Login Audit Activity Events

This document lists the events and parameters for various types of Login Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=login.

2-step verification enrollment changed

Events of this type are returned with type=2sv_change.

2-step verification disable

Event details
Event name 2sv_disable
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=2sv_disable&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has disabled 2-step verification

2-step verification enroll

Event details
Event name 2sv_enroll
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=2sv_enroll&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has enrolled for 2-step verification

Account password changed

Events of this type are returned with type=password_change.

Account password change

Event details
Event name password_edit
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=password_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account password

Account recovery info changed

Account recovery information changed. Events of this type are returned with type=recovery_info_change.

Account recovery email change

Event details
Event name recovery_email_edit
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=recovery_email_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account recovery email

Account recovery phone change

Event details
Event name recovery_phone_edit
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=recovery_phone_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account recovery phone

Account recovery secret question/answer change

Event details
Event name recovery_secret_qa_edit
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=recovery_secret_qa_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account recovery secret question/answer

Account warning

Account warning event type. Events of this type are returned with type=account_warning.

Leaked password

Account warning event account disabled password leak description.

Event details
Event name account_disabled_password_leak
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_password_leak&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that someone else knows its password

Suspicious login blocked

Account warning event suspicious login description.

Event details
Event name suspicious_login
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_login&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious login for {affected_email_address}

Suspicious login from less secure app blocked

Account warning event suspicious login less secure app description.

Event details
Event name suspicious_login_less_secure_app
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_login_less_secure_app&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious login for {affected_email_address} from a less secure app

Suspicious programmatic login blocked

Account warning event suspicious programmatic login description.

Event details
Event name suspicious_programmatic_login
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_programmatic_login&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious programmatic login for {affected_email_address}

User suspended

Account warning event account disabled generic description.

Event details
Event name account_disabled_generic
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_generic&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled

User suspended (spam through relay)

Account warning event account disabled spamming through relay description.

Event details
Event name account_disabled_spamming_through_relay
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_spamming_through_relay&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that it was used to engage in spamming through SMTP relay service

User suspended (spam)

Account warning event account disabled spamming description.

Event details
Event name account_disabled_spamming
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_spamming&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that it was used to engage in spamming

User suspended (suspicious activity)

Account warning event account disabled hijacked description.

Event details
Event name account_disabled_hijacked
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_hijacked&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has detected a suspicious activity indicating it might have been compromised

Advanced Protection enrollment changed

Events of this type are returned with type=titanium_change.

Advanced Protection enroll

Event details
Event name titanium_enroll
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=titanium_enroll&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has enrolled for Advanced Protection

Advanced Protection unenroll

Event details
Event name titanium_unenroll
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=titanium_unenroll&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has disabled Advanced Protection

Attack Warning

Attack Warning Event Type. Events of this type are returned with type=attack_warning.

Government-backed Attack

Government-backed attack warning event name.

Event details
Event name gov_attack_warning
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=gov_attack_warning&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} might have been targeted by government-backed attack

Email forwarding settings changed

Events of this type are returned with type=email_forwarding_change.

Out of domain email forwarding enabled

Event details
Event name email_forwarding_out_of_domain
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=email_forwarding_out_of_domain&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has enabled out of domain email forwarding to {email_forwarding_destination_address}.

Login

Login Event Type. Events of this type are returned with type=login.

Failed Login

A login attempt was unsuccessful.

Event details
Event name login_failure
Parameters
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_failure_type

string

The reason for the login failure. Possible values:

  • login_failure_access_code_disallowed
    The user does not have permission to login to the service.
  • login_failure_account_disabled
    The user's account is disabled.
  • login_failure_invalid_password
    The user's password was invalid.
  • login_failure_unknown
    The reason for the login failure is not known.
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_failure&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} failed to login

Login Challenge

A login was challenged, to verify the user's identity. See the Google Workspace Help Center documentation for more information about login challenges.

Event details
Event name login_challenge
Parameters
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_challenge&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was presented with a login challenge

Login Verification

Login verification event name.

Event details
Event name login_verification
Parameters
is_second_factor

boolean

Whether the login verification is 2SV. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_verification&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was presented with login verification

Logout

The user logged out.

Event details
Event name logout
Parameters
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=logout&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} logged out

Successful Login

A login attempt was successful.

Event details
Event name login_success
Parameters
is_suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_success&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} logged in