Google Workspace User Account and Login Audit Events
Location
Google Admin Console > Reporting > Audit and investigation > User log events / Login log events
Description
User-account and authentication events covering account creation and suspension, password resets, login attempts, 2-step verification changes, and risk-relevant sign-in context.
Forensic Value
These logs establish who authenticated, from where, and what account lifecycle changes occurred before or after suspicious access. They are critical for distinguishing a simple password reset from a full identity takeover involving MFA changes or high-risk login behavior.
Collection Commands
Google Admin Console
Reporting > Audit and investigation > Login log events or User log events > Filter by user, IP, event name, and status > Export results
Reports API
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?startTime=2026-03-01T00:00:00.000Z
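One way to triage the `items` array returned by the Reports API request above, separating a plain password reset from the takeover pattern described under Forensic Value. This is an added example, not part of the original page. The event names are those of the Reports API login application; the function names, the one-hour window, the new-IP heuristic and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names as used by the Reports API "login" application.
LOGIN_OK, RISKY, PASSWORD, MFA_OFF = "login_success", "suspicious_login", "password_edit", "2sv_disable"

def _ts(item):
    return datetime.fromisoformat(item["id"]["time"].replace("Z", "+00:00"))

def triage(items, window=timedelta(hours=1)):
    """Map each actor to no_change, password_reset_only, mfa_change_only or possible_takeover."""
    by_user = defaultdict(list)
    for item in items:
        for ev in item.get("events", []):
            by_user[item["actor"]["email"]].append((_ts(item), ev["name"], item.get("ipAddress")))
    verdicts = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        seen_ips, risky_at, changes, verdict = set(), [], set(), "no_change"
        for when, name, ip in rows:
            if name == LOGIN_OK:
                if seen_ips and ip not in seen_ips:
                    risky_at.append(when)  # heuristic: IP not seen earlier in this export
                seen_ips.add(ip)
            elif name == RISKY:
                risky_at.append(when)
            elif name in (PASSWORD, MFA_OFF):
                changes.add(name)
                near_risk = any(timedelta(0) <= when - r <= window for r in risky_at)
                if near_risk or changes == {PASSWORD, MFA_OFF}:
                    verdict = "possible_takeover"
                elif verdict == "no_change":
                    verdict = "password_reset_only" if name == PASSWORD else "mfa_change_only"
        verdicts[user] = verdict
    return verdicts

def _item(time, email, ip, name):  # helper for the constructed sample below
    return {"id": {"time": time}, "actor": {"email": email}, "ipAddress": ip, "events": [{"name": name}]}

SAMPLE = [  # constructed records shaped like the API's "items" array, not real log data
    _item("2026-03-02T08:00:00.000Z", "alice@example.com", "198.51.100.10", "login_success"),
    _item("2026-03-02T08:05:00.000Z", "alice@example.com", "198.51.100.10", "password_edit"),
    _item("2026-03-02T07:00:00.000Z", "bob@example.com", "198.51.100.20", "login_success"),
    _item("2026-03-02T09:01:00.000Z", "bob@example.com", "203.0.113.7", "login_success"),
    _item("2026-03-02T09:07:00.000Z", "bob@example.com", "203.0.113.7", "2sv_disable"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A verdict of `possible_takeover` is a lead for review, not a finding: the new-IP check only knows the addresses present in the export, so a short collection window makes it noisier.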
Collection Constraints
- Login and user-event visibility depends on admin roles, API scopes, and service retention; older events may already have expired.
- These logs show authentication and account changes, not mailbox or Drive content access by themselves.
Related Blockers
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.