...
Introduction
The tags beginning with cloud.gsuite identify events generated by Google Workspace (formerly Google G Suite).
...
The full tag must have four levels. The first two are fixed as cloud.gsuite and represent technology and brand. The third level corresponds to the service, while the fourth identifies the type of events sent.
...
| Technology | Brand | Service | Type |
|---|---|---|---|
| cloud | gsuite | alerts | activity_rule, appmaker_default_cloud_sql_setup, customer_takeout_initiated, data_loss_prevention, device_compromised, google_operations, government_attack_warning, leaked_password, malware_reclassification, misconfigured_whitelist, phising_reclassification, suspicious_message_reported, suspicious_login, suspicious_login_less_secure_app, suspicious_programmatic_login, suspended_spam_through_relay, suspended_suspicious_activity, suspicious_activity, super_admin_password_reset, user_reported_phising, user_reported_spam_spike, user_suspended, user_suspended_spam |
| | | reports | access_transparency, admin, calendar, chat, data_studio, drive, gcp, gplus, groups, groups_entreprise, jamboard, login, meet, mobile, rules, saml, token, user_accounts |
These are the valid tags and corresponding data tables that will receive the parsers' data:
| | Tags | Data tables |
|---|---|---|
| Google Workspace admin logs | cloud.gsuite.admin.alertcenter | cloud.gsuite.admin.alertcenter |
| Google Workspace alerts | cloud.gsuite.alerts | cloud.gsuite.alerts |
| | cloud.gsuite.alerts.activity_rule | cloud.gsuite.alerts.activity_rule |
| | cloud.gsuite.alerts.appmaker_default_cloud_sql_setup | cloud.gsuite.alerts.appmaker_default_cloud_sql_setup |
| | cloud.gsuite.alerts.customer_takeout_initiated | cloud.gsuite.alerts.customer_takeout_initiated |
| | cloud.gsuite.alerts.data_loss_prevention | cloud.gsuite.alerts.data_loss_prevention |
| | cloud.gsuite.alerts.device_compromised | cloud.gsuite.alerts.device_compromised |
| | cloud.gsuite.alerts.google_operations | cloud.gsuite.alerts.google_operations |
| | cloud.gsuite.alerts.government_attack_warning | cloud.gsuite.alerts.government_attack_warning |
| | cloud.gsuite.alerts.leaked_password | cloud.gsuite.alerts.leaked_password |
| | cloud.gsuite.alerts.malware_reclassification | cloud.gsuite.alerts.malware_reclassification |
| | cloud.gsuite.alerts.misconfigured_whitelist | cloud.gsuite.alerts.misconfigured_whitelist |
| | cloud.gsuite.alerts.phising_reclassification | cloud.gsuite.alerts.phising_reclassification |
| | cloud.gsuite.alerts.super_admin_password_reset | cloud.gsuite.alerts.super_admin_password_reset |
| | cloud.gsuite.alerts.suspicious_activity | cloud.gsuite.alerts.suspicious_activity |
| | cloud.gsuite.alerts.suspicious_login | cloud.gsuite.alerts.suspicious_login |
| | cloud.gsuite.alerts.suspicious_login_less_secure_app | cloud.gsuite.alerts.suspicious_login_less_secure_app |
| | cloud.gsuite.alerts.suspicious_message_reported | cloud.gsuite.alerts.suspicious_message_reported |
| | cloud.gsuite.alerts.suspicious_programmatic_login | cloud.gsuite.alerts.suspicious_programmatic_login |
| | cloud.gsuite.alerts.user_reported_phising | cloud.gsuite.alerts.user_reported_phising |
| | cloud.gsuite.alerts.user_reported_spam_spike | cloud.gsuite.alerts.user_reported_spam_spike |
| | cloud.gsuite.alerts.user_suspended | cloud.gsuite.alerts.user_suspended |
| | cloud.gsuite.alerts.user_suspended_spam | cloud.gsuite.alerts.user_suspended_spam |
| | cloud.gsuite.alerts.user_suspended_spam_through_relay | cloud.gsuite.alerts.user_suspended_spam_through_relay |
| | cloud.gsuite.alerts.user_suspended_suspicious_activity | cloud.gsuite.alerts.user_suspended_suspicious_activity |
| Google Workspace reports | cloud.gsuite.reports.generic | cloud.gsuite.reports |
| | cloud.gsuite.reports.access_transparency | cloud.gsuite.reports.access_transparency |
| | cloud.gsuite.reports.admin | cloud.gsuite.reports.admin |
| | cloud.gsuite.reports.calendar | cloud.gsuite.reports.calendar |
| | cloud.gsuite.reports.chat | cloud.gsuite.reports.chat |
| | cloud.gsuite.reports.data_studio | cloud.gsuite.reports.data_studio |
| | cloud.gsuite.reports.drive | cloud.gsuite.reports.drive |
| | cloud.gsuite.reports.gcp | cloud.gsuite.reports.gcp |
| | cloud.gsuite.reports.gplus | cloud.gsuite.reports.gplus |
| | cloud.gsuite.reports.groups | cloud.gsuite.reports.groups |
| | cloud.gsuite.reports.groups_enterprise | cloud.gsuite.reports.groups_enterprise |
| | cloud.gsuite.reports.jamboard | cloud.gsuite.reports.jamboard |
| | cloud.gsuite.reports.login | cloud.gsuite.reports.login |
| | cloud.gsuite.reports.meet | cloud.gsuite.reports.meet |
| | cloud.gsuite.reports.mobile | cloud.gsuite.reports.mobile |
| | cloud.gsuite.reports.rules | cloud.gsuite.reports.rules |
| | cloud.gsuite.reports.saml | cloud.gsuite.reports.saml |
| | cloud.gsuite.reports.token | cloud.gsuite.reports.token |
| | cloud.gsuite.reports.user_accounts | cloud.gsuite.reports.user_accounts |