
Google Audit Activity

Definition

The Google Audit Activity trigger starts a flow when a specified Google Workspace audit log event occurs. It allows organizations to track and respond to various user and system activities across multiple Google services in near real time. By leveraging the Reports API, this trigger monitors events such as file sharing in Drive, logins, calendar access, admin actions, Meet sessions, and more.

Key capabilities include:

  • Monitoring over 20 Google Workspace applications (e.g., Drive, Admin, Calendar, Meet, Chrome).
  • Filtering events based on user email, customer ID, or specific event parameters (e.g., file ID, IP address).
  • Supporting granular conditions using filters like parameter==value for precise activity tracking.
  • Providing detailed output such as actor identity, event timestamp, IP address, and custom parameters.

This trigger is essential for automating security workflows, compliance enforcement, user behavior analysis, and auditing in a Google Workspace environment.

Example Use Cases

  1. Monitor Sensitive File Access in Drive: Trigger flows when specific Drive documents (e.g., labeled “confidential”) are accessed, edited, or shared. Use filters like doc_id==<document_id> to watch particular assets.

  2. Detect Suspicious Login Attempts: Automatically run security checks or alert admins when a login occurs from an unfamiliar IP address or geolocation. Useful with conditional run on output fields like Actor.email or IP Address.

  3. Track Admin Role Changes: Detect and log when a user’s admin privileges are changed. Use application name Admin and event name like CHANGE_ROLE. Conditional logic can route different alerts depending on the user or action.

  4. Two-Step Verification Events: Trigger workflows when users enable or disable 2-Step Verification (2sv_enroll or 2sv_disable) to enforce security training or notify the IT department.

  5. Calendar Sharing Policy Enforcement: React when a calendar is shared externally by checking Drive or Calendar audit logs. Use conditional filters to determine sharing target or domain.

  6. Investigate High-Risk Token Usage: Trigger on OAuth authorize or revoke events to monitor third-party app connections. Use conditional runs based on event_name or app identifiers in the parameters.

  7. Flag External Forwarding Setup: Start a flow when email forwarding to out-of-domain addresses is configured. Monitor email_forwarding_out_of_domain in the User Accounts application with filters like parameter==external.

  8. Detect Data Export from Data Studio: Catch when reports are exported or downloaded from Data Studio. Combine the trigger with conditions checking the event_name==data_export or user identity.

  9. Log Meet Recording Activity: Start flows when a meeting is recorded (recording_activity) or transcription starts. Helpful for logging compliance or archiving meeting metadata.

Configuration

1. Connection

This is the Google Audit Reports API connection your trigger will use to access activity data from your Google Workspace environment.

  • Purpose: The connection securely authenticates your system to Google’s Admin SDK Reports API, enabling it to fetch audit logs across various services (Drive, Calendar, Login, etc.).

2. Application Name

This specifies which Google service’s audit logs the trigger should monitor. It determines the type of events you’ll be notified about.

  • Purpose: Selecting an application filters audit events to only those originating from the chosen service (e.g., Drive file sharing, login attempts, calendar changes).

Supported Application Names:

| Application Name | Description |
| --- | --- |
| access_transparency | Logs of Google’s internal access to your data (e.g., support actions). Use this to track data access by Google staff. |
| admin | Changes made in the Admin console (e.g., user creation, group settings, admin role updates). Useful for administrative policy monitoring. |
| calendar | Events related to Google Calendar usage (e.g., event creation, deletion, calendar sharing). Helps track schedule manipulation or leaks. |
| chat | Google Chat activity (messages sent, rooms created, membership changes). Use it to audit internal communication. |
| drive | Drive file events: access, share, download, rename, move, etc. Essential for data loss prevention or file abuse monitoring. |
| gcp | Google Cloud Platform project-level events (e.g., IAM changes, billing). Helps monitor cloud infrastructure security. |
| google_plus | Activity related to Google+ (legacy), such as post creation or deletion. Usually only relevant for archival review. |
| groups | Tracks activity in Google Groups (e.g., group creation, settings change, membership updates). Supports access control audits. |
| groups_enterprise | More advanced tracking for Google Groups, such as content posting or message moderation in enterprise environments. |
| jamboard | Logs collaboration actions on Google Jamboard (e.g., sessions started, whiteboards edited). |
| login | Authentication events: successful or failed logins, suspicious logins, 2SV events. Crucial for security monitoring. |
| meet | Events in Google Meet such as recordings, participants joining/leaving, Q&A activity. Use for compliance or meeting oversight. |
| mobile | Device management events: wipe, sync, approve/block devices. Important for mobile device security audits. |
| rules | When rules (set in the Admin console) are triggered, matched, or result in actions like labels or alerts. Useful for compliance workflows. |
| saml | SAML login events for third-party apps. Useful to monitor federated identity activity. |
| token | OAuth token usage (e.g., apps authorized/revoked by users). Ideal for shadow IT detection or app governance. |
| user_accounts | Account changes like password updates, 2SV status, recovery email/phone edits. Important for detecting account takeovers. |
| context_aware_access | Logs access denials due to context-aware policies (e.g., device state, location). Helps enforce zero-trust policies. |
| chrome | Activity from Chrome and ChromeOS devices (e.g., extension installs, logins, DLP activity, policy changes). Useful in Chrome-managed environments. |
| data_studio | Google Data Studio (now Looker Studio) events such as report edits, exports, views. Useful for tracking report distribution. |
| keep | Google Keep note activities (create, edit, share, delete, permission changes). Helps manage sensitive note content. |

Tip: You can refer to the official Google Admin SDK documentation on application names for more details or the latest supported applications.

3. Event Name

The specific event you want to monitor within the selected application (e.g., file shared, login failed, calendar event created).

  • Purpose: This narrows down the trigger to only respond when a certain kind of activity happens—providing precision and avoiding unnecessary trigger runs.
  • How to use it:
    • If you leave it blank, the trigger will fire for all event types within the selected application.
    • If you want to target specific events, enter the corresponding event name (e.g., edit for Drive, login_failure for Login).

4. User Key

This defines which user’s activity should be monitored by the trigger.

  • Purpose: It helps filter logs by user, allowing you to monitor activity for a single user, a service account, or the entire domain.
  • How to use it:
    • Use an email address (e.g., jane.doe@company.com) to filter by a specific user.
    • Use all to include all users in your Google Workspace domain.

5. Filters

A powerful way to filter events by specific event parameters using logical conditions. It ensures the trigger fires only when certain conditions are met in the audit event details.

  • Purpose: Helps reduce noise and target only meaningful activities.

  • How to use it: Use comma-separated conditions in the format parameter_name==value.

Example: doc_id==12345,owner==john.doe@company.com
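
A filter string can be checked offline before it goes into the trigger by parsing the parameter_name==value syntax and evaluating it against an audit record. The following is an added example, not the product's own code: parse_filters, matching_events and SAMPLE are hypothetical names, the record is constructed in the shape of a Reports API activity item, and combining the comma-separated conditions with AND is an assumption.

```python
import re

# One condition in the page's documented form: parameter_name==value
_COND = re.compile(r"^([A-Za-z0-9_]+)==(.+)$")

def parse_filters(spec):
    """Parse 'a==1,b==2' into a dict; raise ValueError on malformed input."""
    conditions = {}
    for raw in filter(None, (part.strip() for part in spec.split(","))):
        m = _COND.match(raw)
        if not m:
            raise ValueError(f"malformed condition: {raw!r}")
        name, value = m.group(1), m.group(2).strip()
        if name in conditions:
            raise ValueError(f"parameter given twice: {name}")
        conditions[name] = value
    return conditions

def _param_value(param):
    # Audit parameters carry their value under a type-specific key.
    if "boolValue" in param:
        return str(param["boolValue"]).lower()
    value = param.get("value", param.get("intValue"))
    return None if value is None else str(value)

def matching_events(activity, conditions, event_name=None):
    """Return a summary for each event that satisfies every condition (assumed AND)."""
    hits = []
    for event in activity.get("events", []):
        if event_name and event.get("name") != event_name:
            continue
        params = {p["name"]: _param_value(p) for p in event.get("parameters", [])}
        if all(params.get(k) == v for k, v in conditions.items()):
            hits.append({"actor": activity.get("actor", {}).get("email"),
                         "time": activity.get("id", {}).get("time"),
                         "ip": activity.get("ipAddress"),
                         "event": event.get("name")})
    return hits

# Constructed sample in the shape of one Reports API activity item.
SAMPLE = {
    "id": {"time": "2024-05-01T10:00:00.000Z", "applicationName": "drive"},
    "actor": {"email": "jane.doe@company.com"}, "ipAddress": "203.0.113.7",
    "events": [
        {"name": "view", "parameters": [{"name": "doc_id", "value": "12345"},
            {"name": "owner", "value": "john.doe@company.com"}]},
        {"name": "edit", "parameters": [{"name": "doc_id", "value": "99999"}]},
    ],
}
```

A condition written with a single = (for example doc_id=12345) raises ValueError here, so a typo is caught before it can leave the trigger silently matching nothing.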