Login Audit Activity Events

This document lists the events and parameters for various types of Login Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=login .

2-step verification enrollment changed

Events of this type are returned with type=2sv_change .

2-step verification disable

Event details
Event name	`2sv_disable`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= 2sv_disable &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has disabled 2-step verification`

2-step verification enroll

Event details
Event name	`2sv_enroll`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= 2sv_enroll &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has enrolled for 2-step verification`

Account password changed

Events of this type are returned with type=password_change .

Account password change

Event details
Event name	`password_edit`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= password_edit &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has changed Account password`

Account recovery info changed

Account recovery information changed. Events of this type are returned with type=recovery_info_change .

Account recovery email change

Event details
Event name	`recovery_email_edit`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= recovery_email_edit &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has changed Account recovery email`

Account recovery phone change

Event details
Event name	`recovery_phone_edit`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= recovery_phone_edit &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has changed Account recovery phone`

Account recovery secret question/answer change

Event details
Event name	`recovery_secret_qa_edit`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= recovery_secret_qa_edit &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has changed Account recovery secret question/answer`

Account warning

Account warning event type. Events of this type are returned with type=account_warning .

Leaked password

Account warning event account disabled password leak description.

Event details

Event name

account_disabled_password_leak

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= account_disabled_password_leak 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Account {affected_email_address} 
disabled because Google has become aware that someone else knows its password

Passkey enrolled

Passkey enrolled by user.

Event details
Event name	`passkey_enrolled`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= passkey_enrolled &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} enrolled a new passkey`

Passkey removed

Passkey removed by user.

Event details
Event name	`passkey_removed`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= passkey_removed &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} removed passkey`

Suspicious login blocked

Account warning event suspicious login description.

Event details

Event name

suspicious_login

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

login_  
timestamp

integer

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= suspicious_login 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Google has detected a suspicious login for {affected_email_address}

Suspicious login from less secure app blocked

Account warning event suspicious login less secure app description.

Event details

Event name

suspicious_login_less_secure_app

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

login_  
timestamp

integer

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= suspicious_login_less_secure_app 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Google has detected a suspicious login for {affected_email_address} 
from a less secure app

Suspicious programmatic login blocked

Account warning event suspicious programmatic login description.

Event details

Event name

suspicious_programmatic_login

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

login_  
timestamp

integer

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= suspicious_programmatic_login 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Google has detected a suspicious programmatic login for {affected_email_address}

User signed out due to suspicious session cookie

User signed out due to suspicious session cookie(Cookie Cutter Malware Event).

Event details

Event name

user_signed_out_due_to_suspicious_session_cookie

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= user_signed_out_due_to_suspicious_session_cookie 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Suspicious session cookie detected for user {affected_email_address}

User suspended

Account warning event account disabled generic description.

Event details

Event name

account_disabled_generic

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= account_disabled_generic 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Account {affected_email_address} 
disabled

User suspended (spam through relay)

Account warning event account disabled spamming through relay description.

Event details

Event name

account_disabled_spamming_through_relay

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= account_disabled_spamming_through_relay 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Account {affected_email_address} 
disabled because Google has become aware that it was used to engage in spamming through SMTP relay service

User suspended (spam)

Account warning event account disabled spamming description.

Event details

Event name

account_disabled_spamming

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= account_disabled_spamming 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Account {affected_email_address} 
disabled because Google has become aware that it was used to engage in spamming

User suspended (suspicious activity)

Account warning event account disabled hijacked description.

Event details

Event name

account_disabled_hijacked

Parameters

affected_  
email_  
address

string

Email-id of the user affected by the event.

login_  
timestamp

integer

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= account_disabled_hijacked 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Account {affected_email_address} 
disabled because Google has detected a suspicious activity indicating it might have been compromised

Advanced Protection enrollment changed

Events of this type are returned with type=titanium_change .

Advanced Protection enroll

Event details
Event name	`titanium_enroll`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= titanium_enroll &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has enrolled for Advanced Protection`

Advanced Protection unenroll

Event details
Event name	`titanium_unenroll`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= titanium_unenroll &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has disabled Advanced Protection`

Attack Warning

Attack Warning Event Type. Events of this type are returned with type=attack_warning .

Government-backed Attack

Government-backed attack warning event name.

Event details
Event name	`gov_attack_warning`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= gov_attack_warning &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} might have been targeted by government-backed attack`

Blocked sender settings changed

Events of this type are returned with type=blocked_sender_change .

Blocked all future emails from the sender.

Blocked email address.

Event details
Event name	`blocked_sender`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= blocked_sender &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has blocked all future messages from {affected_email_address} .`

Email forwarding settings changed

Events of this type are returned with type=email_forwarding_change .

Out of domain email forwarding enabled

Event details
Event name	`email_forwarding_out_of_domain`
Sample request	`GET https://admin.googleapis.com /admin /reports /v1 /activity /users /all /applications / login ?eventName= email_forwarding_out_of_domain &maxResults=10 &access_token= YOUR_ACCESS_TOKEN`
Admin Console message format	`{actor} has enabled out of domain email forwarding to {email_forwarding_destination_address} .`

Failed Login

A login attempt was unsuccessful.

Event details

Event name

login_failure

Parameters

login_  
challenge_  
method

string

access_to_preregistered_email
A challenge requiring access to a verification email in the inbox.
assistant_approval
A challenge that lets the user approve authentication by a Google Assistant product.
backup_code
Asks user to enter a backup verification code.
captcha
A challenge to distinguish humans from automated bots using captcha.
cname
A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
cross_account
A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
cross_device
A challenge that requires the user to complete authentication on a secondary device.
deny
User sign-in is denied.
device_assertion
A challenge based on recognizing a previously used device.
device_preregistered_phone
A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
device_prompt
A challenge on the user’s mobile device.
extended_botguard
A challenge that uses a series of additional verification steps to ensure human interaction.
google_authenticator
Asks user to enter OTP from authenticator app.
google_prompt
Login challenge method Google Prompt.
idv_any_email
A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
idv_any_phone
User asked for phone number and then enters code sent to that phone.
idv_preregistered_email
A challenge in which a code is sent to another email address the user provided before.
idv_preregistered_phone
User enters code sent to their preregistered phone.
internal_two_factor
Login challenge method Internal Two Factor.
knowledge_account_creation_date
A challenge that requires the user to provide the approximate date their account was created.
knowledge_cloud_pin
A challenge based on the user's cloud service PIN.
knowledge_date_of_birth
A challenge that requires the user to provide the date of birth registered on their Google Account.
knowledge_domain_title
A challenge that asks the user to provide their domain title (organization name).
knowledge_employee_id
Login challenge method Knowledge Employee Id.
knowledge_historical_password
A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
knowledge_last_login_date
A challenge that asks the user the approximate date of their last sign-in.
knowledge_lockscreen
A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
knowledge_preregistered_email
User proves knowledge of preregistered email.
knowledge_preregistered_phone
User proves knowledge of preregistered phone.
knowledge_real_name
A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
knowledge_secret_question
A challenge that requires the user to provide the answer to a question they chose.
knowledge_user_count
A challenge that asks the user to provide number of users in the domain.
knowledge_youtube
A challenge based on the user's knowledge of their YouTube account details.
login_location
User enters from where they usually sign in.
manual_recovery
The user can recover their account only with their admin’s help.
math
A challenge requiring the solution of a mathematical equation.
none
No login challenge was faced.
offline_otp
User enters OTP code they get from settings on their phone (android only).
oidc
A challenge that uses the OIDC protocol.
other
Login challenge method other.
outdated_app_warning
A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
parent_auth
A challenge requiring authorization from a parent or guardian.
passkey
A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
password
Password.
recaptcha
A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
rescue_code
A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
same_device_screenlock
A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
saml
The user provides a SAML assertion from a SAML identity provider.
security_key
User passes the security key cryptographic challenge.
security_key_otp
Login challenge method Security Key OTP.
time_delay
An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
userless_fido
A FIDO challenge that’s not tied to a specific user.
web_approval
A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.

login_  
failure_  
type

string

(Deprecated) The reason for the login failure. Possible values:

login_failure_access_code_disallowed
The user does not have permission to login to the service.
login_failure_account_disabled
The user's account is disabled.
login_failure_invalid_password
The user's password was invalid.
login_failure_unknown
The reason for the login failure is not known.

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= login_failure 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
failed to login

Login Challenge

A login was challenged to verify the user's identity. Any login challenges encountered during a login session are grouped into a single events entry. For example, if a user enters an incorrect password twice, then enters the correct password, which is then followed by a two-step verification using a security key, the events field of the activities.list response looks like the following:

 "events" 
 : 
  
 [ 
  
 { 
  
 "type" 
 : 
  
 "login" 
 , 
  
 "name" 
 : 
  
 "login_success" 
 , 
  
 "parameters" 
 : 
  
 [ 
  
 { 
  
 "name" 
 : 
  
 "login_type" 
 , 
  
 "value" 
 : 
  
 "google_password" 
  
 }, 
  
 { 
  
 "name" 
 : 
  
 "login_challenge_method" 
 , 
  
 "multiValue" 
 : 
  
 [ 
  
 "password" 
 , 
  
 "password" 
 , 
  
 "password" 
 , 
  
 "security_key" 
  
 ] 
  
 }, 
  
 { 
  
 "name" 
 : 
  
 "is_suspicious" 
 , 
  
 "boolValue" 
 : 
  
 false 
  
 } 
  
 ] 
  
 } 
 ]

For more information about login challenges, see Verify a user’s identity with extra security .

Event details

Event name

login_challenge

Parameters

login_  
challenge_  
method

string

access_to_preregistered_email
A challenge requiring access to a verification email in the inbox.
assistant_approval
A challenge that lets the user approve authentication by a Google Assistant product.
backup_code
Asks user to enter a backup verification code.
captcha
A challenge to distinguish humans from automated bots using captcha.
cname
A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
cross_account
A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
cross_device
A challenge that requires the user to complete authentication on a secondary device.
deny
User sign-in is denied.
device_assertion
A challenge based on recognizing a previously used device.
device_preregistered_phone
A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
device_prompt
A challenge on the user’s mobile device.
extended_botguard
A challenge that uses a series of additional verification steps to ensure human interaction.
google_authenticator
Asks user to enter OTP from authenticator app.
google_prompt
Login challenge method Google Prompt.
idv_any_email
A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
idv_any_phone
User asked for phone number and then enters code sent to that phone.
idv_preregistered_email
A challenge in which a code is sent to another email address the user provided before.
idv_preregistered_phone
User enters code sent to their preregistered phone.
internal_two_factor
Login challenge method Internal Two Factor.
knowledge_account_creation_date
A challenge that requires the user to provide the approximate date their account was created.
knowledge_cloud_pin
A challenge based on the user's cloud service PIN.
knowledge_date_of_birth
A challenge that requires the user to provide the date of birth registered on their Google Account.
knowledge_domain_title
A challenge that asks the user to provide their domain title (organization name).
knowledge_employee_id
Login challenge method Knowledge Employee Id.
knowledge_historical_password
A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
knowledge_last_login_date
A challenge that asks the user the approximate date of their last sign-in.
knowledge_lockscreen
A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
knowledge_preregistered_email
User proves knowledge of preregistered email.
knowledge_preregistered_phone
User proves knowledge of preregistered phone.
knowledge_real_name
A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
knowledge_secret_question
A challenge that requires the user to provide the answer to a question they chose.
knowledge_user_count
A challenge that asks the user to provide number of users in the domain.
knowledge_youtube
A challenge based on the user's knowledge of their YouTube account details.
login_location
User enters from where they usually sign in.
manual_recovery
The user can recover their account only with their admin’s help.
math
A challenge requiring the solution of a mathematical equation.
none
No login challenge was faced.
offline_otp
User enters OTP code they get from settings on their phone (android only).
oidc
A challenge that uses the OIDC protocol.
other
Login challenge method other.
outdated_app_warning
A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
parent_auth
A challenge requiring authorization from a parent or guardian.
passkey
A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
password
Password.
recaptcha
A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
rescue_code
A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
same_device_screenlock
A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
saml
The user provides a SAML assertion from a SAML identity provider.
security_key
User passes the security key cryptographic challenge.
security_key_otp
Login challenge method Security Key OTP.
time_delay
An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
userless_fido
A FIDO challenge that’s not tied to a specific user.
web_approval
A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.

login_  
challenge_  
status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= login_challenge 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
was presented with a login challenge

Login Verification

Event details

Event name

login_verification

Parameters

is_  
second_  
factor

boolean

Whether the login verification is 2SV. Possible values:

false
Boolean value false.
true
Boolean value true.

login_  
challenge_  
method

string

access_to_preregistered_email
A challenge requiring access to a verification email in the inbox.
assistant_approval
A challenge that lets the user approve authentication by a Google Assistant product.
backup_code
Asks user to enter a backup verification code.
captcha
A challenge to distinguish humans from automated bots using captcha.
cname
A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
cross_account
A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
cross_device
A challenge that requires the user to complete authentication on a secondary device.
deny
User sign-in is denied.
device_assertion
A challenge based on recognizing a previously used device.
device_preregistered_phone
A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
device_prompt
A challenge on the user’s mobile device.
extended_botguard
A challenge that uses a series of additional verification steps to ensure human interaction.
google_authenticator
Asks user to enter OTP from authenticator app.
google_prompt
Login challenge method Google Prompt.
idv_any_email
A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
idv_any_phone
User asked for phone number and then enters code sent to that phone.
idv_preregistered_email
A challenge in which a code is sent to another email address the user provided before.
idv_preregistered_phone
User enters code sent to their preregistered phone.
internal_two_factor
Login challenge method Internal Two Factor.
knowledge_account_creation_date
A challenge that requires the user to provide the approximate date their account was created.
knowledge_cloud_pin
A challenge based on the user's cloud service PIN.
knowledge_date_of_birth
A challenge that requires the user to provide the date of birth registered on their Google Account.
knowledge_domain_title
A challenge that asks the user to provide their domain title (organization name).
knowledge_employee_id
Login challenge method Knowledge Employee Id.
knowledge_historical_password
A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
knowledge_last_login_date
A challenge that asks the user the approximate date of their last sign-in.
knowledge_lockscreen
A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
knowledge_preregistered_email
User proves knowledge of preregistered email.
knowledge_preregistered_phone
User proves knowledge of preregistered phone.
knowledge_real_name
A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
knowledge_secret_question
A challenge that requires the user to provide the answer to a question they chose.
knowledge_user_count
A challenge that asks the user to provide number of users in the domain.
knowledge_youtube
A challenge based on the user's knowledge of their YouTube account details.
login_location
User enters from where they usually sign in.
manual_recovery
The user can recover their account only with their admin’s help.
math
A challenge requiring the solution of a mathematical equation.
none
No login challenge was faced.
offline_otp
User enters OTP code they get from settings on their phone (android only).
oidc
A challenge that uses the OIDC protocol.
other
Login challenge method other.
outdated_app_warning
A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
parent_auth
A challenge requiring authorization from a parent or guardian.
passkey
A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
password
Password.
recaptcha
A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
rescue_code
A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
same_device_screenlock
A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
saml
The user provides a SAML assertion from a SAML identity provider.
security_key
User passes the security key cryptographic challenge.
security_key_otp
Login challenge method Security Key OTP.
time_delay
An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
userless_fido
A FIDO challenge that’s not tied to a specific user.
web_approval
A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.

login_  
challenge_  
status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= login_verification 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
was presented with login verification

Logout

The user logged out.

Event details

Event name

logout

Parameters

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= logout 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
logged out

Sensitive action allowed

Event details

Event name

risky_sensitive_action_allowed

Parameters

is_  
suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

false
Boolean value false.
true
Boolean value true.

login_  
challenge_  
method

string

access_to_preregistered_email
A challenge requiring access to a verification email in the inbox.
assistant_approval
A challenge that lets the user approve authentication by a Google Assistant product.
backup_code
Asks user to enter a backup verification code.
captcha
A challenge to distinguish humans from automated bots using captcha.
cname
A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
cross_account
A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
cross_device
A challenge that requires the user to complete authentication on a secondary device.
deny
User sign-in is denied.
device_assertion
A challenge based on recognizing a previously used device.
device_preregistered_phone
A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
device_prompt
A challenge on the user’s mobile device.
extended_botguard
A challenge that uses a series of additional verification steps to ensure human interaction.
google_authenticator
Asks user to enter OTP from authenticator app.
google_prompt
Login challenge method Google Prompt.
idv_any_email
A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
idv_any_phone
User asked for phone number and then enters code sent to that phone.
idv_preregistered_email
A challenge in which a code is sent to another email address the user provided before.
idv_preregistered_phone
User enters code sent to their preregistered phone.
internal_two_factor
Login challenge method Internal Two Factor.
knowledge_account_creation_date
A challenge that requires the user to provide the approximate date their account was created.
knowledge_cloud_pin
A challenge based on the user's cloud service PIN.
knowledge_date_of_birth
A challenge that requires the user to provide the date of birth registered on their Google Account.
knowledge_domain_title
A challenge that asks the user to provide their domain title (organization name).
knowledge_employee_id
Login challenge method Knowledge Employee Id.
knowledge_historical_password
A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
knowledge_last_login_date
A challenge that asks the user the approximate date of their last sign-in.
knowledge_lockscreen
A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
knowledge_preregistered_email
User proves knowledge of preregistered email.
knowledge_preregistered_phone
User proves knowledge of preregistered phone.
knowledge_real_name
A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
knowledge_secret_question
A challenge that requires the user to provide the answer to a question they chose.
knowledge_user_count
A challenge that asks the user to provide number of users in the domain.
knowledge_youtube
A challenge based on the user's knowledge of their YouTube account details.
login_location
User enters from where they usually sign in.
manual_recovery
The user can recover their account only with their admin’s help.
math
A challenge requiring the solution of a mathematical equation.
none
No login challenge was faced.
offline_otp
User enters OTP code they get from settings on their phone (android only).
oidc
A challenge that uses the OIDC protocol.
other
Login challenge method other.
outdated_app_warning
A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
parent_auth
A challenge requiring authorization from a parent or guardian.
passkey
A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
password
Password.
recaptcha
A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
rescue_code
A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
same_device_screenlock
A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
saml
The user provides a SAML assertion from a SAML identity provider.
security_key
User passes the security key cryptographic challenge.
security_key_otp
Login challenge method Security Key OTP.
time_delay
An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
userless_fido
A FIDO challenge that’s not tied to a specific user.
web_approval
A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.

login_  
challenge_  
status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

sensitive_  
action_  
name

string

Description for sensitive action name in risky sensitive action challenged event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= risky_sensitive_action_allowed 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
was allowed to attempt sensitive action: {sensitive_action_name} 
. This action might be restricted based on privileges or other limitations.

Sensitive action blocked

Event details

Event name

risky_sensitive_action_blocked

Parameters

is_  
suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

false
Boolean value false.
true
Boolean value true.

login_  
challenge_  
method

string

access_to_preregistered_email
A challenge requiring access to a verification email in the inbox.
assistant_approval
A challenge that lets the user approve authentication by a Google Assistant product.
backup_code
Asks user to enter a backup verification code.
captcha
A challenge to distinguish humans from automated bots using captcha.
cname
A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
cross_account
A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
cross_device
A challenge that requires the user to complete authentication on a secondary device.
deny
User sign-in is denied.
device_assertion
A challenge based on recognizing a previously used device.
device_preregistered_phone
A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
device_prompt
A challenge on the user’s mobile device.
extended_botguard
A challenge that uses a series of additional verification steps to ensure human interaction.
google_authenticator
Asks user to enter OTP from authenticator app.
google_prompt
Login challenge method Google Prompt.
idv_any_email
A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
idv_any_phone
User asked for phone number and then enters code sent to that phone.
idv_preregistered_email
A challenge in which a code is sent to another email address the user provided before.
idv_preregistered_phone
User enters code sent to their preregistered phone.
internal_two_factor
Login challenge method Internal Two Factor.
knowledge_account_creation_date
A challenge that requires the user to provide the approximate date their account was created.
knowledge_cloud_pin
A challenge based on the user's cloud service PIN.
knowledge_date_of_birth
A challenge that requires the user to provide the date of birth registered on their Google Account.
knowledge_domain_title
A challenge that asks the user to provide their domain title (organization name).
knowledge_employee_id
Login challenge method Knowledge Employee Id.
knowledge_historical_password
A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
knowledge_last_login_date
A challenge that asks the user the approximate date of their last sign-in.
knowledge_lockscreen
A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
knowledge_preregistered_email
User proves knowledge of preregistered email.
knowledge_preregistered_phone
User proves knowledge of preregistered phone.
knowledge_real_name
A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
knowledge_secret_question
A challenge that requires the user to provide the answer to a question they chose.
knowledge_user_count
A challenge that asks the user to provide number of users in the domain.
knowledge_youtube
A challenge based on the user's knowledge of their YouTube account details.
login_location
User enters from where they usually sign in.
manual_recovery
The user can recover their account only with their admin’s help.
math
A challenge requiring the solution of a mathematical equation.
none
No login challenge was faced.
offline_otp
User enters OTP code they get from settings on their phone (android only).
oidc
A challenge that uses the OIDC protocol.
other
Login challenge method other.
outdated_app_warning
A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
parent_auth
A challenge requiring authorization from a parent or guardian.
passkey
A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
password
Password.
recaptcha
A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
rescue_code
A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
same_device_screenlock
A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
saml
The user provides a SAML assertion from a SAML identity provider.
security_key
User passes the security key cryptographic challenge.
security_key_otp
Login challenge method Security Key OTP.
time_delay
An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
userless_fido
A FIDO challenge that’s not tied to a specific user.
web_approval
A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.

login_  
challenge_  
status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

sensitive_  
action_  
name

string

Description for sensitive action name in risky sensitive action challenged event.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= risky_sensitive_action_blocked 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
wasn't allowed to attempt sensitive action: {sensitive_action_name} 
.

Successful Login

A login attempt was successful.

Event details

Event name

login_success

Parameters

is_  
suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

false
Boolean value false.
true
Boolean value true.

login_  
challenge_  
method

string

access_to_preregistered_email
A challenge requiring access to a verification email in the inbox.
assistant_approval
A challenge that lets the user approve authentication by a Google Assistant product.
backup_code
Asks user to enter a backup verification code.
captcha
A challenge to distinguish humans from automated bots using captcha.
cname
A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
cross_account
A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
cross_device
A challenge that requires the user to complete authentication on a secondary device.
deny
User sign-in is denied.
device_assertion
A challenge based on recognizing a previously used device.
device_preregistered_phone
A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
device_prompt
A challenge on the user’s mobile device.
extended_botguard
A challenge that uses a series of additional verification steps to ensure human interaction.
google_authenticator
Asks user to enter OTP from authenticator app.
google_prompt
Login challenge method Google Prompt.
idv_any_email
A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
idv_any_phone
User asked for phone number and then enters code sent to that phone.
idv_preregistered_email
A challenge in which a code is sent to another email address the user provided before.
idv_preregistered_phone
User enters code sent to their preregistered phone.
internal_two_factor
Login challenge method Internal Two Factor.
knowledge_account_creation_date
A challenge that requires the user to provide the approximate date their account was created.
knowledge_cloud_pin
A challenge based on the user's cloud service PIN.
knowledge_date_of_birth
A challenge that requires the user to provide the date of birth registered on their Google Account.
knowledge_domain_title
A challenge that asks the user to provide their domain title (organization name).
knowledge_employee_id
Login challenge method Knowledge Employee Id.
knowledge_historical_password
A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
knowledge_last_login_date
A challenge that asks the user the approximate date of their last sign-in.
knowledge_lockscreen
A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
knowledge_preregistered_email
User proves knowledge of preregistered email.
knowledge_preregistered_phone
User proves knowledge of preregistered phone.
knowledge_real_name
A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
knowledge_secret_question
A challenge that requires the user to provide the answer to a question they chose.
knowledge_user_count
A challenge that asks the user to provide number of users in the domain.
knowledge_youtube
A challenge based on the user's knowledge of their YouTube account details.
login_location
User enters from where they usually sign in.
manual_recovery
The user can recover their account only with their admin’s help.
math
A challenge requiring the solution of a mathematical equation.
none
No login challenge was faced.
offline_otp
User enters OTP code they get from settings on their phone (android only).
oidc
A challenge that uses the OIDC protocol.
other
Login challenge method other.
outdated_app_warning
A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
parent_auth
A challenge requiring authorization from a parent or guardian.
passkey
A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
password
Password.
recaptcha
A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
rescue_code
A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
same_device_screenlock
A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
saml
The user provides a SAML assertion from a SAML identity provider.
security_key
User passes the security key cryptographic challenge.
security_key_otp
Login challenge method Security Key OTP.
time_delay
An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
userless_fido
A FIDO challenge that’s not tied to a specific user.
web_approval
A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.

login_  
type

string

The type of credentials used to attempt login. Possible values:

exchange
The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
google_password
The user provides a Google account password.
reauth
The user is already authenticated but must reauthorize.
saml
The user provides a SAML assertion from a SAML identity provider.
unknown
Login type Unknown.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ login 
  
?eventName= login_success 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

 {actor} 
logged in

Login Audit Activity Events Stay organized with collections Save and categorize content based on your preferences.

2-step verification enrollment changed

2-step verification disable

2-step verification enroll

Account password changed

Account password change

Account recovery info changed

Account recovery email change

Account recovery phone change

Account recovery secret question/answer change

Account warning

Leaked password

Passkey enrolled

Passkey removed

Suspicious login blocked

Suspicious login from less secure app blocked

Suspicious programmatic login blocked

User signed out due to suspicious session cookie

User suspended

User suspended (spam through relay)

User suspended (spam)

User suspended (suspicious activity)

Advanced Protection enrollment changed

Advanced Protection enroll

Advanced Protection unenroll

Attack Warning

Government-backed Attack

Blocked sender settings changed

Blocked all future emails from the sender.

Email forwarding settings changed

Out of domain email forwarding enabled

Login

Failed Login

Login Challenge

Login Verification

Logout

Sensitive action allowed

Sensitive action blocked

Successful Login

Login Audit Activity Events