gsuite fields

edit

gsuite Module

gsuite

edit

Gsuite specific fields. More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

gsuite.actor.type

The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor.

type: keyword

gsuite.actor.key

Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts.

type: keyword

gsuite.event.type

The type of GSuite event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

type: keyword

example: audit#activity

gsuite.kind

The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

type: keyword

example: audit#activity

gsuite.organization.domain

The domain that is affected by the report’s event.

type: keyword

gsuite.admin.application.edition

The GSuite edition.

type: keyword

gsuite.admin.application.name

The application’s name.

type: keyword

gsuite.admin.application.enabled

The enabled application.

type: keyword

gsuite.admin.application.licences_order_number

Order number used to redeem licenses.

type: keyword

gsuite.admin.application.licences_purchased

Number of licences purchased.

type: keyword

gsuite.admin.application.id

The application ID.

type: keyword

gsuite.admin.application.asp_id

The application specific password ID.

type: keyword

gsuite.admin.application.package_id

The mobile application package ID.

type: keyword

gsuite.admin.group.email

The group’s primary email address.

type: keyword

gsuite.admin.new_value

The new value for the setting.

type: keyword

gsuite.admin.old_value

The old value for the setting.

type: keyword

gsuite.admin.org_unit.name

The organizational unit name.

type: keyword

gsuite.admin.org_unit.full

The org unit full path including the root org unit name.

type: keyword

gsuite.admin.setting.name

The setting name.

type: keyword

gsuite.admin.user_defined_setting.name

The name of the user-defined setting.

type: keyword

gsuite.admin.setting.description

The setting name.

type: keyword

gsuite.admin.group.priorities

Group priorities.

type: keyword

gsuite.admin.domain.alias

The domain alias.

type: keyword

gsuite.admin.domain.name

The primary domain name.

type: keyword

gsuite.admin.domain.secondary_name

The secondary domain name.

type: keyword

gsuite.admin.managed_configuration

The name of the managed configuration.

type: keyword

gsuite.admin.non_featured_services_selection

Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED

type: keyword

gsuite.admin.field

The name of the field.

type: keyword

gsuite.admin.resource.id

The name of the resource identifier.

type: keyword

gsuite.admin.user.email

The user’s primary email address.

type: keyword

gsuite.admin.user.nickname

The user’s nickname.

type: keyword

gsuite.admin.user.birthdate

The user’s birth date.

type: date

gsuite.admin.gateway.name

Gateway name. Present on some chat settings.

type: keyword

gsuite.admin.chrome_os.session_type

Chrome OS session type.

type: keyword

gsuite.admin.device.serial_number

Device serial number.

type: keyword

gsuite.admin.device.id

type: keyword

gsuite.admin.device.type

Device type.

type: keyword

gsuite.admin.print_server.name

The name of the print server.

type: keyword

gsuite.admin.printer.name

The name of the printer.

type: keyword

gsuite.admin.device.command_details

Command details.

type: keyword

gsuite.admin.role.id

Unique identifier for this role privilege.

type: keyword

gsuite.admin.role.name

The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings

type: keyword

gsuite.admin.privilege.name

Privilege name.

type: keyword

gsuite.admin.service.name

The service name.

type: keyword

gsuite.admin.url.name

The website name.

type: keyword

gsuite.admin.product.name

The product name.

type: keyword

gsuite.admin.product.sku

The product SKU.

type: keyword

gsuite.admin.bulk_upload.failed

Number of failed records in bulk upload operation.

type: long

gsuite.admin.bulk_upload.total

Number of total records in bulk upload operation.

type: long

gsuite.admin.group.allowed_list

Names of allow-listed groups.

type: keyword

gsuite.admin.email.quarantine_name

The name of the quarantine.

type: keyword

gsuite.admin.email.log_search_filter.message_id

The log search filter’s email message ID.

type: keyword

gsuite.admin.email.log_search_filter.start_date

The log search filter’s start date.

type: date

gsuite.admin.email.log_search_filter.end_date

The log search filter’s ending date.

type: date

gsuite.admin.email.log_search_filter.recipient.value

The log search filter’s email recipient.

type: keyword

gsuite.admin.email.log_search_filter.sender.value

The log search filter’s email sender.

type: keyword

gsuite.admin.email.log_search_filter.recipient.ip

The log search filter’s email recipient’s IP address.

type: ip

gsuite.admin.email.log_search_filter.sender.ip

The log search filter’s email sender’s IP address.

type: ip

gsuite.admin.chrome_licenses.enabled

Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings

type: keyword

gsuite.admin.chrome_licenses.allowed

Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings

type: keyword

gsuite.admin.oauth2.service.name

OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings

type: keyword

gsuite.admin.oauth2.application.id

OAuth2 application ID.

type: keyword

gsuite.admin.oauth2.application.name

OAuth2 application name.

type: keyword

gsuite.admin.oauth2.application.type

OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings

type: keyword

gsuite.admin.verification_method

Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings

type: keyword

gsuite.admin.alert.name

The alert name.

type: keyword

gsuite.admin.rule.name

The rule name.

type: keyword

gsuite.admin.api.client.name

The API client name.

type: keyword

gsuite.admin.api.scopes

The API scopes.

type: keyword

gsuite.admin.mdm.token

The MDM vendor enrollment token.

type: keyword

gsuite.admin.mdm.vendor

The MDM vendor’s name.

type: keyword

gsuite.admin.info_type

This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings

type: keyword

gsuite.admin.email_monitor.dest_email

The destination address of the email monitor.

type: keyword

gsuite.admin.email_monitor.level.chat

The chat email monitor level.

type: keyword

gsuite.admin.email_monitor.level.draft

The draft email monitor level.

type: keyword

gsuite.admin.email_monitor.level.incoming

The incoming email monitor level.

type: keyword

gsuite.admin.email_monitor.level.outgoing

The outgoing email monitor level.

type: keyword

gsuite.admin.email_dump.include_deleted

Indicates if deleted emails are included in the export.

type: boolean

gsuite.admin.email_dump.package_content

The contents of the mailbox package.

type: keyword

gsuite.admin.email_dump.query

The search query used for the dump.

type: keyword

gsuite.admin.request.id

The request ID.

type: keyword

gsuite.admin.mobile.action.id

The mobile device action’s ID.

type: keyword

gsuite.admin.mobile.action.type

The mobile device action’s type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings

type: keyword

gsuite.admin.mobile.certificate.name

The mobile certificate common name.

type: keyword

gsuite.admin.mobile.company_owned_devices

The number of devices a company owns.

type: long

gsuite.admin.distribution.entity.name

The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings

type: keyword

gsuite.admin.distribution.entity.type

The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings

type: keyword

gsuite.drive.billable

Whether this activity is billable.

type: boolean

gsuite.drive.source_folder_id

type: keyword

gsuite.drive.source_folder_title

type: keyword

gsuite.drive.destination_folder_id

type: keyword

gsuite.drive.destination_folder_title

type: keyword

gsuite.drive.file.id

type: keyword

gsuite.drive.file.type

Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword

gsuite.drive.originating_app_id

The Google Cloud Project ID of the application that performed the action.

type: keyword

gsuite.drive.file.owner.email

type: keyword

gsuite.drive.file.owner.is_shared_drive

Boolean flag denoting whether owner is a shared drive.

type: boolean

gsuite.drive.primary_event

Whether this is a primary event. A single user action in Drive may generate several events.

type: boolean

gsuite.drive.shared_drive_id

The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.

type: keyword

gsuite.drive.visibility

Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword

gsuite.drive.new_value

When a setting or property of the file changes, the new value for it will appear here.

type: keyword

gsuite.drive.old_value

When a setting or property of the file changes, the old value for it will appear here.

type: keyword

gsuite.drive.sheets_import_range_recipient_doc

Doc ID of the recipient of a sheets import range.

type: keyword

gsuite.drive.old_visibility

When visibility changes, this holds the old value.

type: keyword

gsuite.drive.visibility_change

When visibility changes, this holds the new overall visibility of the file.

type: keyword

gsuite.drive.target_domain

The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.

type: keyword

gsuite.drive.added_role

Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword

gsuite.drive.membership_change_type

Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword

gsuite.drive.shared_drive_settings_change_type

Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword

gsuite.drive.removed_role

Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive

type: keyword

gsuite.drive.target

Target user or group.

type: keyword

gsuite.groups.acl_permission

Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword

gsuite.groups.email

Group email.

type: keyword

gsuite.groups.member.email

Member email.

type: keyword

gsuite.groups.member.role

Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword

gsuite.groups.setting

Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword

gsuite.groups.new_value

New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword

gsuite.groups.old_value

Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword

gsuite.groups.value

Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups

type: keyword

gsuite.groups.message.id

SMTP message Id of an email message. Present for moderation events.

type: keyword

gsuite.groups.message.moderation_action

Message moderation action. Possible values are approved and rejected.

type: keyword

gsuite.groups.status

A status describing the output of an operation. Possible values are failed and succeeded.

type: keyword

gsuite.login.affected_email_address

type: keyword

gsuite.login.challenge_method

Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.

type: keyword

gsuite.login.failure_type

Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.

type: keyword

gsuite.login.type

Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.

type: keyword

gsuite.login.is_second_factor

type: boolean

gsuite.login.is_suspicious

type: boolean

gsuite.saml.application_name

Saml SP application name.

type: keyword

gsuite.saml.failure_type

Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.

type: keyword

gsuite.saml.initiated_by

Requester of SAML authentication.

type: keyword

gsuite.saml.orgunit_path

User orgunit.

type: keyword

gsuite.saml.status_code

SAML status code.

type: keyword

gsuite.saml.second_level_status_code

SAML second level status code.

type: keyword