Admin console Contact us

    Admin log event changes

    In an effort to make the reports for Admin log events more understandable, detailed, and precise, there are updates to some event names and types as well as reporting frequency and event conditions. Between now and August 2026, legacy and updated event names and types will be available. After August 2026, only the new event names and types will be available.

    Saved investigations will continue to work, but they will be based on legacy events and will stop working after August 2026. After August 2026, custom charts will be based on old data.

    Important: If you don't update rules that have changes to more than one event condition, you'll get increased alerts. Rules that have 2 conditions that are true will trigger an alert if only one condition is true. For example, if a rule triggers an alert for a change to a specific Gmail setting, you will get an alert for all Gmail setting changes.

    What you need to do

    Review the changes listed on this page. If you're using or relying on any of the events listed on this page, you might need to make changes to your existing queries, alerts, reports, and rules. Between now and August 2026, rules that are affected will be automatically migrated and you might need to make changes to your rules.

    Changes to Admin log events

    App access control

    Reports API & SecOps events[].name
    & BigQuery Export
    event_name     		Security & Audit and
    investigation tool event name    		 New events[].name & event_name New Security & Audit and investigation tool event name
    DISALLOW_SERVICE_FOR_
    OAUTH2_ACCESS
    		 API Access Blocked CHANGE_API_ACCESS API Access Changed
    ALLOW_SERVICE_FOR_
    OAUTH2_ACCESS
    		 API Access Allowed CHANGE_API_ACCESS API Access Changed
    ADD_TO_BLOCKED_OAUTH2
    _APPS
    		 App Added to Blocked List CHANGE_APP_ACCESS App Configuration Changed
    ADD_TO_LIMITED_OAUTH2
    _APPS
    		 App Added to Limited List CHANGE_APP_ACCESS App Configuration Changed
    ADD_TO_TRUSTED_OAUTH2
    _APPS
    		 App Added to Trusted Allowlist CHANGE_APP_ACCESS App Configuration Changed
    ADD_TO_TRUSTED_BY_
    OAUTH_SCOPE_OAUTH2_
    APPS
    		 App added to Trusted by OAuth Scope list CHANGE_APP_ACCESS App Configuration Changed
    ADD_TO_CAA_EXEMPT
    _OAUTH2_APPS
    		 App allowlisted for exemption from API access blocks CHANGE_APP_ACCESS App Configuration Changed
    REMOVE_FROM_TRUSTED
    _OAUTH2_APPS
    		 App Removed from Trusted Allowlist CHANGE_APP_ACCESS App Configuration Changed
    REMOVE_FROM_CAA_
    EXEMPT_OAUTH2_APPS
    		 App no longer allowlisted for exemption from API access blocks CHANGE_APP_ACCESS App Configuration Changed
    REMOVE_FROM_BLOCKED
    _OAUTH2_APPS
    		 App Removed from Blocked List CHANGE_APP_ACCESS App Configuration Changed
    REMOVE_FROM_LIMITED
    _OAUTH2_APPS
    		 App removed from Limited list CHANGE_APP_ACCESS App Configuration Changed
    REMOVE_FROM_TRUSTED
    _BY_OAUTH_SCOPE_
    OAUTH2_APPS
    		 App removed from Trusted by OAuth Scope list CHANGE_APP_ACCESS App Configuration Changed
    BLOCK_ALL_THIRD_PARTY
    _API_ACCESS
    		 All third party API access blocked CHANGE_
    UNCONFIGURED_APPS
    _ACCESS    		 Unconfigured Apps Access Changed
    UNBLOCK_ALL_THIRD_
    PARTY_API_ACCESS
    		 All third party API access unblocked CHANGE_
    UNCONFIGURED_APPS
    _ACCESS    		 Unconfigured Apps Access Changed
    SIGN_IN_ONLY_THIRD_
    PARTY_API_ACCESS
    		 Allow Google Sign-in only third party API access CHANGE_
    UNCONFIGURED_APPS
    _ACCESS    		 Unconfigured Apps Access Changed
    UNDERAGE_BLOCK_ALL
    _THIRD_PARTY_API_
    ACCESS
    		 All third party API access blocked CHANGE_UNDERAGE
    _UNCONFIGURED_APPS
    _ACCESS    		 Under 18 Unconfigured Apps Access Changed
    UNDERAGE_SIGN_IN_
    ONLY_THIRD_PARTY_
    API_ACCESS
    		 Allow Google Sign-in only third party API access CHANGE_UNDERAGE
    _UNCONFIGURED_APPS
    _ACCESS    		 Under 18 Unconfigured Apps Access Changed

    Google Drive settings with inherited values

    Previously, Google Drive settings that were overridden from an inherited value or reverted to an inherited value used the same log event identifiers, with INHERIT_FROM_PARENT in the old value and new value attributes:

    • Security & Audit and investigation tool: The Change Drive Setting event name showed INHERIT_FROM_PARENT in Old value and New value
    • Reports API & SecOps: events[].type=DOCS_SETTINGS , events[].name=CHANGE_DOCS_SETTING showed INHERIT_FROM_PARENT in admin.old_value and admin.new_value
    • BigQuery Export: events_type=DOCS_SETTINGS , event_name=CHANGE_DOCS_SETTING showed INHERIT_FROM_PARENT in admin.old_value and admin.new_value
    The updated Admin log events use the following event identifiers instead of INHERIT_FROM_PARENT values:
    Tool Override an inherited value Change an existing value Revert to an inherited value
    Security & Audit and investigation tool Event name: Create
    Application Setting    		 Event name: Change
    Application Setting    		 Event name: Delete
    Application Setting
    Reports API & SecOps Event type: APPLICATION_SETTINGS
    Event name: CREATE_APPLICATION_ SETTING    		 Event type: APPLICATION_SETTINGS
    Event name: CHANGE_APPLICATION_ SETTING    		 Event type: APPLICATION_SETTINGS
    Event name: DELETE_APPLICATION_ SETTING
    BigQuery Export Event type: APPLICATION_SETTINGS
    Event name: CREATE_APPLICATION_ SETTING    		 Event type: APPLICATION_SETTINGS
    Event name: CHANGE_APPLICATION_ SETTING    		 Event type: APPLICATION_SETTINGS
    Event name: DELETE_APPLICATION_ SETTING

      Drive settings

      The table below lists updated log event information for the following Admin log event attributes and values:

      • Security & Audit and investigation tool : Setting name, Old value, New value
      • BigQuery Export : admin.setting_name , admin.old_value , admin.new_value
      • Reports API & SecOps : events[].parameters[].name=setting_name , events[].parameters[].name=OLD_VALUE or NEW_VALUE

      Old event

      Updated event

      Setting name

      Old or new value

      Setting name

      Old or new value

      SHARING_OUTSIDE_ DOMAIN

      SHARING_NOT_ ALLOWED_BUT_MAY _RECEIVE_FILES

      ExternalSharing external_sharing_mode

      DISALLOWED

      ExternalSharing allow_receiving_external _files

      true

      SHARING_NOT_ ALLOWED

      ExternalSharing external_sharing_mode

      DISALLOWED

      ExternalSharing allow_receiving_external _files

      false

      TRUSTED_DOMAINS_ ALLOWED_WITH_ WARNING_MAY_ RECEIVE _FILES_ FROM_ ANYONE

      ExternalSharing external_sharing_mode

      ALLOWLISTED_ DOMAINS

      ExternalSharing warn_for_sharing_ outside_allowlisted_ domains

      true

      ExternalSharing allow_receiving_files_ outside_allowlisted_ domains changed

      true

      TRUSTED_DOMAINS_ ALLOWED_WITH_ WARNING

      ExternalSharing external_sharing_mode

      ALLOWLISTED_ DOMAINS

      ExternalSharing warn_for _sharing_outside_ allowlisted_domains

      true

      ExternalSharing allow_ receiving_files_outside_ allowlisted_domains changed

      false

      TRUSTED_DOMAINS_ ALLOWED_AND_MAY_ RECEIVE_FILES_FROM _ANYONE

      ExternalSharing external_sharing_mode

      ALLOWLISTED_ DOMAINS

      ExternalSharing warn_ for_sharing_outside_ allowlisted_domains

      false

      ExternalSharing allow_ receiving_files_outside_ allowlisted_domains changed

      true

      TRUSTED_DOMAINS_ ALLOWED

      ExternalSharing external_sharing_mode

      ALLOWLISTED_ DOMAINS

      ExternalSharing warn_for_sharing _outside_allowlisted_ domains

      false

      ExternalSharing allow_receiving_files _outside_allowlisted_ domains changed

      false

      SHARING_ALLOWED_ WITH_WARNING

      ExternalSharing external_sharing_mode

      ALLOWED

      ExternalSharing warn_for_external_ sharing

      true

      SHARING_ALLOWED

      ExternalSharing external_sharing_mode

      ALLOWED

      ExternalSharing warn_for_external_ sharing

      false

      SHARING_INVITES_TO_ NON_GOOGLE_ ACCOUNTS

      NOT_ALLOWED

      ExternalSharing allow_non_google_ invites

      false

      ANONYMOUS_ PREVIEW

      ExternalSharing allow_non_google_ invites

      true

      PUBLISHING_TO_WEB


      NOT_ALLOWED

      ExternalSharing allow_publishing_files

      false

      ALLOWED

      true

      SHARING_ACCESS_ CHECKER_OPTIONS




      NAMED_PARTIES_ ONLY

      ExternalSharing access_checker_ suggestions



      RECIPIENTS_ONLY

      DOMAIN_OR_NAMED _PARTIES

      RECIPIENTS_OR_ AUDIENCE

      ALL

      RECIPIENTS_OR_ AUDIENCE_OR_ PUBLIC

      SHARING_TEAM_DRIVE _CROSS_DOMAIN_ OPTIONS




      CROSS_DOMAIN_ FROM_INTERNAL_OR _EXTERNAL

      ExternalSharing allowed_parties _for_distributing_ content



      ALL_ELIGIBLE_ USERS

      CROSS_DOMAIN_ FROM_INTERNAL_ ONLY

      ELIGIBLE_INTERNAL _USERS

      CROSS_DOMAIN_ MOVES_BLOCKED

      NONE

      DEFAULT_LINK_ SHARING_FOR_NEW _DOCS





      PRIVATE

      GeneralAccessDefault default_file_access





      PRIVATE_TO_OWNER

      PEOPLE_WITH_LINK

      PRIMARY_ AUDIENCE_WITH_ LINK

      PUBLIC

      PRIMARY_ AUDIENCE_WITH_ LINK_OR _SEARCH

      DOCS_OFFLINE_ ENABLED



      false

      DocsOffline enable_docs_offline


      false

      true

      true

      ENABLE_DRIVE_APPS

      false

      DriveSdk enable_drive_sdk_api _access

      false

      true

      true

      Gmail settings

      For all affected settings in Reports API & SecOps:

      • events[].type EMAIL_SETTINGS is renamed to APPLICATION_SETTINGS
      • events[].parameters[].name= USER_DEFINED_SETTING_NAME is moved to events[].parameters[].name= SETTING_METADATA.USER_DEFINED_NAME

      For all affected settings in BigQuery Export:

      • event_type EMAIL_SETTINGS is renamed to APPLICATION_SETTINGS
      • admin.user_defined_setting_name is moved to admin.setting_metadata.user_defined_name

      Gmail setting

      		 Security & Audit and
      investigation tool      		 Reports API & SecOps BigQuery Export

      Mail delegation

      Change Email Setting is renamed to Change Application Setting

      ENABLE_SENDER_ ATTRIBUTION is renamed to MailDelegation sender_attribution_ desired

      events[].name
      CHANGE_EMAIL_SETTING is renamed to CHANGE_APPLICATION
      _SETTING

      events[]. parameters[].name ENABLE_SENDER_ ATTRIBUTION is renamed to MailDelegation sender _attribution_desired

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ENABLE_SENDER_ ATTRIBUTION is renamed to MailDelegation sender_attribution _desired

      Image URL proxy allowlist

      Change Email Setting is renamed to Change Application Setting

      NUMBER_OF_EMAIL _IMAGE_URL_ WHITELIST _PATTERNS is renamed to MailImage Proxy external _image_bypass_ pattern

      events[].name
      CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION
      _SETTING

      events[]. parameters[].name NUMBER_OF_EMAIL_ IMAGE_URL_WHITELIST _PATTERNS is renamed to MailImageProxy external _image_bypass_pattern

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name NUMBER_OF_EMAIL_ IMAGE_URL_WHITELIST _PATTERNS is renamed to MailImageProxy external_image_ bypass_pattern

      Compliance > Restrict delivery

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      RESTRICT_DELIVERY is renamed to RestrictDelivery rules walled_garden_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name RESTRICT_DELIVERY is renamed to RestrictDelivery rules walled_ garden_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL _SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name RESTRICT_DELIVERY is renamed to RestrictDelivery rules walled_garden_info or RuleState rule_state enabled

      Compliance > Comprehensive mail storage

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      COMPREHENSIVE_ MAIL _STORAGE is renamed to RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name COMPREHENSIVE_ MAIL_STORAGE is renamed to RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name COMPREHENSIVE_MAIL _STORAGE is renamed to RuleState rule_state enabled

      Spam, phishing, and malware > Inbound gateway

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      INBOUND_GATEWAY is renamed to RuleState rule_state enabled or InboundGateway {field}

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name INBOUND_GATEWAY is renamed to RuleState rule_state enabled or Inbound Gateway {field}

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name INBOUND_GATEWAY is renamed to RuleState rule_state enabled or InboundGateway {field}

      Routing > Email forwarding using recipient address map

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      ALIAS_TABLE is renamed to AliasTable rules alias_table_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name ALIAS_TABLE is renamed to AliasTable rules alias_table_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name ALIAS_TABLE is renamed to AliasTable rules alias_table_info or RuleState rule_state enabled

      Compliance > Content compliance

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      CONTENT_ COMPLIANCE is renamed to ContentCompliance rules content _compliance _info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name CONTENT_ COMPLIANCE is renamed to ContentCompliance rules content_ compliance_ info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING


      admin.setting_name
      CONTENT_ COMPLIANCE is renamed to ContentCompliance rules content_compliance _info or RuleState rule_state enabled

      Default Routing > Default Routing

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      DOMAIN_DEFAULT is renamed to DomainDefault rules domain_default_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name DOMAIN_DEFAULT is renamed to DomainDefault rules domain_default_info or RuleState rule_state enabled

      Event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name DOMAIN_DEFAULT is renamed to DomainDefault rules domain_default_info or RuleState rule_state enabled

      Routing > Routing

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      UNIFIED_MAIL_ ROUTING is renamed to Routing rules routing_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name UNIFIED_MAIL_ ROUTING is renamed to Routing rules routing_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name UNIFIED_MAIL_ ROUTING is renamed to Routing rules routing_info or RuleState rule_state enabled

      Routing > Inbound email journal acceptance in Vault

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      INBOUND_EMAIL_ JOURNAL_ ACCEPTANCE is renamed to RuleState rule_state enabled or ExchangeJournal Ingestion {field}

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name INBOUND_ EMAIL_ JOURNAL_ ACCEPTANCE is renamed to RuleState rule_state enabled or ExchangeJournal Ingestion {field}

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name INBOUND_EMAIL_ JOURNAL _ACCEPTANCE is renamed to RuleState rule_state enabled or ExchangeJournal Ingestion {field}

      Blocked senders

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      BLOCKED_SENDERS is renamed to BlockedSenders rules blocked_senders_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name BLOCKED_SENDERS is renamed to BlockedSenders rules blocked_senders_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name BLOCKED_SENDERS is renamed to BlockedSenders rules blocked_senders_info or RuleState rule_state enabled

      Routing > Third-party email archiving

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      OUTBOUND_EMAIL_ JOURNAL_ GENERATION is renamed to ExchangeJournal Generation rules exchange_journal_ generation _info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name OUTBOUND_EMAIL_ JOURNAL_ GENERATION is renamed to ExchangeJournal Generation rules exchange_journal _generation_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name OUTBOUND_EMAIL_ JOURNAL_GENERATION is renamed to ExchangeJournal Generation rules exchange_journal_ generation_info or RuleState rule_state enabled

      Routing > Non-Gmail mailbox

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      QUARANTINE_ SUMMARY is renamed to NonGmail Mailbox rules quarantine _summary _info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name QUARANTINE_ SUMMARY is renamed to NonGmailMailbox rules quarantine_summary _info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name QUARANTINE_ SUMMARY is renamed to NonGmailMailbox rules quarantine_summary_ info or RuleState rule_state enabled

      Routing > SMTP relay service

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      OUTBOUND_RELAY is renamed to RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name OUTBOUND_RELAY is renamed to RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name OUTBOUND_RELAY is renamed to RuleState rule_state enabled

      Spam, phishing, and malware > Security sandbox rules

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      SECURITY_SANDBOX_ RULE is renamed to DeepScanning rules deep_scanning_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name SECURITY_ SANDBOX_RULE is renamed to DeepScanning rules deep_scanning_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name SECURITY_SANDBOX_ RULE is renamed to DeepScanning rules deep_scanning_info or RuleState rule_state enabled

      Compliance > Secure transport (TLS) compliance

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      TLS_COMPLIANCE is renamed to TlsCompliance rules tls_compliance_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name TLS_ COMPLIANCE is renamed to TlsCompliance rules tls_compliance_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name TLS_COMPLIANCE is renamed to TlsCompliance rules tls_compliance_info or RuleState rule_state enabled

      Spam, phishing, and malware > Spam

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      SPAM_CONTROL is renamed to SpamOverride rules spam_override_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name SPAM_CONTROL is renamed to SpamOverride rules spam_override_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name SPAM_CONTROL is renamed to SpamOverride rules spam_override_info or RuleState rule_state enabled

      Compliance > Objectable content

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      OBJECTIONABLE_ CONTENT is renamed to Objectionable Content rules objectionable_content _info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name OBJECTIONABLE_ CONTENT is renamed to ObjectionableContent rules objectionable_ content_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name OBJECTIONABLE_ CONTENT is renamed to ObjectionableContent rules objectionable _content_ info or RuleState rule_state enabled

      Routing > Alternate secure route

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      ALTERNATE_SECURE _ROUTE is renamed to AlternateSecureRoute alternate_route_id or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name ALTERNATE_SECURE _ROUTE is renamed to AlternateSecure Route alternate_route_id or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name ALTERNATE_SECURE_ ROUTE is renamed to AlternateSecureRoute alternate_route_id or RuleState rule_state enabled

      Compliance > Attachment compliance

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      ATTACHMENT_ COMPLIANCE is renamed to Attachment Compliance rules attachment_ compliance_ info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name ATTACHMENT _COMPLIANCE was renamed to AttachmentCompliance rules attachment_compliance _info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name ATTACHMENT_ COMPLIANCE was renamed to AttachmentCompliance rules attachment_compliance _info or RuleState rule_state enabled

      Compliance > Restrict delivery for S/MIME

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      SMIME_RESTRICT_ DELIVERY is renamed to SmimeRestrict Delivery rules smime_restrict_ delivery_ info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name SMIME_RESTRICT_ DELIVERY is renamed to SmimeRestrictDelivery rules smime_restrict_ delivery_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name SMIME_RESTRICT_ DELIVERY is renamed to SmimeRestrictDelivery rules smime_restrict _delivery_info or RuleState rule_state enabled

      Hosts > Hosts

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      EMAIL_ROUTE is renamed to Mail DeliveryRoutes available_route receiving_route_info

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

      Compliance > Append footer

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      COMPLIANCE_FOOTER is renamed to AppendFooter rules append_footer_info or RuleState rule_state enabled

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name COMPLIANCE_FOOTER is renamed to AppendFooter rules append_footer_info or RuleState rule_state enabled

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name COMPLIANCE_FOOTER is renamed to AppendFooter rules append_footer_info or RuleState rule_state enabled

      Routing > Outbound Gateway

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

      User Settings > Email read receipts

      Change Email Setting is renamed to Change Application Setting

      EMAIL_READ_ RECEIPTS_ALLOWED_ DESTINATIONS is renamed to ReadReceipts {field name}

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name EMAIL_READ_ RECEIPTS_ALLOWED _DESTINATIONS is renamed to ReadReceipts {field name}

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name EMAIL_READ_RECEIPTS _ALLOWED_ DESTINATIONS is renamed to ReadReceipts {field name}

      User Settings > Name Format

      Change Email Setting is renamed to Change Application Setting

      DEFAULT_NAME_ FORMAT is renamed to NameFormat default_display_name _format

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name DEFAULT_NAME_ FORMAT is renamed to NameFormat default_ display_name_format

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name DEFAULT_NAME_ FORMAT is renamed to NameFormat default_display_name _format

      End User Access > Allow per user outbound gateways

      Change Email Setting is renamed to Change Application Setting

      ALLOW_NAME_ FORMAT_ CUSTOMIZATION is renamed to PerUserOutbound Gateway enable_smtp_relay

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name ALLOW_NAME_FORMAT _CUSTOMIZATION is renamed to PerUserOutbound Gateway enable_smtp_relay

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ALLOW_NAME_FORMAT _CUSTOMIZATION is renamed to PerUserOutbound Gateway enable_smtp_relay

      End User Access > Pop and Imap access

      Change Email Setting is renamed to Change Application Setting

      IMAP_ACCESS is renamed to ImapSettings {field name}

      ENABLE_POP_ACCESS is renamed to PopSettings pop_disabled

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name IMAP_ACCESS is renamed to ImapSettings {field name}

      admin.setting_name ENABLE_POP_ACCESS is renamed to PopSettings pop_disabled

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name IMAP_ACCESS is renamed to ImapSettings {field name}

      admin.setting_name ENABLE_POP_ACCESS is renamed to PopSettings pop_disabled

      End User Access > Automatic Forwarding

      Change Email Setting is renamed to Change Application Setting

      ENABLE_EMAIL_ AUTOFORWARDING is renamed to AutoForwarding auto_forwarding_ disabled

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name ENABLE_EMAIL _AUTOFORWARDING is renamed to AutoForwarding auto_ forwarding_disabled

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ENABLE_EMAIL_ AUTOFORWARDING is renamed to AutoForwarding auto_forwarding_ disabled

      End User Access > Google Workspace Sync

      Change Email Setting is renamed to Change Application Setting

      ENABLE_OUTLOOK_ SYNC is renamed to MailSyncSettings enable_outlook_sync

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name ENABLE_OUTLOOK_ SYNC is renamed to MailSyncSettings enable_outlook_sync

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ENABLE_OUTLOOK_ SYNC is renamed to MailSyncSettings enable_outlook_sync

      Setup > User email uploads

      Change Email Setting is renamed to Change Application Setting

      ENABLE_EMAIL_USER _IMPORT is renamed to MailAndContacts Import Settingscan _import_ mail_and_contacts

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name ENABLE_EMAIL_USER_ IMPORT is renamed to MailAndContactsImportSettings can_import_mail_and_ contacts

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ENABLE_EMAIL_USER_ IMPORT is renamed to MailAndContactsImportSettings can_import_mail_and_ contacts

      User settings > Themes

      Change Email Setting is renamed to Change Application Setting

      ENABLE_GMAIL_ SKINS is renamed to MailFrontendSettings skin_desired

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name ENABLE_GMAIL_SKINS is renamed to Mail FrontendSettings skin_desired

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ENABLE_GMAIL_SKINS is renamed to MailFrontendSettings skin_desired

      Compliance > Optical Character Recognition (OCR)

      Change Email Setting is renamed to Change Application Setting

      ENABLE_OPTICAL_ CHARACTER_ RECOGNITION is renamed to OcrSettings ocr_enabled

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name
      ENABLE_OPTICAL_
      CHARACTER_ RECOGNITION is renamed to OcrSettings ocr_enabled

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name ENABLE_OPTICAL_ CHARACTER_ RECOGNITION is renamed to OcrSettings ocr_enabled

      Manage Quarantines

      Change Email Setting is renamed to Change Application Setting

      EMAIL_QUARANTINE is renamed to AdminQuarantine admin_quarantine_ info {field}

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      events[]. parameters[].name EMAIL_QUARANTINE is renamed to AdminQuarantine admin_quarantine _info {field}

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

      admin.setting_name EMAIL_QUARANTINE is renamed to AdminQuarantine admin_quarantine_info {field}

      Manage Google Workspace Marketplace allowlist access

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      ENABLE_G_SUITE_ MARKETPLACE is renamed to Apps Access Setting web_display_option

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name ENABLE_G_SUITE _MARKETPLACE is renamed to Apps Access Setting web_display_option

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name ENABLE_G_SUITE_ MARKETPLACE is renamed to Apps Access Setting web_display_option

      Google Workspace Marketplace Apps

      Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

      The ENABLE_G_SUITE_ MARKETPLACE setting name is renamed to Allowlist app_access

      events[].name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

      events[]. parameters[].name ENABLE_G_ SUITE_MARKETPLACE is renamed to Allowlist app_access

      event_name CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

      admin.setting_name ENABLE_G_SUITE_ MARKETPLACE is renamed to Allowlist app_access

      User Settings > S/MIME

      Change Email Setting is renamed to Change Application Setting

      EMAIL_SMIME is renamed to SMime status

      events[].name CHANGE_EMAIL_ SETTING is renamed to CHANGE_ APPLICATION_SETTING

      events[]. parameters[].name EMAIL_SMIME is renamed to SMime status

      event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_ APPLICATION_SETTING

      admin.setting_name EMAIL_SMIME is renamed to SMime status

      New Gmail parameters

      Parameter name

      Nested parameter
      Reports API & SecOps
      BigQuery Export
      SETTING_METADATA

      USER_DEFINED_NAME

      events[]. parameters[].name= SETTING_METADATA. USER_ DEFINED_NAME

      admin.setting_metadata .user_defined_name

      DESCRIPTION

      events[]. parameters[].name= SETTING_METADATA. DESCRIPTION

      admin.setting_metadata .description

      rule_key

      events[]. parameters[].name= SETTING_METADATA. RULE_KEY

      admin.setting_metadata .rule_key

      rule_type

      events[]. parameters[].name= SETTING_METADATA. RULE_TYPE

      admin.setting_metadata .rule_type

      New Gmail events

      Changes to the following Gmail settings ( Apps > Google Workspace > Settings for Gmail ) in the Admin console will log an event in Admin log events:

      • User Settings > S/MIME > Allow SHA-1 globally (not recommended)
      • Spam, phishing, and malware > Inbound gateway > Gateway IPs > Add/Delete IP addresses / ranges
      • Authenticate email > DKIM authentication > Start/Stop Authentication
      • Compliance > Email and chat auto-deletion > Automatically delete email and chat messages older than the specified number of days > Modify the labels to exclude

      Changes to the settings will be logged as follows:

      • Security & Audit and investigation tool event: Change Application Setting
      • Reports API & SecOps: events[].name=CHANGE_APPLICATION_SETTING , events[].type=APPLICATION_SETTINGS
      • BigQuery Export: event_name=CHANGE_APPLICATION_SETTING , event_type=APPLICATION_SETTINGS

      Updating automatically migrated rules

      Instructions will be added here soon describing how you can find your rules that have been automatically migrated. For details on managing automatically migrated rules, go to Create and manage activity rules .

      Changes to event names in the security investigation tool

      For the affected event name in the following table:

      • Breaking columns are being removed from rule conditions. (A breaking column is a security investigation tool column that has a changed value.)
      • Rule creation for these events is being restricted.
      • Certain event names will have new conditions, as shown in Updates to event names later on this page.
      Security investigation tool event name
      Breaking column name
      Change email setting
      Setting name
      Resource name
      Change Gmail setting
      Setting name
      Resource name
      Create Gmail setting
      Setting name
      Resource name
      Delete Gmail setting
      Setting name
      Resource name
      Change Drive setting
      Setting name
      New value
      Old value
      Session control settings change
      New value
      Old value
      • API Access Blocked
      • API Access Allowed
      • App Added to Blocked List
      • App Added to Limited List
      • App Added to Trusted Allowlist
      • App added to Trusted by OAuth Scope list
      • App Removed from Blocked List
      • App removed from Limited list
      • App Removed from Trusted Allowlist
      • App removed from Trusted by OAuth Scope list
      • App allowlisted for exemption from API access blocks
      • App no longer allowlisted for exemption from API access blocks
      • All third party API access blocked
      • All third party API access unblocked
      • Allow Google Sign-in only third party API access
      • All third party API access blocked
      • Allow Google Sign-in only third party API access
      No breaking columns
      Toggle new app features
      New value

      Example

      For all such rule conditions joined by AND, we are removing the part of the condition that contains the changing event. This results in the final condition being reduced to a single condition.

      Given the following rule conditions: Event name IS Change email setting AND Setting name IS abc

      The automatically migrated rule will become: Event name IS Change email setting

      Risks: Increased alerts

      The number of alerts being triggered will increase if you are using rules with breaking parameters in conditions. Rules that require both conditions 1 and 2 to be true to trigger, now trigger even if only one condition is true. For example, if there was a rule to trigger for a Gmail setting change for a specific setting name, it now triggers for all Gmail setting changes.

      Migrating event conditions

      Event display name
      Current condition
      New condition
      Create email setting
      Event IS Change email setting
      Event IS Change application setting AND Setting Application IS Gmail
      Create Gmail setting
      Event IS Change Gmail setting
      Event IS Change application setting AND Setting Application IS Gmail
      Create Gmail setting
      Event IS Create Gmail setting
      Event IS Create application setting AND Setting Application IS Gmail
      Create Gmail setting
      Event IS Delete Gmail setting
      Event IS Delete application setting AND Setting Application IS Gmail
      Create Drive setting
      Event IS Change Drive setting
      ( Event IS Change application setting OR Event IS Create application setting OR Event IS Delete application setting) AND Setting Application IS Drive and Docs.
      Toggle New App Features
      Event IS Toggle New App Features
      Event IS Toggle New App Features Preference
      API Access Blocked
      Event IS API Access Blocked
      Event IS API Access Changed AND Old Value IS Unrestricted
      API Access Allowed
      Event IS API Access Allowed
      Event IS API Access Changed AND New Value IS Unrestricted
      App Added to Blocked List
      Event IS App Added to Blocked List
      Event IS App Configuration Changed AND New Value IS Blocked
      App Added to Limited List
      Event IS App Added to Limited List
      Event IS App Configuration Changed AND New Value IS Limited
      App Added to Trusted Allowlist
      Event IS App Added to Trusted Allowlist
      Event IS App Configuration Changed AND New Value IS Trusted
      App added to Trusted by OAuth Scope list
      Event IS App added to Trusted by OAuth Scope list
      Event IS App Configuration Changed AND New Value IS Specific Google data
      App Removed from Blocked List
      Event IS App Removed from Blocked List
      Event IS App Configuration Changed AND Old Value IS Blocked AND New Value IS Unconfigured
      App removed from Limited list
      Event IS App removed from Limited list
      Event IS App Configuration Changed AND Old Value IS Limited AND New Value IS Unconfigured
      App Removed from Trusted Allowlist
      Event IS App Removed from Trusted Allowlist
      Event IS App Configuration Changed AND Old Value IS Trusted AND New Value IS Unconfigured
      App removed from Trusted by OAuth Scope list
      Event IS App removed from Trusted by OAuth Scope list
      Event IS App Configuration Changed AND Old Value IS Specific Google data AND New Value IS Unconfigured
      App allowlisted for exemption from API access blocks
      Event IS App allowlisted for exemption from API access blocks
      Event IS App Configuration Changed AND New Value IS Trusted and Allowlisted for Context-Aware Access Exemption
      App no longer allowlisted for exemption from API access blocks
      Event IS App no longer allowlisted for exemption from API access blocks
      Event IS App Configuration Changed AND Old Value IS Trusted and Allowlisted for Context-Aware Access Exemption AND New Value IS Unconfigured
      All third party API access blocked
      Event IS All third party API access blocked
      Event IS Unconfigured Apps Access Changed AND New Value IS Don't Allow
      All third party API access unblocked
      Event IS All third party API access unblocked
      Event IS Unconfigured Apps Access Changed AND New Value IS Allow
      Allow Google Sign-in only third party API access
      Event IS Allow Google Sign-in only third party API access
      Event IS Unconfigured Apps Access Changed AND New Value IS Allow Google sign-in only
      All third party API access blocked
      Event IS All third party API access blocked
      Event IS Under 18 Unconfigured Apps Access Changed AND New Value IS Don't Allow
      Allow Google Sign-in only third party API access
      Event IS Allow Google Sign-in only third party API access
      Event IS Under 18 Unconfigured Apps Access Changed AND New Value IS Allow Google sign-in only
      Create a Mobile Website
      View Site in Mobile | Classic
      Share by: