Audit Gmail Usage and Login Activity
Step-by-step guide for IT admins on auditing Gmail usage and login activity from the Google Workspace Admin Console using audit logs and reporting tools.
You receive a call from a staff member on a Monday morning. They did not send the emails their contacts are asking about. Their inbox looks different. Their sent items contain messages they have never seen before. Somewhere between Friday afternoon and Monday morning, their Gmail account was used by someone else.
How long did the unauthorised access last? What was read? What was sent? Who else on your domain might be affected?
If you cannot answer those questions within the first hour of that phone call, your organisation is operating without the visibility that Google Workspace already provides. The Admin Console contains a set of auditing tools that log every significant Gmail and login event across your entire domain. Email deliveries, login attempts, failed authentications, suspicious sign-in flags, forwarding rule changes, user activity volumes -- all of it is recorded, searchable, and actionable.
This guide covers each of those tools in detail: what they capture, how to navigate them, what to look for, and how to use the data to meet your obligations under Australian compliance frameworks including the Privacy Act 1988 and the ASD Essential Eight.
What this guide covers:
- Why auditing Gmail matters for Australian IT admins
- Email Log Search: tracing message delivery and routing
- Login audit logs: identifying suspicious authentication events
- User activity reports: monitoring Gmail usage patterns
- Security Investigation Tool: advanced querying for incident response
- Detecting and responding to suspicious logins
- Australian compliance context
- Building a regular audit schedule
Why Auditing Gmail Matters for Australian IT Admins
Email is the most heavily used and most frequently targeted application in any Google Workspace environment. It is where business decisions are communicated, contracts are negotiated, invoices are sent, and sensitive data is shared. It is also the primary entry point for phishing attacks and the most common channel through which data leaves an organisation without authorisation.
For Australian SMBs, the stakes of ignoring email audit data are regulatory as well as operational. Under the Notifiable Data Breaches scheme established by the Privacy Act 1988, organisations must notify the Office of the Australian Information Commissioner and affected individuals when a data breach is likely to result in serious harm. To assess whether a breach meets that threshold -- and to provide the required documentation -- you need to know exactly what happened in your Gmail environment: which accounts were accessed, when, from where, and what was sent or received during that window.
The Australian Signals Directorate's Essential Eight framework adds further weight. Maturity Level One requires organisations to maintain logging and monitoring capabilities. Email logs and login audit data are among the most accessible and relevant data sources for meeting this requirement at the SMB level.
Beyond compliance, the practical case is straightforward. An undetected compromised account can be used to send phishing emails to your clients, exfiltrate sensitive files, or forward every incoming message to an attacker's inbox. The longer it goes undetected, the greater the damage. Audit tools compress the detection window. Used consistently, they transform reactive incident response into proactive threat monitoring.
Email Log Search: Tracing Message Delivery and Routing
Email Log Search is the tool most IT admins reach for first when a message delivery question arises. It provides a per-message delivery history for your entire domain, showing exactly what happened to any email sent to or from a user on your domain.
Accessing Email Log Search
- Sign in to the Google Admin Console at admin.google.com with a Super Admin or Admin account that has the Reports privilege.
- Navigate to Reporting > Email Log Search.
- You will see a search interface with several filter fields.
Search Parameters
Email Log Search accepts multiple filters that can be combined to narrow results precisely:
- Date range: Set a start and end date. Email log data is retained for 30 days on all Google Workspace plans.
- Sender: Search by the full email address of the sender, or by domain (e.g., @yourdomain.com.au).
- Recipient: Search by the full address of the recipient.
- Message ID: If you have the message ID from a raw email header, this provides the most precise lookup. Find the message ID by opening an email in Gmail, clicking the three-dot menu, and selecting Show original.
- Subject: Partial subject matching works here, useful when a sender or recipient cannot recall the full subject line.
Reading the Results
Each result row shows a message event with the following fields: date and time, sender, recipient, subject, message ID, delivery status, and the last delivery event. Clicking into a specific result opens the delivery detail view, which shows every step in the message's journey through Google's infrastructure.
What to look for in the delivery detail:
- Delivered: The message arrived in the recipient's inbox as expected.
- Bounced: The message was rejected, typically because the recipient address does not exist or the destination server refused it.
- Rejected: Google's systems actively blocked the message, often due to spam classification or a content compliance rule trigger.
- Pending: The message is queued but has not yet been delivered. This can indicate a destination server issue.
- Routing events: If a routing rule redirected or duplicated the message, the delivery detail shows each routing action and the destination it was sent to.
Common Use Cases for Email Log Search
Tracking a missing email. A client says they sent an invoice three days ago and never received a reply. Use Email Log Search to check whether the message arrived at your domain, whether it was classified as spam, and whether your user's reply was delivered successfully.
Confirming DLP rule triggers. If a Data Loss Prevention rule is configured to block messages containing certain content, Email Log Search shows the rejected event with a reference to the compliance rule that triggered it. This is how you confirm the rule is functioning correctly, rather than blocking legitimate messages.
Investigating forwarding behaviour. If you suspect a user's account has an unauthorised forwarding rule in place, search for that user's sent items and look for messages being delivered to unexpected external addresses.
Post-incident documentation. After a suspected compromise, export Email Log Search results for the affected account and the timeframe of interest. This export forms part of the evidence record that your organisation must maintain under the Notifiable Data Breaches scheme.
Login Audit Logs: Identifying Suspicious Authentication Events
The Login audit log records every authentication event across your domain: successful sign-ins, failed attempts, two-step verification challenges, and events that Google's systems have flagged as suspicious. This is the most operationally important audit log for detecting account compromise.
Accessing the Login Audit Log
- Navigate to Reporting > Audit and investigation > Login log events in the Admin Console.
- Apply filters using the panel on the left or top of the screen.
What the Login Audit Log Captures
Each event record in the login audit log contains:
- Date and time of the authentication event (in UTC; adjust to AEST/AEDT when analysing events)
- User: The account that was used for the login attempt
- Event name: The type of event -- Login success, Login failure, Suspicious login, Logout, 2-step verification challenge, and so on
- IP address: The source IP from which the login was attempted
- Location: Google's geolocation of that IP address (country and sometimes city)
- Device type and browser: The client used to authenticate
- Login challenge method: Whether a two-step verification challenge was triggered and what type (Google prompt, authenticator app, SMS, backup code)
- Is suspicious: A boolean flag that Google's systems apply when the login event matches patterns associated with account compromise
Filtering for Meaningful Signals
The raw login log for a domain with dozens of users will contain hundreds of events per day, the vast majority of them normal. Efficient auditing means filtering for the events that carry risk.
Filter by Event Name: Suspicious Login
Set the Event Name filter to "Suspicious login", leave the other filters empty, and run the query over the full date range you are reviewing. This surfaces only events that Google has already identified as anomalous. Review each one. In many cases, you will find a legitimate explanation (a user travelling, a VPN endpoint, a new device). In some cases, you will find the event you needed to catch.
Filter by Location
If your organisation operates entirely within Australia, any login originating from a country where you have no staff warrants investigation. Filter the login log by a specific country name or use the IP address field to search for known suspicious IP ranges.
Filter for Failed Logins on a Specific Account
If a user reports unusual behaviour, search the login log for their email address and filter by Login failure events. A cluster of failed attempts followed by a successful login is a classic credential-stuffing pattern.
Filter by Date Range After a Suspected Incident
When investigating a reported compromise, set the date range to start 24 to 48 hours before the user first noticed anything unusual. Look for the first suspicious or anomalous login event, then trace forward to understand what the attacker accessed during their session.
Two-Step Verification Events
The login log records 2SV challenge events separately. You can filter for accounts where the 2SV challenge was bypassed or where the challenge method changed unexpectedly. If a user who previously authenticated with a hardware security key suddenly starts using SMS codes, that change is worth investigating. It may mean their account settings were modified, or that the attacker substituted a lower-assurance factor.
User Activity Reports: Monitoring Gmail Usage Patterns
Beyond individual message tracking and login events, Google Workspace provides aggregated user activity reports that show Gmail usage patterns at the account level. These reports are useful for identifying accounts with abnormal activity volumes, which can indicate either a compromised account or a departing employee systematically exporting data.
Accessing User Activity Reports
- Navigate to Reporting > Reports > Users in the Admin Console.
- The Users report provides a table with one row per active account.
- Gmail-specific columns include: emails received, emails sent, emails in inbox, storage used by Gmail, and whether the user has enabled 2-Step Verification.
What to Watch for in Usage Data
Unusual outbound email volume. A user who normally sends 30 to 50 emails per day suddenly sending 300 in a single day warrants a closer look. This pattern is consistent with either spam sending from a compromised account or bulk data exfiltration via email.
Storage anomalies. A significant increase in a user's Gmail storage within a short window can indicate that large attachments are being staged in drafts or that the account is being used to store data it should not be holding.
Zero activity following a period of normal usage. If a user's Gmail activity drops to zero for several days and they have not taken leave, the account may have been suspended by Google, locked out due to a security issue, or the user may be operating from an account you are not aware of.
Downloading and Analysing Reports
User activity reports can be downloaded as CSV files for analysis in Google Sheets. For ongoing monitoring, consider exporting the report weekly and comparing each week's data against the previous period. Accounts that deviate significantly from their historical baseline are the ones that deserve attention.
Security Investigation Tool: Advanced Querying for Incident Response
The Security Investigation Tool is available on Google Workspace Business Plus and Enterprise plans. It provides a structured query interface across multiple log types simultaneously, making it the most powerful option for incident response when you need to understand what happened across email, login, Drive, and admin activity within a single investigation.
Accessing the Security Investigation Tool
- Navigate to Security > Investigation tool in the Admin Console.
- Select a data source from the dropdown: Gmail log events, Login log events, Drive log events, Admin log events, or others.
- Build your query using the filter interface and run it to retrieve results.
Gmail Log Events in the Investigation Tool
When you select Gmail log events as the data source, you have access to a richer set of filters than Email Log Search provides:
- Message subject: Partial and exact match
- Sender and recipient: Full address or domain-level
- Source IP: The IP from which the message was sent
- DKIM and SPF authentication status: Useful for identifying spoofed messages
- Spam classification: Whether Google classified the message as spam, phishing, or clean
- DLP rule name: The specific compliance rule that matched, if any
- Attachment hash: For identifying whether a specific file was attached to messages across the domain
Cross-Log Queries
The real power of the Investigation Tool is its ability to pivot between log types. Start with a suspicious login event. Note the time, user, and IP address. Then pivot to Gmail log events for the same user and the same time window to see what was sent or received during the suspected compromise period. Then check Drive log events to see what files were accessed or downloaded. In a few minutes, you can reconstruct a detailed timeline of what an attacker did after gaining access to an account.
Taking Action From the Investigation Tool
The Investigation Tool is not purely read-only. From within an investigation, you can:
- Sign the user out of all active sessions: This immediately terminates any ongoing unauthorised access.
- Reset the user's password: Forces a new credential to be set, locking out anyone using the compromised credentials.
- Revoke OAuth tokens: Removes any third-party app access the account had granted, closing a secondary exfiltration pathway.
- Mark messages as phishing: Reclassifies a message across the domain, removing it from every user's inbox if it was distributed to multiple recipients.
These actions can be taken from within the investigation workflow, reducing the time between detection and containment.
Detecting and Responding to Suspicious Login Activity
The combination of the login audit log, the Investigation Tool, and the Alert Center creates a practical detection and response workflow for account compromise. Here is how to connect these tools into a usable process.
Enable Suspicious Login Alerts
Before any investigation begins, alerts should already be configured to notify you when suspicious logins occur.
- Navigate to Security > Alert center in the Admin Console.
- Locate the Suspicious login activity alert rule.
- Ensure it is enabled and that the notification recipients include at least one active IT admin email address.
- Also enable User suspended due to suspicious activity: Google will sometimes automatically suspend an account it determines has been compromised. This alert tells you when that happens.
These two alerts together provide near-real-time notification of the events most likely to indicate a compromise.
The Initial Response Workflow
When a suspicious login alert arrives, or when a user reports unusual account behaviour, follow this sequence:
Step 1: Check the login audit log for the affected user.
Navigate to Reporting > Audit and investigation > Login log events, filter by the user's email address, and set the date range to the past 48 hours. Look for login events from IP addresses or locations that do not match the user's known work locations. Note the timestamp of the first anomalous event.
Step 2: Check what happened during the suspicious session.
Use the Security Investigation Tool (or Email Log Search if you are on Business Starter or Standard) to search Gmail log events for the affected user during the window starting from the first anomalous login. Look for outbound messages sent to unknown external addresses, auto-forwarding rule changes, or large numbers of messages marked as read or deleted.
Step 3: Contain immediately if confirmed.
If the evidence points to a compromise, act without waiting to complete the full investigation. Sign the user out of all sessions, reset their password, and revoke their OAuth tokens. Then continue the investigation in parallel.
Step 4: Assess scope.
After containing the immediate threat, assess whether other accounts may have been affected. If the compromised account was used to send phishing emails internally, search the Gmail log for recipients of those messages and check their login logs for subsequent suspicious events.
Step 5: Document and notify.
Export the relevant log data and compile a timeline. If the breach meets the threshold for notification under the Notifiable Data Breaches scheme -- specifically, if the exposed data is likely to result in serious harm to any individual -- prepare your notification to the OAIC and affected individuals. The 30-day timeline for notification begins from the date you become aware of the eligible data breach.
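Steps 1, 2 and 4 of this workflow can be worked through programmatically once the login and Gmail events for the affected user have been exported. The script below is an added example, not Google's code or any Admin Console feature: the event records are constructed, their field names are an assumption rather than the Investigation Tool's export schema, and the home country, internal domain and user are placeholders.

```python
"""Reconstruct the post-compromise timeline (Steps 1, 2 and 4 of the workflow).
Added example, not Google's code. The records below are constructed to resemble
Login log events and Gmail log events for one user; the field names are an
assumption, not the Investigation Tool's export schema. Times are UTC.
"""
from datetime import datetime

HOME_COUNTRIES = {"Australia"}
INTERNAL_DOMAIN = "example.com.au"
USER = "bob@example.com.au"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed Login log events for the affected user.
LOGIN_EVENTS = [
    {"time": ts("2024-05-03T05:00:00Z"), "ip": "203.0.113.15",
     "country": "Australia", "is_suspicious": False},
    {"time": ts("2024-05-04T01:05:12Z"), "ip": "198.51.100.7",
     "country": "Netherlands", "is_suspicious": True},
]
# Constructed Gmail log events for the same user.
GMAIL_EVENTS = [
    {"time": ts("2024-05-03T06:10:00Z"), "event": "message_sent",
     "recipient": "client@partner.example", "subject": "Re: quote"},
    {"time": ts("2024-05-04T01:09:00Z"), "event": "forwarding_rule_created",
     "recipient": "drop@mail.example.net", "subject": ""},
    {"time": ts("2024-05-04T01:12:00Z"), "event": "message_sent",
     "recipient": "alice@example.com.au", "subject": "Updated invoice"},
    {"time": ts("2024-05-04T01:13:00Z"), "event": "message_sent",
     "recipient": "carol@example.com.au", "subject": "Updated invoice"},
    {"time": ts("2024-05-04T01:20:00Z"), "event": "message_sent",
     "recipient": "drop@mail.example.net", "subject": "Fwd: Board papers"},
]

def first_anomalous_login(logins):
    """Step 1: earliest login flagged suspicious or from a country with no staff."""
    for ev in sorted(logins, key=lambda e: e["time"]):
        if ev["is_suspicious"] or ev["country"] not in HOME_COUNTRIES:
            return ev
    return None

def session_activity(gmail, start):
    """Step 2: Gmail events from the anomalous login onward, each tagged by risk."""
    notes = []
    for ev in sorted(gmail, key=lambda e: e["time"]):
        if ev["time"] < start:
            continue                      # pre-compromise activity is baseline
        domain = ev["recipient"].rsplit("@", 1)[-1]
        if ev["event"] == "forwarding_rule_created":
            tag = "FORWARDING RULE"       # survives a password reset; remove it explicitly
        elif domain != INTERNAL_DOMAIN:
            tag = "EXTERNAL SEND"         # possible exfiltration or outbound phishing
        else:
            tag = "INTERNAL SEND"         # possible internal phishing (scope check)
        notes.append((ev["time"].isoformat(), tag, ev["recipient"], ev["subject"]))
    return notes

def scope_candidates(activity):
    """Step 4: internal recipients whose own login logs should be reviewed next."""
    return sorted({rcpt for _, tag, rcpt, _ in activity if tag == "INTERNAL SEND"})

def build_timeline(logins=LOGIN_EVENTS, gmail=GMAIL_EVENTS):
    """Tie the steps together into one record for the incident file (Step 5)."""
    start = first_anomalous_login(logins)
    if start is None:
        return {"start": None, "source_ip": None, "activity": [], "scope": []}
    activity = session_activity(gmail, start["time"])
    return {"start": start["time"].isoformat(), "source_ip": start["ip"],
            "activity": activity, "scope": scope_candidates(activity)}
```

The returned dictionary is the skeleton of the Step 5 timeline: the first anomalous login, everything the account did afterwards, and the internal recipients to check next.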
Australian Compliance Context
Google Workspace's Gmail audit tools directly support several compliance obligations relevant to Australian organisations.
Privacy Act 1988 and the Notifiable Data Breaches Scheme
The NDB scheme requires organisations covered by the Privacy Act to assess suspected breaches, take containment steps, and notify where required. The audit tools described in this guide provide:
- Evidence that the breach occurred (login audit log, suspicious login flags)
- Evidence of what data was accessed or transmitted (Email Log Search, Gmail log events in the Investigation Tool)
- Evidence of the remediation actions taken (admin log events recording password resets, session terminations, and OAuth revocations)
Without this evidence trail, a breach notification to the OAIC becomes speculative. With it, you can provide the specific, timestamped record that regulators expect.
ASD Essential Eight
The Essential Eight framework's logging and monitoring controls expect organisations to capture and retain authentication events and to review those logs regularly. Google Workspace's login audit log meets this requirement at the platform level. What most organisations lack is the review process -- the habit of looking at the data the logs are collecting.
At Maturity Level Two and above, the Essential Eight expects centralised log collection and defined incident response procedures. For organisations at this maturity level, consider enabling BigQuery Export under Reporting > BigQuery Export to stream audit log data to a Google Cloud project for long-term retention and SQL-based analysis.
APRA-Regulated Entities
For Australian financial services organisations subject to APRA's Prudential Practice Guide CPG 234 on Information Security, email audit logs and login monitoring form part of the evidence base for demonstrating adequate information security controls. The Security Investigation Tool's cross-log querying capability is particularly relevant for the incident response documentation that CPG 234 expects.
Building a Regular Audit Schedule
Audit tools are only effective if they are used consistently. A breach that goes undetected for six weeks because no one was looking at the login audit log causes far more damage than one caught on day two. The following schedule is designed to be sustainable for an IT admin or small IT team managing a Google Workspace environment with 20 to 200 users.
Weekly: 15-Minute Audit
Every Monday, spend 15 minutes reviewing:
- Login audit log: Suspicious logins. Filter for "Is suspicious: True" across the past seven days. Review each flagged event and confirm whether a legitimate explanation exists. Document your review.
- Login audit log: Failed login clusters. Filter for Login failure events in the past seven days, sort by user, and look for any account with more than five failed attempts. A cluster of failures followed by a success is a priority investigation.
- Alert Center: Open alerts. Navigate to Security > Alert center and review any alerts that have not been acknowledged or closed. Assign each open alert an action or close it with a documented reason.
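The two login-log items in this weekly review, together with the location and two-step verification checks described under Login Audit Logs, can be run over a CSV export of the login log instead of being clicked through. The script below is an added example, not Google's code: it assumes the export uses the column names shown in the constructed sample (map them to the real export headers), and it treats Australia as the only country where staff are located.

```python
"""Triage a Login log export: failed clusters, foreign logins, 2SV downgrades.
Added example, not Google's code. Assumes the Login log events were exported from
the Admin Console as CSV with the column names in LOGIN_LOG below (an assumption;
map them to the real export headers). Timestamps are UTC, as the log records them.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                # weekly audit: more than five failures
FAILURE_WINDOW = timedelta(hours=1)  # failures must fall inside this window
HOME_COUNTRIES = {"Australia"}       # organisation has staff only in Australia
FACTOR_RANK = {"security_key": 3, "google_prompt": 2, "authenticator": 2,
               "sms": 1, "backup_code": 1, "": 0}   # 2SV assurance, high to low

# Constructed sample export: one row per authentication event.
LOGIN_LOG = """\
date,user,event_name,ip_address,country,login_challenge_method
2024-05-03T05:00:00Z,bob@example.com.au,Login success,203.0.113.15,Australia,security_key
2024-05-03T22:10:05Z,alice@example.com.au,Login success,203.0.113.10,Australia,security_key
2024-05-04T01:02:11Z,bob@example.com.au,Login failure,198.51.100.7,Netherlands,
2024-05-04T01:02:40Z,bob@example.com.au,Login failure,198.51.100.7,Netherlands,
2024-05-04T01:03:02Z,bob@example.com.au,Login failure,198.51.100.7,Netherlands,
2024-05-04T01:03:30Z,bob@example.com.au,Login failure,198.51.100.7,Netherlands,
2024-05-04T01:04:01Z,bob@example.com.au,Login failure,198.51.100.7,Netherlands,
2024-05-04T01:04:25Z,bob@example.com.au,Login failure,198.51.100.7,Netherlands,
2024-05-04T01:05:12Z,bob@example.com.au,Login success,198.51.100.7,Netherlands,sms
"""

def parse_log(text):
    """Parse the CSV export and sort events chronologically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["date"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])

def failed_clusters(rows):
    """Users with more than FAILURE_THRESHOLD failures in FAILURE_WINDOW, then a success."""
    findings, recent = {}, defaultdict(list)
    for r in rows:
        user = r["user"]
        if r["event_name"] == "Login failure":
            recent[user] = [t for t in recent[user] if r["ts"] - t <= FAILURE_WINDOW]
            recent[user].append(r["ts"])
        elif r["event_name"] == "Login success":
            if len(recent[user]) > FAILURE_THRESHOLD:
                findings[user] = (len(recent[user]), r["ts"].isoformat(), r["ip_address"])
            recent[user] = []            # a success ends the cluster either way
    return findings

def foreign_logins(rows):
    """Successful logins from countries where the organisation has no staff."""
    return [(r["user"], r["country"], r["ip_address"]) for r in rows
            if r["event_name"] == "Login success" and r["country"] not in HOME_COUNTRIES]

def factor_downgrades(rows):
    """Users whose 2SV method is lower assurance than on their previous success."""
    last, findings = {}, []
    for r in rows:
        if r["event_name"] != "Login success":
            continue
        method, prev = r["login_challenge_method"], last.get(r["user"])
        if prev is not None and FACTOR_RANK.get(method, 0) < FACTOR_RANK.get(prev, 0):
            findings.append((r["user"], prev, method))
        last[r["user"]] = method
    return findings

def triage(text=LOGIN_LOG):
    """Run the three checks over one export and return their findings together."""
    rows = parse_log(text)
    return {"failed_clusters": failed_clusters(rows),
            "foreign_logins": foreign_logins(rows),
            "factor_downgrades": factor_downgrades(rows)}
```

Each finding still needs the manual review the weekly audit calls for; the script only narrows hundreds of routine events down to the handful worth a human's attention.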
Monthly: 30-Minute Audit
Once a month, extend the review to include:
- Email Log Search: Auto-forwarding check. Search for outbound messages where the sender is a system address (Gmail auto-forwarding uses a recognisable format) or where the recipient domain does not match any known business partner. This surfaces unauthorised forwarding rules.
- User activity report: Volume anomalies. Download the user report for the past 30 days and compare outbound email volumes against the prior month. Flag accounts where outbound volume has increased by more than 50% without a known business reason.
- Login audit log: New device types. Filter the login log for authentication events where the device or browser is unfamiliar. This catches cases where credentials have been used on a device that is not managed by your organisation.
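The volume-anomaly check above, and the baseline comparison described under Downloading and Analysing Reports, amount to diffing two CSV downloads of the Users report. The script below is an added example, not Google's code: the two reports are constructed, their column names are an assumption to be mapped to the real export headers, and the 50% threshold and minimum baseline are the parameters to tune.

```python
"""Compare two Users report exports and flag outbound-volume anomalies.
Added example, not Google's code. Assumes two CSV downloads of the Users report
(prior and current period) with the column names used below; those names are an
assumption and should be mapped to the real export headers. Data is constructed.
"""
import csv
import io

GROWTH_THRESHOLD = 0.50  # monthly audit: flag > 50% growth in outbound volume
MIN_BASELINE = 20        # below this, +50% is a handful of emails, not a signal

PRIOR_MONTH = """\
user,emails_sent,emails_received,storage_used_mb
alice@example.com.au,640,1900,4200
bob@example.com.au,410,1200,3100
carol@example.com.au,8,300,900
dave@example.com.au,520,1500,2800
"""
CURRENT_MONTH = """\
user,emails_sent,emails_received,storage_used_mb
alice@example.com.au,700,2100,4300
bob@example.com.au,1350,1150,3150
carol@example.com.au,30,310,910
dave@example.com.au,0,1480,2800
erin@example.com.au,220,800,500
"""

def load_report(text):
    """Map user -> numeric columns from one Users report CSV export."""
    return {row["user"]: {k: int(v) for k, v in row.items() if k != "user"}
            for row in csv.DictReader(io.StringIO(text))}

def volume_anomalies(prior_text, current_text, column="emails_sent"):
    """Compare each account's value in `column` against the prior period.

    Findings are keyed by user and take one of three shapes:
      ("increase", baseline, current, growth)  grew by more than the threshold
      ("silent", baseline, 0, None)            normal usage dropped to nothing
      ("new", 0, current, None)                no baseline yet: new account
    """
    prior, current = load_report(prior_text), load_report(current_text)
    findings = {}
    for user, cur in current.items():
        now, base = cur[column], prior.get(user, {}).get(column)
        if base is None:
            findings[user] = ("new", 0, now, None)
        elif now == 0 and base > 0:
            findings[user] = ("silent", base, 0, None)
        elif base >= MIN_BASELINE:
            growth = (now - base) / base
            if growth > GROWTH_THRESHOLD:
                findings[user] = ("increase", base, now, round(growth, 2))
    return findings
```

The same function covers the storage check from the usage-data section when called with column="storage_used_mb".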
Quarterly: One-Hour Audit
Each quarter, conduct a broader review:
- Security Investigation Tool: Trend analysis. Query Gmail log events for the quarter and look at external recipient volume, spam and phishing classification rates, and DLP rule trigger frequency. Compare against the previous quarter to identify trends.
- Compliance documentation. Export key audit data and archive it. For organisations subject to the Privacy Act, this archive serves as evidence of ongoing monitoring.
- Account lifecycle reconciliation. Compare the list of active Workspace accounts against your HR records. Accounts for departed employees that have not been suspended or deleted represent both a security risk and a potential data exposure. The login audit log will show whether any of those accounts had recent login events.
Recommended Resource
If your organisation is on Google Workspace Business Starter or Business Standard and finding the Admin Console audit tools limited -- particularly the absence of the Security Investigation Tool -- upgrading to Business Plus or an Enterprise plan unlocks significantly more capability for incident response and compliance documentation.
Google Workspace: https://referworkspace.app.goo.gl/
Business Plus includes the Security Investigation Tool, eDiscovery through Google Vault, and enhanced audit log retention. For organisations with active compliance obligations or a history of security incidents, the additional visibility is worth evaluating.
Conclusion
Gmail audit tools sit inside the Admin Console, collecting data around the clock. Email deliveries, login events, suspicious authentication flags, user activity volumes -- the logs are running whether or not anyone is looking at them. The difference between organisations that catch compromises quickly and those that find out weeks later is not access to the data. It is the habit of checking it.
The tools covered in this guide -- Email Log Search, the Login audit log, User activity reports, and the Security Investigation Tool -- give you a complete picture of what is happening in your Gmail environment. Email Log Search answers the message delivery questions. The login audit log surfaces the authentication anomalies. User activity reports reveal behavioural changes. The Investigation Tool lets you tie all of it together when you need to reconstruct a timeline.
Start with the weekly login audit. Enable the suspicious login and account suspension alerts if they are not already active. Run the monthly auto-forwarding check. Build the quarterly compliance export into your IT calendar. Those four habits, consistently executed, give you the monitoring posture that the Privacy Act, the Essential Eight, and sound IT governance all expect.
Your Gmail logs are already recording what is happening. The only question is whether you are reading them.
Need help configuring Gmail audit monitoring for your Google Workspace environment? Contact our team for a free consultation.