Google Cloud Audit Logs sample event messages

Use these sample event messages to verify a successful integration with the QRadar® product.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Google Cloud Audit Logs sample message when you use the Google Cloud Pub/Sub connector: list of objects retrieved

The following sample event message shows the retrieval of a list of objects that match the criteria that are provided. This retrieval is the result of an action that was taken by Google Cloud Storage.

{"insertId":"a1aaaaa11aaa","logName":"projects/clover-pciprod/logs/cloudaudit.googleapis.
com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo":{"principalEmail":"user@test"},
"authorizationInfo":[{"granted":true,"permission":"storage.objects.list","resource":"projects
/_/buckets/rivus-file-cache-clover-pciprod","resourceAttributes":{}}],
"methodName":"storage.objects.list","requestMetadata":
{"callerIp":"10.135.0.42","callerNetwork":"//compute.googleapis.com/projec
ts/clover-vpc-pci/global/networks/__unknown__","callerSuppliedUserAgent":"Clover Google-API-Jav
a-Client Google-HTTP-Java-Client/1.28.0 (gzip),gzip(gfe)","destinationAttributes":{},"requestAt
tributes":{"auth":{},"time":"2020-04-08T23:35:14.487672816Z"}},"resourceLocation":{"currentLoca
tions":["location"]},"resourceName":"projects/_/buckets/rivus-file-cache-clover-pciprod",
"serviceName":"storage.googleapis.com","status":{}},
"receiveTimestamp":"2020-04-08T23:35:15.981168264Z","resource":{"labels":
{"bucket_name":"rivus-file-cache-clover-pciprod","location":"location","project_id":"clover-pc
iprod"},"type":"gcs_bucket"},"severity":"INFO","timestamp":"2020-04-08T23:35:14.483227095Z"}

Table 1. Highlighted fields

| QRadar product field name | Highlighted payload field name |
|---|---|
| Event ID | methodName |
| Event Category | serviceName |
| Logsource Time | receiveTimestamp |
| Username | authenticationInfo + principalEmail |
| Source IP | requestMetadata + callerIp |
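
Before sending a pasted sample to QRadar, you can confirm that it is valid JSON once the line breaks are removed and that every field highlighted in Table 1 is present. The following Python check is an added example, not part of the original page or of the QRadar product. The function names and the shortened payload are constructed for illustration, and the field paths assume the protoPayload nesting shown in the sample message above.

```python
import json

# Table 1 mapping: QRadar field -> key path in the payload (nesting taken from the sample).
TABLE1_PATHS = {
    "Event ID": ("protoPayload", "methodName"),
    "Event Category": ("protoPayload", "serviceName"),
    "Logsource Time": ("receiveTimestamp",),
    "Username": ("protoPayload", "authenticationInfo", "principalEmail"),
    "Source IP": ("protoPayload", "requestMetadata", "callerIp"),
}

# Constructed sample: a shortened payload, wrapped mid-token the way the page's samples are.
WRAPPED_SAMPLE = (
    '{"insertId":"a1aaaaa11aaa","protoPayload":{"authenticationInfo":{"princ\r\n'
    'ipalEmail":"user@test"},"methodName":"storage.objects.list","requestMeta\n'
    'data":{"callerIp":"10.135.0.42","callerSuppliedUserAgent":"Clover Google\n'
    '-API-Java-Client"},"serviceName":"storage.googleapis.com"},"receiveTimes\n'
    'tamp":"2020-04-08T23:35:15.981168264Z","severity":"INFO"}'
)


def unwrap(text):
    """Remove CR/LF only; spaces inside values (e.g. the user agent) must survive."""
    return text.replace("\r", "").replace("\n", "")


def highlighted_fields(raw):
    """Parse one pasted message and return the Table 1 fields; raise if any is missing."""
    event = json.loads(unwrap(raw))
    out, missing = {}, []
    for name, path in TABLE1_PATHS.items():
        node = event
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node in (None, "", {}):
            missing.append(f"{name} ({'.'.join(path)})")
        else:
            out[name] = node
    if missing:
        raise ValueError("fields absent from payload: " + ", ".join(missing))
    return out


if __name__ == "__main__":
    for field, value in highlighted_fields(WRAPPED_SAMPLE).items():
        print(f"{field}: {value}")
```

A message that still contains line breaks fails JSON parsing outright, because a raw CR or LF inside a JSON string is not valid.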

Google Cloud Audit Logs sample message when you use the Google Cloud Pub/Sub connector: object information modified

The following sample event message shows the modification of an object's information and is the result of an action that was taken by Google Cloud Storage.

{"insertId":"a1aaaaa11aaa","logName":"projects/clover-pciprod/logs/cloudaudit.googleapis.
com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo":{"principalEmail":"user@test"},"authorizationInfo":
[{"granted":true,"permission":"storage.objects.update","resource":"projects/_/buckets/rivus-
file-cache-clover-pciprod/objects/NORTH_ADJUSTMENT/2020/04/08/USER#A11AAA.11111111.111111.te
st.example","resourceAttributes":{}}],"methodName":"storage.objects.update"
,"requestMetadata":{"callerIp":"10.135.0.42","callerNetwork":"//compute.
googleapis.com/projects/clover-vpc-pci/global/networks/__unknown__","callerSuppliedUserAgent":
"Clover Google-API-Java-Client Google-HTTP-Java-Client/1.28.0 (gzip),gzip(gfe)","destinationAt
tributes":{},"requestAttributes":{"auth":{},"time":"2020-04-08T23:35:26.176068572Z"}},"resourc
eLocation":{"currentLocations":["location"]},"resourceName":"projects/_/buckets/rivus-file-cac
he-clover-pciprod/objects/NORTH_ADJUSTMENT/2020/04/08/USER#A11AAA.11111111.111111.test.example
","serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":
"2020-04-08T23:35:27.212247517Z","resource":{"labels":{"bucket_name":"rivus-file-cache-clover-
pciprod","location":"location","project_id":"clover-pciprod"},"type":"gcs_bucket"},"severity":
"INFO","timestamp":"2020-04-08T23:35:26.171189525Z"}

Table 2. Highlighted fields

| QRadar product field name | Highlighted payload field name |
|---|---|
| Event ID | principalEmail |
| Event Category | methodName |
| Logsource Time | callerIp |
| Username | serviceName |
| Source IP | timestamp |