As your organization's administrator, you can use the audit and investigation page to run searches related to OAuth log events. There you can view a record of actions to review which users are using which third-party mobile or web applications in your domain. For example, when a user opens a Google Workspace Marketplace app, the log records the name of the app and the person using it.
The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only).
For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the About the audit and investigation tool.
Forward log event data to Google Cloud
This feature is available with Cloud Identity Premium edition. Compare editions
You can opt in to share the log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.
Open the audit and investigation page
- On the left, click ReportingAudit and investigationOAuth log events.
Filter the data
- Open the log events as described above in Access OAuth log event data.
- Click Add a filter, and then select an attribute.
- In the pop-up window, select an operatorselect a valueclick Apply.
(Optional) To create multiple filters for your search:
- Click Add a filter and repeat step 3.
- (Optional) To add a search operator, above Add a filter, select AND or OR.
- Click Search.
Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.
For this data source, you can use the following attributes when searching log event data:
|Actor group name
Group name of the actor. For more information, go to Filtering results by Google Group.
To add a group to your filtering groups allowlist:
|Actor organizational unit
|Organizational unit of the actor
|Name of the API method that was called using the OAuth token
|Name of the API that was called using the OAuth token
|OAuth client ID of the application for which access was authorized or revoked
|The application for which access was granted or revoked
|Type of client—for example, Connected device, Native Android, or Native iOS
|Date and time the event occurred (displayed in your browser's default time zone)
The logged event action, such as API call or Grant
Note: API call events are available only for Enterprise Plus, Education Plus, Enterprise Standard, Education Standard, and Cloud Identity Premium.
|Internet Protocol (IP) address of the user for whom access was authorized or revoked. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.
Note: If an event was not directly triggered by a user action (for example, token expiration), it's possible that an IP address will not be logged.
|Number of response bytes
|Size of the response in bytes
|Name of the Google product for which OAuth token was granted
|Scopes to which access was authorized or revoked
|User for whom access was authorized or revoked
Manage log event data
Manage search results column data
You can control which data columns appear in your search results.
- At the top-right of the search results table, click Manage columns .
- (Optional) To remove current columns, click Remove .
- (Optional) To add columns, next to Add new column, click the Down arrow and select the data column.
Repeat as needed.
- (Optional) To change the order of the columns, drag the data column names.
- Click Save.
Export search result data
- At the top of the search results table, click Export all.
- Enter a name click Export.
The export displays below the search results table under Export action results.
- To view the data, click the name of your export.
The export opens in Google Sheets.
Create reporting rules
When and how long is data available?
Go to Data retention and lag times.