Admin Console GoogleWorkspace-admin

54 operations, identified by eventName in the audit log.

eventName	Description
any	Source-only rules that filter on applicationName 'admin' without specifying an eventName attribute here.
ADD_APPLICATION	An application was added to the Google Workspace domain.
ADD_GROUP_MEMBER	A user was added to a group.
ADD_PRIVILEGE	A privilege was added to a role.
ADD_TRUSTED_DOMAINS	A domain was added to the trusted domains list.
ALLOW_STRONG_AUTHENTICATION	The administrator changed the MFA enforcement setting (allow/require strong authentication).
ASSIGN_ROLE	An admin role was assigned to a user or service account.
AUTHORIZE_API_CLIENT_ACCESS	An API client was authorized domain-wide access via OAuth.
CHANGE_APPLICATION_SETTING	A setting for a Google Workspace application was modified.
CHANGE_GMAIL_SETTING	A Gmail routing or mail-flow setting was changed.
CREATE_APPLICATION_SETTING	A new application setting was created.
CREATE_DATA_TRANSFER_REQUEST	An admin initiated a data transfer (Drive file ownership reassignment) to another user.
CREATE_GMAIL_SETTING	A new Gmail routing or mail-flow setting was created.
CREATE_ROLE	A custom admin role was created.
CUSTOMER_TAKEOUT_CREATED	An admin initiated a Takeout export job for organizational data.
DELETE_ROLE	An admin role was permanently deleted.
ENFORCE_STRONG_AUTHENTICATION	The MFA/2SV enforcement policy was changed for the domain or an organizational unit.
GRANT_ADMIN_PRIVILEGE	Administrator privileges were granted to a user account.
GRANT_DELEGATED_ADMIN_PRIVILEGES	Delegated administrator privileges were granted to a user.
MOVE_USER_TO_ORG_UNIT	A user was moved to a different organizational unit.
REMOVE_APPLICATION	An application was removed from the Google Workspace domain.
REMOVE_APPLICATION_FROM_WHITELIST	An application was removed from the domain's marketplace allowlist.
REMOVE_PRIVILEGE	A privilege was removed from a role.
RENAME_ROLE	An admin role was renamed.
SAML2_SERVICE_PROVIDER_CONFIG	A SAML 2.0 service provider configuration was added, modified, or removed.
TOGGLE_OUTBOUND_RELAY	Outbound email relay routing was enabled or disabled.
TURN_OFF_2_STEP_VERIFICATION	2-Step Verification was disabled for a user or the domain.
UNSUSPEND_USER	A suspended user account was reactivated.
UPDATE_ROLE	An existing admin role was modified (e.g. description or privileges changed).
BLOCK_ALL_THIRD_PARTY_API_ACCESS	An admin blocked all third-party application access to Google Workspace APIs.
UNBLOCK_ALL_THIRD_PARTY_API_ACCESS	An admin unblocked third-party application access to Google Workspace APIs.
ADD_TO_TRUSTED_OAUTH2_APPS	An OAuth2 application was added to the trusted apps list.
ADD_TO_BLOCKED_OAUTH2_APPS	An OAuth2 application was blocked from accessing Google Workspace data.
REMOVE_FROM_BLOCKED_OAUTH2_APPS	An OAuth2 application was removed from the blocked apps list.
REMOVE_FROM_TRUSTED_OAUTH2_APPS	An OAuth2 application was removed from the trusted apps list.
CREATE_USER	A new user account was created in the Google Workspace domain.
DELETE_USER	A user account was deleted from the Google Workspace domain.
SUSPEND_USER	A user account was suspended by an administrator.
RENAME_USER	A user's primary email address was changed.
CHANGE_PASSWORD	An administrator changed a user's password.
REVOKE_ASP	An administrator revoked an application-specific password (ASP) for a user.
REVOKE_3LO_TOKEN	An administrator revoked an OAuth token for a user.
SESSION_CONTROL_SETTINGS_CHANGE	Web session duration or re-authentication settings were changed.
WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED	Settings controlling less-secure app access (LSA/basic auth) were changed.
CHANGE_SSO_SETTINGS	SAML/SSO settings for the domain were changed.
TOGGLE_SSO_ENABLED	SSO (SAML-based single sign-on) was enabled or disabled for the domain.
REVOKE_ADMIN_PRIVILEGE	Administrator privileges were revoked from a user account.
ALLOW_SERVICE_FOR_OAUTH2_ACCESS	A Google service was allowed for OAuth2 API access.
DISALLOW_SERVICE_FOR_OAUTH2_ACCESS	A Google service was disallowed for OAuth2 API access.
TOGGLE_CAA_ENABLEMENT	Context-Aware Access was enabled or disabled for the domain.
CHANGE_GROUP_SETTING	A setting for a Google Group was changed by an administrator.
ADD_APPLICATION_TO_WHITELIST	An application was added to the domain's Google Workspace Marketplace allowlist.
CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION	The enrollment period for 2-Step Verification was changed.
CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS	The allowed methods for 2-Step Verification were changed.

any: Admin Console (any event)

Application: GoogleWorkspace-admin

Description

Source-only rules that filter on applicationName 'admin' without specifying an eventName attribute here.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Reports API: admin activity events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin
Reports API activities.list reference https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list

ADD_APPLICATION: Add Application

Application: GoogleWorkspace-admin

Description

An application was added to the Google Workspace domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Application Added to Google Workspace Domain source medium: Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.

YARA-L #

Google Workspace Application Added source: Identifies when a Marketplace app is added in a Google Workspace organization. Installing certain apps may increase the organization's risk of data exfiltration/leakage and increase its attack surface.

References #

Admin Activity Events: ADD_APPLICATION https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#ADD_APPLICATION

ADD_GROUP_MEMBER: Add Group Member

Application: GoogleWorkspace-admin

Description

A user was added to a group.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Elastic #

External User Added to Google Workspace Group source medium: Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.

YARA-L #

Google Workspace External User Added To Group source: Identifies when an external user account is added to a group in Google Workspace. Security teams can monitor for unexpected user accounts being added to Google Workspace groups to prevent unauthorized access to data.

References #

Admin Activity Events: ADD_GROUP_MEMBER https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-group-settings#ADD_GROUP_MEMBER

ADD_PRIVILEGE: Add Privilege

Application: GoogleWorkspace-admin

Description

A privilege was added to a role.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Role Modified source medium: Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.↳ also matches UPDATE_ROLE: Update Role

References #

Admin Activity Events: role and privilege management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

ADD_TRUSTED_DOMAINS: Add Trusted Domains

Application: GoogleWorkspace-admin

Description

A domain was added to the trusted domains list.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Domain Added to Google Workspace Trusted Domains source high: Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.

YARA-L #

Google Workspace New Trusted Domain Added source: Identifies when a domain is added to the list of trusted domains in Google Workspace. An adversary may attempt to manipulate sharing settings for trusted domains to gain unauthorized access to sensitive files and folders within an organization.

References #

Admin Activity Events: ADD_TRUSTED_DOMAINS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#ADD_TRUSTED_DOMAINS

ALLOW_STRONG_AUTHENTICATION: Allow Strong Authentication

Application: GoogleWorkspace-admin

Description

The administrator changed the MFA enforcement setting (allow/require strong authentication).

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma
`gws::admin_new_value`	eq	`false`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace MFA Disabled source medium: Detects when multi-factor authentication (MFA) is disabled.↳ also matches ENFORCE_STRONG_AUTHENTICATION: Enforce Strong Authentication

Elastic #

MFA Disabled for Google Workspace Organization source medium: Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.↳ also matches ENFORCE_STRONG_AUTHENTICATION: Enforce Strong Authentication

YARA-L #

Google Workspace MFA Disabled source: Identifies when multi-factor authentication (MFA) is disabled for a Google Workspace organization. Security teams can monitor for changes to MFA configuration that may weaken the organization's security posture.↳ also matches ENFORCE_STRONG_AUTHENTICATION: Enforce Strong Authentication

References #

Admin Activity Events: ALLOW_STRONG_AUTHENTICATION https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#ALLOW_STRONG_AUTHENTICATION

ASSIGN_ROLE: Assign Role

Application: GoogleWorkspace-admin

Description

An admin role was assigned to a user or service account.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.category_details`	eq	`DELEGATED_ADMIN_SETTINGS`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Admin Role Assigned to a User source high: Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.

YARA-L #

Google Workspace Admin Role Assignment source: Identifies when an administrator role is assigned to a user account in Google Workspace. Security teams can monitor for the malicious or accidental assignment of administrator privileges to prevent unauthorized access to data.

References #

Admin Activity Events: role assignment https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

AUTHORIZE_API_CLIENT_ACCESS: Authorize API Client Access

Application: GoogleWorkspace-admin

Description

An API client was authorized domain-wide access via OAuth.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	1 rule	elastic
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Granted Domain API Access source medium: Detects when an API access service account is granted domain authority.

Elastic #

Google Workspace API Access Granted via Domain-Wide Delegation source medium: Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data.

References #

Admin Activity Events: AUTHORIZE_API_CLIENT_ACCESS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS

CHANGE_APPLICATION_SETTING: Change Application Setting

Application: GoogleWorkspace-admin

Description

A setting for a Google Workspace application was modified.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`CHANGE_APPLICATION_SETTING`	3 rules	elastic
`gws::admin_application_name`	eq	`Google Workspace Marketplace`	2 rules	elastic
`security_result.category_details`	eq	`APPLICATION_SETTINGS`	2 rules	chronicle
`Provider_Name`	eq	`admin`	1 rule	elastic
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Application Access Level Modified source medium: Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.

Elastic #

Application Removed from Blocklist in Google Workspace source medium: Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.
Google Workspace Bitlocker Setting Disabled source medium: Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.
Google Workspace Restrictions for Marketplace Modified to Allow Any App source medium: Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.

Show 1 more (4 total)

Google Workspace Password Policy Modified source medium: Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.↳ also matches CREATE_APPLICATION_SETTING: Create Application Setting

YARA-L #

Google Workspace Marketplace Allowlist Configuration source: Identifies when the Google Workspace Marketplace allowlist is configured to allow users to install and run any apps from the Marketplace. Allowing users to install and run any apps may increase the organization's risk of data exfiltration/leakage and increase its attack surface.
Google Workspace Password Policy Changed source: Identifies when Google Workspace password policy is changed. Security teams can monitor for changes to password policy configuration that may weaken the organization's security posture.↳ also matches CREATE_APPLICATION_SETTING: Create Application Setting

References #

Admin Activity Events: CHANGE_APPLICATION_SETTING https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-application-settings#CHANGE_APPLICATION_SETTING

CHANGE_GMAIL_SETTING: Change Gmail Setting

Application: GoogleWorkspace-admin

Description

A Gmail routing or mail-flow setting was changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Custom Gmail Route Created or Modified source medium: Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.↳ also matches CREATE_GMAIL_SETTING: Create Gmail Setting

References #

Admin Activity Events: Gmail/email settings https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-email-log-settings

CREATE_APPLICATION_SETTING: Create Application Setting

Application: GoogleWorkspace-admin

Description

A new application setting was created.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	1 rule	elastic
`security_result.category_details`	eq	`APPLICATION_SETTINGS`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Password Policy Modified source medium: Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.↳ also matches CHANGE_APPLICATION_SETTING: Change Application Setting

YARA-L #

Google Workspace Password Policy Changed source: Identifies when Google Workspace password policy is changed. Security teams can monitor for changes to password policy configuration that may weaken the organization's security posture.↳ also matches CHANGE_APPLICATION_SETTING: Change Application Setting

References #

Admin Activity Events: CREATE_APPLICATION_SETTING https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-application-settings#CREATE_APPLICATION_SETTING

CREATE_DATA_TRANSFER_REQUEST: Create Data Transfer Request

Application: GoogleWorkspace-admin

Description

An admin initiated a data transfer (Drive file ownership reassignment) to another user.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.category_details`	eq	`USER_SETTINGS`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Drive Data Transfer or Takeout Export Initiated source medium: Detects when Google Workspace administrators initiate bulk movement or export of user Drive data. This includes admin data transfer requests that reassign a user's Drive files to another account, and Customer Takeout export jobs that package organizational data for download or off-platform transfer. Adversaries with administrative access may abuse these mechanisms to stage or exfiltrate sensitive files.↳ also matches CUSTOMER_TAKEOUT_CREATED: Customer Takeout Created

YARA-L #

Google Workspace Ownership Transferred On Google Drive source: Identifies when a Google Workspace user transfers the ownership of a file.

References #

Admin Activity Events: CREATE_DATA_TRANSFER_REQUEST https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#CREATE_DATA_TRANSFER_REQUEST

CREATE_GMAIL_SETTING: Create Gmail Setting

Application: GoogleWorkspace-admin

Description

A new Gmail routing or mail-flow setting was created.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Custom Gmail Route Created or Modified source medium: Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.↳ also matches CHANGE_GMAIL_SETTING: Change Gmail Setting

References #

Admin Activity Events: Gmail/email settings https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-email-log-settings

CREATE_ROLE: Create Role

Application: GoogleWorkspace-admin

Description

A custom admin role was created.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	1 rule	elastic
`security_result.category_details`	eq	`DELEGATED_ADMIN_SETTINGS`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Custom Admin Role Created source medium: Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.

YARA-L #

Google Workspace Custom Admin Role Created source: Identifies when a custom administrator role is created in Google Workspace. Security teams can monitor for malicious or accidental configuration of administrator privileges to prevent unauthorized access to data.

References #

Admin Activity Events: role management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

CUSTOMER_TAKEOUT_CREATED: Customer Takeout Created

Application: GoogleWorkspace-admin

Description

An admin initiated a Takeout export job for organizational data.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Drive Data Transfer or Takeout Export Initiated source medium: Detects when Google Workspace administrators initiate bulk movement or export of user Drive data. This includes admin data transfer requests that reassign a user's Drive files to another account, and Customer Takeout export jobs that package organizational data for download or off-platform transfer. Adversaries with administrative access may abuse these mechanisms to stage or exfiltrate sensitive files.↳ also matches CREATE_DATA_TRANSFER_REQUEST: Create Data Transfer Request

References #

Admin Activity Events: CUSTOMER_TAKEOUT_CREATED https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

DELETE_ROLE: Delete Role

Application: GoogleWorkspace-admin

Description

An admin role was permanently deleted.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	1 rule	elastic
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Role Modified or Deleted source medium: Detects when an a role is modified or deleted in Google Workspace.↳ also matches RENAME_ROLE: Rename Role, UPDATE_ROLE: Update Role

Elastic #

Google Workspace Admin Role Deletion source medium: Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.

References #

Admin Activity Events: role management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

ENFORCE_STRONG_AUTHENTICATION: Enforce Strong Authentication

Application: GoogleWorkspace-admin

Description

The MFA/2SV enforcement policy was changed for the domain or an organizational unit.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`admin`	2 rules	elastic
`gws::admin_new_value`	eq	`false`	2 rules	elastic
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace MFA Disabled source medium: Detects when multi-factor authentication (MFA) is disabled.↳ also matches ALLOW_STRONG_AUTHENTICATION: Allow Strong Authentication

Elastic #

Google Workspace MFA Enforcement Disabled source medium: Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls.
MFA Disabled for Google Workspace Organization source medium: Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.↳ also matches ALLOW_STRONG_AUTHENTICATION: Allow Strong Authentication

YARA-L #

Google Workspace MFA Disabled source: Identifies when multi-factor authentication (MFA) is disabled for a Google Workspace organization. Security teams can monitor for changes to MFA configuration that may weaken the organization's security posture.↳ also matches ALLOW_STRONG_AUTHENTICATION: Allow Strong Authentication

References #

Admin Activity Events: ENFORCE_STRONG_AUTHENTICATION https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION

GRANT_ADMIN_PRIVILEGE: Grant Admin Privilege

Application: GoogleWorkspace-admin

Description

Administrator privileges were granted to a user account.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace User Granted Admin Privileges source medium: Detects when an Google Workspace user is granted admin privileges.↳ also matches GRANT_DELEGATED_ADMIN_PRIVILEGES: Grant Delegated Admin Privileges

Kusto #

GWorkspace - Admin permissions granted source high: Triggers on admin permissions granted.

References #

Admin Activity Events: GRANT_ADMIN_PRIVILEGE https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE

GRANT_DELEGATED_ADMIN_PRIVILEGES: Grant Delegated Admin Privileges

Application: GoogleWorkspace-admin

Description

Delegated administrator privileges were granted to a user.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace User Granted Admin Privileges source medium: Detects when an Google Workspace user is granted admin privileges.↳ also matches GRANT_ADMIN_PRIVILEGE: Grant Admin Privilege

References #

Admin Activity Events: GRANT_DELEGATED_ADMIN_PRIVILEGES https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#GRANT_DELEGATED_ADMIN_PRIVILEGES

MOVE_USER_TO_ORG_UNIT: Move User to Org Unit

Application: GoogleWorkspace-admin

Description

A user was moved to a different organizational unit.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gws::event_type`	eq	`USER_SETTINGS`	1 rule	elastic
`security_result.category_details`	eq	`USER_SETTINGS`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace User Organizational Unit Changed source low: Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.

YARA-L #

Google Workspace User Ou Changed source: Identifies when a Google Workspace user account is moved between Organizational Units.

References #

Admin Activity Events: MOVE_USER_TO_ORG_UNIT https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#MOVE_USER_TO_ORG_UNIT

REMOVE_APPLICATION: Remove Application

Application: GoogleWorkspace-admin

Description

An application was removed from the Google Workspace domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Application Removed source medium: Detects when an an application is removed from Google Workspace.↳ also matches REMOVE_APPLICATION_FROM_WHITELIST: Remove Application from Allowlist

References #

Admin Activity Events: REMOVE_APPLICATION https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#REMOVE_APPLICATION

REMOVE_APPLICATION_FROM_WHITELIST: Remove Application from Allowlist

Application: GoogleWorkspace-admin

Description

An application was removed from the domain's marketplace allowlist.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Application Removed source medium: Detects when an an application is removed from Google Workspace.↳ also matches REMOVE_APPLICATION: Remove Application

References #

Admin Activity Events: REMOVE_APPLICATION_FROM_WHITELIST https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#REMOVE_APPLICATION_FROM_WHITELIST

REMOVE_PRIVILEGE: Remove Privilege

Application: GoogleWorkspace-admin

Description

A privilege was removed from a role.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Role Privilege Deleted source medium: Detects when an a role privilege is deleted in Google Workspace.

References #

Admin Activity Events: role and privilege management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

RENAME_ROLE: Rename Role

Application: GoogleWorkspace-admin

Description

An admin role was renamed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`admin.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Role Modified or Deleted source medium: Detects when an a role is modified or deleted in Google Workspace.↳ also matches DELETE_ROLE: Delete Role, UPDATE_ROLE: Update Role

References #

Admin Activity Events: role management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

SAML2_SERVICE_PROVIDER_CONFIG: SAML2 Service Provider Config

Application: GoogleWorkspace-admin

Description

A SAML 2.0 service provider configuration was added, modified, or removed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: SAML2_SERVICE_PROVIDER_CONFIG https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#SAML2_SERVICE_PROVIDER_CONFIG

TOGGLE_OUTBOUND_RELAY: Toggle Outbound Relay

Application: GoogleWorkspace-admin

Description

Outbound email relay routing was enabled or disabled.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: TOGGLE_OUTBOUND_RELAY https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_OUTBOUND_RELAY

TURN_OFF_2_STEP_VERIFICATION: Turn Off 2-Step Verification

Application: GoogleWorkspace-admin

Description

2-Step Verification was disabled for a user or the domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Kusto #

GWorkspace - Two-step authentification disabled for a user source medium: Triggers on two-step authentification disabled for a user.

References #

Admin Activity Events: 2SV settings https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings

UNSUSPEND_USER: Unsuspend User

Application: GoogleWorkspace-admin

Description

A suspended user account was reactivated.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gws::event_type`	eq	`USER_SETTINGS`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Suspended User Account Renewed source low: Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.

YARA-L #

Google Workspace User Unsuspended source: Identifies when a user account is unsuspended in Google Workspace.

References #

Admin Activity Events: UNSUSPEND_USER https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#UNSUSPEND_USER

UPDATE_ROLE: Update Role

Application: GoogleWorkspace-admin

Description

An existing admin role was modified (e.g. description or privileges changed).

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Role Modified or Deleted source medium: Detects when an a role is modified or deleted in Google Workspace.↳ also matches DELETE_ROLE: Delete Role, RENAME_ROLE: Rename Role

Elastic #

Google Workspace Role Modified source medium: Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.↳ also matches ADD_PRIVILEGE: Add Privilege

References #

Admin Activity Events: role management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings

BLOCK_ALL_THIRD_PARTY_API_ACCESS: Block All Third-Party API Access

Application: GoogleWorkspace-admin

Description

An admin blocked all third-party application access to Google Workspace APIs.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: BLOCK_ALL_THIRD_PARTY_API_ACCESS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#BLOCK_ALL_THIRD_PARTY_API_ACCESS

UNBLOCK_ALL_THIRD_PARTY_API_ACCESS: Unblock All Third-Party API Access

Application: GoogleWorkspace-admin

Description

An admin unblocked third-party application access to Google Workspace APIs.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: UNBLOCK_ALL_THIRD_PARTY_API_ACCESS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#UNBLOCK_ALL_THIRD_PARTY_API_ACCESS

ADD_TO_TRUSTED_OAUTH2_APPS: Add to Trusted OAuth2 Apps

Application: GoogleWorkspace-admin

Description

An OAuth2 application was added to the trusted apps list.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: ADD_TO_TRUSTED_OAUTH2_APPS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#ADD_TO_TRUSTED_OAUTH2_APPS

ADD_TO_BLOCKED_OAUTH2_APPS: Add to Blocked OAuth2 Apps

Application: GoogleWorkspace-admin

Description

An OAuth2 application was blocked from accessing Google Workspace data.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: ADD_TO_BLOCKED_OAUTH2_APPS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#ADD_TO_BLOCKED_OAUTH2_APPS

REMOVE_FROM_BLOCKED_OAUTH2_APPS: Remove from Blocked OAuth2 Apps

Application: GoogleWorkspace-admin

Description

An OAuth2 application was removed from the blocked apps list.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: REMOVE_FROM_BLOCKED_OAUTH2_APPS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#REMOVE_FROM_BLOCKED_OAUTH2_APPS

REMOVE_FROM_TRUSTED_OAUTH2_APPS: Remove from Trusted OAuth2 Apps

Application: GoogleWorkspace-admin

Description

An OAuth2 application was removed from the trusted apps list.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: OAuth2 app management https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings

CREATE_USER: Create User

Application: GoogleWorkspace-admin

Description

A new user account was created in the Google Workspace domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: CREATE_USER https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#CREATE_USER

DELETE_USER: Delete User

Application: GoogleWorkspace-admin

Description

A user account was deleted from the Google Workspace domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: DELETE_USER https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#DELETE_USER

SUSPEND_USER: Suspend User

Application: GoogleWorkspace-admin

Description

A user account was suspended by an administrator.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: SUSPEND_USER https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#SUSPEND_USER

RENAME_USER: Rename User

Application: GoogleWorkspace-admin

Description

A user's primary email address was changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: RENAME_USER https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#RENAME_USER

CHANGE_PASSWORD: Change Password

Application: GoogleWorkspace-admin

Description

An administrator changed a user's password.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: CHANGE_PASSWORD https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#CHANGE_PASSWORD

REVOKE_ASP: Revoke Application-Specific Password

Application: GoogleWorkspace-admin

Description

An administrator revoked an application-specific password (ASP) for a user.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: REVOKE_ASP https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#REVOKE_ASP

REVOKE_3LO_TOKEN: Revoke OAuth Token

Application: GoogleWorkspace-admin

Description

An administrator revoked an OAuth token for a user.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: REVOKE_3LO_TOKEN https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#REVOKE_3LO_TOKEN

SESSION_CONTROL_SETTINGS_CHANGE: Session Control Settings Change

Application: GoogleWorkspace-admin

Description

Web session duration or re-authentication settings were changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: SESSION_CONTROL_SETTINGS_CHANGE https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#SESSION_CONTROL_SETTINGS_CHANGE

WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED: Weak Programmatic Login Settings Changed

Application: GoogleWorkspace-admin

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

CHANGE_SSO_SETTINGS: Change SSO Settings

Application: GoogleWorkspace-admin

Description

SAML/SSO settings for the domain were changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: CHANGE_SSO_SETTINGS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#CHANGE_SSO_SETTINGS

TOGGLE_SSO_ENABLED: Toggle SSO Enabled

Application: GoogleWorkspace-admin

Description

SSO (SAML-based single sign-on) was enabled or disabled for the domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: TOGGLE_SSO_ENABLED https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#TOGGLE_SSO_ENABLED

REVOKE_ADMIN_PRIVILEGE: Revoke Admin Privilege

Application: GoogleWorkspace-admin

Description

Administrator privileges were revoked from a user account.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: REVOKE_ADMIN_PRIVILEGE https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-user-settings#REVOKE_ADMIN_PRIVILEGE

ALLOW_SERVICE_FOR_OAUTH2_ACCESS: Allow Service for OAuth2 Access

Application: GoogleWorkspace-admin

Description

A Google service was allowed for OAuth2 API access.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: ALLOW_SERVICE_FOR_OAUTH2_ACCESS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#ALLOW_SERVICE_FOR_OAUTH2_ACCESS

DISALLOW_SERVICE_FOR_OAUTH2_ACCESS: Disallow Service for OAuth2 Access

Application: GoogleWorkspace-admin

Description

A Google service was disallowed for OAuth2 API access.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: DISALLOW_SERVICE_FOR_OAUTH2_ACCESS https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#DISALLOW_SERVICE_FOR_OAUTH2_ACCESS

TOGGLE_CAA_ENABLEMENT: Toggle Context-Aware Access Enablement

Application: GoogleWorkspace-admin

Description

Context-Aware Access was enabled or disabled for the domain.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: TOGGLE_CAA_ENABLEMENT https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings#TOGGLE_CAA_ENABLEMENT

CHANGE_GROUP_SETTING: Change Group Setting

Application: GoogleWorkspace-admin

Description

A setting for a Google Group was changed by an administrator.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: CHANGE_GROUP_SETTING https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-group-settings#CHANGE_GROUP_SETTING

ADD_APPLICATION_TO_WHITELIST: Add Application to Allowlist

Application: GoogleWorkspace-admin

Description

An application was added to the domain's Google Workspace Marketplace allowlist.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: ADD_APPLICATION_TO_WHITELIST https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-domain-settings#ADD_APPLICATION_TO_WHITELIST

CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION: Change 2SV Enrollment Period Duration

Application: GoogleWorkspace-admin

Description

The enrollment period for 2-Step Verification was changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: 2SV settings https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings

CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS: Change Allowed 2SV Methods

Application: GoogleWorkspace-admin

Description

The allowed methods for 2-Step Verification were changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Admin Activity Events: 2SV settings https://developers.google.com/workspace/admin/reports/v1/appendix/activity/admin-security-settings

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)