本文件提供 Google Workspace 登入稽核功能傳送至 Google Cloud的稽核記錄範例。
如要進一步瞭解各種登入稽核活動事件的事件和參數,請參閱「登入稽核活動事件」參考資料。
可用的登入稽核記錄
下表列出登入稽核產生的稽核記錄,以及對應的 AuditLog.method_name。詳情請參閱稽核記錄格式:
| 說明 | 事件名稱 | AuditLog.method_name | 
|---|---|---|
| 事件類型:兩步驟驗證註冊狀態變更 | ||
| 停用兩步驟驗證 | 2sv_disable | google.login.LoginService.2svDisable | 
| 兩步驟驗證註冊 | 2sv_enroll | google.login.LoginService.2svEnroll | 
| 事件類型:帳戶密碼已變更 | ||
| 變更帳戶密碼 | password_edit | google.login.LoginService.passwordEdit | 
| 事件類型:帳戶救援資訊變更 | ||
| 變更帳戶備援電子郵件地址 | recovery_email_edit | google.login.LoginService.recoveryEmailEdit | 
| 變更帳戶備援電話號碼 | recovery_phone_edit | google.login.LoginService.recoveryPhoneEdit | 
| 變更帳戶救援安全提示問題/答案 | recovery_secret_qa_edit | google.login.LoginService.recoverySecretQaEdit | 
| 事件類型:帳戶警告 | ||
| 密碼外洩 | account_disabled_password_leak | google.login.LoginService.accountDisabledPasswordLeak | 
| 允許有風險的敏感操作 | risky_sensitive_action_allowed | google.login.LoginService.riskySensitiveActionAllowed | 
| 高風險、敏感的 action_blocked | risky_sensitive_action_blocked | google.login.LoginService.riskySensitiveActionBlocked | 
| 禁止可疑的登入活動 | suspicious_login | google.login.LoginService.suspiciousLogin | 
| 已封鎖來自低安全性應用程式的可疑登入活動 | suspicious_login_less_secure_app | google.login.LoginService.suspiciousLoginLessSecureApp | 
| 已封鎖使用程式輔助方式進行的可疑登入活動 | suspicious_programmatic_login | google.login.LoginService.suspiciousProgrammaticLogin | 
| 使用者已遭停權 | account_disabled_generic | google.login.LoginService.accountDisabledGeneric | 
| 使用者已遭停權 (轉發垃圾郵件) | account_disabled_spamming_through_relay | google.login.LoginService.accountDisabledSpammingThroughRelay | 
| 使用者已遭停權 (傳送垃圾郵件) | account_disabled_spamming | google.login.LoginService.accountDisabledSpamming | 
| 使用者已遭到停權 (出現可疑活動) | account_disabled_hijacked | google.login.LoginService.accountDisabledHijacked | 
| 事件類型:已變更進階保護註冊狀態 | ||
| 註冊進階保護計畫 | titanium_enroll | google.login.LoginService.titaniumEnroll | 
| 取消註冊進階保護計畫 | titanium_unenroll | google.login.LoginService.titaniumUnenroll | 
| 事件類型:攻擊警告 | ||
| 受到政府資助的入侵者攻擊 | gov_attack_warning | google.login.LoginService.govAttackWarning | 
| 事件類型:電子郵件轉寄設定已變更 | ||
| 啟用網域外電子郵件轉寄功能 | email_forwarding_out_of_domain | google.login.LoginService.emailForwardingOutOfDomain | 
| 事件類型:登入 | ||
| 登入失敗 | login_failure | google.login.LoginService.loginFailure | 
| 登入身分確認問題 | login_challenge | google.login.LoginService.loginChallenge | 
| 登入驗證 | login_verification | google.login.LoginService.loginVerification | 
| 登出 | logout | google.login.LoginService.logout | 
| 成功登入 | login_success | google.login.LoginService.loginSuccess | 
範例
以下是登入稽核的稽核記錄範例,依事件類型和事件名稱分類。
已變更兩步驟驗證註冊狀態
2sv_disable
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svDisable", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "-7789616625639281959", "timeUsec": "1632459962686000" }, "event": [ { "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "eventName": "2sv_disable", "eventType": "2sv_change" } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-tn3jrd3lko", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.2svDisable" } }, "timestamp": "2021-09-24T05:06:02.686Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T05:06:03.845372592Z" }
2sv_enroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.2svEnroll", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "1624031130844323135", "timeUsec": "1632458745769000" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventType": "2sv_change", "status": { "success": true }, "eventName": "2sv_enroll", "parameter": [ { "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "dusi" } ] } ] } }, "insertId": "g3k8gid3b3p", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.2svEnroll", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T04:45:45.769Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T04:45:46.331843829Z" }
已變更裝置密碼
password_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.passwordEdit", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "password_edit", "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "eventType": "password_change" } ], "activityId": { "uniqQualifier": "8894052787391296929", "timeUsec": "1632803013900566" } } }, "insertId": "-u8coc0d6n78", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.passwordEdit" } }, "timestamp": "2021-09-28T04:23:33.900566Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:23:37.724654918Z" }
已變更帳戶救援資訊
recovery_email_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoveryEmailEdit", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1632802942940979", "uniqQualifier": "-7373127890859496609" }, "event": [ { "eventType": "recovery_info_change", "eventName": "recovery_email_edit", "parameter": [ { "label": "LABEL_OPTIONAL", "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nkwfupd26zt", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.recoveryEmailEdit" } }, "timestamp": "2021-09-28T04:22:22.940979Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:22:26.523242112Z" }
recovery_phone_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoveryPhoneEdit", "resourceName": "organizations/123", "metadata": { "event": [ { "status": { "success": true }, "eventType": "recovery_info_change", "eventName": "recovery_phone_edit", "parameter": [ { "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "name": "dusi" } ] } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "activityId": { "timeUsec": "1632804439611095", "uniqQualifier": "1470137036135837564" } } }, "insertId": "-1xtrgbd2vl2", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.recoveryPhoneEdit" } }, "timestamp": "2021-09-28T04:47:19.611095Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:47:25.741574446Z"
recovery_secret_qa_edit
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.recoverySecretQaEdit", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "8328506129139272243", "timeUsec": "1632804455273424" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "recovery_secret_qa_edit", "eventType": "recovery_info_change", "status": { "success": true }, "parameter": [ { "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "name": "dusi", "label": "LABEL_OPTIONAL" } ] } ] } }, "insertId": "vn31slcpmy", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.recoverySecretQaEdit", "service": "login.googleapis.com" } }, "timestamp": "2021-09-28T04:47:35.273424Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T04:47:37.650432219Z"
帳戶警告
account_disabled_password_leak
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_password_leak", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledPasswordLeak", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
suspicious_login
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLogin", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_login", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousLogin" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
suspicious_login_less_secure_app
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_login_less_secure_app", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousLoginLessSecureApp" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
suspicious_programmatic_login
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.suspiciousProgrammaticLogin", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1620095181000000", "uniqQualifier": "-2034771694824799453" }, "event": [ { "eventType": "account_warning", "eventName": "suspicious_programmatic_login", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-778d70d2n5b", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.suspiciousProgrammaticLogin" } }, "timestamp": "2021-05-04T02:26:21Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-05-04T02:56:23.806722355Z" }
account_disabled_generic
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledGeneric", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825589352000", "uniqQualifier": "-3303614929287073633" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_generic", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "nlgrf8d6ygj", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledGeneric", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T23:33:09.352Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:33:10.673412983Z" }
account_disabled_spamming_through_relay
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_spamming_through_relay", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledSpammingThroughRelay", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
account_disabled_spamming
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledSpamming", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619808083475000", "uniqQualifier": "6286848759980589624" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_spamming", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-xkklkzcxkl", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledSpamming", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T18:41:23.475Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T18:41:24.650965796Z" }
account_disabled_hijacked
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": {}, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.accountDisabledHijacked", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825589352000", "uniqQualifier": "-3303614929287073633" }, "event": [ { "eventType": "account_warning", "eventName": "account_disabled_hijacked", "parameter": [ { "name": "affected_email_address", "value": "test-user@example.com", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ], "status": { "success": true } } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "nlgrf8d6ygj", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.accountDisabledHijacked", "service": "login.googleapis.com" } }, "timestamp": "2021-04-30T23:33:09.352Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:33:10.673412983Z" }
已變更進階保護註冊狀態
titanium_enroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.titaniumEnroll", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "4206430548119220064", "timeUsec": "1632843484846000" }, "event": [ { "eventName": "titanium_enroll", "status": { "success": true }, "parameter": [ { "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "type": "TYPE_STRING", "name": "dusi" } ], "eventType": "titanium_change" } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-bxbn5bd167i", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.titaniumEnroll" } }, "timestamp": "2021-09-28T15:38:04.846Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T15:38:05.969683854Z" }
titanium_unenroll
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.titaniumUnenroll", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventType": "titanium_change", "status": { "success": true }, "eventName": "titanium_unenroll", "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE", "name": "dusi" } ] } ], "activityId": { "timeUsec": "1632843914653434", "uniqQualifier": "-6706492269209711994" } } }, "insertId": "-vw60qad1861", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.titaniumUnenroll" } }, "timestamp": "2021-09-28T15:45:14.653434Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-28T15:45:15.862755277Z" }
攻擊警告
gov_attack_warning
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.govAttackWarning", "resourceName": "organizations/123", "metadata": { "activityId": { "timeUsec": "1619825837106000", "uniqQualifier": "7230131091737932677" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "gov_attack_warning", "eventType": "attack_warning", "status": { "success": true } } ] } }, "insertId": "bxuophd1vlw", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.govAttackWarning" } }, "timestamp": "2021-04-30T23:37:17.106Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-04-30T23:37:18.488559815Z" }
已變更電子郵件轉寄設定
email_forwarding_out_of_domain
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.emailForwardingOutOfDomain", "resourceName": "organizations/123", "metadata": { "activityId": { "uniqQualifier": "-5683698025624301037", "timeUsec": "1632501152256000" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "email_forwarding_out_of_domain", "status": { "success": true }, "parameter": [ { "name": "dusi", "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL" }, { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "value": "test-user@google.com", "name": "email_forwarding_destination_address" } ], "eventType": "email_forwarding_change" } ] } }, "insertId": "rrcp9gd3y2f", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.emailForwardingOutOfDomain", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:32:32.256Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T16:32:33.319260836Z" }
登入
login_failure
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { "value": "google_password", "type": "TYPE_STRING", "name": "login_type", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" ] }, { "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING", "value": "IOWJlfPwgvrTfg" } ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632500217183212" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nahbepd4l1x", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:16:57.183212Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:25.034361197Z" }
login_challenge
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginChallenge", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "login_challenge", "parameter": [ { "name": "login_type", "value": "google_password", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" }, { "type": "TYPE_STRING", "label": "LABEL_REPEATED", "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" ] }, { "label": "LABEL_OPTIONAL", "type": "TYPE_STRING", "value": "incorrect_answer_entered", "name": "login_challenge_status" }, { "type": "TYPE_STRING", "name": "dusi", "label": "LABEL_OPTIONAL", "value": "IOWJlfPwgvrTfg" } ], "eventType": "login" } ], "activityId": { "timeUsec": "1632500217183211", "uniqQualifier": "358068855354" } } }, "insertId": "-nahbepd4l2j", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.loginChallenge" } }, "timestamp": "2021-09-24T16:16:57.183211Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:28.041126044Z"
login_verification
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginVerification", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "event": [ { "eventName": "login_verification", "parameter": [ { "name": "login_type", "type": "TYPE_STRING", "value": "google_password", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" ], "label": "LABEL_REPEATED", "type": "TYPE_STRING" }, { "value": "passed", "name": "login_challenge_status", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" }, { "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING" }, { "label": "LABEL_OPTIONAL", "boolValue": true, "type": "TYPE_BOOL", "name": "is_second_factor" } ], "eventType": "login" } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632459936762000" } } }, "insertId": "ivb9z4d41rh", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginVerification", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T05:05:36.762Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T06:39:22.386813664Z" }
logout
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.logout", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "logout", "eventType": "login", "parameter": [ { "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "login_type", "value": "google_password" }, { "type": "TYPE_STRING", "name": "dusi", "label": "LABEL_OPTIONAL", "value": "INfDlrzP9IH8_QE" } ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632459903014598" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "v37ytid14th", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.logout" } }, "timestamp": "2021-09-24T05:05:03.014598Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T06:39:22.229734504Z" }
login_success
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.com" }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginSuccess", "resourceName": "organizations/123", "metadata": { "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", "activityId": { "timeUsec": "1632458429811809", "uniqQualifier": "358068855354" }, "event": [ { "parameter": [ { "type": "TYPE_STRING", "value": "google_password", "name": "login_type", "label": "LABEL_OPTIONAL" }, { "name": "login_challenge_method", "label": "LABEL_REPEATED", "type": "TYPE_STRING", "multiStrValue": [ "password" ] }, { "type": "TYPE_BOOL", "boolValue": false, "name": "is_suspicious", "label": "LABEL_OPTIONAL" }, { "value": "INfDlrzP9IH8_QE", "name": "dusi", "type": "TYPE_STRING", "label": "LABEL_OPTIONAL" } ], "eventType": "login", "eventName": "login_success" } ] } }, "insertId": "ci1svzd3hfk", "resource": { "type": "audited_resource", "labels": { "service": "login.googleapis.com", "method": "google.login.LoginService.loginSuccess" } }, "timestamp": "2021-09-24T04:40:29.811809Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T05:43:20.474338130Z" }