Google Workspace Admin Audit Events
Location
Google Admin Console > Reporting > Audit and investigation > Admin log events
Description
Administrative audit events covering privileged changes in Google Workspace, including admin-role updates, security-setting changes, application configuration changes, and delegated-admin actions.
Forensic Value
Admin audit events are the primary source for reconstructing attacker changes in Google Workspace. They show who changed tenant settings, which admin role was used, the originating IP address, and which controls were weakened or disabled during the compromise window.
Tools Required
Collection Commands
Google Admin Console
Reporting > Audit and investigation > Admin log events > Filter by actor, event name, and date range > Export to CSV or Google Sheets
Reports API
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?startTime=2026-03-01T00:00:00.000Z
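The Reports API call above returns JSON, not a timeline. The parser below is an added example, not part of this artifact page or any Google tooling; it flattens an activities.list page for the admin application into sorted rows filtered by actor and UTC date range, the same filters the Admin Console offers. The embedded response is constructed; event names, parameters, addresses and accounts are illustrative only.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Reports API activities.list response for
# applications/admin. Values are illustrative, not taken from a real tenant.
SAMPLE_RESPONSE = json.dumps({"kind": "admin#reports#activities", "items": [
    {"id": {"time": "2026-03-02T14:05:11.000Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com", "callerType": "USER"},
     "ipAddress": "203.0.113.10",
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "contractor@example.com"}]}]},
    {"id": {"time": "2026-03-02T14:09:40.000Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com", "callerType": "USER"},
     "ipAddress": "203.0.113.10",
     "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_APPLICATION_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "2-Step Verification Enforcement"},
         {"name": "OLD_VALUE", "value": "ON"}, {"name": "NEW_VALUE", "value": "OFF"}]}]},
    {"id": {"time": "2026-03-05T09:00:00.000Z", "applicationName": "admin"},
     "actor": {"email": "helpdesk@example.com", "callerType": "USER"},
     "ipAddress": "198.51.100.7",
     "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD", "parameters": [
         {"name": "USER_EMAIL", "value": "alice@example.com"}]}]},
]})

def parse_time(s):
    """Reports API timestamps are RFC 3339 with millisecond precision in UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def admin_timeline(raw, actor=None, start=None, end=None):
    """Flatten one activities.list page into timeline rows (time, actor, source IP,
    event name, parameters), keeping only rows inside the actor/time filters."""
    rows = []
    for item in json.loads(raw).get("items", []):
        when = parse_time(item["id"]["time"])
        who = item.get("actor", {}).get("email", "")
        if (actor and who != actor) or (start and when < start) or (end and when > end):
            continue
        for ev in item.get("events", []):
            # A parameter carries one of value / intValue / boolValue; take whichever is present.
            params = {p["name"]: p.get("value", p.get("intValue", p.get("boolValue")))
                      for p in ev.get("parameters", [])}
            rows.append({"time": when, "actor": who, "ip": item.get("ipAddress"),
                         "event": ev["name"], "params": params})
    return sorted(rows, key=lambda r: r["time"])

if __name__ == "__main__":
    for r in admin_timeline(SAMPLE_RESPONSE, actor="admin@example.com"):
        print(r["time"].isoformat(), r["ip"], r["event"], r["params"])
```

A real export spans several pages; feed each page's JSON through the same function and follow `nextPageToken` until it is absent.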
Collection Constraints
- Available event families and lookback depth depend on Google Workspace edition, retention settings, and delegated admin privileges.
- Exports capture audit metadata, not the underlying document or mailbox content.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.