March 19, 2026
Workspace audit logs: New functionality and expanded event fields
We’re releasing a number of enhancements to Workspace audit logs, including:
- Log filtering enhancements for Resource fields in the security investigation tool for Gmail and Google Drive
- Updated Application and Network fields available in the Workspace audit log integration with Google Security Operations (SecOps)
- Expanded filtering in the AdminSDK Activities.List method
- New OwnerDetails field in the events published to the AdminSDK and BigQuery
Log filtering enhancements for Resource fields in the security investigation tool for Gmail and Google Drive
The security investigation tool now features improved filtering for the Resources attribute for Gmail and Google Drive log events. These updates enable administrators to execute more granular searches, particularly by utilizing classification labels. Because classification labels offer essential metadata for identifying sensitive content and enforcing security policies, the capability to filter audit logs through these labels is vital for analyzing data patterns and investigating security incidents.
Additionally, we have also added filtering support for the Actor application info attribute for Gmail log events.
Updated Application and Network fields available in the Workspace audit log integration with Google Security Operations (SecOps)
The following fields will now be included in the audit events sent to SecOps, where applicable:
Expanded filtering in the AdminSDK Activities.List method
We’re adding filtering for the following fields in the Activities.List method of the AdminSDK:
- RegionCode: Filter audit logs belonging to specified region using networkInfoFilter field in the api request
- OAuthClientId: Filter audit logs where actions are done by specified app using applicationInfoFilter field in the api request
New OwnerDetails field in the events published to the AdminSDK and BigQuery
A new OwnerDetails field in Resource Details identifies who owns a resource using two primary fields:
- Owner Type: This specifies the category of the owner. The owner of the resource can be an individual person (USER), entire organization (CUSTOMER), or a GROUP. SHARED_DRIVE
- Owner Identity: This contains specific details (like IDs or email addresses) of that owner
Getting started
- Admins: As the changes roll out, get started with your analysis in either the Audit and Investigation tool, Admin SDK (Reports API), SecOps, or BigQuery.
- End users: There is no end user setting for this feature.
Rollout pace
- Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility)
Availability
- Available for Google Workspace with Audit Log eligible licenses. Note that Classification labels are available only for some editions.
Resources
- Google Workspace Admin Help: