OAuth log events

Review 3rd-party application usage and data access requests

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

As your organization's administrator, you can run searches and take action on OAuth log events. For example, you can view a record of actions to review which users are using which third-party mobile or web applications in your domain. For example, when a user opens a Google Workspace Marketplace app, the log records the name of the app and the person using it.

The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only).

Forward log event data to Google Cloud

You can opt in to share log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging where you can query and view your logs and control how you route and store your logs.

The type of log event data you can share with Google Cloud depends on your Google Workspace, Cloud Identity, or Essentials account.

Run a search for log events

Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

Audit and investigation tool

Security investigation tool

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

To run a search in the security investigation tool, first choose a data source. Then, choose one or more conditions for your search. For each condition, choose an attribute, an operator, and a value.

Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
Go to Menu Security > Security center > Investigation tool.
Requires having the Security center administrator privilege.
Click Data source and select OAuth log events.
Click Add Condition.
Tip: You can include one or more conditions in your search or customize your search with nested queries. For details, go to Customize your search with nested queries.
Click Attributeselect an option.
For a complete list of attributes, go to the Attribute descriptions section.
Select an operator.
Enter a value or select a value from the list.
(Optional) To add more search conditions, repeat steps 4–7.
Click Search.
You can review the search results from the investigation tool in a table at the bottom of the page.
(Optional) To save your investigation, click Save enter a title and descriptionclick Save.

Notes

In the Condition builder tab, filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
If you give a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute	Description
Actor group name	The group name of the actor. For more information, go to Filtering results by Google Group. To add a group to your filtering groups allowlist: Select Actor group name. Click Filtering groups. The Filtering groups page appears. Click Add Groups. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it. (Optional) To add another group, search for and select the group. When you finish selecting groups, click Add. (Optional) To remove a group, click Remove group . Click Save.
Actor organizational unit	Organizational unit of the actor
API method	Name of the API method that was called using the OAuth token
API name	Name of the API that was called using the OAuth token
Application ID	OAuth client ID of the application for which access was authorized or revoked
Application name	The application for which access was granted or revoked
Client type	Type of client—for example, Connected device, Native Android, or Native iOS
Date	Date and time the event occurred (displayed in your browser's default time zone)
Event	The logged event action, such as API call or Grant Note: API call events are available only for Enterprise Plus, Education Plus, Enterprise Standard, Education Standard, and Cloud Identity Premium.
IP address	Internet Protocol (IP) address of the user for whom access was authorized or revoked. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address. Note: If an event was not directly triggered by a user action (for example, token expiration), it's possible that an IP address will not be logged.
Number of response bytes	Size of the response in bytes
Product*	Name of the Google product for which OAuth token was granted
Scope*	Scopes to which access was authorized or revoked
User	User for whom access was authorized or revoked

* You cannot create reporting rules with these filters. Learn more about reporting rules versus activity rules.

Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.