Google Workspace (GWS) Audit Logs enable the organization's IT team to detect the employee's logins to SaaS and web services using their official Google accounts without authorization. Using this feature helps, organizations gain valuable insights into how an organization's resources are being accessed, enabling businesses to monitor unauthorized application usage. In this article, you will learn how to detect when employees log into SaaS applications using their corporate Google Workspace accounts.
Feature Capabilities
GWS Audit Logis enables the detection of services and SaaS applications employees access using their official Google Workspace accounts.
- SaaS and Services detection: Josys browser extension identifies SaaS platforms and services employees log into using their organization's Google account.
- Cross-Platform detection: Monitors login activity across different platforms, including browsers, mobile apps, and desktop apps, when employees log in using their company’s Google Workspace account.
Limitations: The extension will not detect the SaaS usage performed using personal Google accounts. Also, logins made directly with an email address and password (even from an organization's domain), bypassing Google authentication, will not be detected.
Who Can Use This Service
This feature is available to all organizations integrated with Google Workspace. No additional configuration is needed, and Google Workspace does not need to be set as the "member master" for this to work.
The feature uses the "View G Suite Domain Management Report" permissions granted upon integrating Google Workspace. Since this permission was introduced in December 2022, if Google Workspace was integrated before then, re-integration will be required.
Detection Period
The detection duration defines the data availability and update.
- Data Acquisition: Data from one month before activating this feature will be acquired. After activation, the data will be accumulated and updated daily.
- Data Retention: Currently, there is a limit to how much data can be stored. Once the limit is exceeded, older data will be overwritten. Typically, this data will cover a period of 3 to 6 months, depending on the number of users and detected applications.
Feature Insights
You can detect SaaS Apps usage through
- Discovered Apps
- Managed Apps
- User Profiles
1. Check Detected SaaS Apps in Discovered Apps
You can review the list of apps detected through Google Workspace logins in the Discovered Apps. However, the following apps will not appear in this list:
- Managed Apps: Apps linked to "Managed Apps" will not appear in this list.
- Trackable Apps: Apps (Changed "Custom App" terminology to Trackable Apps): Apps that have been added as "Trackable Apps" (linked by app name) will also not appear in this list and will be displayed in Managed Apps.
Note: If an app is registered as a Tracked app, then its usage status is not available. However, if you remove the app from the Tracked App list under Managed Apps, it will become visible again.
If an app can be integrated, an “Integrate” button will appear in the bottom-right corner of the app's entry. For trackable apps, a “Track App” button will appear.
2. Check SaaS App Usage in the Managed Apps
You can check the SaaS usage details from the Managed Apps screen. To do this, click on the app name to see a list of employees detected using the app.
Managed apps data will not appear on the GWS Audit logs, but if the "Usage Count" is displayed on the Managed Apps screen, you can click on it to see a list of employees who accessed the app.
3. Check SaaS App Usage for the User
You can monitor individual app usage from the User Profiles. This section provides insights into which apps have been assigned to specific users and offers a breakdown of detected app usage.
By utilizing Google Workspace audit logs, organizations can gain valuable insights into how employees are using SaaS applications and services, ensuring proper governance and secure usage practices within the corporate environment.
Frequently Asked Questions
Q. When will the logs be updated?
Logs are updated every business day, with the updates available by the next morning.
Q. I integrated/reintegrated GWS, but nothing appears on the "Discovered Apps" screen.
Please wait until the next business day, as data acquisition occurs every morning on business days, not immediately after integration.
Q. The usage count seems low—why is that?
For GWS access logs, the usage count reflects the number of times login privileges were granted to accessing applications, not necessarily the number of actual logins using a Google account.
Q. Do we receive audit logs from all linked GWS tenants?
Yes, audit logs are collected from all linked Google Workspace tenants.
Q. If there are multiple tenants of the same application, can you distinguish and detect access to each of them?
The GWS audit logs used for this feature track "who logged into which application via Google," and it’s not possible to distinguish between different tenants. However, for many applications, it's not possible to create multiple accounts with the same email address, so by identifying the tenant linked to the Google account, you can determine which tenant the user is accessing.