Data Source: Google Workspace

Description

Data source object for Google Workspace

Details

Property   | Value
-----------|-------------------
Source     | google_workspace
Sourcetype | gws:reports:login

Name                                                   | Technique                                                                           | Type
-------------------------------------------------------|-------------------------------------------------------------------------------------|--------
GCP Successful Single-Factor Authentication            | Cloud Accounts, Cloud Accounts                                                      | TTP
GCP Multiple Users Failing To Authenticate From Ip     | Password Spraying, Credential Stuffing, Cloud Accounts                              | Anomaly
GCP Multi-Factor Authentication Disabled               | Multi-Factor Authentication, Cloud Accounts                                         | TTP
GCP Unusual Number of Failed Authentications From Ip   | Password Spraying, Credential Stuffing, Cloud Accounts                              | Anomaly
GCP Multiple Failed MFA Requests For User              | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation      | TTP

Supported Apps

Event Fields

Fields

action
actor.callerType
actor.email
actor.profileId
app
change_type
command
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dest
dest_name
dest_url
dvc
email
etag
event.name
event.parameters{}.name
event.parameters{}.value
event.type
eventtype
filter_action
host
id.applicationName
id.customerId
id.time
id.uniqueQualifier
index
internal_message_id
ipAddress
kind
linecount
message_id
object
object_attrs
object_category
object_id
object_path
owner
owner_email
protocol
punct
result
result_id
signature_extra
source
sourcetype
splunk_server
splunk_server_group
src
src_user
src_user_id
src_user_name
src_user_type
status
tag
tag::action
tag::app
tag::eventtype
tag::object_category
tenant_id
timeendpos
timestartpos
user
user_email
user_email_extracted
user_id
user_name
user_type
vendor_account
vendor_product
_bkt
_cd
_eventtype_color
_indextime
_raw
_serial
_si
_sourcetype
_subsecond
_time
</div>

Example Log

{
  "kind": "admin#reports#activity",
  "id": {
    "time": "2022-10-12T18:00:23.093Z",
    "uniqueQualifier": "-7844406841853338111",
    "applicationName": "admin",
    "customerId": "C046r85ir"
  },
  "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/afZBU3WDeiuPqFyleWyTnwyU3fE\"",
  "actor": {
    "callerType": "USER",
    "email": "evil_admin@splunkresearch.com",
    "profileId": "100059258581444193973"
  },
  "ipAddress": "22.33.111.55",
  "event": {
    "type": "USER_SETTINGS",
    "name": "UNENROLL_USER_FROM_STRONG_AUTH",
    "parameters": [
      {
        "name": "USER_EMAIL",
        "value": "victim_user@splunkresearch.com"
      }
    ]
  }
}
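An added example, not part of this page or of the Splunk detection searches it lists: it flattens Reports API activity events of the shape shown above into the dotted field names from the field list, then applies the logic behind two of the detections in the table (an admin unenrolling a user from 2-Step Verification, and one IP failing logins for many distinct users). The sample events are constructed; the login_failure event name, login_type parameter and google_password value are assumed, not taken from this page.

```python
import json
from collections import defaultdict

# Constructed sample events in the admin#reports#activity shape. The first mirrors
# the page's example log; the login_failure events use assumed field values.
SAMPLE_EVENTS = [json.dumps({
    "kind": "admin#reports#activity",
    "id": {"time": "2022-10-12T18:00:23.093Z", "applicationName": "admin"},
    "actor": {"callerType": "USER", "email": "evil_admin@example.com"},
    "ipAddress": "22.33.111.55",
    "event": {"type": "USER_SETTINGS", "name": "UNENROLL_USER_FROM_STRONG_AUTH",
              "parameters": [{"name": "USER_EMAIL", "value": "victim_user@example.com"}]}})]
SAMPLE_EVENTS += [json.dumps({
    "kind": "admin#reports#activity",
    "id": {"time": "2022-10-12T18:01:%02dZ" % i, "applicationName": "login"},
    "actor": {"callerType": "USER", "email": "user%d@example.com" % i},
    "ipAddress": "203.0.113.7",
    "event": {"type": "login", "name": "login_failure",
              "parameters": [{"name": "login_type", "value": "google_password"}]}})
    for i in range(4)]

def flatten(raw):
    """Map one raw JSON event onto the dotted field names listed above."""
    ev = json.loads(raw)
    params = {p["name"]: p.get("value") for p in ev.get("event", {}).get("parameters", [])}
    return {"id.applicationName": ev.get("id", {}).get("applicationName"),
            "id.time": ev.get("id", {}).get("time"),
            "actor.email": ev.get("actor", {}).get("email"),
            "ipAddress": ev.get("ipAddress"),
            "event.name": ev.get("event", {}).get("name"),
            "params": params}

def mfa_disabled(events):
    """GCP Multi-Factor Authentication Disabled: who unenrolled whom, from where."""
    return [(e["actor.email"], e["params"].get("USER_EMAIL"), e["ipAddress"])
            for e in events if e["event.name"] == "UNENROLL_USER_FROM_STRONG_AUTH"]

def spray_sources(events, min_users=3):
    """GCP Multiple Users Failing To Authenticate From Ip: distinct failing users per IP."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["id.applicationName"] == "login" and e["event.name"] == "login_failure":
            users_by_ip[e["ipAddress"]].add(e["actor.email"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}

def run(raw_events=SAMPLE_EVENTS):
    """Flatten the raw events and return (MFA-disable hits, spraying source IPs)."""
    events = [flatten(r) for r in raw_events]
    return mfa_disabled(events), spray_sources(events)
```

The min_users threshold stands in for the per-IP distinct-user count a production search would tune against the tenant's baseline.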

Source: GitHub | Version: 2