Improving consistency of Gmail data across the Security Investigation Tool and BigQuery

What’s changing 

In August 2022, we announced the movement of the existing Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery, creating a single space to access all of your Google Workspace audit events. 

To further improve this experience, you’ll see all Gmail log events from the Security Investigation Tool (SIT) in your Google Workspace logs and reports in BigQuery. This includes device types and post-delivery actions (for example open, delete, clicked links, and attachment downloads). This change will give admins a more complete picture of Gmail activity happening in their domain, and bring consistency across reporting tools. 

Use the table below to familiarize yourself with the newly added columns — complete details can be found in our Help Center.

List of newly added columns	Description
event_info.mail_event_type	The event type corresponds to the Event attribute in Gmail log events in Security Investigation Tool.
event_info.client_context.client_type	The type of client or device where the action occurred, including: WEB, IOS, ANDROID, IMAP, POP3, and API.
event_info.client_context.session_context.delegate_user_email	Email address of the delegated user who performed the action on the account owner's behalf.
message_info.attachment.file_name	File attachment name.
message_info.post_delivery_info	Information about the post-delivery event.
message_info.post_delivery_info.action_type	Post-delivery action type.
message_info.post_delivery_info.interaction	Information about the user's interaction with message links, Drive items, or attachments.
message_info.post_delivery_info.interaction.link_url	The URL associated with the interaction, which is set only for link click interactions.
message_info.post_delivery_info.interaction.drive_id	The unique ID of the Google Drive item associated with the interaction. This ID is used to access the item in Drive.
message_info.post_delivery_info.interaction.attachment	The target attachments of the interaction, which are set only for attachment interactions.
message_info.post_delivery_info.interaction.attachment.file_extension_type	File extension (not MIME part type), not including the period.
message_info.post_delivery_info.interaction.attachment.malware_family	Malware type, if malware is detected during message handling.
message_info.post_delivery_info.interaction.attachment.file_name	Attachment file name.
message_info.post_delivery_info.interaction.attachment.sha256	SHA256 hash of the attachment.

Getting started

• Admins: 
• Visit the Help Center to learn more about Google Workspace logs and reports in BigQuery, schemas for Gmail logs in BigQuery and Gmail log events.
• This update adheres to the standard BigQuery pricing — see here for more information.
• End users: There is no end user impact. 

Rollout pace

• Rapid Release and Scheduled Release domains: Available now

Availability

• Available to Google Workspace Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Plus, Education Standard 
• Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers

Resources

• Google Workspace Admin Help: Google Workspace logs and reports in BigQuery