Using G Suite audit logs, you can see a record of actions taken by your internal staff. Access Transparency logs provide information about actions of Google staff when they access your data.
In the G Suite Admin console, you can review the Access Transparency log report, which includes information about:
- The affected resource and action.
- The time of the action.
- The reason for the action (for example, the case number associated with a customer support request).
- Information about the Google staff member acting on the data (for example, office location).
Generate the Access Transparency log report
Open the Access Transparency log report
Customize or export the log report
To narrow the scope of the log data that’s displayed, on the left, select one or more filters (such as G Suite product or date range).
Change the type of data that’s displayed
To change the type of log data that’s displayed in the report (such as date or justification), at the top right, click Manage columns .
Export the log
To export the log data to a CSV file or Google Sheets, at the top right, click Download .
Understand the Access Transparency log report data
Log field descriptions
|Report field name||System field name||Description|
|Date||items:id:time||Time the log was written.|
|Log ID||items:events:parameters:LOG_ID||Unique log ID.|
|G Suite Product||items:events:parameters:GSUITE_PRODUCT_NAME||Customer’s G Suite product that was accessed. Upper case required. Can be:
|Actor Home Office||items:events:parameters:ACTOR_HOME_OFFICE||
ISO 3166-1 alpha-2 country code in which the accessor has a permanent desk:
Access justifications, such as “Customer Initiated Support - Case Number: 12345678”.
|Tickets||tickets||Tickets associated with the justification, if any.|
|Resource Name||items:events:parameters:RESOURCE_NAME||Name of the resource that was accessed.|
|Owner Email||items:events:parameters:OWNER_EMAIL||The email ID or team identifier of the customer who owns the resource.|
|CUSTOMER_INTIATED_SUPPORT||Customer-Initiated support, such as a case number|
|Externally initiated abuse reviews are invoked by the content being flagged to Google for review.|
|GOOGLE_INITIATED_REVIEW||Google-initiated access for security, fraud, abuse, or compliance purposes, including:
|GOOGLE_INITIATED_SERVICE||Google-initiated access to perform system management and troubleshooting, including:
|THIRD_PARTY_DATA_REQUEST||Google accesses customer data to respond to a legal request or legal process. This includes when we respond to legal process from the customer that requires that we access the customer's own data.
In this case, Access Transparency logs might not be available if Google can’t legally inform you of such a request or process.
Set up an Access Transparency alert
You can set up an email alert for one or more log filters, such as Owner Email and Actor Home Office. You can also enable an alert for all logs across all G Suite products that support Access Transparency.
From the Admin console Home page, go to Reports.
To see Reports, you might have to click More controls at the bottom.
- On the left, under Audit, click Access Transparency.
- Click + Add Filter.
- Select one or more filters and click Apply.
- (Optional) To enable an alert for all logs across all supported G Suite products, select Event Name, then click Access below the search line. This creates a filter called Event Name: Access.
- Click Create Alert , name your new alert, and enter the email IDs of any additional alert recipients.
- Click Create to complete the process.
Integrate Access Transparency log data with third-party tools
You can use the Reports API to integrate Access Transparency logs with your existing security information and event management (SIEM) tools. For more information, refer to Access Transparency Activity Events.
Make an inquiry on a log entry
To request an access investigation on a particular Access Transparency log entry:
- Note the Log ID of the entry you want to research.
From the Admin console Home page, go to Support.
To see Support, you might have to click More controls at the bottom.
- Click Contact Support.
- Provide this information to Support:
- Log ID of the entry in question
- Note that the inquiry is for Access Transparency
- Ask for more details on the activity