BatchUsageLogEvents

A batch of event logs from the device.

JSON representation
{
  "device": string,
  "user": string,
  "retrievalTime": string,
  "usageLogEvents": [
    {
      object (UsageLogEvent)
    }
  ]
}
Fields
device

string

If present, the name of the device in the form ‘enterprises/{enterpriseId}/devices/{deviceId}’.

user

string

If present, the resource name of the user that owns this device in the form ‘enterprises/{enterpriseId}/users/{userId}’.

retrievalTime

string (Timestamp format)

The device timestamp when the batch of events was collected from the device.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

usageLogEvents[]

object (UsageLogEvent)

The list of UsageLogEvent objects that were reported by the device, sorted chronologically by the event time.

UsageLogEvent

An event logged on the device.

JSON representation
{
  "eventId": string,
  "eventTime": string,
  "eventType": enum (EventType),

  // Union field event can be only one of the following:
  "adbShellCommandEvent": {
    object (AdbShellCommandEvent)
  },
  "adbShellInteractiveEvent": {
    object (AdbShellInteractiveEvent)
  },
  "appProcessStartEvent": {
    object (AppProcessStartEvent)
  },
  "keyguardDismissedEvent": {
    object (KeyguardDismissedEvent)
  },
  "keyguardDismissAuthAttemptEvent": {
    object (KeyguardDismissAuthAttemptEvent)
  },
  "keyguardSecuredEvent": {
    object (KeyguardSecuredEvent)
  },
  "filePulledEvent": {
    object (FilePulledEvent)
  },
  "filePushedEvent": {
    object (FilePushedEvent)
  },
  "certAuthorityInstalledEvent": {
    object (CertAuthorityInstalledEvent)
  },
  "certAuthorityRemovedEvent": {
    object (CertAuthorityRemovedEvent)
  },
  "certValidationFailureEvent": {
    object (CertValidationFailureEvent)
  },
  "cryptoSelfTestCompletedEvent": {
    object (CryptoSelfTestCompletedEvent)
  },
  "keyDestructionEvent": {
    object (KeyDestructionEvent)
  },
  "keyGeneratedEvent": {
    object (KeyGeneratedEvent)
  },
  "keyImportEvent": {
    object (KeyImportEvent)
  },
  "keyIntegrityViolationEvent": {
    object (KeyIntegrityViolationEvent)
  },
  "loggingStartedEvent": {
    object (LoggingStartedEvent)
  },
  "loggingStoppedEvent": {
    object (LoggingStoppedEvent)
  },
  "logBufferSizeCriticalEvent": {
    object (LogBufferSizeCriticalEvent)
  },
  "mediaMountEvent": {
    object (MediaMountEvent)
  },
  "mediaUnmountEvent": {
    object (MediaUnmountEvent)
  },
  "osShutdownEvent": {
    object (OsShutdownEvent)
  },
  "osStartupEvent": {
    object (OsStartupEvent)
  },
  "remoteLockEvent": {
    object (RemoteLockEvent)
  },
  "wipeFailureEvent": {
    object (WipeFailureEvent)
  },
  "connectEvent": {
    object (ConnectEvent)
  },
  "dnsEvent": {
    object (DnsEvent)
  },
  "stopLostModeUserAttemptEvent": {
    object (StopLostModeUserAttemptEvent)
  },
  "lostModeOutgoingPhoneCallEvent": {
    object (LostModeOutgoingPhoneCallEvent)
  },
  "lostModeLocationEvent": {
    object (LostModeLocationEvent)
  },
  "enrollmentCompleteEvent": {
    object (EnrollmentCompleteEvent)
  }
  // End of list of possible types for union field event.
}
Fields
eventId

string (int64 format)

Unique id of the event.

eventTime

string (Timestamp format)

Device timestamp when the event was logged.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventType

enum (EventType)

The particular usage log event type that was reported on the device. Use this to determine which event field to access.

Union field event. Types of events logged on the device. See each event type for more detail on when it is sent, restrictions on when the event is logged, and what fields are included. event can be only one of the following:
adbShellCommandEvent

object (AdbShellCommandEvent)

A shell command was issued over ADB via “adb shell command”. Part of SECURITY_LOGS.

adbShellInteractiveEvent

object (AdbShellInteractiveEvent)

An ADB interactive shell was opened via “adb shell”. Part of SECURITY_LOGS.

appProcessStartEvent

object (AppProcessStartEvent)

An app process was started. Part of SECURITY_LOGS.

keyguardDismissedEvent

object (KeyguardDismissedEvent)

The keyguard was dismissed. Part of SECURITY_LOGS.

keyguardDismissAuthAttemptEvent

object (KeyguardDismissAuthAttemptEvent)

An attempt was made to unlock the device. Part of SECURITY_LOGS.

keyguardSecuredEvent

object (KeyguardSecuredEvent)

The device was locked either by user or timeout. Part of SECURITY_LOGS.

filePulledEvent

object (FilePulledEvent)

A file was downloaded from the device. Part of SECURITY_LOGS.

filePushedEvent

object (FilePushedEvent)

A file was uploaded onto the device. Part of SECURITY_LOGS.

certAuthorityInstalledEvent

object (CertAuthorityInstalledEvent)

A new root certificate was installed into the system's trusted credential storage. Part of SECURITY_LOGS.

certAuthorityRemovedEvent

object (CertAuthorityRemovedEvent)

A root certificate was removed from the system's trusted credential storage. Part of SECURITY_LOGS.

certValidationFailureEvent

object (CertValidationFailureEvent)

An X.509v3 certificate failed to validate. Currently this validation is performed on the Wi-Fi access point, and failure may be due to a mismatch upon server certificate validation. However, it may in the future include other validation events of an X.509v3 certificate. Part of SECURITY_LOGS.

cryptoSelfTestCompletedEvent

object (CryptoSelfTestCompletedEvent)

Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot; if it fails, the device should be considered untrusted. Part of SECURITY_LOGS.

keyDestructionEvent

object (KeyDestructionEvent)

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was removed from the device, either by the user or by management. Part of SECURITY_LOGS.

keyGeneratedEvent

object (KeyGeneratedEvent)

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was installed on the device, either by the user or by management. Part of SECURITY_LOGS.

keyImportEvent

object (KeyImportEvent)

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was imported on the device, either by the user or by management. Part of SECURITY_LOGS.

keyIntegrityViolationEvent

object (KeyIntegrityViolationEvent)

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was determined to be corrupted due to storage corruption, hardware failure or some OS issue. Part of SECURITY_LOGS.

loggingStartedEvent

object (LoggingStartedEvent)

usageLog policy has been enabled. Part of SECURITY_LOGS.

loggingStoppedEvent

object (LoggingStoppedEvent)

usageLog policy has been disabled. Part of SECURITY_LOGS.

logBufferSizeCriticalEvent

object (LogBufferSizeCriticalEvent)

The audit log buffer has reached 90% of its capacity, therefore older events may be dropped. Part of SECURITY_LOGS.

mediaMountEvent

object (MediaMountEvent)

Removable media was mounted. Part of SECURITY_LOGS.

mediaUnmountEvent

object (MediaUnmountEvent)

Removable media was unmounted. Part of SECURITY_LOGS.

osShutdownEvent

object (OsShutdownEvent)

Device was shut down. Part of SECURITY_LOGS.

osStartupEvent

object (OsStartupEvent)

Device was started. Part of SECURITY_LOGS.

remoteLockEvent

object (RemoteLockEvent)

The device or profile has been remotely locked via the LOCK command. Part of SECURITY_LOGS.

wipeFailureEvent

object (WipeFailureEvent)

The work profile or company-owned device failed to wipe when requested. This could be user-initiated or admin-initiated, e.g. delete was received. Part of SECURITY_LOGS.

connectEvent

object (ConnectEvent)

A TCP connect event was initiated through the standard network stack. Part of NETWORK_ACTIVITY_LOGS.

dnsEvent

object (DnsEvent)

A DNS lookup event was initiated through the standard network stack. Part of NETWORK_ACTIVITY_LOGS.

stopLostModeUserAttemptEvent

object (StopLostModeUserAttemptEvent)

An attempt to take a device out of lost mode.

lostModeOutgoingPhoneCallEvent

object (LostModeOutgoingPhoneCallEvent)

An outgoing phone call was made while the device was in lost mode.

lostModeLocationEvent

object (LostModeLocationEvent)

A lost mode location update sent while the device is in lost mode.

enrollmentCompleteEvent

object (EnrollmentCompleteEvent)

Device has completed enrollment. Part of AMAPI_LOGS.
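The union field and the per-event descriptions above are enough to triage a batch. The following is an added example, not part of the API reference: it dispatches on which union field is present and flags the events the descriptions mark as significant. The severity labels, the choice of events, the sample batch (which omits eventType because its enum values are not listed here) and the reading of an omitted boolean as false are assumptions of the example.

```python
import json

# Union-field names come from the UsageLogEvent schema; the severities and
# the choice of what to flag are assumptions of this example.
ALWAYS_FLAG = {
    "loggingStoppedEvent": "high",            # usageLog policy disabled
    "logBufferSizeCriticalEvent": "medium",   # older events may be dropped
    "keyIntegrityViolationEvent": "high",
    "wipeFailureEvent": "high",
    "adbShellCommandEvent": "medium",
    "adbShellInteractiveEvent": "medium",
}

def triage(batch):
    """Return (severity, eventId, union field, detail) tuples for one batch."""
    findings = []
    for ev in batch.get("usageLogEvents", []):
        fields = [k for k in ev if k.endswith("Event")]
        if len(fields) != 1:  # the union allows exactly one event object
            findings.append(("medium", ev.get("eventId"), None, "malformed event"))
            continue
        name, body = fields[0], ev[fields[0]] or {}
        # Assumption: a missing boolean means false (proto3 JSON omits defaults).
        ok = body.get("success", False)
        if name in ALWAYS_FLAG:
            findings.append((ALWAYS_FLAG[name], ev.get("eventId"), name, ""))
        elif name == "cryptoSelfTestCompletedEvent" and not ok:
            findings.append(("critical", ev.get("eventId"), name, "device untrusted"))
        elif name == "certAuthorityInstalledEvent" and ok:
            findings.append(("high", ev.get("eventId"), name, body.get("certificate", "")))
    return findings

# Constructed sample batch (not real device data).
SAMPLE = json.loads("""
{"device": "enterprises/LC00example/devices/3abc0000example",
 "retrievalTime": "2024-05-01T10:00:00Z",
 "usageLogEvents": [
  {"eventId": "1", "eventTime": "2024-05-01T09:00:00Z",
   "cryptoSelfTestCompletedEvent": {"success": true}},
  {"eventId": "2", "eventTime": "2024-05-01T09:05:00Z",
   "certAuthorityInstalledEvent":
     {"certificate": "CN=Example Proxy CA", "userId": 0, "success": true}},
  {"eventId": "3", "eventTime": "2024-05-01T09:06:00Z",
   "cryptoSelfTestCompletedEvent": {}},
  {"eventId": "4", "eventTime": "2024-05-01T09:07:00Z", "loggingStoppedEvent": {}},
  {"eventId": "5", "eventTime": "2024-05-01T09:08:00Z", "appProcessStartEvent": {}}
 ]}
""")

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```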

KeyguardDismissedEvent

This type has no fields.

The keyguard was dismissed. Intentionally empty.

KeyguardDismissAuthAttemptEvent

An attempt was made to unlock the device.

JSON representation
{
  "success": boolean,
  "strongAuthMethodUsed": boolean
}
Fields
success

boolean

Whether the unlock attempt was successful.

strongAuthMethodUsed

boolean

Whether a strong form of authentication (password, PIN, or pattern) was used to unlock device.
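Unlock attempts become useful once they are ordered in time, which requires parsing eventTime in all the forms listed above (0 to 9 fractional digits, "Z" or a numeric offset). The following is an added example, not part of the API reference: it normalizes those timestamps to UTC and reports runs of failed unlock attempts. The threshold, the maximum gap, the sample events and the reading of an omitted success field as false are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$")

def parse_ts(s):
    """Parse the API's RFC 3339 form to UTC, truncating nanoseconds to microseconds."""
    m = _TS.match(s)
    if not m:
        raise ValueError("unexpected timestamp: %r" % s)
    base, frac, off = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    dt = dt.replace(microsecond=int((frac or "").ljust(6, "0")[:6]))
    if off == "Z":
        tz = timezone.utc
    else:
        delta = timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
        tz = timezone(delta if off[0] == "+" else -delta)
    return dt.replace(tzinfo=tz).astimezone(timezone.utc)

def failed_unlock_runs(events, threshold=3, max_gap=timedelta(seconds=60)):
    """Return (first, last, count, unlocked_after) for runs of failed unlocks."""
    runs, cur = [], []

    def close(unlocked):
        if len(cur) >= threshold:
            runs.append((cur[0], cur[-1], len(cur), unlocked))
        cur.clear()

    for ev in events:  # usageLogEvents is sorted chronologically by event time
        attempt = ev.get("keyguardDismissAuthAttemptEvent")
        if attempt is None:  # "{}" still counts as an attempt, so test for None
            continue
        t = parse_ts(ev["eventTime"])
        if cur and t - cur[-1] > max_gap:
            close(False)
        if attempt.get("success", False):  # assumption: omitted means false
            close(True)
        else:
            cur.append(t)
    close(False)
    return runs

# Constructed sample: three failures, then a success given with a +05:30 offset.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "keyguardDismissAuthAttemptEvent": {}},
    {"eventTime": "2024-05-01T09:00:10.500Z",
     "keyguardDismissAuthAttemptEvent": {"success": False}},
    {"eventTime": "2024-05-01T09:00:15Z", "keyguardSecuredEvent": {}},
    {"eventTime": "2024-05-01T09:00:20.045123456Z", "keyguardDismissAuthAttemptEvent": {}},
    {"eventTime": "2024-05-01T14:30:30+05:30",
     "keyguardDismissAuthAttemptEvent": {"success": True, "strongAuthMethodUsed": True}},
    {"eventTime": "2024-05-01T10:00:00Z", "keyguardDismissAuthAttemptEvent": {}},
]
```

A run whose last element is True ended in a successful unlock, which is the case worth reviewing first.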

KeyguardSecuredEvent

This type has no fields.

The device was locked either by user or timeout. Intentionally empty.

FilePulledEvent

A file was downloaded from the device.

JSON representation
{
  "filePath": string
}
Fields
filePath

string

The path of the file being pulled.

FilePushedEvent

A file was uploaded onto the device.

JSON representation
{
  "filePath": string
}
Fields
filePath

string

The path of the file being pushed.

CertAuthorityInstalledEvent

A new root certificate was installed into the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{
  "certificate": string,
  "userId": integer,
  "success": boolean
}
Fields
certificate

string

Subject of the certificate.

userId

integer

The user in which the certificate install event happened. Only available for devices running Android 11 and above.

success

boolean

Whether the installation event succeeded.

CertAuthorityRemovedEvent

A root certificate was removed from the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{
  "certificate": string,
  "userId": integer,
  "success": boolean
}
Fields
certificate

string

Subject of the certificate.

userId

integer

The user in which the certificate removal event occurred. Only available for devices running Android 11 and above.

success

boolean

Whether the removal succeeded.

CertValidationFailureEvent

An X.509v3 certificate failed to validate. Currently this validation is performed on the Wi-Fi access point, and failure may be due to a mismatch upon server certificate validation. However, it may in the future include other validation events of an X.509v3 certificate.

JSON representation
{
  "failureReason": string
}
Fields
failureReason

string

The reason why certificate validation failed.

CryptoSelfTestCompletedEvent

Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot; if it fails, the device should be considered untrusted.

JSON representation
{
  "success": boolean
}
Fields
success

boolean

Whether the test succeeded.

KeyDestructionEvent

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was removed from the device, either by the user or by management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{
  "keyAlias": string,
  "applicationUid": integer,
  "success": boolean
}
Fields
keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which owns the key.

success

boolean

Whether the operation was successful.

KeyGeneratedEvent

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was installed on the device, either by the user or by management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{
  "keyAlias": string,
  "applicationUid": integer,
  "success": boolean
}
Fields
keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which generated the key.

success

boolean

Whether the operation was successful.

KeyImportEvent

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was imported on the device, either by the user or by management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{
  "keyAlias": string,
  "applicationUid": integer,
  "success": boolean
}
Fields
keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which imported the key.

success

boolean

Whether the operation was successful.

KeyIntegrityViolationEvent

A cryptographic key, including a user-installed, admin-installed or system-maintained private key, was determined to be corrupted due to storage corruption, hardware failure or some OS issue. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{
  "keyAlias": string,
  "applicationUid": integer
}
Fields
keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which owns the key.

LoggingStartedEvent

This type has no fields.

usageLog policy has been enabled. Intentionally empty.

LoggingStoppedEvent

This type has no fields.

usageLog policy has been disabled. Intentionally empty.

LogBufferSizeCriticalEvent

This type has no fields.

The usageLog buffer on the device has reached 90% of its capacity, therefore older events may be dropped. Intentionally empty.

MediaMountEvent

Removable media was mounted.

JSON representation
{
  "mountPoint": string,
  "volumeLabel": string
}
Fields
mountPoint

string

Mount point.

volumeLabel

string

Volume label. Redacted to empty string on organization-owned managed profile devices.

MediaUnmountEvent

Removable media was unmounted.

JSON representation
{
  "mountPoint": string,
  "volumeLabel": string
}
Fields
mountPoint

string

Mount point.

volumeLabel

string

Volume label. Redacted to empty string on organization-owned managed profile devices.

OsShutdownEvent

This type has no fields.

Device was shut down. Intentionally empty.

OsStartupEvent

Device was started.

JSON representation
{
  "verifiedBootState": enum (VerifiedBootState),
  "verityMode": enum (DmVerityMode)
}
Fields
verifiedBootState

enum (VerifiedBootState)

Verified Boot state.

verityMode

enum (DmVerityMode)

dm-verity mode.

RemoteLockEvent

The device or profile has been remotely locked via the LOCK command.

JSON representation
{
  "adminPackageName": string,
  "adminUserId": integer,
  "targetUserId": integer
}
Fields
adminPackageName

string

Package name of the admin app requesting the change.

adminUserId

integer

User ID of the admin app from which the change was requested.

targetUserId

integer

User ID in which the change was requested.

WipeFailureEvent

This type has no fields.

The work profile or company-owned device failed to wipe when requested. This could be user-initiated or admin-initiated, e.g. delete was received. Intentionally empty.

ConnectEvent

A TCP connect event was initiated through the standard network stack.

JSON representation
{
  "destinationIpAddress": string,
  "destinationPort": integer,
  "packageName": string
}
Fields
destinationIpAddress

string

The destination IP address of the connect call.

destinationPort

integer

The destination port of the connect call.

packageName

string

The package name of the UID that performed the connect call.

DnsEvent

A DNS lookup event was initiated through the standard network stack.

JSON representation
{
  "hostname": string,
  "ipAddresses": [
    string
  ],
  "totalIpAddressesReturned": string,
  "packageName": string
}
Fields
hostname

string

The hostname that was looked up.

ipAddresses[]

string

The (possibly truncated) list of the IP addresses returned for DNS lookup (max 10 IPv4 or IPv6 addresses).

totalIpAddressesReturned

string (int64 format)

The number of IP addresses returned from the DNS lookup event. May be higher than the number of entries in ipAddresses if there were too many addresses to log.

packageName

string

The package name of the UID that performed the DNS lookup.
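ConnectEvent and DnsEvent share packageName, so a connection can be matched to the lookup that produced its destination, as long as the truncation of ipAddresses is taken into account. The following is an added example, not part of the API reference: it labels each connect event as explained by a logged DNS answer, unexplained, or undecidable because that package's DNS answer was truncated. The verdict names, the sample events and the reading of a missing totalIpAddressesReturned as 0 are assumptions of the example.

```python
import ipaddress

def correlate(events):
    """Label each connectEvent by whether a logged DNS answer explains its destination."""
    resolved = {}      # (packageName, ip) -> hostnames that resolved to ip
    truncated = set()  # packages that had at least one truncated DNS answer
    results = []
    for ev in events:
        dns, conn = ev.get("dnsEvent"), ev.get("connectEvent")
        if dns is not None:
            pkg, ips = dns.get("packageName", ""), dns.get("ipAddresses", [])
            # int64 arrives as a JSON string; a missing value is read as 0.
            if int(dns.get("totalIpAddressesReturned", "0")) > len(ips):
                truncated.add(pkg)
            for ip in ips:
                key = (pkg, ipaddress.ip_address(ip))  # normalizes IPv6 spelling
                resolved.setdefault(key, set()).add(dns.get("hostname", ""))
        elif conn is not None:
            pkg = conn.get("packageName", "")
            ip = ipaddress.ip_address(conn["destinationIpAddress"])
            hosts = sorted(resolved.get((pkg, ip), ()))
            if hosts:
                verdict = "resolved"
            elif pkg in truncated:
                verdict = "unknown-truncated-dns"  # answer may be in the unlogged tail
            else:
                verdict = "no-dns-seen"
            results.append((ev.get("eventId"), pkg, str(ip), verdict, hosts))
    return results

# Constructed sample events (documentation-range addresses, made-up packages).
SAMPLE_EVENTS = [
    {"eventId": "10", "dnsEvent": {"hostname": "api.example.com",
        "ipAddresses": ["192.0.2.10", "2001:db8::1"],
        "totalIpAddressesReturned": "2", "packageName": "com.example.mail"}},
    {"eventId": "11", "connectEvent": {"destinationIpAddress": "2001:0db8:0:0:0:0:0:1",
        "destinationPort": 443, "packageName": "com.example.mail"}},
    {"eventId": "12", "dnsEvent": {"hostname": "cdn.example.net",
        "ipAddresses": ["198.51.100.%d" % i for i in range(1, 11)],
        "totalIpAddressesReturned": "12", "packageName": "com.example.video"}},
    {"eventId": "13", "connectEvent": {"destinationIpAddress": "198.51.100.200",
        "destinationPort": 443, "packageName": "com.example.video"}},
    {"eventId": "14", "connectEvent": {"destinationIpAddress": "203.0.113.7",
        "destinationPort": 8443, "packageName": "com.example.notes"}},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

A "no-dns-seen" result is a lead rather than a verdict: the lookup may predate the start of logging or may have been dropped when the log buffer filled.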

StopLostModeUserAttemptEvent

A lost mode event indicating the user has attempted to stop lost mode.

JSON representation
{
  "status": enum (Status)
}
Fields
status

enum (Status)

The status of the attempt to stop lost mode.

LostModeOutgoingPhoneCallEvent

This type has no fields.

An event indicating an outgoing phone call has been made when a device is in lost mode. Intentionally empty.

LostModeLocationEvent

A lost mode event containing the device location and battery level as a percentage.

JSON representation
{
  "location": {
    object (Location)
  },
  "batteryLevel": integer
}
Fields
location

object (Location)

The device location.

batteryLevel

integer

The battery level as a number between 0 and 100 inclusive.

Location

The device location containing the latitude and longitude.

JSON representation
{
  "latitude": number,
  "longitude": number
}
Fields
latitude

number

The latitude position of the location.

longitude

number

The longitude position of the location.

EnrollmentCompleteEvent

This type has no fields.

Represents that the device has completed enrollment. The user should be in the launcher at this point; the device will be compliant and all setup steps have been completed. Intentionally empty.