Workspace audit logs: New functionality and expanded event fields in the Admin console

Today we’re announcing the release of several enhancements to deepen the security investigation capabilities of the Workspace audit log, including expanded fields across many data sources.

These new enhancements include:

• Introduction of owner details for resource attribute
• Expansion of resource and actor attributes to additional data sources
• Introduction of new device info attribute for multiple data sources

** **

New owner details for enhanced resource visibility in Security Investigation Tool and Audit logs

We’re adding a new “Owner details” field to the “Resources” attribute, making it easier to identify who owns a resource during security investigations. This field uses two primary components:

• **Owner Type: **Specifies the category of the owner, which can be an individual person (User), the entire organization (Customer), or a Group.
• **Owner Identity: **Contains specific details, such as IDs or email addresses, of that owner.

It will be available for all data sources wherever the resource field is present: Directory sync, Gmail, Meet, Groups, Keep, Looker Studio, Drive, Meet hardware, Chat, Admin, Data migration, Chrome, Voice, Calendar, Vault, Assignments and Groups enterprise log events.

Expanded coverage for resources and actor application info in Security Investigation tool / Audit and Investigation tool

To ensure you have a complete view across various Workspace services, we are expanding two critical attributes to additional log events:

• **Resources: **Expanding to Chrome, Voice, Vault, and Assignment log events
• Actor application info: Expanding to Chrome, Voice, Group, Meet, Assignments, and Admin data action log events

Comprehensive device information in Security Investigation tool / Audit and Investigation tool, Admin SDK (Reports API), SecOps, and BigQuery

Administrators can now gain crucial context about the devices used to perform actions. We are introducing the User device info attribute, which provides details such as User device ID, User device OS version, or User device type (e.g., DESKTOP_MAC, DESKTOP_WINDOWS).

This information is available for many log sources, including: Contact, Gemini workspace, Keep, Meet hardware, Chat, Chrome, Directory sync, Drive, Group, Meet, Rule, Looker studio and SAML log events. 

Detail for Admin SDK (Reports API)

Getting started

• **Admins: **As the changes roll out, get started with your analysis in either the Audit and Investigation tool, Admin SDK (Reports API), SecOps, or BigQuery.
• End users: There is no end user setting for this feature.

Rollout pace

• Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on April 29, 2026

Availability

• Available for Google Workspace editions with Audit Log eligible licenses

Resources

• Google Workspace Admin Help: About the security investigation tool
• Google Developers Help: Admin SDK (Reports API)
• Google Workspace Admin Help: Export log events to Google Security Operations to monitor insider risk
• Google Workspace Admin Help: About reporting logs and BigQuery
• Google Workspace Admin Help: Compare Google Workspace editions