Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Discrepancy between gam audit login and actual audit login reports

See original GitHub issue

Full steps to reproduce the issue:

  1. User suspended via google for suspicious activity
  2. Find event report in Audit > Login
  3. gam report login event <known-event-type> start <start-date> end <end-date> user <user>

Expected outcome: Trying to programmatically fetch user suspensions so that they can be handled in real-time.

In this test case, the event thrown was account_disabled_hijacked - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_hijacked - actual log verbiage corresponding to event name Account <account> disabled because Google has detected a suspicious activity indicating it might have been compromised

Actual outcome: gam reports no instances of the event, whereas google’s login audit does. I allowed for roughly 5 hours between the event and when I tried to poll, however, even 1 hour time delay makes this fairly impractical, as we have additional processes that need to happen when Google suspends a user.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:7 (2 by maintainers)

github_iconTop GitHub Comments

1reaction
taers232ccommented, Oct 12, 2019

Chris,

Here are the events from the console:

2019-10-11T15:54:53.374Z: (account_disabled_hijacked) 2019-10-04T14:03:47.190Z: (account_disabled_hijacked)

Here is your query: gam report login event account_disabled_hijacked start 2019-10-11T00:00:00.000Z end 2019-10-11T11:59:59.999Z

Note that your query end 2019-10-11T11:59:59.999Z is before the event 2019-10-11T15:54:53.374Z, i believe you want 23:59:59 not 11:59:59

gam report login event account_disabled_hijacked start 2019-10-11T00:00:00.000Z end 2019-10-11T23:59:59.999Z

Ross

ross.scroggs@gmail.com

On Oct 12, 2019, at 7:48 AM, Chris Deaton notifications@github.com wrote:

Yes but GAM isn’t seeing that entry because you were looking for account_disabled_generic… … x-msg://13/# On Sat, Oct 12, 2019, 10:12 AM Chris Deaton @.***> wrote: Additional information - I did a direct pull from the Reports API (and the PHP client https://github.com/googleapis/google-api-php-client https://github.com/googleapis/google-api-php-client), and confirmed that the API itself is returning the data: Logins: 2019-10-11T15:54:53.374Z: (account_disabled_hijacked) 2019-10-04T14:03:47.190Z: (account_disabled_hijacked) … — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1028 https://github.com/jay0lee/GAM/issues/1028?email_source=notifications&email_token=ABDIZMGN74E2BGQCQFVZBGLQOHLORA5CNFSM4I77ACIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBCAJ4Y#issuecomment-541328627>, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABDIZMBBXFJBAEDD4D5XGSDQOHLORANCNFSM4I77ACIA https://github.com/notifications/unsubscribe-auth/ABDIZMBBXFJBAEDD4D5XGSDQOHLORANCNFSM4I77ACIA .

To be clear, I’ve tried both events (generic and hijacked). Both return 0 results.

unity% gam report login event account_disabled_hijacked start 2019-10-11T00:00:00.000Z end 2019-10-11T11:59:59.999Z Got 0 items unity% gam report login event account_disabled_generic start 2019-10-11T00:00:00.000Z end 2019-10-11T11:59:59.999Z Got 0 items — You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/jay0lee/GAM/issues/1028?email_source=notifications&email_token=ACCTYL4MQJDI6EAXGX63OJTQOHPTBA5CNFSM4I77ACIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBCBACQ#issuecomment-541331466, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYLYMFWEVHH7UTARG2GLQOHPTBANCNFSM4I77ACIA.

0reactions
flashadvocatecommented, Oct 12, 2019

Yep, that was it. Sigh. Thanks Ross!

Read more comments on GitHub >

github_iconTop Results From Across the Web

Audit Success and Failed Logon Attempts in Active Directory
Learn how to audit successful and failed logon/logoff attempts in Windows Active Directroy by using network audit policies.
Read more >
Audit Analytics and Continuous Audit - AICPA
AICPA developed a research report entitled Continuous Auditing. This report discussed the viability of continuous audits, described a.
Read more >
Login Audit Activity Events | Admin console - Google Developers
This document lists the events and parameters for various types of Login Audit activity events. You can retrieve these events by calling Activities.list() ......
Read more >
Auditing reports in the Exchange admin center in Exchange ...
Learn about the auditing reports that are available in the Exchange ... We recommend that you search the audit log in the Microsoft...
Read more >
Data discrepancies between Google Ads and Analytics
The Analytics reports and Google Ads reports import data directly from the Google Ads system. The data in Google Ads and Analytics is...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

group update clear behaves oddly when there are no members

Next page

GAM install doesn't install in ZSH (or other shells)