Data Manager

User Manual



This documentation does not apply to the most recent version of Data Manager. For documentation on the most recent version, go to the latest release.

Overview of source types for Data Manager

You can use Data Manager to ingest data of the following source types.

Data Manager supports Common Information Model (CIM) normalization when the add-on that is applicable to your data input type is installed on the part of your Splunk Cloud deployment that performs the parsing or search-time functionality for your data. The applicable add-on must be installed, but does not need to be configured.

For more information on which add-on applies to your data input type, see the Prerequisites topic in the chapter of your cloud data input type in this manual.

For information on the CIM, see the Overview of the Splunk Common Information Model topic in the Common Information Model Add-on manual.

Getting data in for AWS

You can get data in for the following AWS data sources. Each entry lists the data source, a description, its source type, and an example event.
Amazon API Gateway

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. Amazon API Gateway reports metrics through Amazon CloudWatch.

Source type:

aws:cloudwatchlogs

Example event:

(37d02891-fca7-4116-a83f-9dd972fed7a3) Method request headers: {Accept=*/*, User-Agent=PostmanRuntime/7.28.1, X-Forwarded-Proto=https, X-Forwarded-For=12.26.0.2, Host=e87d557a2.execute-api.us-east-1.amazonaws.com, , Accept-Encoding=gzip, deflate, br, X-Forwarded-Port=443, X-Amzn-Trace-Id=Root=1-60fef6a5-e67957dd4683a5d6aec7d944995c978a}
AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that lets you generate and use your own encryption keys on the AWS Cloud.

Source type:

aws:cloudwatchlogs

Example event:

Time: 07/28/21 04:53:43.950772, usecs:1238567943875641
Sequence No : 0x2
Reboot counter : 0x2
Command Type(hex) : CN_MGMT_CMD (0x0)
Opcode : CN_CREATE_PRE_OFFICER (0x23)
Session Handle : 0x9004001
Response : 0:HSM Return: SUCCESS
Log type : MINIMAL_LOG_ENTRY (0)
AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

Source type:

aws:cloudtrail

Example event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "vpc-flow-logs.amazonaws.com"
    },
    "eventTime": "2021-04-30T20:39:37Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRole",
    "awsRegion": "us-west-1",
    "sourceIPAddress": "vpc-flow-logs.amazonaws.com",
    "userAgent": "vpc-flow-logs.amazonaws.com",
    "requestParameters": {
        "roleArn": "arn:aws:iam::xxxxxxxxxxxx:role/flowlogsRole",
        "roleSessionName": "vpc-flow-logging+xxxxxxxxxxxx",
        "externalId": "vpc-flow-logging+xxxxxxxxxxxx",
        "durationSeconds": 3600
    },
    "responseElements": {
        "credentials": {
            "accessKeyId": "xxxxxxxxxxxxxxxx",
            "expiration": "Apr 30, 2021 9:39:37 PM",
            "sessionToken": "XXXXXXXXXXXXXX/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/oq9gIIlv//////////xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/=="
        },
        "assumedRoleUser": {
            "assumedRoleId": "xxxxxxxxxxxxxxxx:vpc-flow-logging+xxxxxxxxxxxx",
            "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/flowlogsRole/vpc-flow-logging+xxxxxxxxxxxx"
        }
    },
    "requestID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "readOnly": true,
    "resources": [
        {
            "accountId": "xxxxxxxxxxxx",
            "type": "AWS::IAM::Role",
            "ARN": "arn:aws:iam::xxxxxxxxxxxx:role/flowlogsRole"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "xxxxxxxxxxxx",
    "sharedEventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
Amazon DocumentDB

Amazon DocumentDB (with MongoDB compatibility) is a fully managed database service that is purpose-built for JSON data management at scale.

Source type:

aws:cloudwatchlogs

Example event:

{
    "atype": "createDatabase",
    "ts": 1627408556217,
    "remote_ip": "239.88.146.128:60654",
    "user": "testuser",
    "param": {
        "ns": "test"
    }
}
Amazon EKS

Amazon EKS is a managed service that you can use to run Kubernetes on AWS without installing, operating, and maintaining your own Kubernetes control plane or nodes.

Source type:

aws:cloudwatchlogs

Example event:

E0728 15:02:03.612101 1 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.StorageClass: failed to list *v1.StorageClass: Get "https://50.0.875.42:443/apis/storage.k8s.io/v1/storageclasses?limit=500&resourceVersion=0": dial tcp 50.0.875.42:443: connect: connection refused
Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

Source type:

aws:cloudwatch:guardduty

Example event:

{
    "schemaVersion": "2.0",
    "accountId": "xxxxxxxxxxxx",
    "region": "us-east-1",
    "partition": "aws",
    "id": "xxxxxxxxxxxxxxxx",
    "arn": "arn:aws:guardduty:us-east-1:xxxxxxxxxxxx:detector/xxxxxxxxxxxxxxxx/finding/xxxxxxxxxxxxxxxx",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {
        "resourceType": "Instance",
        "instanceDetails": {
            "instanceId": "i-xxxxxxxxxxxxxxxx",
            "instanceType": "t2.nano",
            "launchTime": "2021-02-07T20:29:15Z",
            "platform": null,
            "productCodes": [],
            "iamInstanceProfile": null,
            "networkInterfaces": [
                {
                    "ipv6Addresses": [],
                    "networkInterfaceId": "eni-xxxxxxxxxxxxxxxx",
                    "privateDnsName": "ip-xxx-xx-xx-x.ec2.internal",
                    "privateIpAddress": "xxx.xx.xx.x",
                    "privateIpAddresses": [
                        {
                            "privateDnsName": "ip-xxx-xx-xx-x.ec2.internal",
                            "privateIpAddress": "xxx.xx.xx.x"
                        }
                    ],
                    "subnetId": "subnet-xxxxxxxx",
                    "vpcId": "vpc-xxxxxxxx",
                    "securityGroups": [
                        {
                            "groupName": "launch-wizard-1",
                            "groupId": "sg-xxxxxxxx"
                        }
                    ],
                    "publicDnsName": "ec2-xx-xxx-xx-xx.compute-1.amazonaws.com",
                    "publicIp": "xx.xxx.xx.xx"
                }
            ],
            "outpostArn": null,
            "tags": [],
            "instanceState": "running",
            "availabilityZone": "us-east-1e",
            "imageId": "ami-xxxxxxxxxxxxxxxx",
            "imageDescription": "Amazon Linux 2 AMI 2.0.20210126.0 x86_64 HVM gp2"
        }
    },
    "service": {
        "serviceName": "guardduty",
        "detectorId": "xxxxxxxxxxxxxxxx",
        "action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {
                    "ipAddressV4": "xx.xx.xx.xxx",
                    "organization": {
                        "asn": "6128",
                        "asnOrg": "CABLE-NET-1",
                        "isp": "Optimum Online",
                        "org": "Optimum Online"
                    },
                    "country": {
                        "countryName": "United States"
                    },
                    "city": {
                        "cityName": "Islip"
                    },
                    "geoLocation": {
                        "lat": 10,
                        "lon": -10
                    }
                },
                "remotePortDetails": {
                    "port": 52390,
                    "portName": "Unknown"
                },
                "localPortDetails": {
                    "port": 22,
                    "portName": "SSH"
                },
                "protocol": "TCP",
                "blocked": false,
                "localIpDetails": {
                    "ipAddressV4": "xxx.xx.xx.x"
                }
            }
        },
        "resourceRole": "TARGET",
        "additionalInfo": {},
        "evidence": null,
        "eventFirstSeen": "2021-02-27T00:01:39Z",
        "eventLastSeen": "2021-03-15T05:12:23Z",
        "archived": false,
        "count": 6
    },
    "severity": 2,
    "createdAt": "2021-02-27T00:17:28.503Z",
    "updatedAt": "2021-03-15T05:25:07.256Z",
    "title": "xx.xx.xx.xxx is performing SSH brute force attacks against i-xxxxxxxxxxxxxxxx.",
    "description": "xx.xx.xx.xxx is performing SSH brute force attacks against i-xxxxxxxxxxxxxxxx. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password."
}
AWS IAM Access Analyzer

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.

Source type:

aws:accessanalyzer:finding

Example event:

{
    "version": "1.0",
    "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "status": "ACTIVE",
    "resourceType": "AWS::S3::Bucket",
    "resource": "arn:aws:s3:::do-not-delete-iam-aa-test-acl-us-west-1",
    "createdAt": "2021-02-25T21:47:47.079Z",
    "analyzedAt": "2021-03-05T03:40:02.785Z",
    "updatedAt": "2021-02-25T21:47:47.079Z",
    "accountId": "xxxxxxxxxxxx",
    "region": "us-west-1",
    "principal": {
        "CanonicalUser": "xxxxxxxxxxxxxxxxxxx"
    },
    "action": [
        "s3:ListBucket",
        "s3:ListBucketByTags",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
    ],
    "condition": {},
    "isDeleted": true,
    "isPublic": false
}
AWS IAM Credential Report

AWS IAM Credential Report lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.

Source type:

aws:iam:credentialreport

Example event:

{
    "user": "some_user",
    "arn": "arn:aws:iam::xxxxxxxxxxxx:user/some_user",
    "user_creation_time": "2020-11-06T05:23:02+00:00",
    "password_enabled": "true",
    "password_last_used": "no_information",
    "password_last_changed": "2020-11-06T05:24:08+00:00",
    "password_next_rotation": "N/A",
    "mfa_active": "false",
    "access_key_1_active": "true",
    "access_key_1_last_rotated": "2020-11-06T05:23:02+00:00",
    "access_key_1_last_used_date": "2021-03-16T19:58:00+00:00",
    "access_key_1_last_used_region": "us-west-1",
    "access_key_1_last_used_service": "sqs",
    "access_key_2_active": "false",
    "access_key_2_last_rotated": "N/A",
    "access_key_2_last_used_date": "N/A",
    "access_key_2_last_used_region": "N/A",
    "access_key_2_last_used_service": "N/A",
    "cert_1_active": "false",
    "cert_1_last_rotated": "N/A",
    "cert_2_active": "false",
    "cert_2_last_rotated": "N/A",
    "account_id": "xxxxxxxxxxxx",
    "cloudconnect_aws_configid": "xxxxxxxxxxxx"
}
AWS Lambda

AWS Lambda is a compute service that lets you run code without provisioning or managing servers.

Source type:

aws:cloudwatchlogs

Example event:

REPORT RequestId: e419d350-1f32-3ad993428781f8fb4feca900190dcecd Duration: 2686.32 ms Billed Duration: 2687 ms Memory Size: 128 MB Max Memory Used: 90 MB Init Duration: 367.15 ms
Metadata

Metadata is data about your instance that you can use to configure or manage items such as EC2 Instances, IAM Roles, and Security Groups.

Source type:

aws:metadata

Example event:

{
    "Description": "default VPC security group",
    "GroupName": "default",
    "IpPermissions": [
        {
            "IpProtocol": "-1",
            "IpRanges": [],
            "Ipv6Ranges": [],
            "PrefixListIds": [],
            "UserIdGroupPairs": [
                {
                    "GroupId": "sg-xxxxxxxx",
                    "UserId": "xxxxxxxxxxxx"
                }
            ]
        }
    ],
    "OwnerId": "xxxxxxxxxxxx",
    "GroupId": "sg-xxxxxxxx",
    "IpPermissionsEgress": [
        {
            "IpProtocol": "-1",
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "Ipv6Ranges": [],
            "PrefixListIds": [],
            "UserIdGroupPairs": []
        }
    ],
    "VpcId": "vpc-xxxxxxxx",
    "Region": "us-east-1",
    "AccountId": "xxxxxxxxxxxx",
    "data_manager_input_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
Amazon RDS

Amazon RDS is a web service that allows users to set up, operate, and scale a relational database in the cloud.

Source type:

aws:cloudwatchlogs

Example event:

2021-07-26T20:40:33.642111Z 9 [Warning] 'user' entry 'rdsadmin@localhost' ignored in --skip-name-resolve mode.
AWS Security Hub

AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.

Source type:

aws:securityhub:finding

Example event:

{
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
    "Types": [
        "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
    ],
    "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=xxxxxxxxxxxxxxxx",
    "Description": "91.134.134.58 is performing SSH brute force attacks against i-xxxxxxxxxxxxxxxx. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
    "SchemaVersion": "2018-10-08",
    "GeneratorId": "arn:aws:guardduty:us-east-1:123123123123:detector/xxxxxxxxxxxxxxxx",
    "FirstObservedAt": "2021-03-08T22:25:24Z",
    "CreatedAt": "2021-03-08T22:37:18.615Z",
    "RecordState": "ACTIVE",
    "Title": "xx.xxx.xxx.xx is performing SSH brute force attacks against i-xxxxxxxxxxxxxxxx.",
    "Workflow": {
        "Status": "NEW"
    },
    "LastObservedAt": "2021-03-09T05:51:21Z",
    "Severity": {
        "Normalized": 40,
        "Label": "LOW",
        "Product": 2
    },
    "UpdatedAt": "2021-03-09T06:01:13.038Z",
    "FindingProviderFields": {
        "Types": [
            "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
        ],
        "Severity": {
            "Normalized": 40,
            "Label": "LOW",
            "Product": 2
        }
    },
    "WorkflowState": "NEW",
    "ProductFields": {
        "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown",
        "aws/guardduty/service/archived": "false",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "OVH SAS",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "48.8582",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "91.134.134.58",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "2.3387",
        "aws/guardduty/service/action/networkConnectionAction/blocked": "false",
        "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "32849",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "France",
        "aws/guardduty/service/serviceName": "guardduty",
        "aws/guardduty/service/evidence": "",
        "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "xxx.xx.xx.xxx",
        "aws/guardduty/service/detectorId": "xxxxxxxxxxxxxxxx",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "OVH SAS",
        "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND",
        "aws/guardduty/service/eventFirstSeen": "2021-03-08T22:25:24Z",
        "aws/guardduty/service/eventLastSeen": "2021-03-09T05:51:21Z",
        "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH",
        "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "",
        "aws/guardduty/service/additionalInfo": "",
        "aws/guardduty/service/resourceRole": "TARGET",
        "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22",
        "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP",
        "aws/guardduty/service/count": "44",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "16276",
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "OVH SAS",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:123123123123:detector/xxxxxxxxxxxxxxxx/finding/xxxxxxxxxxxxxxxx",
        "aws/securityhub/ProductName": "GuardDuty",
        "aws/securityhub/CompanyName": "Amazon"
    },
    "AwsAccountId": "123123123123",
    "Id": "arn:aws:guardduty:us-east-1:123123123123:detector/xxxxxxxxxxxxxxxx/finding/xxxxxxxxxxxxxxxx",
    "Resources": [
        {
            "Partition": "aws",
            "Type": "AwsEc2Instance",
            "Details": {
                "AwsEc2Instance": {
                    "Type": "t2.micro",
                    "VpcId": "vpc-d320xxxx",
                    "ImageId": "ami-xxxxxxxxxxxxxxxx",
                    "IpV4Addresses": [
                        "xxx.xx.xx.xxx",
                        "x.xx.xxx.xxx"
                    ],
                    "SubnetId": "subnet-xxxxxxxx",
                    "LaunchedAt": "2020-12-21T20:24:52Z"
                }
            },
            "Region": "us-east-1",
            "Id": "arn:aws:ec2:us-east-1:123123123123:instance/i-xxxxxxxxxxxxxxxx"
        }
    ]
}
Amazon VPC Flow Logs

Gain visibility into your virtual network environment. Get insight into the connections, screen traffic, and instance access inside your virtual network.

Source type:

aws:cloudwatchlogs:vpcflow

Example event:

2 xxxxxxxxxxxx eni-07xx6ce5xxxc459xx xxx.31.xx.xx xx.189.xx.x 47215 123 17 1 76 1654029151 1654029209 ACCEPT OK
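The example above is a space-separated record in the default VPC Flow Log format. The following parser is an added illustration, not part of the Data Manager documentation or Splunk's own code; it assumes the default 14-field (version 2) record layout documented by AWS and runs over constructed sample lines (documentation IP ranges, fake account and ENI ids, and one NODATA record whose traffic fields are written as "-").

```python
from datetime import datetime, timezone
from typing import Optional

# Default (version 2) VPC Flow Log field order as documented by AWS.
# Assumption: the input lines were produced with that default format.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records: an accepted NTP query (like the page's example),
# a rejected inbound SSH attempt, and a NODATA record with "-" placeholders.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 198.51.100.7 47215 123 17 1 76 1654029151 1654029209 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.5 51022 22 6 3 180 1654029151 1654029209 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1654029151 1654029209 - NODATA",
]


def parse_flow_log(line: str) -> Optional[dict]:
    """Parse one default-format flow log line into a typed dict.

    Returns None for lines that do not have exactly 14 fields or that carry
    a non-integer value in a numeric position, so malformed input is
    rejected rather than silently mis-mapped.
    """
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec: dict = {}
    for name, raw in zip(FLOW_FIELDS, parts):
        if raw == "-":            # AWS writes "-" for fields absent in NODATA/SKIPDATA records
            rec[name] = None
        elif name in INT_FIELDS:
            try:
                rec[name] = int(raw)
            except ValueError:
                return None
        else:
            rec[name] = raw
    rec["duration_s"] = (rec["end"] - rec["start"]
                         if rec["start"] is not None and rec["end"] is not None else None)
    proto = rec["protocol"]
    rec["protocol_name"] = None if proto is None else PROTOCOL_NAMES.get(proto, str(proto))
    return rec


def summarize(rec: dict) -> str:
    """Render a record as one readable line, handling NODATA/SKIPDATA."""
    if rec["log_status"] != "OK":
        return f"{rec['interface_id']}: {rec['log_status']} (no traffic fields)"
    when = datetime.fromtimestamp(rec["start"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{when} {rec['action']} {rec['protocol_name']} "
            f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"{rec['packets']} pkt {rec['bytes']} B over {rec['duration_s']}s")


def count_by_action(lines) -> dict:
    """Tally ACCEPT/REJECT (and placeholder) actions across a batch of lines."""
    counts: dict = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None:
            continue
        key = rec["action"] if rec["action"] is not None else rec["log_status"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_flow_log(line)
        print(summarize(rec) if rec else f"unparseable: {line!r}")
    print(count_by_action(SAMPLE_LINES))
```

The "-" handling matters in practice: a NODATA or SKIPDATA record has no source, destination, port, or action fields, so a parser that casts positionally without that check will either raise or mis-attribute traffic.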

Getting data in for Microsoft Azure

You can get data in for the following Microsoft Azure data sources. Each entry lists the data source, a description, its source type, and an example event.
Azure Active Directory

Azure Active Directory is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Source type:

azure:monitor:aad

Example event:

{
   Level: 4
   callerIpAddress: 52.43.55.129
   category: ServicePrincipalSignInLogs
   correlationId: 17b0805a-13f0-4800-a81a-d1ea2d1a9921
   data_manager_input_id: 089a37ba-59f3-450a-9201-e8aa9032027e
   durationMs: 0
   location: US
   operationName: Sign-in activity
   operationVersion: 1.0
   properties: { ... }
   resourceId: /tenants/501792f2-ef2c-4251-957b-293fadb63ddc/providers/Microsoft.aadiam
   resultSignature: None
   resultType: 0
   tenantId: 501792f2-ef2c-4251-957b-293fadb63ddc
   time: 2021-09-18T18:00:09.4379696Z
}
Azure Activity Logs

Azure Activity Logs are platform logs in Azure that provide insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started.

Source type:

azure:monitor:activity

Example event:

{
   ReleaseVersion: 6.2021.41.6+f1cf8a2.release_2021w41
   RoleLocation: East US
   callerIpAddress: 20.42.74.11
   category: Administrative
   correlationId: 804f69ae-aedb-499f-9e13-1157121456b4
   durationMs: 69
   identity: { ... }
   level: Information
   operationName: MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTACCOUNTSAS/ACTION
   properties: { ... }
   resourceId: /SUBSCRIPTIONS/C83C2282-2E21-4F64-86AE-FDFA66B673EB/RESOURCEGROUPS/SIMON-DEMO/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/DSPCDCSIMONTEST
   resultSignature: Succeeded.OK
   resultType: Success
   tenantId: 501792f2-ef2c-4251-957b-293fadb63ddc
   time: 2021-10-21T17:36:11.2611638Z
}

Getting data in for Google Cloud Platform

You can get data in for the following Google Cloud Platform data sources. Each entry lists the data source, a description, its source type, and an example event.
Audit Logs - Admin Activity

Audit Logs - Admin Activity contains log entries for API calls or other actions that modify the configuration or metadata of your Google Cloud resources.

Source type:

google:gcp:pubsub:audit:admin_activity

Example event:

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "system:kube-controller-manager"
        },
        "authorizationInfo": [
            {
                "granted": true,
                "permission": "io.k8s.coordination.v1.leases.update",
                "resource": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager"
            }
        ],
        "methodName": "io.k8s.coordination.v1.leases.update",
        "requestMetadata": {
            "callerIp": "::1",
            "callerSuppliedUserAgent": "kube-controller-manager/v1.19.10 (linux/amd64) kubernetes/xxxxxx/leader-election"
        },
        "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager",
        "serviceName": "k8s.io",
        "status": {
            "code": 0
        }
    },
    "insertId": "ffffffff-31b8-4291-b8bd-30dc6ab7f6a8",
    "resource": {
        "type": "k8s_cluster",
        "labels": {
            "cluster_name": "cal2z-example",
            "location": "us-west1-a",
            "project_id": "dev-example"
        }
    },
    "timestamp": "2021-06-24T17:28:09.822777Z",
    "labels": {
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding 'system:kube-controller-manager' of ClusterRole 'system:kube-controller-manager' to User 'system:kube-controller-manager'",
        "authorization.k8s.io/decision": "allow"
    },
    "logName": "projects/dev-example/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
        "id": "ffffffff-31b8-4291-b8bd-30dc6ab7f6a8",
        "producer": "k8s.io",
        "first": true,
        "last": true
    },
    "receiveTimestamp": "2021-06-24T17:28:11.494703030Z"
}
Audit Logs - System Events

Audit Logs - System Events contains log entries for actions that modify the configuration of your Google Cloud resources.

Source type:

google:gcp:pubsub:audit:system_event

Example event:

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "pubsub.googleapis.com",
        "methodName": "Subscriber.InternalExpireInactiveSubscription",
        "resourceName": "projects/123456789101/subscriptions/splunk_example-7d26e38e2e7d_8a7df49a6fc708a33cb5def0fffeeed6b22bd5699d50a1afb2ce891663cc34"
    },
    "insertId": "suv6x4c3ho",
    "resource": {
        "type": "pubsub_subscription",
        "labels": {
            "subscription_id": "projects/123456789101/subscriptions/splunk_example-7d26e38e2e7d_8a7df49a6fc708a33cb5def0fffeeed6b22bd5699d50a1afb2ce891663cc34",
            "project_id": "dev-example"
        }
    },
    "timestamp": "2021-06-24T09:59:13.553133776Z",
    "severity": "INFO",
    "logName": "projects/dev-example/logs/cloudaudit.googleapis.com%2Fsystem_event",
    "receiveTimestamp": "2021-06-24T09:59:14.440519798Z"
}
Audit Logs - Policy Denied

Audit Logs - Policy Denied records administrative activities when a Google Cloud service denies access to a user or service account because of a security policy violation.

Source type:

google:gcp:pubsub:audit:policy_denied

Example event:

{
    "insertId": "1234ljc6f7",
    "logName": "projects/corp-storage/logs/cloudaudit.googleapis.com%2Fpolicy",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "someone@google.com"
        },
        "metadata": {
            "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
            "resourceNames": [
                {
                    "0": "projects/_"
                }
            ],
            "violationReason": "NO_MATCHING_ACCESS_LEVEL"
        },
        "methodName": "google.storage.NoBillingOk",
        "requestMetadata": {
            "callerIp": "xxxx:xxxx:xxxx:xxxx:d358:586b:db59:9617",
            "destinationAttributes": {},
            "requestAttributes": {}
        },
        "resourceName": "projects/987654321012",
        "serviceName": "storage.googleapis.com",
        "status": {
            "code": 7,
            "details": [
                {
                    "0": {
                        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
                        "violations": [
                            {
                                "0": {
                                    "type": "VPC_SERVICE_CONTROLS"
                                }
                            }
                        ]
                    }
                }
            ],
            "message": "Request is prohibited by organization's policy"
        }
    },
    "receiveTimestamp": "2018-11-27T21:40:43.823209571Z",
    "resource": {
        "labels": {
            "method": "google.storage.NoBillingOk",
            "project_id": "corp-storage",
            "service": "storage.googleapis.com"
        },
        "type": "audited_resource"
    },
    "severity": "ERROR",
    "timestamp": "2018-11-27T21:40:42.973784140Z"
}
Audit Logs - Data Access

Audit Logs - Data Access contains API calls that read the configuration, metadata, or user-provided resources.

Source type:

google:gcp:pubsub:audit:data_access

Example event:

{
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "109633456012-compute@developer.example.com",
            "serviceAccountDelegationInfo": [
                {
                    "firstPartyPrincipal": {
                        "principalEmail": "service-109633456012-compute@developer.example.com"
                    }
                }
            ]
        },
        "requestMetadata": {
            "callerIp": "xx.xxx.xx.xx",
            "callerSuppliedUserAgent": "opentelemetry-collector-contrib  grpc-go/1.36.1,gzip(gfe)",
            "callerNetwork": "//compute.googleapis.com/projects/dev-example/global/networks/__unknown__",
            "requestAttributes": {
                "time": "2021-06-28T22:43:18.758057304Z",
                "auth": {}
            },
            "destinationAttributes": {}
        },
        "serviceName": "monitoring.googleapis.com",
        "methodName": "google.monitoring.v3.MetricService.CreateTimeSeries",
        "authorizationInfo": [
            {
                "resource": "109633456012",
                "permission": "monitoring.timeSeries.create",
                "granted": true,
                "resourceAttributes": {}
            }
        ],
        "resourceName": "projects/dev-example",
        "request": {
            "@type": "type.googleapis.com/google.monitoring.v3.CreateTimeSeriesRequest",
            "name": "projects/dev-example"
        }
    },
    "insertId": "1lq2cbckjjo123xt0",
    "resource": {
        "type": "audited_resource",
        "labels": {
            "method": "google.monitoring.v3.MetricService.CreateTimeSeries",
            "project_id": "dev-example",
            "service": "monitoring.googleapis.com"
        }
    },
    "timestamp": "2021-06-28T22:43:18.754427398Z",
    "severity": "INFO",
    "logName": "projects/dev-example/logs/cloudaudit.googleapis.com%2Fdata_access",
    "receiveTimestamp": "2021-06-28T22:43:19.714577654Z"
}
Access Transparency Logs

Access Transparency logs record actions taken by Google staff when accessing user content. User-generated content is text entered into Gmail, Docs, Sheets, Slides, and other apps.

Source type:

google:gcp:pubsub:access_transparency

Example event:

{
    "insertId": "abcdefg12345",
    "jsonPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
        "location": {
            "principalOfficeCountry": "US",
            "principalEmployingEntity": "Google LLC",
            "principalPhysicalLocationCountry": "CA"
        },
        "product": [
            {
                "0": "Cloud Storage"
            }
        ],
        "reason": [
            {
                "detail": "Case number: bar123",
                "type": "CUSTOMER_INITIATED_SUPPORT"
            }
        ],
        "accesses": [
            {
                "0": {
                    "methodName": "GoogleInternal.Read",
                    "resourceName": "//googleapis.com/storage/buckets/BUCKET_NAME/objects/foo123"
                }
            }
        ],
        "accessApprovals": [
            {
                "0": "projects/123/approvalRequests/abcdef12345"
            }
        ]
    },
    "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Faccess_transparency",
    "operation": {
        "id": "12345xyz"
    },
    "receiveTimestamp": "2021-06-28T22:43:19.714577654Z",
    "resource": {
        "labels": {
            "project_id": "1234567890"
        },
        "type": "project"
    },
    "severity": "NOTICE",
    "timestamp": "2021-06-28T22:43:19.714577654Z"
}
Last modified on 16 September, 2022

This documentation applies to the following versions of Data Manager: 1.7.0
