Samples for Google Workspace Login Audit

This document provides samples of audit logs sent to Google Cloud by Google Workspace Login Audit.

For more information about the events and parameters for various types of Login Audit activity events, see the Login Audit Activity Events reference.

Available Login Audit logs

The following table lists the audit logs produced by Login Audit and their corresponding AuditLog.method_name. For more information, see Audit log format:

Description Event name AuditLog.method_name
Event type: 2-step verification enrollment changed
2-step verification disable 2sv_disable google.login.LoginService.2svDisable
2-step verification enroll 2sv_enroll google.login.LoginService.2svEnroll
Event type: Account password changed
Account password change password_edit google.login.LoginService.passwordEdit
Event type: Account recovery information changed
Account recovery email change recovery_email_edit google.login.LoginService.recoveryEmailEdit
Account recovery phone change recovery_phone_edit google.login.LoginService.recoveryPhoneEdit
Account recovery secret question/answer change recovery_secret_qa_edit google.login.LoginService.recoverySecretQaEdit
Event type: Account warning
Leaked password account_disabled_password_leak google.login.LoginService.accountDisabledPasswordLeak
Risky, sensitive action allowed risky_sensitive_action_allowed google.login.LoginService.riskySensitiveActionAllowed
Risky, sensitive action_blocked risky_sensitive_action_blocked google.login.LoginService.riskySensitiveActionBlocked
Suspicious login blocked suspicious_login google.login.LoginService.suspiciousLogin
Suspicious login from less secure app blocked suspicious_login_less_secure_app google.login.LoginService.suspiciousLoginLessSecureApp
Suspicious programmatic login blocked suspicious_programmatic_login google.login.LoginService.suspiciousProgrammaticLogin
User suspended account_disabled_generic google.login.LoginService.accountDisabledGeneric
User suspended (spam through relay) account_disabled_spamming_through_relay google.login.LoginService.accountDisabledSpammingThroughRelay
User suspended (spam) account_disabled_spamming google.login.LoginService.accountDisabledSpamming
User suspended (suspicious activity) account_disabled_hijacked google.login.LoginService.accountDisabledHijacked
Event type: Advanced Protection enrollment changed
Advanced Protection enroll titanium_enroll google.login.LoginService.titaniumEnroll
Advanced Protection unenroll titanium_unenroll google.login.LoginService.titaniumUnenroll
Event type: Attack warning
Government-backed attack gov_attack_warning google.login.LoginService.govAttackWarning
Event type: Email forwarding settings changed
Out of domain email forwarding enabled email_forwarding_out_of_domain google.login.LoginService.emailForwardingOutOfDomain
Event type: Login
Failed login login_failure google.login.LoginService.loginFailure
Login challenge login_challenge google.login.LoginService.loginChallenge
Login verification login_verification google.login.LoginService.loginVerification
Logout logout google.login.LoginService.logout
Successful login login_success google.login.LoginService.loginSuccess

Samples

Following are samples of audit logs for Login Audit according to event type and event name.