Serving Vancouver, Washington and remote U.S. businesses

Google Workspace Security

How to Review Google Workspace Audit and Investigation Logs

A practical guide to using Google Workspace audit and investigation tools to review sign-ins, administrator changes, file sharing, Gmail activity, OAuth applications, devices, and suspicious events.

Google Workspace logs help administrators investigate what happened, who performed an action, which account or application was involved, and what response may be required.

Why Audit Visibility Matters

Google Workspace can record login events, administrator changes, Drive activity, Gmail activity, group changes, OAuth activity, device events, and other actions depending on the edition and service.

Logs support troubleshooting, access reviews, security investigations, compliance, and incident response. They provide value only when the organization knows which data is available and who is responsible for reviewing it.

Understand Edition Differences

Google Workspace log availability, investigation features, retention, and remediation actions vary by edition. The security investigation tool and some advanced capabilities require supported editions.

Document the organization's subscriptions and verify current Google Admin Help documentation before relying on a specific data source or action.

Know what your edition can investigate

Do not wait for an incident to discover that a needed log, search field, retention period, or remediation action is unavailable.

Start With Login Events

Login events can help identify successful sign-ins, failed sign-ins, suspicious attempts, verification challenges, password changes, and other authentication activity.

Review the user, time, internet address, location, event type, login type, challenge, and related account activity. Compare the event with the employee's expected device, location, and work schedule.

Review Repeated Failures

Many failed sign-ins across several users can indicate password spraying. Repeated failures against one user can indicate a targeted attack, old application, or forgotten device.

Review whether a successful sign-in followed the failures and whether account settings changed afterward.

Review 2-Step Verification Changes

Investigate newly enrolled methods, disabled verification, regenerated backup codes, security-key changes, and administrator resets.

Confirm that the user requested the change and that support followed the identity-verification procedure.

A successful login can still be suspicious

An attacker with a stolen session, approved malicious OAuth application, or valid verification method may create a successful event.

Review Administrator Log Events

Administrator logs can show user changes, role assignments, service settings, security-policy changes, domain changes, Gmail routing changes, Drive settings, device-management actions, and application controls.

Review high-impact changes with the request, approver, administrator, implementation time, and expected outcome.

Monitor Super Administrator Activity

Super administrator actions require special review. Investigate new super administrators, role changes, recovery changes, security-setting changes, and unusual access times.

Every emergency or recovery administrator use should have a documented reason and post-use review.

Review Drive Log Events

Drive logs can help investigate file viewing, downloading, editing, deletion, sharing, ownership changes, shared-drive membership, and other events depending on edition and event type.

Focus on sensitive files, large downloads, external sharing, link changes, bulk deletion, and activity by former employees or unfamiliar applications.

Review Shared Drive Activity

Shared drives retain organizational ownership, but members and managers can still create security risk through broad access or external sharing.

Review member changes, manager assignments, external users, file movement, deletions, and unusual download patterns.

Review Gmail Log Events

Available Gmail log events can support investigations into user actions and email activity depending on edition. Email Log Search can help trace delivery and routing.

Correlate suspicious messages with login events, forwarding, filters, delegated access, OAuth applications, and administrator routing changes.

Review OAuth Log Events

OAuth logs can show application authorization and token-related activity. Investigate unfamiliar applications, high-risk scopes, consent by administrators, and activity after a vendor or employee relationship ends.

Review the application in API controls and remove access when it is not approved.

Review Device Log Events

Device events can provide information about enrollment, management, account access, device state, operating system, and security actions depending on the device type and edition.

Investigate lost devices, unenrolled devices, unsupported operating systems, failed compliance, and privileged access from unmanaged endpoints.

Review Group Events

Groups can provide access to email, Drive, shared drives, applications, and security settings. Review group creation, deletion, membership, ownership, and posting changes.

Investigate high-risk groups, administrator groups, external members, and membership added outside the approved process.

Use the Audit and Investigation Tool

The audit and investigation tool allows administrators to select a data source, create conditions, search events, and review results according to assigned privileges and edition.

Save or document recurring searches for super administrator activity, failed sign-ins, external sharing, OAuth grants, device changes, and sensitive groups.

Use the Security Investigation Tool Where Available

Supported editions can provide expanded investigation and remediation capabilities. Administrators may be able to take actions such as suspending a user, deleting a message, or changing access depending on data source and privileges.

Use remediation actions carefully. Confirm scope, preserve evidence, and document the action before changing or deleting data.

Define a Triage Process

  1. Confirm the event source and time.
  2. Identify affected users, devices, files, messages, and applications.
  3. Determine whether the activity is expected.
  4. Review related login, admin, Drive, Gmail, OAuth, and device events.
  5. Contain active risk.
  6. Preserve evidence.
  7. Correct the root cause.
  8. Document the result and lessons learned.

Correlate Events

A login event alone may not show the complete incident. Build a timeline that includes authentication, administrator changes, OAuth consent, Gmail forwarding, file sharing, downloads, group changes, and device activity.

Correlation can distinguish a normal employee trip from an attacker who signed in, authorized an application, downloaded files, and changed forwarding.

Maintain a Business Baseline

Document normal office locations, remote-work patterns, approved applications, devices, vendors, administrator schedules, shared drives, and expected bulk activity.

Update the baseline after office moves, new vendors, staffing changes, device migrations, and mergers.

Confirm Log Retention

Retention differs by data source and edition. Determine how long login, admin, Drive, Gmail, OAuth, group, and device events remain available.

Decide whether the organization needs export to BigQuery, the Reports API, Google Security Operations, or another approved monitoring platform.

Assign Review Ownership

Assign primary and backup owners for alerts, daily review, weekly privileged review, monthly trend review, and incident escalation.

Security alerts sent to an unattended mailbox do not provide effective monitoring.

Create a Review Schedule

Review critical alerts continuously or daily, super administrator and authentication activity weekly, and broader sharing, application, device, and group trends monthly.

Complete a formal quarterly review of administrators, OAuth applications, external access, devices, alerts, and retention.

Audit and Investigation Checklist

  • Confirm edition, data sources, privileges, and retention.
  • Review login events and repeated failures.
  • Review 2-Step Verification changes.
  • Monitor administrator and super administrator actions.
  • Review Drive and shared-drive activity.
  • Review Gmail delivery, routing, and user events.
  • Review OAuth applications and consent activity.
  • Review device and group events.
  • Use a consistent triage process.
  • Correlate related events into a timeline.
  • Assign active alert and review owners.
  • Document investigations and corrective actions.

Frequently Asked Questions

Are all Google Workspace logs available in every edition?

No. Data sources, retention, search capabilities, and remediation actions vary by edition.

What should be reviewed first during a suspicious login?

Review the user, time, internet address, event type, verification details, related administrator changes, OAuth activity, Gmail changes, and Drive activity.

How often should logs be reviewed?

Review critical alerts daily, privileged activity weekly, broader trends monthly, and complete a formal quarterly security review.

When Professional Support Helps

Professional support can identify available logs, build recurring searches, review alerts, investigate suspicious activity, document response procedures, and establish a monitoring schedule.

Need help applying this?

Implement Google Workspace security with confidence.

J3 Systems Group LLC can implement 2-Step Verification, Context-Aware Access, Gmail protection, super admin recovery, audit monitoring, OAuth controls, and supporting security procedures.

Book a Free Consultation