
下表列出了登录审核生成的审核日志及其对应的 AuditLog.method_name
:
说明 | 事件名称 | AuditLog.method_name |
---|---|---|
事件类型:两步验证注册已更改 | ||
两步验证停用 | 2sv_disable |
google.login.LoginService.2svDisable |
两步验证注册 | 2sv_enroll |
google.login.LoginService.2svEnroll |
事件类型:账号密码已更改 | ||
账号密码更改 | password_edit |
google.login.LoginService.passwordEdit |
事件类型:账号恢复信息已更改 | ||
账号恢复辅助邮箱更改 | recovery_email_edit |
google.login.LoginService.recoveryEmailEdit |
账号恢复辅助电话号码更改 | recovery_phone_edit |
google.login.LoginService.recoveryPhoneEdit |
账号恢复保密问题/答案更改 | recovery_secret_qa_edit |
google.login.LoginService.recoverySecretQaEdit |
事件类型:账号警告 | ||
密码泄露 | account_disabled_password_leak |
google.login.LoginService.accountDisabledPasswordLeak |
允许有风险的敏感操作 | risky_sensitive_action_allowed |
google.login.LoginService.riskySensitiveActionAllowed |
存在风险的敏感操作已被阻止 | risky_sensitive_action_blocked |
google.login.LoginService.riskySensitiveActionBlocked |
已阻止可疑登录 | suspicious_login |
google.login.LoginService.suspiciousLogin |
已阻止使用安全性较低的应用进行的可疑登录 | suspicious_login_less_secure_app |
google.login.LoginService.suspiciousLoginLessSecureApp |
阻止了通过程序化方式进行的可疑登录 | suspicious_programmatic_login |
google.login.LoginService.suspiciousProgrammaticLogin |
用户被暂停 | account_disabled_generic |
google.login.LoginService.accountDisabledGeneric |
已暂停用户(通过中继服务发送垃圾内容) | account_disabled_spamming_through_relay |
google.login.LoginService.accountDisabledSpammingThroughRelay |
已暂停用户(垃圾内容) | account_disabled_spamming |
google.login.LoginService.accountDisabledSpamming |
已暂停用户(可疑活动) | account_disabled_hijacked |
google.login.LoginService.accountDisabledHijacked |
事件类型:高级保护注册已更改 | ||
注册高级保护计划 | titanium_enroll |
google.login.LoginService.titaniumEnroll |
取消注册高级保护计划 | titanium_unenroll |
google.login.LoginService.titaniumUnenroll |
事件类型:攻击警告 | ||
受政府支持的攻击 | gov_attack_warning |
google.login.LoginService.govAttackWarning |
事件类型:电子邮件转发设置已更改 | ||
网域外电子邮件转发功能已启用 | email_forwarding_out_of_domain |
google.login.LoginService.emailForwardingOutOfDomain |
事件类型:登录 | ||
登录失败 | login_failure |
google.login.LoginService.loginFailure |
登录验证 | login_challenge |
google.login.LoginService.loginChallenge |
登录验证 | login_verification |
google.login.LoginService.loginVerification |
退出 | logout |
google.login.LoginService.logout |
登录成功 | login_success |
google.login.LoginService.loginSuccess |
示例
以下是根据事件类型和事件名称的登录审核的审核日志示例。
两步验证注册已更改
2sv_disable
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svDisable", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "-7789616625639281959", "timeUsec": "1632459962686000" }, "event": [ { "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "eventName": "2sv_disable", "eventType": "2sv_change" } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-tn3jrd3lko", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.2svDisable" } }, "timestamp": "2021-09-24T05:06:02.686Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T05:06:03.845372592Z" }
2sv_enroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svEnroll", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "1624031130844323135", "timeUsec": "1632458745769000" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventType": "2sv_change", "status": { "success": true }, "eventName": "2sv_enroll", "parameter": [ { "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "dusi" } ] } ] } }, "insertId": "g3k8gid3b3p", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.2svEnroll", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T04:45:45.769Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T04:45:46.331843829Z" }
账号密码已更改
password_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.passwordEdit", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "password_edit", "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "eventType": "password_change" } ], "activityId": { "uniqQualifier": "8894052787391296929", "timeUsec": "1632803013900566" } } }, "insertId": "-u8coc0d6n78", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.passwordEdit" } }, "timestamp": "2021-09-28T04:23:33.900566Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:23:37.724654918Z" }
账号恢复信息已更改
recovery_email_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoveryEmailEdit", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1632802942940979", "uniqQualifier": "-7373127890859496609" }, "event": [ { "eventType": "recovery_info_change", "eventName": "recovery_email_edit", "parameter": [ { "label": "LABEL_OPTIONAL", "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nkwfupd26zt", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.recoveryEmailEdit" } }, "timestamp": "2021-09-28T04:22:22.940979Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:22:26.523242112Z" }
recovery_phone_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoveryPhoneEdit", "resourceName": "organizations/123", "metadata": { "event": [ { "status": { "success": true }, "eventType": "recovery_info_change", "eventName": "recovery_phone_edit", "parameter": [ { "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "name": "dusi" } ] } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "activityId": { "timeUsec": "1632804439611095", "uniqQualifier": "1470137036135837564" } } }, "insertId": "-1xtrgbd2vl2", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.recoveryPhoneEdit" } }, "timestamp": "2021-09-28T04:47:19.611095Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
recovery_secret_qa_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoverySecretQaEdit", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "8328506129139272243", "timeUsec": "1632804455273424" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "recovery_secret_qa_edit", "eventType": "recovery_info_change", "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "name": "dusi", "label": "LABEL_OPTIONAL" } ] } ] } }, "insertId": "vn31slcpmy", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.recoverySecretQaEdit", "service": "login.googleapis.com" } }, "timestamp": "2021-09-28T04:47:35.273424Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
账号警告
account_disabled_password_leak
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_password_leak", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledPasswordLeak", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
suspicious_login
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLogin", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_login", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousLogin" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
suspicious_login_less_secure_app
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_login_less_secure_app", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousLoginLessSecureApp" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
suspicious_programmatic_login
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousProgrammaticLogin", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_programmatic_login", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousProgrammaticLogin" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
account_disabled_generic
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledGeneric", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825589352000", "uniqQualifier": "-3303614929287073633" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_generic", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "nlgrf8d6ygj", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledGeneric", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T23:33:09.352Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:33:10.673412983Z" }
account_disabled_spamming_through_relay
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_spamming_through_relay", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledSpammingThroughRelay", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
account_disabled_spamming
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledSpamming", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_spamming", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledSpamming", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
account_disabled_hijacked
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledHijacked", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825589352000", "uniqQualifier": "-3303614929287073633" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_hijacked", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "nlgrf8d6ygj", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledHijacked", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T23:33:09.352Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:33:10.673412983Z" }
已更改高级保护计划注册状态
titanium_enroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.titaniumEnroll", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "4206430548119220064", "timeUsec": "1632843484846000" }, "event": [ { "eventName": "titanium_enroll", "status": { "success": true }, "parameter": [ { "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "name": "dusi" } ], "eventType": "titanium_change" } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-bxbn5bd167i", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.titaniumEnroll" } }, "timestamp": "2021-09-28T15:38:04.846Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T15:38:05.969683854Z" }
titanium_unenroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.titaniumUnenroll", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventType": "titanium_change", "status": { "success": true }, "eventName": "titanium_unenroll", "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ] } ], "activityId": { "timeUsec": "1632843914653434", "uniqQualifier": "-6706492269209711994" } } }, "insertId": "-vw60qad1861", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.titaniumUnenroll" } }, "timestamp": "2021-09-28T15:45:14.653434Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T15:45:15.862755277Z" }
攻击警告
gov_attack_warning
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.govAttackWarning", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825837106000", "uniqQualifier": "7230131091737932677" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "gov_attack_warning", "eventType": "attack_warning", "status": { "success": true } } ] } }, "insertId": "bxuophd1vlw", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.govAttackWarning" } }, "timestamp": "2021-04-30T23:37:17.106Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:37:18.488559815Z" }
已更改电子邮件转发设置
email_forwarding_out_of_domain
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.emailForwardingOutOfDomain", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "-5683698025624301037", "timeUsec": "1632501152256000" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "email_forwarding_out_of_domain", "status": { "success": true }, "parameter": [ { "name": "dusi", "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL" }, { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "test-user@google.com", "name": "email_forwarding_destination_address" } ], "eventType": "email_forwarding_change" } ] } }, "insertId": "rrcp9gd3y2f", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.emailForwardingOutOfDomain", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:32:32.256Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T16:32:33.319260836Z" }
登录
login_failure
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { "value": "google_password", "type": "TYPE_STRING", "name": "login_type", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" ] }, { "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING", "value": "IOWJlfPwgvrTfg" } ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632500217183212" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nahbepd4l1x", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:16:57.183212Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:25.034361197Z" }
login_challenge
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginChallenge", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "login_challenge", "parameter": [ { "name": "login_type", "value": "google_password", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" }, { "type": "TYPE_STRING", "label": "LABEL_REPEATED", "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" ] }, { "label": "LABEL_OPTIONAL", "type": "TYPE_STRING", "value": "incorrect_answer_entered", "name": "login_challenge_status" }, { "type": "TYPE_STRING", "name": "dusi", "label": "LABEL_OPTIONAL", "value": "IOWJlfPwgvrTfg" } ], "eventType": "login" } ], "activityId": { "timeUsec": "1632500217183211", "uniqQualifier": "358068855354" } } }, "insertId": "-nahbepd4l2j", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.loginChallenge" } }, "timestamp": "2021-09-24T16:16:57.183211Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
login_verification
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginVerification", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "login_verification", "parameter": [ { "name": "login_type", "type": "TYPE_STRING", "value": "google_password", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" ], "label": "LABEL_REPEATED", "type": "TYPE_STRING" }, { "value": "passed", "name": "login_challenge_status", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" }, { "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING" }, { "label": "LABEL_OPTIONAL", "boolValue": true, "type": "TYPE_BOOL", "name": "is_second_factor" } ], "eventType": "login" } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632459936762000" } } }, "insertId": "ivb9z4d41rh", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginVerification", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T05:05:36.762Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T06:39:22.386813664Z" }
logout
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.logout", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "logout", "eventType": "login", "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "login_type", "value": "google_password" }, { "type": "TYPE_STRING", "name": "dusi", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE" } ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632459903014598" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "v37ytid14th", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.logout" } }, "timestamp": "2021-09-24T05:05:03.014598Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T06:39:22.229734504Z" }
login_success
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginSuccess", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "activityId": { "timeUsec": "1632458429811809", "uniqQualifier": "358068855354" }, "event": [ { "parameter": [ { "type": "TYPE_STRING", "value": "google_password", "name": "login_type", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "label": "LABEL_REPEATED", "type": "TYPE_STRING", "multiStrValue": [ "password" ] }, { "type": "TYPE_BOOL", "boolValue": false, "name": "is_suspicious", "label": "LABEL_OPTIONAL" }, { "value": "INfDlrzP9IH8_QE", "name": "dusi", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" } ], "eventType": "login", "eventName": "login_success" } ] } }, "insertId": "ci1svzd3hfk", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.loginSuccess" } }, "timestamp": "2021-09-24T04:40:29.811809Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T05:43:20.474338130Z" }