Google Workspace OAuth Token and App Access Audit Events
Location
Google Admin Console > Reporting > Audit and investigation > OAuth log events
Description
Audit events related to OAuth token issuance, third-party app access, API client authorization, and application grants against Google Workspace data.
Forensic Value
OAuth and token events are the main evidence source for consent-style persistence in Google Workspace. They reveal when a malicious application gained token-based access, which user granted that access, and which app or client ID must be revoked to fully remove persistence.
Tools Required
Collection Commands
Google Admin Console
Reporting > Audit and investigation > OAuth log events > Filter by application name, client ID, user, and event > Export the incident window
Reports API
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?startTime=2026-03-01T00:00:00.000Z
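Added example, not part of this page's own tooling: a Python parser for the JSON the Reports API `token` endpoint above returns, grouping `authorize` events by client_id so the responder can see which user granted which app what access and which client IDs are revocation candidates. The items/events/parameters layout follows the Reports API activities schema; the parameter names `app_name`, `client_id` and `scope`, the high-risk scope list, and the sample response (app names, client IDs, users) are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: two Reports API "token" activities shaped like the endpoint
# on this page returns them; app names, client IDs and scopes are invented.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"id": {"time": "2026-03-02T09:15:00.000Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
        {"name": "app_name", "value": "Mail Sync Helper"},
        {"name": "client_id", "value": "1234.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": ["https://mail.google.com/",
                                         "https://www.googleapis.com/auth/drive"]}]}]},
    {"id": {"time": "2026-03-03T11:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
        {"name": "app_name", "value": "Calendar Widget"},
        {"name": "client_id", "value": "5678.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
]})

# Scopes that give an app standing access to mailbox or Drive content (assumed
# list); any grant carrying one of these is a revocation candidate.
HIGH_RISK_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/drive"}

def summarize_token_grants(response_json):
    """Group 'authorize' events by client_id: who granted, when, which scopes."""
    grants = defaultdict(lambda: {"app_name": None, "users": set(),
                                  "scopes": set(), "first_seen": None})
    for item in json.loads(response_json).get("items", []):
        when = item["id"]["time"]  # ISO-8601 UTC, so string order is time order
        user = item.get("actor", {}).get("email", "<unknown>")
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":
                continue
            # Flatten parameters[] into a dict; multi-valued ones keep their list.
            params = {p["name"]: p.get("value", p.get("multiValue"))
                      for p in ev.get("parameters", [])}
            g = grants[params.get("client_id", "<no client_id>")]
            g["app_name"] = params.get("app_name")
            g["users"].add(user)
            g["scopes"].update(params.get("scope") or [])
            if g["first_seen"] is None or when < g["first_seen"]:
                g["first_seen"] = when
    return dict(grants)

def revocation_candidates(grants):
    """Client IDs whose granted scopes intersect the high-risk set."""
    return sorted(c for c, g in grants.items() if g["scopes"] & HIGH_RISK_SCOPES)
```

Feed the exported incident-window JSON to `summarize_token_grants` and use `first_seen` per client_id as the persistence start time to correlate with downstream Gmail or Drive evidence.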
Collection Constraints
- Token and app-access logs show authorization activity, but investigators still need downstream Gmail, Drive, or Vault evidence to prove what data was accessed.
- Visibility depends on admin privilege, configured logging, and surviving retention windows.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.