GoogleGoogle WorkspaceTech

Google Workspace audit logs get three big security upgrades

Google has rolled out three new enhancements to Workspace audit logs that give admins deeper visibility into resource ownership, device details, and activity across more apps.

By
Shubham Sawarkar
Shubham Sawarkar's avatar
ByShubham Sawarkar
Editor-in-Chief
I’m a tech enthusiast who loves exploring gadgets, trends, and innovations. With certifications in CISCO Routing & Switching and Windows Server Administration, I bring a sharp...
Follow:
- Editor-in-Chief
We may get a commission from retail offers. Learn more
A smartphone screen displaying the Google Workspace logo and icons for Gmail, Calendar, Drive, Docs, and Meet, with a blurred colorful Google logo in the background.
Photo by Thomas Fuller / SOPA Images via ZUMA Press Wire / Alamy

If you manage Google Workspace for an organization – whether it’s a mid-sized company or a large enterprise – you already know how much rides on audit logs. They’re the paper trail that answers the most important question in IT security: “Who did what, and when?” Google has quietly but meaningfully upgraded that paper trail with three new enhancements to Workspace audit logs, and if you’re responsible for keeping your organization’s data safe, this update is worth paying close attention to.

Google announced these changes on April 29, 2026, rolling them out to both Rapid Release and Scheduled Release domains as a gradual rollout that could take up to 15 days to fully surface in the Admin console. At first glance, the announcement might read like a dry list of technical improvements. But dig a little deeper, and you’ll find changes that actually make a meaningful difference for security teams trying to investigate incidents, stay compliant, and understand how their Workspace environment is being used.

The first enhancement is something Google is calling “Owner details for the resource attribute.” Basically, when you’re using the Security Investigation Tool or browsing audit logs and come across a resource – say, a Drive file or a Calendar event – you can now see exactly who owns it. This might sound like a small thing, but it fills a real gap. Before this change, you could see that a file was shared or accessed, but tracing it back to the actual owner often required extra digging. Now, each resource entry surfaces two clean data points: the Owner Type (whether that’s an individual user, the entire customer organization, or a group) and the Owner Identity (the specific ID or email tied to that owner).

Google Admin console investigation tool showing log details for a security event, including timestamp, rule trigger description, resource ID, and owner information highlighted in a side panel.
Image: Google

Think about what this means in practice. An admin gets an alert that a sensitive file was accessed after hours. In the old world, they’d have to cross-reference multiple logs to figure out who the file originally belonged to. Now, that answer is right there in the resource field, saving time during what can often be a stressful investigation window. This owner detail is available across virtually every data source in Workspace – from Gmail and Drive to Meet, Chat, Calendar, Vault, Chrome, Voice, Keep, and more.

The second enhancement is about expanding coverage for two critical audit attributes: Resources and Actor application info. Google is essentially broadening the scope of what gets logged with context. Resources – meaning the actual objects involved in an event, like files, emails, or devices – are now being tracked in Chrome, Voice, Vault, and Assignments log events, where they weren’t fully available before. And Actor application info, which tells you which application performed a given action (super useful for catching when a third-party app is behaving unexpectedly), is being expanded to Chrome, Voice, Group, Meet, Assignments, and Admin data action log events.

Google Admin console “Draft investigation” screen with a condition builder interface for filtering Drive log events using fields like owner identity, user identity, and user ID.
Image: Google

This is the kind of enhancement that enterprise security teams have been quietly asking for. The Google Workspace Security Investigation Tool, which is available to Enterprise edition customers, lets admins search user activity across Gmail, Drive, and other apps and then take direct actions like deleting an email or unsharing a file from a single dashboard. But the tool is only as useful as the data behind it – and if Chrome activity or Vault events were showing up without full resource context, you were working with an incomplete picture. These expanded fields close those gaps.

The third enhancement might be the most immediately practical of the three: a brand new “User device info” attribute is now available across a wide range of log sources. This attribute captures details about the device used to perform a logged action – things like the device ID, the operating system version, and the device type (for example, whether it was a DESKTOP_MAC or DESKTOP_WINDOWS).

Table of event fields and descriptions listing device-related attributes such as device ID, device type, and operating system version with their data types and explanations.
Image: Google

Device context is something that often gets overlooked until something goes wrong. When an unusual login or data access event shows up in the logs, one of the first questions an admin asks is: “What device did this come from?” Until now, that information wasn’t consistently available across all log sources. With this update, device information is visible across a broad set of logs including Drive, Gmail via Chat, Chrome, Meet, Gemini Workspace, SAML, Looker Studio, Directory sync, Keep, and more. That’s a serious quality-of-life improvement for anyone running incident response workflows.

All three enhancements feed into a broader ecosystem that organizations can use for security monitoring. Workspace audit logs don’t just live in the Admin console – they can be exported to Google Security Operations (SecOps) for threat detection and investigation, piped to BigQuery for SQL-based analysis, or accessed programmatically through the Admin SDK Reports API. The new owner details, expanded resource fields, and device info attributes will be reflected across all of these surfaces, which means organizations that have built monitoring pipelines on top of Workspace logs will benefit without having to change their setup.

For context, Google has been iterating on Workspace audit log improvements throughout 2026. Back in March 2026, the company had already pushed out a related set of enhancements – including filtering support for resource fields in the Gmail and Drive investigation tools, updated Application and Network fields in the SecOps integration, and a new OwnerDetails field in Admin SDK and BigQuery events. The April update builds on that momentum and shows a clear pattern: Google is systematically filling in the gaps in what Workspace logs actually capture and making the data more actionable.

These changes are available to Google Workspace editions that include Audit Log eligible licenses – which generally means Business Plus and above, with the most advanced investigation features reserved for Enterprise tiers. If you’re already in the Audit and Investigation tool or working through the Admin SDK, the new fields will start appearing as the rollout progresses, so it’s worth refreshing your saved queries and reporting dashboards to take advantage of the additional context.

For admins who have been dealing with the challenge of tracking down resource ownership during investigations, filling in blind spots around Chrome and Vault activity, or trying to understand what devices are touching sensitive data, this is a genuinely useful set of improvements – not just another bullet point in a changelog.

Discover more from GadgetBond

Subscribe to get the latest posts sent to your email.

Leave a Comment

Leave a Reply

Most Popular
Also Read