Workspace audit logs: New functionality and expanded event fields

We’re releasing a number of enhancements to Workspace audit logs, including:

- Log filtering enhancements for Resource fields in the security investigation tool for Gmail and Google Drive
- Updated Application and Network fields available in the Workspace audit log integration with Google Security Operations (SecOps)
- Expanded filtering in the AdminSDK Activities.List method
- New OwnerDetails field in the events published to the AdminSDK and BigQuery

Log filtering enhancements for Resource fields in the security investigation tool for Gmail and Google Drive

The security investigation tool now features improved filtering for the Resources attribute for Gmail and Google Drive log events. These updates enable administrators to run more granular searches, particularly by using classification labels. Because classification labels provide essential metadata for identifying sensitive content and enforcing security policies, the ability to filter audit logs by these labels is vital for analyzing data patterns and investigating security incidents.

We have also added filtering support for the Actor application info attribute for Gmail log events.

Updated Application and Network fields available in the Workspace audit log integration with Google Security Operations (SecOps)

The following fields will now be included in the audit events sent to SecOps, where applicable:

Expanded filtering in the AdminSDK Activities.List method

We’re adding filtering for the following fields in the Activities.List method of the AdminSDK:

- RegionCode: Filter audit logs belonging to a specified region using the networkInfoFilter field in the API request
- OAuthClientId: Filter audit logs where actions are done by a specified app using the applicationInfoFilter field in the API request

New OwnerDetails field in the events published to the AdminSDK and BigQuery

A new OwnerDetails field in Resource Details identifies who owns a resource using two primary fields:

- Owner Type: This specifies the category of the owner. The owner of the resource can be an individual person (USER), entire organization (CUSTOMER), or a GROUP. SHARED_DRIVE
- Owner Identity: This contains specific details (like IDs or email addresses) of that owner

Getting started

- Admins: As the changes roll out, get started with your analysis in either the Audit and Investigation tool, Admin SDK (Reports API), SecOps, or BigQuery.
- End users: There is no end user setting for this feature.

Rollout pace

- Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility)

Availability

- Available for Google Workspace with Audit Log eligible licenses. Note that Classification labels are available only for some editions.

Resources

- Google Workspace Admin Help: About the security investigation tool
- Create classification labels for your organization
- Admin SDK (Reports API)
- Export log events to Google Security Operations to monitor insider risk
- About reporting logs and BigQuery | Reports & monitoring | Google Workspace Help
- Compare Google Workspace editions