Login Audit Activity Events

This document lists the events and parameters for various types of Login Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=login.

Account warning

Account warning event type. Events of this type are returned with type=account_warning.

Leaked password

Account warning event account disabled password leak description.

Event details
Event name account_disabled_password_leak
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_password_leak&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that someone else knows its password

Suspicious login blocked

Account warning event suspicious login description.

Event details
Event name suspicious_login
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_login&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious login for {affected_email_address}

Suspicious login from less secure app blocked

Account warning event suspicious login less secure app description.

Event details
Event name suspicious_login_less_secure_app
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_login_less_secure_app&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious login for {affected_email_address} from a less secure app

Suspicious programmatic login blocked

Account warning event suspicious programmatic login description.

Event details
Event name suspicious_programmatic_login
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_programmatic_login&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious programmatic login for {affected_email_address}

User suspended

Account warning event account disabled generic description.

Event details
Event name account_disabled_generic
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_generic&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled

User suspended (spam through relay)

Account warning event account disabled spamming through relay description.

Event details
Event name account_disabled_spamming_through_relay
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_spamming_through_relay&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that it was used to engage in spamming through SMTP relay service

User suspended (spam)

Account warning event account disabled spamming description.

Event details
Event name account_disabled_spamming
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_spamming&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that it was used to engage in spamming

User suspended (suspicious activity)

Account warning event account disabled hijacked description.

Event details
Event name account_disabled_hijacked
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_hijacked&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has detected a suspicious activity indicating it might have been compromised

Attack Warning

Attack Warning Event Type. Events of this type are returned with type=attack_warning.

Government-backed Attack

Government-backed attack warning event name.

Event details
Event name gov_attack_warning
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=gov_attack_warning&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} might have been targeted by government-backed attack

Login

Login Event Type. Events of this type are returned with type=login.

Failed Login

A login attempt was unsuccessful.

Event details
Event name login_failure
Parameters
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_failure_type

string

The reason for the login failure. Possible values:

  • login_failure_access_code_disallowed
    The user does not have permission to login to the service.
  • login_failure_account_disabled
    The user's account is disabled.
  • login_failure_invalid_password
    The user's password was invalid.
  • login_failure_unknown
    The reason for the login failure is not known.
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_failure&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} failed to login

Login Challenge

A login was challenged, to verify the user's identity. See the G Suite Help Center documentation for more information about login challenges.

Event details
Event name login_challenge
Parameters
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_challenge&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was presented with a login challenge

Login Verification

Login verification event name.

Event details
Event name login_verification
Parameters
is_second_factor

boolean

Whether the login verification is 2SV. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_verification&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was presented with login verification

Logout

The user logged out.

Event details
Event name logout
Parameters
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=logout&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} logged out

Successful Login

A login attempt was successful.

Event details
Event name login_success
Parameters
is_suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • backup_code
    Asks user to enter a backup verification code.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • login_location
    User enters from where they usually sign in.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • other
    Login challenge method other.
  • password
    Password.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    Login type Exchange.
  • google_password
    Login type Google Password.
  • reauth
    Login type Reauth.
  • saml
    Login type SAML.
  • unknown
    Login type Unknown.
Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_success&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} logged in