Login Audit Activity Events

This document lists the events and parameters for various types of Login Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=login.

2-step verification enrollment changed

Events of this type are returned with type=2sv_change.

2-step verification disable

Event details
Event name 2sv_disable
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=2sv_disable&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has disabled 2-step verification

2-step verification enroll

Event details
Event name 2sv_enroll
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=2sv_enroll&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has enrolled for 2-step verification

Account password changed

Events of this type are returned with type=password_change.

Account password change

Event details
Event name password_edit
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=password_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account password

Account recovery info changed

Account recovery information changed. Events of this type are returned with type=recovery_info_change.

Account recovery email change

Event details
Event name recovery_email_edit
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=recovery_email_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account recovery email

Account recovery phone change

Event details
Event name recovery_phone_edit
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=recovery_phone_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account recovery phone

Account recovery secret question/answer change

Event details
Event name recovery_secret_qa_edit
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=recovery_secret_qa_edit&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has changed Account recovery secret question/answer

Account warning

Account warning event type. Events of this type are returned with type=account_warning.

Leaked password

Account warning event account disabled password leak description.

Event details
Event name account_disabled_password_leak
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_password_leak&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that someone else knows its password

Passkey enrolled

Passkey enrolled by user.

Event details
Event name passkey_enrolled
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=passkey_enrolled&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} enrolled a new passkey

Passkey removed

Passkey removed by user.

Event details
Event name passkey_removed
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=passkey_removed&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} removed passkey

Suspicious login blocked

Account warning event suspicious login description.

Event details
Event name suspicious_login
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_login&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious login for {affected_email_address}

Suspicious login from less secure app blocked

Account warning event suspicious login less secure app description.

Event details
Event name suspicious_login_less_secure_app
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_login_less_secure_app&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious login for {affected_email_address} from a less secure app

Suspicious programmatic login blocked

Account warning event suspicious programmatic login description.

Event details
Event name suspicious_programmatic_login
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=suspicious_programmatic_login&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Google has detected a suspicious programmatic login for {affected_email_address}

User signed out due to suspicious session cookie(Cookie Cutter Malware Event).

Event details
Event name user_signed_out_due_to_suspicious_session_cookie
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=user_signed_out_due_to_suspicious_session_cookie&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Suspicious session cookie detected for user {affected_email_address}

User suspended

Account warning event account disabled generic description.

Event details
Event name account_disabled_generic
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_generic&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled

User suspended (spam through relay)

Account warning event account disabled spamming through relay description.

Event details
Event name account_disabled_spamming_through_relay
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_spamming_through_relay&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that it was used to engage in spamming through SMTP relay service

User suspended (spam)

Account warning event account disabled spamming description.

Event details
Event name account_disabled_spamming
Parameters
affected_email_address

string

Email-id of the user affected by the event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_spamming&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has become aware that it was used to engage in spamming

User suspended (suspicious activity)

Account warning event account disabled hijacked description.

Event details
Event name account_disabled_hijacked
Parameters
affected_email_address

string

Email-id of the user affected by the event.

login_timestamp

integer

Login time of account warning event in micros.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=account_disabled_hijacked&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Account {affected_email_address} disabled because Google has detected a suspicious activity indicating it might have been compromised

Advanced Protection enrollment changed

Events of this type are returned with type=titanium_change.

Advanced Protection enroll

Event details
Event name titanium_enroll
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=titanium_enroll&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has enrolled for Advanced Protection

Advanced Protection unenroll

Event details
Event name titanium_unenroll
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=titanium_unenroll&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has disabled Advanced Protection

Attack Warning

Attack Warning Event Type. Events of this type are returned with type=attack_warning.

Government-backed Attack

Government-backed attack warning event name.

Event details
Event name gov_attack_warning
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=gov_attack_warning&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} might have been targeted by government-backed attack

Blocked sender settings changed

Events of this type are returned with type=blocked_sender_change.

Blocked all future emails from the sender.

Blocked email address.

Event details
Event name blocked_sender
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=blocked_sender&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has blocked all future messages from {affected_email_address}.

Email forwarding settings changed

Events of this type are returned with type=email_forwarding_change.

Out of domain email forwarding enabled

Event details
Event name email_forwarding_out_of_domain
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=email_forwarding_out_of_domain&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} has enabled out of domain email forwarding to {email_forwarding_destination_address}.

Login

Login Event Type. Events of this type are returned with type=login.

Failed Login

A login attempt was unsuccessful.

Event details
Event name login_failure
Parameters
login_challenge_method

string

Login challenge method. Possible values:

  • access_to_preregistered_email
    A challenge requiring access to a verification email in the inbox.
  • assistant_approval
    A challenge that lets the user approve authentication by a Google Assistant product.
  • backup_code
    Asks user to enter a backup verification code.
  • captcha
    A challenge to distinguish humans from automated bots using captcha.
  • cname
    A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
  • cross_account
    A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
  • cross_device
    A challenge that requires the user to complete authentication on a secondary device.
  • deny
    User sign-in is denied.
  • device_assertion
    A challenge based on recognizing a previously used device.
  • device_preregistered_phone
    A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
  • device_prompt
    A challenge on the user’s mobile device.
  • extended_botguard
    A challenge that uses a series of additional verification steps to ensure human interaction.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_email
    A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_email
    A challenge in which a code is sent to another email address the user provided before.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_account_creation_date
    A challenge that requires the user to provide the approximate date their account was created.
  • knowledge_cloud_pin
    A challenge based on the user's cloud service PIN.
  • knowledge_date_of_birth
    A challenge that requires the user to provide the date of birth registered on their Google Account.
  • knowledge_domain_title
    A challenge that asks the user to provide their domain title (organization name).
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_historical_password
    A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
  • knowledge_last_login_date
    A challenge that asks the user the approximate date of their last sign-in.
  • knowledge_lockscreen
    A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • knowledge_real_name
    A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
  • knowledge_secret_question
    A challenge that requires the user to provide the answer to a question they chose.
  • knowledge_user_count
    A challenge that asks the user to provide number of users in the domain.
  • knowledge_youtube
    A challenge based on the user's knowledge of their YouTube account details.
  • login_location
    User enters from where they usually sign in.
  • manual_recovery
    The user can recover their account only with their admin’s help.
  • math
    A challenge requiring the solution of a mathematical equation.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • oidc
    A challenge that uses the OIDC protocol.
  • other
    Login challenge method other.
  • outdated_app_warning
    A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
  • parent_auth
    A challenge requiring authorization from a parent or guardian.
  • passkey
    A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
  • password
    Password.
  • recaptcha
    A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
  • rescue_code
    A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
  • same_device_screenlock
    A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
  • time_delay
    An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
  • userless_fido
    A FIDO challenge that’s not tied to a specific user.
  • web_approval
    A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.
login_failure_type

string

(Deprecated) The reason for the login failure. Possible values:

  • login_failure_access_code_disallowed
    The user does not have permission to login to the service.
  • login_failure_account_disabled
    The user's account is disabled.
  • login_failure_invalid_password
    The user's password was invalid.
  • login_failure_unknown
    The reason for the login failure is not known.
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_failure&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} failed to login

Login Challenge

A login was challenged to verify the user's identity. Any login challenges encountered during a login session are grouped into a single events entry. For example, if a user enters an incorrect password twice, then enters the correct password, which is then followed by a two-step verification using a security key, the events field of the activities.list response looks like the following: 

"events": [
  {
    "type": "login",
    "name": "login_success",
    "parameters": [
      {
        "name": "login_type",
        "value": "google_password"
      },
      {
        "name": "login_challenge_method",
        "multiValue": [
          "password",
          "password",
          "password",
          "security_key"
        ]
      },
      {
        "name": "is_suspicious",
        "boolValue": false
      }
    ]
  }
]
 For more information about login challenges, see Verify a user’s identity with extra security.

Event details
Event name login_challenge
Parameters
login_challenge_method

string

Login challenge method. Possible values:

  • access_to_preregistered_email
    A challenge requiring access to a verification email in the inbox.
  • assistant_approval
    A challenge that lets the user approve authentication by a Google Assistant product.
  • backup_code
    Asks user to enter a backup verification code.
  • captcha
    A challenge to distinguish humans from automated bots using captcha.
  • cname
    A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
  • cross_account
    A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
  • cross_device
    A challenge that requires the user to complete authentication on a secondary device.
  • deny
    User sign-in is denied.
  • device_assertion
    A challenge based on recognizing a previously used device.
  • device_preregistered_phone
    A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
  • device_prompt
    A challenge on the user’s mobile device.
  • extended_botguard
    A challenge that uses a series of additional verification steps to ensure human interaction.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_email
    A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_email
    A challenge in which a code is sent to another email address the user provided before.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_account_creation_date
    A challenge that requires the user to provide the approximate date their account was created.
  • knowledge_cloud_pin
    A challenge based on the user's cloud service PIN.
  • knowledge_date_of_birth
    A challenge that requires the user to provide the date of birth registered on their Google Account.
  • knowledge_domain_title
    A challenge that asks the user to provide their domain title (organization name).
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_historical_password
    A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
  • knowledge_last_login_date
    A challenge that asks the user the approximate date of their last sign-in.
  • knowledge_lockscreen
    A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • knowledge_real_name
    A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
  • knowledge_secret_question
    A challenge that requires the user to provide the answer to a question they chose.
  • knowledge_user_count
    A challenge that asks the user to provide number of users in the domain.
  • knowledge_youtube
    A challenge based on the user's knowledge of their YouTube account details.
  • login_location
    User enters from where they usually sign in.
  • manual_recovery
    The user can recover their account only with their admin’s help.
  • math
    A challenge requiring the solution of a mathematical equation.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • oidc
    A challenge that uses the OIDC protocol.
  • other
    Login challenge method other.
  • outdated_app_warning
    A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
  • parent_auth
    A challenge requiring authorization from a parent or guardian.
  • passkey
    A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
  • password
    Password.
  • recaptcha
    A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
  • rescue_code
    A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
  • same_device_screenlock
    A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
  • time_delay
    An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
  • userless_fido
    A FIDO challenge that’s not tied to a specific user.
  • web_approval
    A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_challenge&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was presented with a login challenge

Login Verification

Login verification event name.

Event details
Event name login_verification
Parameters
is_second_factor

boolean

Whether the login verification is 2SV. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • access_to_preregistered_email
    A challenge requiring access to a verification email in the inbox.
  • assistant_approval
    A challenge that lets the user approve authentication by a Google Assistant product.
  • backup_code
    Asks user to enter a backup verification code.
  • captcha
    A challenge to distinguish humans from automated bots using captcha.
  • cname
    A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
  • cross_account
    A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
  • cross_device
    A challenge that requires the user to complete authentication on a secondary device.
  • deny
    User sign-in is denied.
  • device_assertion
    A challenge based on recognizing a previously used device.
  • device_preregistered_phone
    A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
  • device_prompt
    A challenge on the user’s mobile device.
  • extended_botguard
    A challenge that uses a series of additional verification steps to ensure human interaction.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_email
    A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_email
    A challenge in which a code is sent to another email address the user provided before.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_account_creation_date
    A challenge that requires the user to provide the approximate date their account was created.
  • knowledge_cloud_pin
    A challenge based on the user's cloud service PIN.
  • knowledge_date_of_birth
    A challenge that requires the user to provide the date of birth registered on their Google Account.
  • knowledge_domain_title
    A challenge that asks the user to provide their domain title (organization name).
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_historical_password
    A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
  • knowledge_last_login_date
    A challenge that asks the user the approximate date of their last sign-in.
  • knowledge_lockscreen
    A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • knowledge_real_name
    A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
  • knowledge_secret_question
    A challenge that requires the user to provide the answer to a question they chose.
  • knowledge_user_count
    A challenge that asks the user to provide number of users in the domain.
  • knowledge_youtube
    A challenge based on the user's knowledge of their YouTube account details.
  • login_location
    User enters from where they usually sign in.
  • manual_recovery
    The user can recover their account only with their admin’s help.
  • math
    A challenge requiring the solution of a mathematical equation.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • oidc
    A challenge that uses the OIDC protocol.
  • other
    Login challenge method other.
  • outdated_app_warning
    A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
  • parent_auth
    A challenge requiring authorization from a parent or guardian.
  • passkey
    A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
  • password
    Password.
  • recaptcha
    A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
  • rescue_code
    A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
  • same_device_screenlock
    A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
  • time_delay
    An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
  • userless_fido
    A FIDO challenge that’s not tied to a specific user.
  • web_approval
    A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_verification&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was presented with login verification

Logout

The user logged out.

Event details
Event name logout
Parameters
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=logout&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} logged out

Sensitive action allowed

Event details
Event name risky_sensitive_action_allowed
Parameters
is_suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • access_to_preregistered_email
    A challenge requiring access to a verification email in the inbox.
  • assistant_approval
    A challenge that lets the user approve authentication by a Google Assistant product.
  • backup_code
    Asks user to enter a backup verification code.
  • captcha
    A challenge to distinguish humans from automated bots using captcha.
  • cname
    A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
  • cross_account
    A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
  • cross_device
    A challenge that requires the user to complete authentication on a secondary device.
  • deny
    User sign-in is denied.
  • device_assertion
    A challenge based on recognizing a previously used device.
  • device_preregistered_phone
    A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
  • device_prompt
    A challenge on the user’s mobile device.
  • extended_botguard
    A challenge that uses a series of additional verification steps to ensure human interaction.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_email
    A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_email
    A challenge in which a code is sent to another email address the user provided before.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_account_creation_date
    A challenge that requires the user to provide the approximate date their account was created.
  • knowledge_cloud_pin
    A challenge based on the user's cloud service PIN.
  • knowledge_date_of_birth
    A challenge that requires the user to provide the date of birth registered on their Google Account.
  • knowledge_domain_title
    A challenge that asks the user to provide their domain title (organization name).
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_historical_password
    A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
  • knowledge_last_login_date
    A challenge that asks the user the approximate date of their last sign-in.
  • knowledge_lockscreen
    A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • knowledge_real_name
    A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
  • knowledge_secret_question
    A challenge that requires the user to provide the answer to a question they chose.
  • knowledge_user_count
    A challenge that asks the user to provide number of users in the domain.
  • knowledge_youtube
    A challenge based on the user's knowledge of their YouTube account details.
  • login_location
    User enters from where they usually sign in.
  • manual_recovery
    The user can recover their account only with their admin’s help.
  • math
    A challenge requiring the solution of a mathematical equation.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • oidc
    A challenge that uses the OIDC protocol.
  • other
    Login challenge method other.
  • outdated_app_warning
    A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
  • parent_auth
    A challenge requiring authorization from a parent or guardian.
  • passkey
    A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
  • password
    Password.
  • recaptcha
    A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
  • rescue_code
    A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
  • same_device_screenlock
    A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
  • time_delay
    An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
  • userless_fido
    A FIDO challenge that’s not tied to a specific user.
  • web_approval
    A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
sensitive_action_name

string

Description for sensitive action name in risky sensitive action challenged event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=risky_sensitive_action_allowed&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} was allowed to attempt sensitive action: {sensitive_action_name}. This action might be restricted based on privileges or other limitations.

Sensitive action blocked

Event details
Event name risky_sensitive_action_blocked
Parameters
is_suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • access_to_preregistered_email
    A challenge requiring access to a verification email in the inbox.
  • assistant_approval
    A challenge that lets the user approve authentication by a Google Assistant product.
  • backup_code
    Asks user to enter a backup verification code.
  • captcha
    A challenge to distinguish humans from automated bots using captcha.
  • cname
    A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
  • cross_account
    A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
  • cross_device
    A challenge that requires the user to complete authentication on a secondary device.
  • deny
    User sign-in is denied.
  • device_assertion
    A challenge based on recognizing a previously used device.
  • device_preregistered_phone
    A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
  • device_prompt
    A challenge on the user’s mobile device.
  • extended_botguard
    A challenge that uses a series of additional verification steps to ensure human interaction.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_email
    A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_email
    A challenge in which a code is sent to another email address the user provided before.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_account_creation_date
    A challenge that requires the user to provide the approximate date their account was created.
  • knowledge_cloud_pin
    A challenge based on the user's cloud service PIN.
  • knowledge_date_of_birth
    A challenge that requires the user to provide the date of birth registered on their Google Account.
  • knowledge_domain_title
    A challenge that asks the user to provide their domain title (organization name).
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_historical_password
    A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
  • knowledge_last_login_date
    A challenge that asks the user the approximate date of their last sign-in.
  • knowledge_lockscreen
    A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • knowledge_real_name
    A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
  • knowledge_secret_question
    A challenge that requires the user to provide the answer to a question they chose.
  • knowledge_user_count
    A challenge that asks the user to provide number of users in the domain.
  • knowledge_youtube
    A challenge based on the user's knowledge of their YouTube account details.
  • login_location
    User enters from where they usually sign in.
  • manual_recovery
    The user can recover their account only with their admin’s help.
  • math
    A challenge requiring the solution of a mathematical equation.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • oidc
    A challenge that uses the OIDC protocol.
  • other
    Login challenge method other.
  • outdated_app_warning
    A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
  • parent_auth
    A challenge requiring authorization from a parent or guardian.
  • passkey
    A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
  • password
    Password.
  • recaptcha
    A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
  • rescue_code
    A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
  • same_device_screenlock
    A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
  • time_delay
    An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
  • userless_fido
    A FIDO challenge that’s not tied to a specific user.
  • web_approval
    A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.
login_challenge_status

string

Whether the login challenge succeeded or failed, represented as "Challenge Passed." and "Challenge Failed." respectively. An empty string indicates an unknown status.

login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
sensitive_action_name

string

Description for sensitive action name in risky sensitive action challenged event.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=risky_sensitive_action_blocked&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} wasn't allowed to attempt sensitive action: {sensitive_action_name}.

Successful Login

A login attempt was successful.

Event details
Event name login_success
Parameters
is_suspicious

boolean

The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. Possible values:

  • false
    Boolean value false.
  • true
    Boolean value true.
login_challenge_method

string

Login challenge method. Possible values:

  • access_to_preregistered_email
    A challenge requiring access to a verification email in the inbox.
  • assistant_approval
    A challenge that lets the user approve authentication by a Google Assistant product.
  • backup_code
    Asks user to enter a backup verification code.
  • captcha
    A challenge to distinguish humans from automated bots using captcha.
  • cname
    A challenge that requires the user to prove ownership of a domain by changing the CNAME record at their hosting provider.
  • cross_account
    A challenge that lets products start an authentication session on one device under the primary account, delegate it for completion under another account, and then receive credentials for the session on the original initiating device owned by the primary account.
  • cross_device
    A challenge that requires the user to complete authentication on a secondary device.
  • deny
    User sign-in is denied.
  • device_assertion
    A challenge based on recognizing a previously used device.
  • device_preregistered_phone
    A challenge that requires the user to verify their phone number on the device. It's currently only used in username recovery and isn’t intended for use in other authentication flows.
  • device_prompt
    A challenge on the user’s mobile device.
  • extended_botguard
    A challenge that uses a series of additional verification steps to ensure human interaction.
  • google_authenticator
    Asks user to enter OTP from authenticator app.
  • google_prompt
    Login challenge method Google Prompt.
  • idv_any_email
    A challenge that requires the user to provide a code that Google sent to any email address they provided during the challenge.
  • idv_any_phone
    User asked for phone number and then enters code sent to that phone.
  • idv_preregistered_email
    A challenge in which a code is sent to another email address the user provided before.
  • idv_preregistered_phone
    User enters code sent to their preregistered phone.
  • internal_two_factor
    Login challenge method Internal Two Factor.
  • knowledge_account_creation_date
    A challenge that requires the user to provide the approximate date their account was created.
  • knowledge_cloud_pin
    A challenge based on the user's cloud service PIN.
  • knowledge_date_of_birth
    A challenge that requires the user to provide the date of birth registered on their Google Account.
  • knowledge_domain_title
    A challenge that asks the user to provide their domain title (organization name).
  • knowledge_employee_id
    Login challenge method Knowledge Employee Id.
  • knowledge_historical_password
    A challenge that lets the user enter either current or previous passwords. When this challenge is used, KNOWLEDGE_PASSWORD will refer only to the current password.
  • knowledge_last_login_date
    A challenge that asks the user the approximate date of their last sign-in.
  • knowledge_lockscreen
    A challenge which allows users to enter the lock screen knowledge factor on an eligible device.
  • knowledge_preregistered_email
    User proves knowledge of preregistered email.
  • knowledge_preregistered_phone
    User proves knowledge of preregistered phone.
  • knowledge_real_name
    A challenge that requires the user to provide the name(first name, last name) as registered on their Google account.
  • knowledge_secret_question
    A challenge that requires the user to provide the answer to a question they chose.
  • knowledge_user_count
    A challenge that asks the user to provide number of users in the domain.
  • knowledge_youtube
    A challenge based on the user's knowledge of their YouTube account details.
  • login_location
    User enters from where they usually sign in.
  • manual_recovery
    The user can recover their account only with their admin’s help.
  • math
    A challenge requiring the solution of a mathematical equation.
  • none
    No login challenge was faced.
  • offline_otp
    User enters OTP code they get from settings on their phone (android only).
  • oidc
    A challenge that uses the OIDC protocol.
  • other
    Login challenge method other.
  • outdated_app_warning
    A warning page, designed as a challenge, that notifies the user that they may be using an outdated version of an application. The user has the option to proceed.
  • parent_auth
    A challenge requiring authorization from a parent or guardian.
  • passkey
    A challenge that uses FIDO2 compliant passkeys or security keys to verify the user’s identity.
  • password
    Password.
  • recaptcha
    A challenge that protects the user against spam and other types of automated abuse with reCAPTCHA v2 API.
  • rescue_code
    A challenge that allows the user to enter their rescue code, which is a 32 character alphanumeric string that the user is expected to keep safe, and use it to recover their account.
  • same_device_screenlock
    A challenge that requires the user to unlock the device on which they are trying to sign in or perform a sensitive action.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • security_key
    User passes the security key cryptographic challenge.
  • security_key_otp
    Login challenge method Security Key OTP.
  • time_delay
    An asynchronous challenge that sends a link by email once a defined hold period has elapsed.
  • userless_fido
    A FIDO challenge that’s not tied to a specific user.
  • web_approval
    A challenge that lets the user scan a QR code using their Apple iOS device’s native camera, and use web approval for sign-in.
login_type

string

The type of credentials used to attempt login. Possible values:

  • exchange
    The user provides an existing credential and exchanges it for another type—for example, exchanging an OAuth token for a SID. May indicate that the user was already logged into a session and the two sessions were merged.
  • google_password
    The user provides a Google account password.
  • reauth
    The user is already authenticated but must reauthorize.
  • saml
    The user provides a SAML assertion from a SAML identity provider.
  • unknown
    Login type Unknown.
Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?eventName=login_success&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
{actor} logged in