Google Workspace Drive Audit Log Events
Cloud & SaaS | Data Access & Storage | Google Workspace | Cloud Control Plane | SIEM / Log Aggregator
Location
Google Admin Console > Reporting > Audit and investigation > Drive log events
Description
Google Drive and shared-drive audit events covering file access, downloads, external sharing, permission changes, ownership transfers, and bulk data movement indicators.
Forensic Value
Drive audit events are high-value evidence for insider threat, token abuse, and data-exfiltration cases. They identify exactly which documents were accessed or shared, by whom, from which IP, and whether sharing or permission changes expanded exposure.
Tools Required
Google Admin Console, Reports API, SIEM
Collection Commands
Google Admin Console
Reporting > Audit and investigation > Drive log events > Filter by actor, owner, shared-drive, and document ID > Export evidence
Reports API
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?startTime=2026-03-01T00:00:00.000Z
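Added example (not part of the original page or of any Google tooling): a triage pass over a saved response from the Reports API call above, reducing it to the questions listed under Forensic Value: which actor, from which IPs, which documents were downloaded, and which changes widened exposure externally. The sample data is constructed, and the event and parameter names (download, change_user_access, doc_id, visibility_change) are assumed to match what your export contains.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Reports API activities.list response for
# the "drive" application; every account, IP and document ID is invented.
SAMPLE = json.loads("""{"items": [
 {"id": {"time": "2026-03-02T09:14:05.000Z"}, "actor": {"email": "alice@example.com"},
  "ipAddress": "203.0.113.10", "events": [{"name": "download", "parameters": [
    {"name": "doc_id", "value": "DOC-A"}, {"name": "owner", "value": "bob@example.com"}]}]},
 {"id": {"time": "2026-03-02T09:15:40.000Z"}, "actor": {"email": "alice@example.com"},
  "ipAddress": "198.51.100.7", "events": [{"name": "change_user_access", "parameters": [
    {"name": "doc_id", "value": "DOC-B"}, {"name": "target_user", "value": "x@example.net"},
    {"name": "visibility_change", "value": "external"}]}]},
 {"id": {"time": "2026-03-02T10:01:00.000Z"}, "actor": {"email": "carol@example.com"},
  "ipAddress": "203.0.113.10", "events": [{"name": "view", "parameters": [
    {"name": "doc_id", "value": "DOC-A"}]}]}
]}""")

def flatten(activity):
    """Yield one flat dict per event inside a single activity record."""
    for ev in activity.get("events", []):
        row = {"time": activity["id"]["time"], "ip": activity.get("ipAddress"),
               "actor": activity.get("actor", {}).get("email", "unknown"),
               "event": ev["name"]}
        for p in ev.get("parameters", []):
            # Each parameter stores its value in one typed field.
            for key in ("value", "boolValue", "intValue", "multiValue"):
                if key in p:
                    row[p["name"]] = p[key]
        yield row

def summarize(response):
    """Per actor: source IPs, downloaded doc IDs, and externally exposed doc IDs."""
    out = defaultdict(lambda: {"ips": set(), "downloads": set(), "external": set()})
    for activity in response.get("items", []):
        for row in flatten(activity):
            entry = out[row["actor"]]
            if row["ip"]:
                entry["ips"].add(row["ip"])
            if row["event"] == "download":
                entry["downloads"].add(row.get("doc_id"))
            # Assumption: visibility_change == "external" marks widened exposure.
            if row.get("visibility_change") == "external":
                entry["external"].add(row.get("doc_id"))
    return dict(out)

if __name__ == "__main__":
    for actor, info in sorted(summarize(SAMPLE).items()):
        print(actor, {k: sorted(v) for k, v in info.items()})
```

A real export is paged, so each page returned via nextPageToken needs to go through the same pass before the per-actor sets are complete.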
Collection Constraints
- Drive audit logging shows file actions and sharing metadata, not a preserved copy of the document content.
- Shared-drive and cross-domain visibility depends on admin scope and retention settings at export time.
MITRE ATT&CK Techniques
T1213.002, T1530, T1567