Today we’re announcing the release of several enhancements to deepen the security investigation capabilities of the Workspace audit log, including expanded fields across many data sources.

These new enhancements include:
- Introduction of owner details for resource attribute
- Expansion of resource and actor attributes to additional data sources
- Introduction of new device info attribute for multiple data sources

New owner details for enhanced resource visibility in Security Investigation Tool and Audit logs

We’re adding a new “Owner details” field to the “Resources” attribute, making it easier to identify who owns a resource during security investigations. This field uses two primary components:
- Owner Type: Specifies the category of the owner, which can be an individual person (User), the entire organization (Customer), or a Group.
- Owner Identity: Contains specific details, such as IDs or email addresses, of that owner.

It will be available for all data sources wherever the resource field is present: Directory sync, Gmail, Meet, Groups, Keep, Looker Studio, Drive, Meet hardware, Chat, Admin, Data migration, Chrome, Voice, Calendar, Vault, Assignments and Groups enterprise log events.

Expanded coverage for resources and actor application info in Security Investigation tool / Audit and Investigation tool

To ensure you have a complete view across various Workspace services, we are expanding two critical attributes to additional log events:
- Resources: Expanding to Chrome, Voice, Vault, and Assignment log events
- Actor application info: Expanding to Chrome, Voice, Group, Meet, Assignments, and Admin data action log events

Comprehensive device information in Security Investigation tool / Audit and Investigation tool, Admin SDK (Reports API), SecOps, and BigQuery

Administrators can now gain crucial context about the devices used to perform actions. We are introducing the User device info attribute, which provides details such as User device ID, User device OS version, or User device type (e.g., DESKTOP_MAC, DESKTOP_WINDOWS).

This information is available for many log sources, including: Contact, Gemini workspace, Keep, Meet hardware, Chat, Chrome, Directory sync, Drive, Group, Meet, Rule, Looker studio and SAML log events.

Detail for Admin SDK (Reports API)

Getting started
- Admins: As the changes roll out, get started with your analysis in either the Audit and Investigation tool, Admin SDK (Reports API), SecOps, or BigQuery.
- End users: There is no end user setting for this feature.

Rollout pace
- Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on April 29, 2026

Availability
- Available for Google Workspace editions with Audit Log eligible licenses

Resources
- Google Workspace Admin Help: About the security investigation tool
- Google Developers Help: Admin SDK (Reports API)
- Google Workspace Admin Help: Export log events to Google Security Operations to monitor insider risk
- Google Workspace Admin Help: About reporting logs and BigQuery
- Google Workspace Admin Help: Compare Google Workspace editions