Megan Roddie-Fonseca

Following the Trail of Threat Actors in Google Workspace Audit Logs


April 19, 2024

When approaching incident response in an environment you may not be very familiar with, the biggest challenge is often knowing what to look for. This is especially true when you’re facing dozens of data sources with hundreds of event types. As an incident responder, it’s your job to determine what is legitimate and what is not among a sea of activity, which is easier said than done. This blog post and its accompanying cheat sheet provide guidance on some key events of interest that can be a starting point for reviewing Google Workspace activity in the scope of an incident.

Many of the events we highlight in this blog post and the cheat sheet occur as part of normal business operations, so it's up to your analysis as an incident responder to find the behavior that stands out or can be tied to existing evidence.

Gmail and Google Chat

Gmail is one of the key services leveraged in Google Workspace organizations, providing all the email services needed to carry out business. Google Chat may not be as widely used as Gmail, but we cover it here because, like Gmail, it provides a way to communicate with end users and share files. Through both of these services, threat actors obtain a method of social engineering for either initial access or lateral movement.

As mentioned, both services provide the ability to share files, which in the scope of threat actor behavior can lead to further phishing attempts or malware distribution. Luckily, activities involving attachments are logged. In the Gmail audit logs we can find both Attachment download and Attachment link click events. For Google Chat, we see not only Attachment downloaded events but also Attachment uploaded events. In Gmail, we will also see Link click events, which can tell a similar story to attachments being shared.

Some basic event types that will be broadly observed but provide key insights into communication patterns are the Send and Open events in Gmail, as well as the Direct message started, Room member added, and Invite accept events in Google Chat. All of these events indicate a communication channel being established and can provide a root cause in phishing attempts.

Lastly, because Google performs spam analysis on emails, as well as providing users the ability to report spam emails, events such as Late spam classification and User spam classification may help unearth suspicious emails.
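To show how the Gmail events above fit together during an investigation, here is an added example (not code from the post or from SANS) that traces a phishing chain: who opened or clicked a message, who forwarded it on, and whether Google later classified it as spam. The sample records and their field names (`message_id`, `recipients`, `subject`) are constructed for this example; the event names are the display names used in the post, and real Reports API records use machine names and a nested layout that you would map onto this shape first.

```python
import re

# Display names from the post. Assumption: real audit exports are normalized to
# {"time", "event", "actor", "message_id", "recipients", "subject"} before use.
INTERACTION_EVENTS = {"Open", "Link click", "Attachment download", "Attachment link click",
                      "Attachment downloaded", "Attachment uploaded"}
SPAM_EVENTS = {"Late spam classification", "User spam classification"}

# Constructed sample: one external message reaches two users, one clicks its link and
# forwards it internally, then Google reclassifies the original as spam.
SAMPLE_EVENTS = [
    {"time": "2024-04-05T09:00:00Z", "event": "Send", "actor": "invoices@example.net",
     "message_id": "<m1@example.net>", "recipients": ["alice@example.com", "bob@example.com"],
     "subject": "Overdue invoice"},
    {"time": "2024-04-05T09:05:12Z", "event": "Open", "actor": "alice@example.com",
     "message_id": "<m1@example.net>"},
    {"time": "2024-04-05T09:05:40Z", "event": "Link click", "actor": "alice@example.com",
     "message_id": "<m1@example.net>"},
    {"time": "2024-04-05T09:30:02Z", "event": "Open", "actor": "bob@example.com",
     "message_id": "<m1@example.net>"},
    {"time": "2024-04-05T09:41:19Z", "event": "Send", "actor": "alice@example.com",
     "message_id": "<m2@example.com>", "recipients": ["carol@example.com", "dan@example.com"],
     "subject": "Fwd: Overdue invoice"},
    {"time": "2024-04-05T10:10:00Z", "event": "Late spam classification", "actor": "",
     "message_id": "<m1@example.net>"},
    {"time": "2024-04-05T10:15:33Z", "event": "Open", "actor": "carol@example.com",
     "message_id": "<m2@example.com>"},
    {"time": "2024-04-05T11:00:00Z", "event": "Send", "actor": "bob@example.com",
     "message_id": "<m3@example.com>", "recipients": ["erin@example.com"], "subject": "Lunch?"},
]


def _by_time(events):
    # ISO-8601 Zulu timestamps sort correctly as strings
    return sorted(events, key=lambda e: e["time"])


def _normalize_subject(subject):
    """Strip repeated Fwd:/Fw:/Re: prefixes so a forward matches its original."""
    return re.sub(r"^(?:\s*(?:fwd?|re)\s*:\s*)+", "", subject, flags=re.IGNORECASE).strip().lower()


def interactions_for(events, message_id):
    """Who opened, clicked or downloaded from a given message, in time order."""
    return [(e["time"], e["actor"], e["event"]) for e in _by_time(events)
            if e.get("message_id") == message_id and e["event"] in INTERACTION_EVENTS]


def onward_sends(events, message_id):
    """Send events by users who interacted with message_id, after their first interaction,
    carrying the same normalized subject: the internal spread of the phish."""
    origin = next((e for e in events if e["event"] == "Send" and e["message_id"] == message_id), None)
    if origin is None:
        return []
    subject = _normalize_subject(origin["subject"])
    first_touch = {}
    for t, actor, _ in interactions_for(events, message_id):
        first_touch.setdefault(actor, t)
    return [(e["time"], e["actor"], e["message_id"], e["recipients"])
            for e in _by_time(events)
            if e["event"] == "Send" and e["actor"] in first_touch
            and e["time"] > first_touch[e["actor"]]
            and _normalize_subject(e["subject"]) == subject]


def spam_flags(events, message_id):
    """Spam classification events recorded against the message."""
    return [e["event"] for e in _by_time(events)
            if e.get("message_id") == message_id and e["event"] in SPAM_EVENTS]


def trace(events, message_id, depth=3):
    """Follow forwards recursively to build the chain rooted at message_id."""
    chain = {message_id: {"interactions": interactions_for(events, message_id),
                          "spam_flags": spam_flags(events, message_id), "forwards": []}}
    if depth > 0:
        for _, _, fwd_id, _ in onward_sends(events, message_id):
            chain[message_id]["forwards"].append(fwd_id)
            chain.update(trace(events, fwd_id, depth - 1))
    return chain


if __name__ == "__main__":
    for mid, info in trace(SAMPLE_EVENTS, "<m1@example.net>").items():
        print(mid, info)
```

The subject match is deliberately loose (prefixes stripped, case-folded) because forwarded phish rarely keep an exact subject; on real data you would also pin the chain to the attachment hash or link that the Attachment and Link click events carry.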

User and Admin Actions

Once an account is compromised, we must track down how that compromised account was abused. One of the first places to look is the User Accounts audit log, which provides records of both sign-in attempts and settings changes.

Logins show us initial access and any follow-on access activity. Because of the significance of authentication activity to understanding an attack, most events in this log provide value. Failed login, Successful login, Login challenge, Login verification, and Logout are all common authentication events, but for a compromised account they tell the story of how and when a threat actor accessed it. One notable event that will also appear with relative frequency, but has more serious implications if the account is compromised, is the Sensitive action allowed event.

More interesting are suspicious login events, which can fall into one of the following categories: Suspicious login, Suspicious login (less secure app), Suspicious programmatic login, and User signed out due to suspicious session cookie. The latter two are especially rare but any of these warrants investigation. The definition of “suspicious” is based on Google’s analysis so it may result in false positives, but it’s worth reviewing to determine the true nature of the activity.

Users have control over various account settings and changing those settings results in an event in the User Accounts audit log. The below settings are worth auditing in the scope of an investigation as they could be an attempt by a threat actor to gain persistence. Changes to these settings can either result in hindering a user’s access or ensuring the threat actor can regain access if they are removed:

  • Out of domain email forwarding
  • 2-step verification disable
  • 2-step verification enroll
  • Account password change
  • Account recovery email change
  • Account recovery phone change

The final category of user account events to look for that should not be common and could indicate an account compromise is user suspended events. There are three types of user suspended events, all indicating that one of the organization’s users is doing something that they should not: User suspended (spam through relay), User suspended (spam), and User suspended (suspicious activity).
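The User Accounts triage described above can be scripted. The following is an added example, not code from the post or from SANS: it builds a per-account timeline and flags persistence-related settings changes that land within a window after one of the suspicious login events, plus any suspension events. The sample records, their flat field names (`time`, `actor`, `event`, `ip`) and the 24-hour window are constructed assumptions; event names are the post's display names, which you would map from the Reports API machine names on real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Display names from the post (assumption: real records are normalized to these first).
SUSPICIOUS_LOGIN_EVENTS = {
    "Suspicious login", "Suspicious login (less secure app)",
    "Suspicious programmatic login", "User signed out due to suspicious session cookie",
}
PERSISTENCE_SETTING_EVENTS = {
    "Out of domain email forwarding", "2-step verification disable", "2-step verification enroll",
    "Account password change", "Account recovery email change", "Account recovery phone change",
}
SUSPENSION_EVENTS = {
    "User suspended (spam through relay)", "User suspended (spam)",
    "User suspended (suspicious activity)",
}

# Constructed sample: alice changes her password after a normal login; bob's account shows a
# suspicious login followed by forwarding and recovery-phone changes; carol gets suspended.
SAMPLE_EVENTS = [
    {"time": "2024-04-01T08:02:11Z", "actor": "alice@example.com", "event": "Successful login", "ip": "203.0.113.10"},
    {"time": "2024-04-01T09:15:40Z", "actor": "alice@example.com", "event": "Account password change", "ip": "203.0.113.10"},
    {"time": "2024-04-02T01:12:05Z", "actor": "bob@example.com", "event": "Failed login", "ip": "198.51.100.7"},
    {"time": "2024-04-02T01:13:30Z", "actor": "bob@example.com", "event": "Suspicious login", "ip": "198.51.100.7"},
    {"time": "2024-04-02T01:20:02Z", "actor": "bob@example.com", "event": "Out of domain email forwarding", "ip": "198.51.100.7"},
    {"time": "2024-04-02T01:21:45Z", "actor": "bob@example.com", "event": "Account recovery phone change", "ip": "198.51.100.7"},
    {"time": "2024-04-03T10:00:00Z", "actor": "carol@example.com", "event": "User suspended (spam)", "ip": ""},
]


def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")


def timeline(events, actor):
    """Every event for one account, oldest first, as (time, event, ip)."""
    return [(e["time"], e["event"], e["ip"]) for e in sorted(events, key=_ts) if e["actor"] == actor]


def triage(events, window=timedelta(hours=24)):
    """Per actor: count of suspicious logins, persistence settings changes that follow a
    suspicious login within `window`, and suspension events. Accounts with nothing
    noteworthy are omitted so the analyst sees only what stands out."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_actor[e["actor"]].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        suspicious_times = [_ts(e) for e in evs if e["event"] in SUSPICIOUS_LOGIN_EVENTS]
        linked_changes = []
        for e in evs:
            if e["event"] not in PERSISTENCE_SETTING_EVENTS:
                continue
            t = _ts(e)
            # change happens at or after a suspicious login and inside the window
            if any(timedelta(0) <= t - s <= window for s in suspicious_times):
                linked_changes.append((e["time"], e["event"], e["ip"]))
        suspensions = [e["event"] for e in evs if e["event"] in SUSPENSION_EVENTS]
        if suspicious_times or linked_changes or suspensions:
            findings[actor] = {
                "suspicious_logins": len(suspicious_times),
                "linked_setting_changes": linked_changes,
                "suspensions": suspensions,
            }
    return findings


if __name__ == "__main__":
    for actor, finding in triage(SAMPLE_EVENTS).items():
        print(actor, finding)
        for row in timeline(SAMPLE_EVENTS, actor):
            print("   ", *row)
```

Note that alice's password change is not reported: the same change made by a user after a normal login is routine, and it is the pairing with a suspicious login (or with evidence you already hold) that turns it into a finding, which is the point the post makes about separating normal business activity from attacker behavior.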

Google Drive and Google Takeout

Another widely used Google Workspace service is Google Drive, Google’s file editing, storage, and sharing product. The primary risk here is that confidential business data stored within Google Drive can be exposed, either accidentally or intentionally. As with the other data sources, there are many events that are widely observed with normal user activity but are also highly relevant to investigators when viewed through the lens of an incident. These events include:

  • Download
  • Edit
  • Delete
  • Trash

On top of those, any permissions changes could be significant. It could indicate a user unintentionally over-permissioning a file or folder, or a threat actor attempting to gain access to files from outside the organization. There are many events that indicate such activity with the primary ones listed below:

  • Owner changed
  • Owner changed from parent folder
  • Change document visibility
  • Shared Drive Settings Change
  • User Sharing Permissions Change
  • Change access scope
  • Change ACL editors
  • Change shared drive membership
  • Change user access from Parent Folder

The last event worth mentioning is the Script trigger created event. Google has a scripting engine built into Google Docs, which could hypothetically be abused by threat actors to run unauthorized code. In most environments, this event is likely to be rare so it should stand out if it is observed.

Google Takeout is a unique service that allows Google users, both personal and business accounts, to export copies of all data tied to their account. For Google Workspace, this service is on by default and provides threat actors or malicious insiders with an easy way to export mass amounts of potentially sensitive data. The audit log for Google Takeout has four event types, all worth monitoring for malicious usage:

  • User completed a takeout
  • User downloaded a takeout
  • User initiated a takeout
  • User scheduled takeout(s)

Ideally, in enterprise environments this service should be disabled and only enabled on an as-needed basis, but if it is enabled, its usage needs to be closely monitored.
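The Drive and Takeout guidance above comes down to three checks: spotting mass Download activity against the background of routine downloads, listing the permission and script-trigger events worth reading one by one, and reconstructing the Takeout lifecycle per user. The following added example (not the post's or SANS's code) implements all three over a constructed event set; the `doc_title` and `new_value` fields, the sliding-window threshold of 50 downloads per hour, and the `anyone_with_link` visibility value are assumptions made for the example, and the event names are the post's display names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERMISSION_EVENTS = {
    "Owner changed", "Owner changed from parent folder", "Change document visibility",
    "Shared Drive Settings Change", "User Sharing Permissions Change", "Change access scope",
    "Change ACL editors", "Change shared drive membership", "Change user access from Parent Folder",
}
RARE_EVENTS = {"Script trigger created"}
TAKEOUT_EVENTS = {"User scheduled takeout(s)", "User initiated a takeout",
                  "User completed a takeout", "User downloaded a takeout"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _iso(d):
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def _constructed_sample():
    """Constructed Drive/Takeout events; doc_title and new_value are assumed field names."""
    base = _ts("2024-04-08T13:00:00Z")
    events = []
    # dave pulls 60 files in 30 minutes, then exports and downloads a Takeout archive
    for i in range(60):
        events.append({"time": _iso(base + timedelta(seconds=30 * i)), "actor": "dave@example.com",
                       "event": "Download", "doc_title": f"Q1-report-{i}.xlsx"})
    events += [
        {"time": "2024-04-08T14:05:00Z", "actor": "dave@example.com", "event": "User initiated a takeout"},
        {"time": "2024-04-08T14:40:00Z", "actor": "dave@example.com", "event": "User completed a takeout"},
        {"time": "2024-04-08T14:42:10Z", "actor": "dave@example.com", "event": "User downloaded a takeout"},
    ]
    # alice: a few normal downloads spread over the day, plus one visibility change to review
    for hour in (9, 11, 16):
        events.append({"time": f"2024-04-08T{hour:02d}:00:00Z", "actor": "alice@example.com",
                       "event": "Download", "doc_title": "roadmap.docx"})
    events += [
        {"time": "2024-04-08T12:30:00Z", "actor": "alice@example.com", "event": "Change document visibility",
         "doc_title": "customer-list.xlsx", "new_value": "anyone_with_link"},
        {"time": "2024-04-08T12:31:00Z", "actor": "alice@example.com", "event": "Edit",
         "doc_title": "customer-list.xlsx"},
        {"time": "2024-04-08T17:00:00Z", "actor": "erin@example.com", "event": "Script trigger created",
         "doc_title": "budget"},
    ]
    return events


SAMPLE_EVENTS = _constructed_sample()


def bulk_download_actors(events, threshold=50, window=timedelta(hours=1)):
    """Actors with at least `threshold` Download events inside any sliding `window`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["event"] == "Download":
            per_actor[e["actor"]].append(_ts(e["time"]))
    flagged = set()
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged


def sharing_changes(events):
    """Permission/visibility changes and the rare script-trigger event, oldest first."""
    return [(e["time"], e["actor"], e["event"], e.get("doc_title"), e.get("new_value"))
            for e in sorted(events, key=lambda e: e["time"])
            if e["event"] in PERMISSION_EVENTS | RARE_EVENTS]


def takeout_timeline(events):
    """Per actor, the Takeout stages seen in time order; a download is the exfil point."""
    stages = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] in TAKEOUT_EVENTS:
            stages[e["actor"]].append(e["event"])
    return dict(stages)


if __name__ == "__main__":
    print("bulk downloaders:", bulk_download_actors(SAMPLE_EVENTS))
    print("sharing changes:", sharing_changes(SAMPLE_EVENTS))
    print("takeout stages:", takeout_timeline(SAMPLE_EVENTS))
```

The download threshold is a tuning knob, not a fact about Drive: set it from a baseline of the organization's normal per-user volume, and keep the sliding window rather than a fixed hourly bucket so a burst straddling an hour boundary is not split in two.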

OAuth Usage

The final audit log we’ll look at in the scope of this blog post is the OAuth audit log. The amount of data in this log will vary depending on the organization. Often there is Google Chrome-related activity in this log from users logging into the Chrome browser with their organization credentials, which is completely normal. Other activity will depend on both the organization’s third-party application policies and whether users leverage such applications; third-party applications are the most common source of OAuth traffic. When discussing the OAuth audit log, we can briefly cover each event type, as there are only five possible event types:

  • Request - a request was made for OAuth access
  • Grant - OAuth access was granted
  • Deny - a request for OAuth access was denied
  • Revoke - OAuth access was revoked
  • API call - an API call was made with OAuth credentials

The most significant of these is API call, as it shows exactly what action was taken with the credentials; in the scope of OAuth abuse, that tells you what a threat actor did with their access. This event type, however, is only available to Enterprise and other premium licenses, so it may or may not be available depending on the organization’s subscription. The other events at minimum help audit the granting of credentials and can tell you if access was obtained via OAuth, even if you can’t tell what API calls were made after access was obtained.
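Because API call events may be absent depending on licensing, a useful review splits into what the Grant/Revoke events alone can answer (which apps hold which scopes for which users, and which grants are still live) and what API call events add when present. The following is an added example, not the post's or SANS's code, over a constructed OAuth event set; the `app`, `scopes` and `method` field names, the sample app name and the list of sensitive scope prefixes are assumptions for the example, and the scope URLs are standard Google OAuth scopes used as constructed sample values.

```python
from collections import defaultdict

# Assumption: scopes reaching mail or Drive content are the first to review.
SENSITIVE_SCOPE_PREFIXES = ("https://mail.google.com/",
                            "https://www.googleapis.com/auth/gmail",
                            "https://www.googleapis.com/auth/drive")

# Constructed sample: a routine Chrome sign-in, one user granting a third-party app broad
# mail/Drive access that is then used, one user denying the same app, and a later revoke.
SAMPLE_EVENTS = [
    {"time": "2024-04-10T08:00:00Z", "actor": "alice@example.com", "event": "Grant",
     "app": "Google Chrome", "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"time": "2024-04-10T08:30:00Z", "actor": "bob@example.com", "event": "Request",
     "app": "MailSync Helper", "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive.readonly"]},
    {"time": "2024-04-10T08:30:05Z", "actor": "bob@example.com", "event": "Grant",
     "app": "MailSync Helper", "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive.readonly"]},
    {"time": "2024-04-10T08:31:00Z", "actor": "bob@example.com", "event": "API call",
     "app": "MailSync Helper", "method": "gmail.users.messages.list"},
    {"time": "2024-04-10T08:31:20Z", "actor": "bob@example.com", "event": "API call",
     "app": "MailSync Helper", "method": "gmail.users.messages.get"},
    {"time": "2024-04-10T08:35:00Z", "actor": "bob@example.com", "event": "API call",
     "app": "MailSync Helper", "method": "drive.files.list"},
    {"time": "2024-04-10T09:00:00Z", "actor": "carol@example.com", "event": "Deny",
     "app": "MailSync Helper", "scopes": ["https://mail.google.com/"]},
    {"time": "2024-04-11T10:00:00Z", "actor": "bob@example.com", "event": "Revoke",
     "app": "MailSync Helper"},
]


def _by_time(events):
    return sorted(events, key=lambda e: e["time"])


def grants_by_app(events):
    """Per app: who granted it access, the union of granted scopes, and who revoked it.
    Needs only Grant/Revoke events, so it works on any license tier."""
    apps = defaultdict(lambda: {"actors": set(), "scopes": set(), "revoked_by": set()})
    for e in _by_time(events):
        if e["event"] == "Grant":
            apps[e["app"]]["actors"].add(e["actor"])
            apps[e["app"]]["scopes"].update(e["scopes"])
        elif e["event"] == "Revoke":
            apps[e["app"]]["revoked_by"].add(e["actor"])
    return dict(apps)


def sensitive_grants(events):
    """Grants whose scopes reach mail or Drive data, with just the sensitive scopes listed."""
    out = []
    for e in _by_time(events):
        if e["event"] != "Grant":
            continue
        hits = [s for s in e["scopes"] if s.startswith(SENSITIVE_SCOPE_PREFIXES)]
        if hits:
            out.append((e["time"], e["actor"], e["app"], hits))
    return out


def api_activity(events, app, actor=None):
    """Methods called with an app's credentials, per actor. Empty on tiers without API call logging."""
    calls = defaultdict(list)
    for e in _by_time(events):
        if e["event"] == "API call" and e["app"] == app and (actor is None or e["actor"] == actor):
            calls[e["actor"]].append((e["time"], e["method"]))
    return dict(calls)


def still_active(events):
    """(actor, app) pairs that were granted access and never revoked."""
    active = set()
    for e in _by_time(events):
        key = (e["actor"], e["app"])
        if e["event"] == "Grant":
            active.add(key)
        elif e["event"] == "Revoke":
            active.discard(key)
    return active


if __name__ == "__main__":
    for app, info in grants_by_app(SAMPLE_EVENTS).items():
        print(app, info)
    print("sensitive:", sensitive_grants(SAMPLE_EVENTS))
    print("still active:", still_active(SAMPLE_EVENTS))
    print("MailSync Helper calls:", api_activity(SAMPLE_EVENTS, "MailSync Helper"))
```

When the API call events are missing, `sensitive_grants` and `still_active` are the fallback the post describes: they establish that access was obtained and whether it persists, even though they cannot say what was done with it.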

Summary

Although this blog post is not a comprehensive guide to incident response investigations in the cloud, it provides insights into some key events that could lead you in the direction of answers to investigative questions. As mentioned before, just because an event isn’t listed here doesn’t mean it cannot be noteworthy, but if you do not know where to start, this is a good place. To summarize the events highlighted in this blog post, we are releasing the “Google Workspace Artifact Reference Guide” cheat sheet, which can be downloaded here.
