- JSON representation
- UsageLogEvent
- KeyguardDismissedEvent
- KeyguardDismissAuthAttemptEvent
- KeyguardSecuredEvent
- FilePulledEvent
- FilePushedEvent
- CertAuthorityInstalledEvent
- CertAuthorityRemovedEvent
- CertValidationFailureEvent
- CryptoSelfTestCompletedEvent
- KeyDestructionEvent
- KeyGeneratedEvent
- KeyImportEvent
- KeyIntegrityViolationEvent
- LoggingStartedEvent
- LoggingStoppedEvent
- LogBufferSizeCriticalEvent
- MediaMountEvent
- MediaUnmountEvent
- OsShutdownEvent
- OsStartupEvent
- RemoteLockEvent
- WipeFailureEvent
- ConnectEvent
- DnsEvent
Batched event logs of events
from the device.
JSON representation |
---|
{
"device": string,
"user": string,
"retrievalTime": string,
"usageLogEvents": [
{
object ( |
Fields | |
---|---|
device |
The name of the device in the form ‘enterprises/{enterpriseId}/devices/{deviceId}’ |
user |
The resource name of the user that owns this device in the form ‘enterprises/{enterpriseId}/users/{userId}’. |
retrievalTime |
The device timestamp when the batch of events were collected from the device. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
usageLogEvents[] |
The list of UsageLogEvent that were reported by the device, sorted chronologically by the event time. |
UsageLogEvent
An event logged on the device.
JSON representation |
---|
{ "eventId": string, "eventTime": string, "eventType": enum ( |
Fields | |
---|---|
eventId |
Unique id of the event. |
eventTime |
Device timestamp when the event was logged. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
eventType |
The particular usage log event type that was reported on the device. Use this to determine which |
Union field event . Types of events logged on the device. See each event type for more detail on when it is sent and restrictions on when event is logged and what fields are included. event can be only one of the following: |
|
adbShellCommandEvent |
A shell command was issued over ADB via “adb shell command”. Part of |
adbShellInteractiveEvent |
An ADB interactive shell was opened via “adb shell”. Part of |
appProcessStartEvent |
An app process was started. Part of |
keyguardDismissedEvent |
The keyguard was dismissed. Part of |
keyguardDismissAuthAttemptEvent |
An attempt was made to unlock the device. Part of |
keyguardSecuredEvent |
The device was locked either by user or timeout. Part of |
filePulledEvent |
A file was downloaded from the device. Part of |
filePushedEvent |
A file was uploaded onto the device. Part of |
certAuthorityInstalledEvent |
A new root certificate was installed into the system's trusted credential storage. Part of |
certAuthorityRemovedEvent |
A root certificate was removed from the system's trusted credential storage. Part of |
certValidationFailureEvent |
An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate. Part of |
cryptoSelfTestCompletedEvent |
Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted. Part of |
keyDestructionEvent |
A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. Part of |
keyGeneratedEvent |
A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management. Part of |
keyImportEvent |
A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. Part of |
keyIntegrityViolationEvent |
A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. Part of |
loggingStartedEvent |
|
loggingStoppedEvent |
|
logBufferSizeCriticalEvent |
The audit log buffer has reached 90% of its capacity, therefore older events may be dropped. Part of |
mediaMountEvent |
Removable media was mounted. Part of |
mediaUnmountEvent |
Removable media was unmounted. Part of |
osShutdownEvent |
Device was shutdown. Part of |
osStartupEvent |
Device was started. Part of |
remoteLockEvent |
The device or profile has been remotely locked via the |
wipeFailureEvent |
The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. |
connectEvent |
A TCP connect event was initiated through the standard network stack. Part of |
dnsEvent |
A DNS lookup event was initiated through the standard network stack. Part of |
KeyguardDismissedEvent
The keyguard was dismissed. Intentionally empty.
KeyguardDismissAuthAttemptEvent
An attempt was made to unlock the device.
JSON representation |
---|
{ "success": boolean, "strongAuthMethodUsed": boolean } |
Fields | |
---|---|
success |
Whether the unlock attempt was successful. |
strongAuthMethodUsed |
Whether a strong form of authentication (password, PIN, or pattern) was used to unlock device. |
KeyguardSecuredEvent
The device was locked either by user or timeout. Intentionally empty.
FilePulledEvent
A file was downloaded from the device.
JSON representation |
---|
{ "filePath": string } |
Fields | |
---|---|
filePath |
The path of the file being pulled. |
FilePushedEvent
A file was uploaded onto the device.
JSON representation |
---|
{ "filePath": string } |
Fields | |
---|---|
filePath |
The path of the file being pushed. |
CertAuthorityInstalledEvent
A new root certificate was installed into the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "certificate": string, "userId": integer, "success": boolean } |
Fields | |
---|---|
certificate |
Subject of the certificate. |
userId |
The user in which the certificate install event happened. Only available for devices running Android 11 and above. |
success |
Whether the installation event succeeded. |
CertAuthorityRemovedEvent
A root certificate was removed from the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "certificate": string, "userId": integer, "success": boolean } |
Fields | |
---|---|
certificate |
Subject of the certificate. |
userId |
The user in which the certificate removal event occurred. Only available for devices running Android 11 and above. |
success |
Whether the removal succeeded. |
CertValidationFailureEvent
An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate.
JSON representation |
---|
{ "failureReason": string } |
Fields | |
---|---|
failureReason |
The reason why certification validation failed. |
CryptoSelfTestCompletedEvent
Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted.
JSON representation |
---|
{ "success": boolean } |
Fields | |
---|---|
success |
Whether the test succeeded. |
KeyDestructionEvent
A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer, "success": boolean } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which owns the key. |
success |
Whether the operation was successful. |
KeyGeneratedEvent
A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management.This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer, "success": boolean } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which generated the key. |
success |
Whether the operation was successful. |
KeyImportEvent
A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer, "success": boolean } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which imported the key |
success |
Whether the operation was successful. |
KeyIntegrityViolationEvent
A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.
JSON representation |
---|
{ "keyAlias": string, "applicationUid": integer } |
Fields | |
---|---|
keyAlias |
Alias of the key. |
applicationUid |
UID of the application which owns the key |
LoggingStartedEvent
policy has been enabled. Intentionally empty.usageLog
LoggingStoppedEvent
policy has been disabled. Intentionally empty.usageLog
LogBufferSizeCriticalEvent
The
buffer on the device has reached 90% of its capacity, therefore older events may be dropped. Intentionally empty.usageLog
MediaMountEvent
Removable media was mounted.
JSON representation |
---|
{ "mountPoint": string, "volumeLabel": string } |
Fields | |
---|---|
mountPoint |
Mount point. |
volumeLabel |
Volume label. Redacted to empty string on organization-owned managed profile devices. |
MediaUnmountEvent
Removable media was unmounted.
JSON representation |
---|
{ "mountPoint": string, "volumeLabel": string } |
Fields | |
---|---|
mountPoint |
Mount point. |
volumeLabel |
Volume label. Redacted to empty string on organization-owned managed profile devices. |
OsShutdownEvent
Device was shutdown. Intentionally empty.
OsStartupEvent
Device was started.
JSON representation |
---|
{ "verifiedBootState": enum ( |
Fields | |
---|---|
verifiedBootState |
Verified Boot state. |
verityMode |
dm-verity mode. |
RemoteLockEvent
The device or profile has been remotely locked via the
command.LOCK
JSON representation |
---|
{ "adminPackageName": string, "adminUserId": integer, "targetUserId": integer } |
Fields | |
---|---|
adminPackageName |
Package name of the admin app requesting the change. |
adminUserId |
User ID of the admin app from the which the change was requested. |
targetUserId |
User ID in which the change was requested in. |
WipeFailureEvent
The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. delete
was received. Intentionally empty.
ConnectEvent
A TCP connect event was initiated through the standard network stack.
JSON representation |
---|
{ "destinationIpAddress": string, "destinationPort": integer, "packageName": string } |
Fields | |
---|---|
destinationIpAddress |
The destination IP address of the connect call. |
destinationPort |
The destination port of the connect call. |
packageName |
The package name of the UID that performed the connect call. |
DnsEvent
A DNS lookup event was initiated through the standard network stack.
JSON representation |
---|
{ "hostname": string, "ipAddresses": [ string ], "totalIpAddressesReturned": string, "packageName": string } |
Fields | |
---|---|
hostname |
The hostname that was looked up. |
ipAddresses[] |
The (possibly truncated) list of the IP addresses returned for DNS lookup (max 10 IPv4 or IPv6 addresses). |
totalIpAddressesReturned |
The number of IP addresses returned from the DNS lookup event. May be higher than the amount of ipAddresses if there were too many addresses to log. |
packageName |
The package name of the UID that performed the DNS lookup. |