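# Data source object describing Google Workspace `login_failure` events
# collected under the gws:reports:admin source and sourcetype.
name: Google Workspace login_failure
id: cabec7cf-4008-4899-b47e-39c34a9a1255
# Version of this data source object (distinct from the add-on version below).
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for Google Workspace login_failure
source: gws:reports:admin
sourcetype: gws:reports:admin
# Presumably the field that tells this event type apart from others sharing
# the same source/sourcetype; in example_log its value is "login_failure".
separator: event.name
supported_TA:
- name: Splunk Add-on for Google Workspace
  # url and version describe the add-on, so they are nested under this list
  # item. Left at top level, `version` would be a duplicate key and most
  # parsers would silently replace the object version with the add-on version.
  url: https://splunkbase.splunk.com/app/5556
  version: '2.8.1'
# Fields present on these events. The date_*, host, index, linecount, punct,
# source, sourcetype, splunk_server and timestartpos/timeendpos entries are
# Splunk default fields; eventtype, tag and tag::eventtype come from Splunk
# knowledge objects. The remaining entries mirror keys of the JSON payload
# shown in example_log.
# For failed-login analysis, the payload fields that identify the account and
# the origin are actor.email, actor.profileId and ipAddress;
# event.parameters{} carries login_type and login_challenge_method.
fields:
- _time
- actor.email
- actor.profileId
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- etag
- event.name
- event.parameters{}.multiValue{}
- event.parameters{}.name
- event.parameters{}.value
- event.type
- eventtype
- host
- id.applicationName
- id.customerId
- id.time
- id.uniqueQualifier
- index
- ipAddress
- kind
- linecount
- punct
- source
- sourcetype
- splunk_server
- tag
- tag::eventtype
- timeendpos
- timestartpos
# Sample raw event (JSON) kept as a single-quoted scalar so the embedded
# backslash escapes stay literal. Continuation lines are indented so that they
# remain part of this value.
# NOTE(review): the actor.email value looks like a redaction placeholder in
# this copy rather than a real address - confirm against the upstream file.
example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z",
  "uniqueQualifier": "720229394436", "applicationName": "login", "customerId": "C046r85ir"},
  "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/_lixtTooT11WXorGf6w6ElN0m0g\"",
  "actor": {"email": "[email protected]", "profileId": "114679690119024644513"},
  "ipAddress": "141.254.89.27", "event": {"type": "login", "name": "login_failure",
  "parameters": [{"name": "login_type", "value": "unknown"}, {"name": "login_challenge_method",
  "multiValue": ["password"]}]}}'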