Google Workspace Takeout Log Events

Cloud & SaaSData Access & StorageGoogle WorkspaceCloud Control PlaneSIEM / Log Aggregator

Location

Google Admin Console > Reporting > Audit and investigation > Google Takeout log events

Description

Audit events related to Google Takeout export activity, including export initiation and related user actions that may indicate bulk data collection from Google Workspace services.

Forensic Value

Takeout events are high-signal evidence for data-theft investigations because they show attempts to package large volumes of user data for export outside normal collaboration workflows. They also help separate bulk export behavior from normal per-file access.

Tools Required

Google Admin ConsoleReports APISIEM

Collection Commands

Google Admin Console

Reporting > Audit and investigation > Google Takeout log events > Filter by user and time range > Export the log set

Reports API

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/takeout?startTime=2026-03-01T00:00:00.000Z

Collection Constraints

•Takeout logs record export activity, not the actual exported dataset contents or where an archive was later moved.
•Longer-term evidence still depends on audit retention and whether a preservation workflow such as Vault was available in time.

MITRE ATT&CK Techniques

T1020T1567T1213.002

References

Google Takeout log events Reports retention and availability

Used in Procedures

Identify Data Staging and Compression Activity

analyze

Collect DLP Policy Alerts and Hits

collect

Related Blockers

SaaS Audit Retention Expired Before Collection

The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.