Chrome log events—Events and attributes

The table below describes in detail the attributes of each Chrome event. The event to attribute mapping spreadsheet gives a high level view of which attributes you can view for chrome events in your organization.
Chrome eventAttribute name—
Reporting connector
Attribute name—
Google Admin console
Attribute descriptionAttribute example
Browser Crashagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Browser Crashbrowser_channelBrowser ChannelBrowser channel.dev, canary, unknown, stable
Browser Crashbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Browser Crashclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Browser CrashDescriptionText description of the event.The browser (version 113.0.5653.2 on channel canary) crashed and uploaded a report with ID 88b738e0299cb2c1
Browser Crashdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Browser Crashdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Browser Crashdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Browser Crashdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Browser CrasheventEventThe logged event action.browserCrashEvent—Browser crash
Browser Crashos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Browser Crashos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Browser Crashprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Browser Crashreport_idReport IDAlphanumeric ID.88b738e0299cb2c1
Browser CrashtimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Browser Crashuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Content Transferagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Content Transferbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Content Transferclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Content Transfercontent_hashContent HashThe SHA256 hash of the content.
Content Transfercontent_nameContent NameThe name of the content, such as a filename.
Content Transfercontent_sizeContent SizeThe size of the content, in bytes.
Content Transfercontent_transfer_method Content Transfer MethodThe method for content transferring.file picker, drag and drop, file paste
Content Transfercontent_typeContent TypeThe media (MIME) type of content.text, html
Content TransferDescriptionText description of the event.Content was transferred
Content Transferdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Content Transferdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Content Transferdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Content Transferdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Content TransfereventEventThe logged event action.contentTransferEvent—Content transfer
Content Transferos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Content Transferos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Content Transferprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Content TransferresultEvent resultThe result of the event based on the policies and rules set.Detected
Content Transferscan_idScan ID.4A43FB462E48008A30451B17E204CF6B529EA1828C9C92FF7A514925BECFFD8E609D84DB2AA362ECC475A6DBFFD8E0C681E12A5D786619D011966306640C440A1D4DE84A24D18824D1D1EC4C4463109EE67E24A0CA60BC764A6695158C35AD3D2E4E038C2FEB3C65EB22761E7165FDA1DB7E840696481427A86BEA296C2E30B2
Content Transfertab_urlTab URLOn a file download, the returned URL does not match the Tab URL.If the user is on Google Drive and they download a file, the URL is something like googleusercontents.com/myfile.txt, and the Tab Url is drive.google.com. In every other case, both URLs are the same.
Content TransfertimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Content Transfertrigger_typeTrigger TypeThe user action that triggered the event.Unknown, Page printed, File upload, File download, Web content upload
Content Transferuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Content TransferurlURLURL of file or upload page.
Content Unscannedagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Content Unscannedbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Content Unscannedclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Content Unscannedcontent_hashContent HashThe SHA256 hash of the content.
Content Unscannedcontent_nameContent NameThe name of the content, such as a filename.
Content Unscannedcontent_sizeContent SizeThe size of the content, in bytes.
Content Unscannedcontent_transfer_method Content Transfer MethodThe method for content transferring.file picker, drag and drop, file paste
Content Unscannedcontent_typeContent TypeThe media (MIME) type of content.text, html
Content UnscannedDescriptionText description of the event.The transferred content was not scanned because of
Content Unscanneddevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Content Unscanneddevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Content Unscanneddevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Content Unscanneddirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Content UnscannedeventEventThe logged event action.unscannedFileEvent—Content unscanned
Content Unscannedos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Content Unscannedos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Content Unscannedprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Content UnscannedreasonEvent reasonReason for the event. FILE_PASSWORD_PROTECTED, FILE_TOO_LARGE, DLP_SCAN_FAILED, MALWARE_SCAN_FAILED, MALWARE_SCAN_UNSUPPORTED_FILE_TYPE, SERVICE_UNAVAILABLE, TOO_MANY_REQUESTS TIMEOUT
Note: The Admin console appends the Event name, such as CONTENT_UNSCANNED_FILE_PASSWORD_PROTECTED
Content UnscannedtimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Content UnscannedresultEvent resultThe result of the event based on the policies and rules set.Allowed.
Content Unscannedtab_urlTab URLOn a file download, the returned URL does not match the Tab URL.If the user is on Google Drive and they download a file, the URL is something like googleusercontents.com/myfile.txt, and the Tab Url is drive.google.com. In every other case, both URLs are the same.
Content Unscannedtrigger_typeTrigger TypeThe user action that triggered the event.Unknown, Page printed, File upload, File download, Web content upload
Content Unscanneduser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Content UnscannedurlURLUpload or download URL, depending on the event
Data Control Eventagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Data Control Eventbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Data Control Eventclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Data Control EventDescriptionText description of the event.Data access control rule triggered by ChromeOS
Data Control EventdestinationDestinationDestination URL value that triggered the event.
Data Control Eventdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Data Control Eventdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Data Control Eventdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Data Control Eventdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Data Control EventeventEventThe logged event action.dataAccessControlEvent—Data access control
Data Control Eventos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Data Control Eventos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Data Control Eventprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Data Control EventreasonEvent reasonReason for the event.This is not reported in reporting connector outputEVENT_REASON_DLP_EVENT
Data Control EventresultEvent resultThe result of the event based on the policies and rules set.The reporting connector sends the values in Capital letters.Warned, Blocked, Bypassed
Data Control EventsourceSourceSource URL value which triggered the event.
Data Control EventtimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Data Control Eventtrigger_typeTrigger TypeThe user action that triggered the event.The reporting connector sends the values in Capital letters. Clipboard, Files, Screenshot, Screencast, Printing, Eprivacy
Data Control EventurlURLThe URLs which triggered the event. This field does not show up in the reporting connector output. Instead, this is represented as source and destination fields in the reporting connector output.Source "URL1" Destination "URL2"
Data Control Eventuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Extension installagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Extension installbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Extension installclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Extension installDescriptionText description of the event.The browser extension Chrome Web Store Payments with id nmmhkkegccagdldgiimedpiccmgmieda was installed
Extension installdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Extension installdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Extension installdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Extension installdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Extension installeventEventThe logged event action.browserExtensionInstallEvent—Browser extension installed
Extension installextension_actionExtension action typeThe type of Chrome extension action that triggers the event.Install, Update, Uninstall
Extension installextension_descriptionDescription of the extension.
Extension installextension_idApplication IDChrome Web Store ID of the extension.nmmhkkegccagdldgiimedpiccmgmieda
Extension installextension_nameApplication NameName of the extension from the Chrome Web Store.Chrome Web Store Payments
Extension installextension_sourceExtension sourceThe source from where the Chrome extension was installed.Chrome Web Store, External, Unspecified
Extension installextension_versionExtension version
The version of the extension.
2.0.13
Extension installos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Extension installos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Extension installprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Extension installresultEvent resultThe result of the event based on the policies and rules set.Reported
Extension installtimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Extension installuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Loginagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Loginbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Loginclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
LoginDescriptionText description of the event.Login was detected for *****
Note: All email addresses are anonymized. Managed domain email addresses will show the domain only, such as ****@domain
Logindevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Logindevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Logindevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Logindirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
LogineventEventThe logged event action.loginEvent—Login
Loginos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Loginos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Loginprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
LoginresultEvent resultThe result of the event based on the policies and rules set.Detected
LogintimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
LoginurlURLURL of login page.
Loginuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Malware Transferagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Malware Transferbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Malware Transferclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Malware Transfercontent_hashContent HashThe SHA256 hash of the content.
Malware Transfercontent_nameContent NameThe name of the content, such as a filename.
Malware Transfercontent_sizeContent SizeThe size of the content, in bytes.
Malware Transfercontent_transfer_method Content Transfer MethodThe method for content transferring.file picker, drag and drop, file paste
Malware Transfercontent_typeContent TypeThe media (MIME) type of content.text, html
Malware TransferDescriptionText description of the event.Malware was detected in the tranferred content for *****@gmail.com
Malware Transferdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Malware Transferdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Malware Transferdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Malware Transferdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Malware TransfereventEventThe logged event action.dangerousDownloadEvent—Malware transfer
Malware Transferos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Malware Transferos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Malware Transferprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Malware TransferreasonEvent reasonReason for the event.DANGEROUS, DANGEROUS_HOST, DANGEROUS_FILE_TYPE, DANGEROUS_URL, UNWANTED_SOFTWARE, UNCOMMON, UNKNOWN
Note: The Admin console appends the Event name, such as MALWARE_TRANSFER_DANGEROUS
Malware TransferresultEvent resultThe result of the event based on the policies and rules set.Bypassed, Blocked, Warned, Allowed
Malware Transferscan_idScan ID.4A43FB462E48008A30451B17E204CF6B529EA1828C9C92FF7A514925BECFFD8E609D84DB2AA362ECC475A6DBFFD8E0C681E12A5D786619D011966306640C440A1D4DE84A24D18824D1D1EC4C4463109EE67E24A0CA60BC764A6695158C35AD3D2E4E038C2FEB3C65EB22761E7165FDA1DB7E840696481427A86BEA296C2E30B2
Malware Transferserver_scan_statusServer Scan StatusThe backend server scan status.complete, audit due to config, audit due to deadline exceeded
Malware Transfertab_urlTab URLOn a file download, the returned URL does not match the Tab URL.If the user is on Google Drive and they download a file, the URL is something like googleusercontents.com/myfile.txt, and the Tab Url is drive.google.com. In every other case, both URLs are the same.
Malware TransfertimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Malware Transfertrigger_typeTrigger TypeThe user action that triggered the event.Unknown, File upload, File download
Malware TransferurlURLURL of the malware.
Malware Transferuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Password Breachagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Password Breachbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Password Breachclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Password BreachDescriptionText description of the event.Password breach was detected for *****@gmail.com
Password Breachdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Password Breachdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Password Breachdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Password Breachdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Password BreacheventEventThe logged event action.passwordBreachEvent—Password Breach
Password Breachos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Password Breachos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Password Breachprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Password BreachreasonEvent reasonReason for the event.PASSWORD_ENTRY, SAFETY_CHECK, TRIGGER_TYPE_UNSPECIFIED
Password BreachresultEvent resultThe result of the event based on the policies and rules set.Warned
Password Breachtrigger_userTrigger UserUsername for which password breach was detected.Username is masked in the alert.
Only domain is unmasked.
For example, *****@gmail.com
Password BreachurlURLURL list of login pages impacted by the password breach. URLs stored in password manager.
Password Breachuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Password Changeagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Password Changebrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Password Changeclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Password ChangeDescriptionText description of the event.Password changed for trigger_user
Password Changedevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Password Changedevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Password Changedevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Password Changedirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Password ChangeeventEventThe logged event action.passwordChangedEvent—Password Change
Password Changeos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Password Changeos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Password Changeprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Password ChangeresultEvent resultThe result of the event based on the policies and rules set.Detected
Password ChangetimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Password Changetrigger_userTrigger UserUsername for which password was changed.kiran
Password Changeuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Password Reuseagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Password Reusebrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Password Reuseclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Password ReuseDescriptionText description of the event.Password reuse for trigger_user.
Note: Personal email addresses are anonymized
Password Reusedevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Password Reusedevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Password Reusedevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Password Reusedirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Password ReuseeventEventThe logged event action.passwordReuseEvent—Password Reuse
Password Reuseos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Password Reuseos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Password Reuseprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Password ReusereasonEvent reasonReason for the event.PASSWORD_REUSED_UNAUTHORIZED_SITE, PASSWORD_REUSED_PHISHING_URL
Password ReuseresultEvent resultThe result of the event based on the policies and rules set.Allowed, Warned, and Detected.
Note: Detected value is reported by Chrome browser up to version 101
Password ReusetimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Password Reusetrigger_userTrigger UserUsername that was reused.kiran
Password ReuseurlURLURL where the password was reused.
Password Reuseuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Sensitive Data Transferagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Sensitive Data Transferbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Sensitive Data Transferclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Sensitive Data Transfercontent_hashContent HashThe SHA256 hash of the content.
Sensitive Data Transfercontent_nameContent NameThe name of the content, such as a filename.
Sensitive Data Transfercontent_sizeContent SizeThe size of the content, in bytes.
Sensitive Data Transfercontent_transfer_method Content Transfer MethodThe method for content transferring.file picker, drag and drop, file paste
Sensitive Data Transfercontent_typeContent TypeThe media (MIME) type of content.text, html
Sensitive Data TransferDescriptionText description of the event. Sensitive data was detected in the transferred content for
Sensitive Data Transferdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Sensitive Data Transferdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Sensitive Data Transferdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Sensitive Data Transferdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Sensitive Data TransfereventEventThe logged event action.sensitiveDataEvent—Sensitive data transfer
Sensitive Data Transferos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Sensitive Data Transferos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Sensitive Data Transferprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Sensitive Data TransferreasonEvent reasonList of rules that triggered the event.This field is called triggered_rules in reporting connector output.
Sensitive Data TransferresultEvent resultThe result of the event based on the policies and rules set.Detected
Sensitive Data Transferscan_idScan ID.4A43FB462E48008A30451B17E204CF6B529EA1828C9C92FF7A514925BECFFD8E609D84DB2AA362ECC475A6DBFFD8E0C681E12A5D786619D011966306640C440A1D4DE84A24D18824D1D1EC4C4463109EE67E24A0CA60BC764A6695158C35AD3D2E4E038C2FEB3C65EB22761E7165FDA1DB7E840696481427A86BEA296C2E30B2
Sensitive Data Transferserver_scan_statusServer Scan StatusThe backend server scan status.complete, audit due to config, audit due to deadline exceeded
Sensitive Data Transfertab_urlTab URLOn a file download, the returned URL does not match the Tab URL.If the user is on Google Drive and they download a file, the URL is something like googleusercontents.com/myfile.txt, and the Tab Url is drive.google.com. In every other case, both URLs are the same.
Sensitive Data TransfertimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Sensitive Data Transfertrigger_typeTrigger TypeThe user action that triggered the event.Unknown, Page printed, File upload, File download, Web content upload
Sensitive Data Transferuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Sensitive Data TransferurlURLURL of file or upload page.
Unsafe Site Visitagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Unsafe Site Visitbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Unsafe Site Visitclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Unsafe Site VisitDescriptionText description of the event.Unsafe site visit warning shown for profile user.
Note: Personal email addresses are hidden. Only domain is shown, ****@gmail.com
Unsafe Site Visitdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Unsafe Site Visitdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Unsafe Site Visitdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Unsafe Site Visitdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Unsafe Site VisiteventEventThe logged event action.badNavigationEvent—Unsafe site visit
Unsafe Site Visitos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Unsafe Site Visitos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Unsafe Site Visitprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Unsafe Site VisitreasonEvent reasonReason for the event.SSL_ERROR, MALWARE, SOCIAL_ENGINEERING, UNWANTED_SOFTWARE.
Note: The Admin console appends the Event name, such as UNSAFE_SITE_VISIT_MALWARE
Unsafe Site VisitresultEvent resultThe result of the event based on the policies and rules set.Bypassed, Blocked, Warned, Allowed
Unsafe Site VisittimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Unsafe Site VisiturlURLURL of the unsafe site.
Unsafe Site Visituser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Url Filtering Interstitial Eventagents
For Crowdstrike
Crowdstrike Agent ID and Crowdstrike Customer ID
Information about agents installed on the device. Only Crowdstrike agents are currently supported."crowdstrike": {
   "agent_id": "agent-123", 
   "customer_id": "customer-123" 
 }
Url Filtering Interstitial Eventbrowser_versionBrowser VersionVersion of Chrome browser.113.0.5628.0
Url Filtering Interstitial Eventclient_typeClient TypeManaged Chrome surface where the event happened.Chrome browser, Chrome profile, ChromeOS, Unknown
Url Filtering Interstitial EventDescriptionText description of the event.URL filtering interstitial warning shown for url
Url Filtering Interstitial Eventdevice_idDevice IDThe ID of the device. The value is platform-specific.
Not reported for unmanaged devices with managed user profiles.
ab81082c-6839-450d-9ed6-7b3c268d6b94
Url Filtering Interstitial Eventdevice_nameDevice NameName of the device on which the event happened.
Not reported for unmanaged devices with managed user profiles.
KIRANWINDOWS
Url Filtering Interstitial Eventdevice_userDevice UserThe user's name as reported by the OS.
Not reported for unmanaged devices with managed user profiles.
ALTOSTRAT\kiran
Url Filtering Interstitial Eventdirectory_device_idDirectory Device IDDevice ID returned by the directory API. Not reported for unmanaged devices with managed user profiles.7e6d4bae-e869-4da3-8822-1de247d7542f
Url Filtering Interstitial EventeventEventThe logged event action.urlFilteringInterstitialEvent—URL Filtering
Url Filtering Interstitial Eventos_platformDevice PlatformThe OS that the browser is running. Not reported for unmanaged devices with managed user profiles.Windows 10
Url Filtering Interstitial Eventos_versionThe version of the OS that is running the browser. Not reported for unmanaged devices with managed user profiles.15278.64.0
Url Filtering Interstitial Eventprofile_userProfile UserUser name of the signed in user for the Chrome profile. Blank if the user has not signed into a profile.kiran
Url Filtering Interstitial EventreasonEvent reasonList of rules that triggered the event.This field is called triggered_rules in reporting connector output.
Url Filtering Interstitial EventresultEvent resultThe result of the event based on the policies and rules set.Warned—EVENT_RESULT_WARNED,
Blocked—EVENT_RESULT_BLOCKED,
Bypassed—EVENT_RESULT_BYPASSED
Url Filtering Interstitial EventtimeDateDate and time when the event was received.2023-03-02T22:07:21-08:00
Url Filtering Interstitial Eventurl_categoryURL categoryCategory of the URL.Reporting connector output: /Internet & Technology/Computer Security
Admin Console: Computer Security
Url Filtering Interstitial Eventuser_agentUser AgentThe user agent string of the browser used to access the content.Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/84.0.4140.0
Safari/537.36
Search
Clear search
Close search
Google apps
Main menu
6842691320789158532
true
Search Help Center
true
true
true
true
true
410864
false