Ask Expert: How to make the most of your Drive Audit logs and the Reports API

Version 1

    How to make the most of your Drive audit logs and the Reports API


    Greetings! My name is Rio Akasaka and I’m a product manager on Google Drive, working on enterprise security and reporting. Today, I’d like to take the time and space here to talk about the Google Drive audit logs available within the Admin Console for Google Apps Unlimited customers. This is a powerful administrative feature that lets you understand what is happening when it comes to files and folders within your domain in a timely manner. This information extends to Google Docs, Slides, Sheets as well as any other file your users have chosen to store within Google Drive, such as Office files, PDFs, audio, video and other text content.


    You may already be aware of ISO 27001, a set of rigorous, independently-verified standards for information security that defines precisely what it means for your organization’s data to remain secure. Google’s Apps for Work has been certified for this and many other globally recognized standards for cloud security, handling of private data, health and federal data guidelines. We take security in in the information management space very seriously, and we imagine you do too.


    As part of a healthy information security ecosystem at your company, you may be asked to look for information about what is happening within your domain. Let’s follow the steps of getting that information, starting with a look at various admin roles within the Google Admin console.


    You can either create custom roles with defined administrator privileges or use a pre-built one. Remember, only a super admin can inspect Drive audit logs.


    Once authenticated, the super administrator can access the Drive audit logs if the domain is deployed with Google Apps Unlimited. It will appear under the Reports page, under Audit.


    Let’s take a look at the various features of the Audit. One thing you’ll notice is that you can use the filters on the left side of the page to find relevant items using event type, document ID, title, username, owner or time range. This makes it very quickly to start answering questions you may have, including what files have been accessed and how. The filter I like to refer to is “Link sharing visibility change”, where the dropdown beneath can be put to “External - link shared”. This gives you a list of documents that are publically accessible via a link.


    A more programmatic approach to this information is available to you through the Reports API. You might consider using the API in order to create customized dashboards or to aggregated data in a way that is meaningful to you and your company. There are two API calls that are particularly relevant to Admins looking for information about Drive and Docs usage:



    With a valid OAuth token (again, of someone who is a super admin), you can easily retrieve a list of files that correspond to any of the filters available to you in the UI. You can then take this information and aggregate them into reports for more in-depth analysis. Or, you can already directly retrieve the APIs for usage and render them the way you think is most appropriate for your domain.


    Did you know? You can try out the APIs without writing a single line of code using the API Explorer. Here’s a link to the Google Drive Activity Events API explorer.



    Screen Shot 2016-09-27 at 9.32.08 PM.png