Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues.
As your organization's administrator, you can run searches on Context-Aware Access log events and take action based on the results. For example, you can view a record of actions to troubleshoot when a user is denied access to an app. Entries usually appear within an hour of when the user's access is denied. For more information, go to Context-Aware Access overview.
Run a search for log events
Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.
Attribute descriptions
For this data source, you can use the following attributes when searching log event data:
Attribute | Description |
---|---|
Access level applied | The access levels applied by the admins for the specific app. If one of them is satisfied, the user's access will be granted. |
Access level satisfied | The access levels that the user successfully met during the access evaluation. If at least one of the access levels from the applied attribute falls under Access level satisfied, then it's an Access grant event, which is not shown in CAA audit logs. |
Access level unsatisfied | All the access levels that the user didn't meet during the access evaluation. If all of the access levels from the Access level applied attribute appear in this list, then access is denied. |
Actor | Email address of the user who performed the action |
Actor group name | The group name of the actor. For more information, go to Filtering results by Google Group. To add a group to your filtering groups allowlist: |
Actor organizational unit | Organizational unit of the actor |
Application | Can be either: |
Blocked API access | The API of the application the user was denied access to. For API access, the API that the calling application was blocked from accessing. |
Date | Date and time of the event (displayed in your browser's default time zone) |
Device ID | Device ID, as shown in Admin console Home page. If the device could not be detected, this value could be unknown. |
Device state | State of the device used to perform this access, for example, Normal, Out of sync (stale or old), Cross organization (device doesn't belong to your organization), or No device signals (device cannot be detected). When the device ID is unknown and the Device state attribute says No device signals, the user's device doesn't have reporting agents, such as endpoint verification or mobile device management (MDM). |
Device risks | The security risks on the device that caused the user to be warned or blocked, due to a Security advisor for app access protection policy. |
Event | The logged event action: |
IP address | IP address of the actor |
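The grant and deny rule and the Device state values from the table above, applied to exported log rows to sort denials by likely cause. This is an added example, not Google's code; the CSV layout, the `;` separator inside multi-value cells, the follow-up wording and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names mirror the attributes on this page; the
# CSV layout and the ";" separator inside multi-value cells are assumptions.
SAMPLE = """\
Actor,Access level applied,Access level satisfied,Access level unsatisfied,Device ID,Device state
alice@example.com,corp_device;corp_network,,corp_device;corp_network,unknown,No device signals
bob@example.com,corp_device,,corp_device,dev-1234,Out of sync
carol@example.com,corp_device;corp_network,,corp_device,dev-5678,Normal
dave@example.com,corp_device,,corp_device,dev-9999,Cross organization
erin@example.com,corp_network,,corp_network,dev-4321,Normal
"""

# Device state values come from this page; the follow-up wording is this example's.
NEXT_STEP = {
    "No device signals": "no reporting agent (endpoint verification or MDM)",
    "Out of sync": "device data is stale",
    "Cross organization": "device belongs to another organization",
    "Normal": "device is fine; review the access level conditions",
}

def levels(cell):
    """Split a multi-value access level cell into a set of names."""
    return {name.strip() for name in cell.split(";") if name.strip()}

def triage(row):
    """Return (actor, finding) for one exported log row."""
    applied = levels(row["Access level applied"])
    satisfied = levels(row["Access level satisfied"])
    unsatisfied = levels(row["Access level unsatisfied"])
    if applied & satisfied:
        # One satisfied applied level means a grant, which is not logged.
        finding = "unexpected: an applied level is satisfied"
    elif not applied or not applied <= unsatisfied:
        # A denial needs every applied level in the unsatisfied list.
        missing = sorted(applied - unsatisfied) or ["no applied level"]
        finding = "incomplete record: " + ", ".join(missing)
    else:
        finding = NEXT_STEP.get(row["Device state"], "unrecognized device state")
    return row["Actor"], finding

def triage_export(text):
    return [triage(row) for row in csv.DictReader(io.StringIO(text))]

def summary(text):
    return Counter(finding for _, finding in triage_export(text))
```

Rows flagged as incomplete are worth rechecking in the Admin console before acting on them, since the exported lists do not account for every applied level.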
Manage log event data
Take action based on search results
Manage your investigations
Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.