Google Workspace Gmail Log Events
Location
Google Admin Console > Reporting > Audit and investigation > Gmail log events
Description
Email-activity logs covering message delivery, route changes, spam/phish actions, mailbox access context, and selected message-handling metadata within Google Workspace.
Forensic Value
Gmail log events are essential for phishing, BEC, and data-exfiltration cases. They help determine which mailboxes were touched, whether suspicious forwarding or transport actions occurred, and which sending infrastructure or delivery path was involved.
Tools Required
Collection Commands
Google Admin Console
Reporting > Audit and investigation > Gmail log events > Filter by sender, recipient, IP, and message ID > Export the result set
Gmail log search
Apps > Google Workspace > Gmail > Gmail log search > Search by sender/recipient/message ID and export the results for the incident window
Collection Constraints
- Gmail log events provide message-routing and audit context, not full mailbox content; content preservation requires Vault or mailbox export workflows.
- Some searches and exports are limited by admin role, license, and retention boundaries.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.