Google Workspace (GWS) Audit Logs enable the organization's IT team to detect the employee's logins to SaaS and web services using their official Google accounts without authorization. Using this feature helps, organizations gain valuable insights into how an organization's resources are being accessed, enabling businesses to monitor unauthorized application usage. In this article, you will learn how to detect when employees log into SaaS applications using their corporate Google Workspace accounts.
Who Can Use This Service
This feature is available to all organizations integrated with Google Workspace. No additional configuration is needed, and Google Workspace does not need to be set as the External data source for this to work.
The feature uses the "View audit reports for your Google Workspace domain" permissions granted upon integrating Google Workspace.
Detection Period
The detection duration defines the data availability and update.
- Data Acquisition: Data from one month before activating this feature will be acquired. After activation, the data will be accumulated and updated daily.
- Data Retention: Currently, there is a limit to how much data can be stored. Once the limit is exceeded, older data will be overwritten. Typically, this data will cover a period of 3 to 6 months, depending on the number of users and detected applications.
Check Detected SaaS Apps in Discovered Apps
You can review the list of apps detected through Google Workspace logins in the Discovered Apps. However, the following apps will not appear in this list:
- Managed Apps: Apps linked to "Managed Apps" will not appear in this list.
- Trackable Apps: Apps : Apps that have been added as "Trackable Apps" (linked by app name) will also not appear in this list and will be displayed in Managed Apps.
Note: If an app is registered as a Tracked app, then its usage status is not available. However, if you remove the app from the Tracked App list under Managed Apps, it will become visible again.
If an app can be integrated, an “Integrate” button will appear in the bottom-right corner of the app's entry. For trackable apps, a “Track App” button will appear.
Check SaaS App Usage for the User
You can monitor individual app usage from the User Profiles. This section provides insights into which apps have been assigned to specific users and offers a breakdown of detected app usage.
By utilizing Google Workspace audit logs, organizations can gain valuable insights into how employees are using SaaS applications and services, ensuring proper governance and secure usage practices within the corporate environment.
Frequently Asked Questions
Q. When will the logs be updated?
Logs are updated every business day, with the updates available by the next morning.
Q. I integrated/reintegrated GWS, but nothing appears on the "Discovered Apps" screen.
Please wait until the next business day, as data acquisition occurs every morning on business days, not immediately after integration.
Q. The usage count seems low—why is that?
For GWS access logs, the usage count reflects the number of times login privileges were granted to accessing applications, not necessarily the number of actual logins using a Google account.
Q. Do we receive audit logs from all linked GWS tenants?
Yes, audit logs are collected from all linked Google Workspace tenants.
Q. If there are multiple tenants of the same application, can you distinguish and detect access to each of them?
The GWS audit logs used for this feature track "who logged into which application via Google," and it’s not possible to distinguish between different tenants. However, for many applications, it's not possible to create multiple accounts with the same email address, so by identifying the tenant linked to the Google account, you can determine which tenant the user is accessing.