Admin log event changes

In an effort to make the reports for Admin log events more understandable, detailed, and precise, there are updates to some event names and types as well as reporting frequency and event conditions. Between now and August 2026, legacy and updated event names and types will be available. After August 2026, only the new event names and types will be available.

Saved investigations will continue to work, but they will be based on legacy events and will stop working after August 2026. After August 2026, custom charts will be based on old data.

Important: If you don't update rules that have changes to more than one event condition, you'll get increased alerts. Rules that have 2 conditions that are true will trigger an alert if only one condition is true. For example, if a rule triggers an alert for a change to a specific Gmail setting, you will get an alert for all Gmail setting changes.

What you need to do

Review the changes listed on this page. If you're using or relying on any of the events listed on this page, you might need to make changes to your existing queries, alerts, reports, and rules. Between now and August 2026, rules that are affected will be automatically migrated and you might need to make changes to your rules.

Changes to Admin log events

Account & security

Admin console setting Security & Audit and investigation tool Reports API & Google SecOps BigQuery Export
Account settings > Preferences > New features

Toggle New App Features event name is renamed to Toggle New App Features Preference.

Value for New Value changes from True or False to Rapid release or Scheduled release.

Description value changes from New app features for your organization changed to value to The account setting of "New Features" was changed from value1 to value2.

The Old Value attribute is introduced. Its values are Rapid release and Scheduled release.

The New Features value is added to the Setting Category attribute.

events[].name
ADMIN_EVENTS_ TOGGLE_NEW_APP_
FEATURES is renamed to ADMIN_EVENTS_
TOGGLE_NEW_APP_
FEATURES_
PREFERENCE

events[].parameters
[].name=:new_value
Values change from True or False to Rapid release or Scheduled release.

events[].parameters
[].name=:old_value
This is a new parameter with the values Rapid release and Scheduled release.

event_name
ADMIN_EVENTS_
TOGGLE_NEW_APP_
FEATURES is renamed to ADMIN_EVENTS_
TOGGLE_NEW_APP_
FEATURES_
PREFERENCE

admin.new_value Values change from True or False to Rapid release or Scheduled release.

admin.old_value
This is a new parameter with the values Rapid release and Scheduled release.
Security > Access and data control > Google Cloud session control > Reauthentication policy

New Value and Old Value attributes for Session Control Settings Change records values for reauthentication frequency, idle session timeout, and reauthentication method in separate log events. Previously, all 3 settings were recorded in one log event.

If any of the settings are unchanged, no log event is recorded for that setting.

events[].name=
SESSION_CONTROL_
SETTINGS_CHANGE
REAUTH_SETTING_
OLD and REAUTH_SETTING_
NEW record values for reauthentication frequency, idle session timeout, and reauthentication method in separate log events. Previously, all 3 settings were recorded in one log event.

If any of the settings are unchanged, no log event is recorded for that setting.

event_name
SESSION_CONTROL_
SETTINGS_CHANGE
admin.reauth_ setting_old and
Admin.reauth_ setting_new record values for reauthentication frequency, idle session timeout, and reauthentication method in separate log events. Previously, all 3 settings were recorded in one log event.

If any of the settings are unchanged, no log event is recorded for that setting.

App access control

```html
Reports API & SecOps events[].name
& BigQuery Export
event_name		 Security & Audit and
investigation tool event name		 New events[].name & event_name New Security & Audit and investigation tool event name
DISALLOW_SERVICE_FOR_
OAUTH2_ACCESS		 API Access Blocked CHANGE_API_ACCESS API Access Changed
ALLOW_SERVICE_FOR_
OAUTH2_ACCESS		 API Access Allowed CHANGE_API_ACCESS API Access Changed
ADD_TO_BLOCKED_OAUTH2
_APPS		 App Added to Blocked List CHANGE_APP_ACCESS App Configuration Changed
ADD_TO_LIMITED_OAUTH2
_APPS		 App Added to Limited List CHANGE_APP_ACCESS App Configuration Changed
ADD_TO_TRUSTED_OAUTH2
_APPS		 App Added to Trusted Allowlist CHANGE_APP_ACCESS App Configuration Changed
ADD_TO_TRUSTED_BY_
OAUTH_SCOPE_OAUTH2_
APPS		 App added to Trusted by OAuth Scope list CHANGE_APP_ACCESS App Configuration Changed
ADD_TO_CAA_EXEMPT
_OAUTH2_APPS		 App allowlisted for exemption from API access blocks CHANGE_APP_ACCESS App Configuration Changed
REMOVE_FROM_TRUSTED
_OAUTH2_APPS		 App Removed from Trusted Allowlist CHANGE_APP_ACCESS App Configuration Changed
REMOVE_FROM_CAA_
EXEMPT_OAUTH2_APPS		 App no longer allowlisted for exemption from API access blocks CHANGE_APP_ACCESS App Configuration Changed
REMOVE_FROM_BLOCKED
_OAUTH2_APPS		 App Removed from Blocked List CHANGE_APP_ACCESS App Configuration Changed
REMOVE_FROM_LIMITED
_OAUTH2_APPS		 App removed from Limited list CHANGE_APP_ACCESS App Configuration Changed
REMOVE_FROM_TRUSTED
_BY_OAUTH_SCOPE_
OAUTH2_APPS		 App removed from Trusted by OAuth Scope list CHANGE_APP_ACCESS App Configuration Changed
BLOCK_ALL_THIRD_PARTY
_API_ACCESS		 All third party API access blocked CHANGE_
UNCONFIGURED_APPS
_ACCESS		 Unconfigured Apps Access Changed
UNBLOCK_ALL_THIRD_
PARTY_API_ACCESS		 All third party API access unblocked CHANGE_
UNCONFIGURED_APPS
_ACCESS		 Unconfigured Apps Access Changed
SIGN_IN_ONLY_THIRD_
PARTY_API_ACCESS		 Allow Google Sign-in only third party API access CHANGE_
UNCONFIGURED_APPS
_ACCESS		 Unconfigured Apps Access Changed
UNDERAGE_BLOCK_ALL
_THIRD_PARTY_API_
ACCESS		 All third party API access blocked CHANGE_UNDERAGE
_UNCONFIGURED_APPS
_ACCESS		 Under 18 Unconfigured Apps Access Changed
UNDERAGE_SIGN_IN_
ONLY_THIRD_PARTY_
API_ACCESS		 Allow Google Sign-in only third party API access CHANGE_UNDERAGE
_UNCONFIGURED_APPS
_ACCESS		 Under 18 Unconfigured Apps Access Changed
```

Google Drive settings with inherited values

Previously, Google Drive settings that were overridden from an inherited value or reverted to an inherited value used the same log event identifiers, with INHERIT_FROM_PARENT in the old value and new value attributes:

  • Security & Audit and investigation tool: The Change Drive Setting event name showed INHERIT_FROM_PARENT in Old value and New value
  • Reports API & SecOps: events[].type=DOCS_SETTINGS, events[].name=CHANGE_DOCS_SETTING showed INHERIT_FROM_PARENT in admin.old_value and admin.new_value
  • BigQuery Export: events_type=DOCS_SETTINGS, event_name=CHANGE_DOCS_SETTING showed INHERIT_FROM_PARENT in admin.old_value and admin.new_value
The updated Admin log events use the following event identifiers instead of INHERIT_FROM_PARENT values:
Tool Override an inherited value Change an existing value Revert to an inherited value
Security & Audit and investigation tool Event name: Create
Application Setting		 Event name: Change
Application Setting		 Event name: Delete
Application Setting
Reports API & SecOps Event type: APPLICATION_SETTINGS
Event name: CREATE_APPLICATION_ SETTING		 Event type: APPLICATION_SETTINGS
Event name: CHANGE_APPLICATION_ SETTING		 Event type: APPLICATION_SETTINGS
Event name: DELETE_APPLICATION_ SETTING
BigQuery Export Event type: APPLICATION_SETTINGS
Event name: CREATE_APPLICATION_ SETTING		 Event type: APPLICATION_SETTINGS
Event name: CHANGE_APPLICATION_ SETTING		 Event type: APPLICATION_SETTINGS
Event name: DELETE_APPLICATION_ SETTING

Drive settings

The table below lists updated log event information for the following Admin log event attributes and values:

  • Security & Audit and investigation tool: Setting name, Old value, New value
  • BigQuery Export: admin.setting_name, admin.old_value, admin.new_value
  • Reports API & SecOps: events[].parameters[].name=setting_name, events[].parameters[].name=OLD_VALUE or NEW_VALUE

Old event

Updated event

Setting name

Old or new value

Setting name

Old or new value

SHARING_OUTSIDE_ DOMAIN

SHARING_NOT_ ALLOWED_BUT_MAY _RECEIVE_FILES

ExternalSharing external_sharing_mode

DISALLOWED

ExternalSharing allow_receiving_external _files

true

SHARING_NOT_ ALLOWED

ExternalSharing external_sharing_mode

DISALLOWED

ExternalSharing allow_receiving_external _files

false

TRUSTED_DOMAINS_ ALLOWED_WITH_ WARNING_MAY_ RECEIVE _FILES_ FROM_ ANYONE

ExternalSharing external_sharing_mode

ALLOWLISTED_ DOMAINS

ExternalSharing warn_for_sharing_ outside_allowlisted_ domains

true

ExternalSharing allow_receiving_files_ outside_allowlisted_ domains changed

true

TRUSTED_DOMAINS_ ALLOWED_WITH_ WARNING

ExternalSharing external_sharing_mode

ALLOWLISTED_ DOMAINS

ExternalSharing warn_for _sharing_outside_ allowlisted_domains

true

ExternalSharing allow_ receiving_files_outside_ allowlisted_domains changed

false

TRUSTED_DOMAINS_ ALLOWED_AND_MAY_ RECEIVE_FILES_FROM _ANYONE

ExternalSharing external_sharing_mode

ALLOWLISTED_ DOMAINS

ExternalSharing warn_ for_sharing_outside_ allowlisted_domains

false

ExternalSharing allow_ receiving_files_outside_ allowlisted_domains changed

true

TRUSTED_DOMAINS_ ALLOWED

ExternalSharing external_sharing_mode

ALLOWLISTED_ DOMAINS

ExternalSharing warn_for_sharing _outside_allowlisted_ domains

false

ExternalSharing allow_receiving_files _outside_allowlisted_ domains changed

false

SHARING_ALLOWED_ WITH_WARNING

ExternalSharing external_sharing_mode

ALLOWED

ExternalSharing warn_for_external_ sharing

true

SHARING_ALLOWED

ExternalSharing external_sharing_mode

ALLOWED

ExternalSharing warn_for_external_ sharing

false

SHARING_INVITES_TO_ NON_GOOGLE_ ACCOUNTS

NOT_ALLOWED

ExternalSharing allow_non_google_ invites

false

ANONYMOUS_ PREVIEW

ExternalSharing allow_non_google_ invites

true

PUBLISHING_TO_WEB

NOT_ALLOWED

ExternalSharing allow_publishing_files

false

ALLOWED

true

SHARING_ACCESS_ CHECKER_OPTIONS

NAMED_PARTIES_ ONLY

ExternalSharing access_checker_ suggestions

RECIPIENTS_ONLY

DOMAIN_OR_NAMED _PARTIES

RECIPIENTS_OR_ AUDIENCE

ALL

RECIPIENTS_OR_ AUDIENCE_OR_ PUBLIC

SHARING_TEAM_DRIVE _CROSS_DOMAIN_ OPTIONS

CROSS_DOMAIN_ FROM_INTERNAL_OR _EXTERNAL

ExternalSharing allowed_parties _for_distributing_ content

ALL_ELIGIBLE_ USERS

CROSS_DOMAIN_ FROM_INTERNAL_ ONLY

ELIGIBLE_INTERNAL _USERS

CROSS_DOMAIN_ MOVES_BLOCKED

NONE

DEFAULT_LINK_ SHARING_FOR_NEW _DOCS

PRIVATE

GeneralAccessDefault default_file_access

PRIVATE_TO_OWNER

PEOPLE_WITH_LINK

PRIMARY_ AUDIENCE_WITH_ LINK

PUBLIC

PRIMARY_ AUDIENCE_WITH_ LINK_OR _SEARCH

DOCS_OFFLINE_ ENABLED

false

DocsOffline enable_docs_offline

false

true

true

ENABLE_DRIVE_APPS

false

DriveSdk enable_drive_sdk_api _access

false

true

true

Gmail settings

For all affected settings in Reports API & SecOps:

  • events[].type EMAIL_SETTINGS is renamed to APPLICATION_SETTINGS
  • events[].parameters[].name=USER_DEFINED_SETTING_NAME is moved to events[].parameters[].name= SETTING_METADATA.USER_DEFINED_NAME

For all affected settings in BigQuery Export:

  • event_type EMAIL_SETTINGS is renamed to APPLICATION_SETTINGS
  • admin.user_defined_setting_name is moved to admin.setting_metadata.user_defined_name

Gmail setting

 Security & Audit and
investigation tool		 Reports API & SecOps BigQuery Export

Mail delegation

Change Email Setting is renamed to Change Application Setting

ENABLE_SENDER_ ATTRIBUTION is renamed to MailDelegation sender_attribution_ desired

events[].name
CHANGE_EMAIL_
SETTING is renamed to CHANGE_APPLICATION
_SETTING

events[]. parameters[].name
ENABLE_SENDER_ ATTRIBUTION is renamed to MailDelegation sender _attribution_desired

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
ENABLE_SENDER_ ATTRIBUTION is renamed to MailDelegation sender_attribution _desired

Image URL proxy allowlist

Change Email Setting is renamed to Change Application Setting

NUMBER_OF_EMAIL _IMAGE_URL_ WHITELIST _PATTERNS is renamed to MailImage Proxy external _image_bypass_ pattern

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION
_SETTING

events[]. parameters[].name
NUMBER_OF_EMAIL_ IMAGE_URL_WHITELIST _PATTERNS is renamed to MailImageProxy external _image_bypass_pattern

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
NUMBER_OF_EMAIL_ IMAGE_URL_WHITELIST _PATTERNS is renamed to MailImageProxy external_image_ bypass_pattern

Compliance > Restrict delivery

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

RESTRICT_DELIVERY is renamed to RestrictDelivery rules walled_garden_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
RESTRICT_DELIVERY is renamed to RestrictDelivery rules walled_ garden_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL _SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name RESTRICT_DELIVERY is renamed to RestrictDelivery rules walled_garden_info or RuleState rule_state enabled

Compliance > Comprehensive mail storage

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

COMPREHENSIVE_ MAIL _STORAGE is renamed to RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
COMPREHENSIVE_ MAIL_STORAGE is renamed to RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
COMPREHENSIVE_MAIL _STORAGE is renamed to RuleState rule_state enabled

Spam, phishing, and malware > Inbound gateway

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

INBOUND_GATEWAY is renamed to RuleState rule_state enabled or InboundGateway {field}

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
INBOUND_GATEWAY is renamed to RuleState rule_state enabled or Inbound Gateway {field}

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
INBOUND_GATEWAY is renamed to RuleState rule_state enabled or InboundGateway {field}

Routing > Email forwarding using recipient address map

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

ALIAS_TABLE is renamed to AliasTable rules alias_table_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
ALIAS_TABLE is renamed to AliasTable rules alias_table_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
ALIAS_TABLE is renamed to AliasTable rules alias_table_info or RuleState rule_state enabled

Compliance > Content compliance

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

CONTENT_ COMPLIANCE is renamed to ContentCompliance rules content _compliance _info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
CONTENT_ COMPLIANCE is renamed to ContentCompliance rules content_ compliance_ info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING


admin.setting_name
CONTENT_ COMPLIANCE is renamed to ContentCompliance rules content_compliance _info or RuleState rule_state enabled

Default Routing > Default Routing

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

DOMAIN_DEFAULT is renamed to DomainDefault rules domain_default_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
DOMAIN_DEFAULT is renamed to DomainDefault rules domain_default_info or RuleState rule_state enabled

Event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
DOMAIN_DEFAULT is renamed to DomainDefault rules domain_default_info or RuleState rule_state enabled

Routing > Routing

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

UNIFIED_MAIL_ ROUTING is renamed to Routing rules routing_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
UNIFIED_MAIL_ ROUTING is renamed to Routing rules routing_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
UNIFIED_MAIL_ ROUTING is renamed to Routing rules routing_info or RuleState rule_state enabled

Routing > Inbound email journal acceptance in Vault

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

INBOUND_EMAIL_ JOURNAL_ ACCEPTANCE is renamed to RuleState rule_state enabled or ExchangeJournal Ingestion {field}

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
INBOUND_ EMAIL_ JOURNAL_ ACCEPTANCE is renamed to RuleState rule_state enabled or ExchangeJournal Ingestion {field}

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
INBOUND_EMAIL_ JOURNAL _ACCEPTANCE is renamed to RuleState rule_state enabled or ExchangeJournal Ingestion {field}

Blocked senders

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

BLOCKED_SENDERS is renamed to BlockedSenders rules blocked_senders_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
BLOCKED_SENDERS is renamed to BlockedSenders rules blocked_senders_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
BLOCKED_SENDERS is renamed to BlockedSenders rules blocked_senders_info or RuleState rule_state enabled

Routing > Third-party email archiving

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

OUTBOUND_EMAIL_ JOURNAL_ GENERATION is renamed to ExchangeJournal Generation rules exchange_journal_ generation _info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
OUTBOUND_EMAIL_ JOURNAL_ GENERATION is renamed to ExchangeJournal Generation rules exchange_journal _generation_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
OUTBOUND_EMAIL_ JOURNAL_GENERATION is renamed to ExchangeJournal Generation rules exchange_journal_ generation_info or RuleState rule_state enabled

Routing > Non-Gmail mailbox

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

QUARANTINE_ SUMMARY is renamed to NonGmail Mailbox rules quarantine _summary _info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
QUARANTINE_ SUMMARY is renamed to NonGmailMailbox rules quarantine_summary _info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
QUARANTINE_ SUMMARY is renamed to NonGmailMailbox rules quarantine_summary_ info or RuleState rule_state enabled

Routing > SMTP relay service

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

OUTBOUND_RELAY is renamed to RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
OUTBOUND_RELAY is renamed to RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
OUTBOUND_RELAY is renamed to RuleState rule_state enabled

Spam, phishing, and malware > Security sandbox rules

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

SECURITY_SANDBOX_ RULE is renamed to DeepScanning rules deep_scanning_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
SECURITY_ SANDBOX_RULE is renamed to DeepScanning rules deep_scanning_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
SECURITY_SANDBOX_ RULE is renamed to DeepScanning rules deep_scanning_info or RuleState rule_state enabled

Compliance > Secure transport (TLS) compliance

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

TLS_COMPLIANCE is renamed to TlsCompliance rules tls_compliance_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
TLS_ COMPLIANCE is renamed to TlsCompliance rules tls_compliance_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
TLS_COMPLIANCE is renamed to TlsCompliance rules tls_compliance_info or RuleState rule_state enabled

Spam, phishing, and malware > Spam

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

SPAM_CONTROL is renamed to SpamOverride rules spam_override_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
SPAM_CONTROL is renamed to SpamOverride rules spam_override_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
SPAM_CONTROL is renamed to SpamOverride rules spam_override_info or RuleState rule_state enabled

Compliance > Objectable content

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

OBJECTIONABLE_ CONTENT is renamed to Objectionable Content rules objectionable_content _info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
OBJECTIONABLE_ CONTENT is renamed to ObjectionableContent rules objectionable_ content_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
OBJECTIONABLE_ CONTENT is renamed to ObjectionableContent rules objectionable _content_ info or RuleState rule_state enabled

Routing > Alternate secure route

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

ALTERNATE_SECURE _ROUTE is renamed to AlternateSecureRoute alternate_route_id or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
ALTERNATE_SECURE _ROUTE is renamed to AlternateSecure Route alternate_route_id or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
ALTERNATE_SECURE_ ROUTE is renamed to AlternateSecureRoute alternate_route_id or RuleState rule_state enabled

Compliance > Attachment compliance

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

ATTACHMENT_ COMPLIANCE is renamed to Attachment Compliance rules attachment_ compliance_ info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
ATTACHMENT _COMPLIANCE was renamed to AttachmentCompliance rules attachment_compliance _info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
ATTACHMENT_ COMPLIANCE was renamed to AttachmentCompliance rules attachment_compliance _info or RuleState rule_state enabled

Compliance > Restrict delivery for S/MIME

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

SMIME_RESTRICT_ DELIVERY is renamed to SmimeRestrict Delivery rules smime_restrict_ delivery_ info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
SMIME_RESTRICT_ DELIVERY is renamed to SmimeRestrictDelivery rules smime_restrict_ delivery_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
SMIME_RESTRICT_ DELIVERY is renamed to SmimeRestrictDelivery rules smime_restrict _delivery_info or RuleState rule_state enabled

Hosts > Hosts

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

EMAIL_ROUTE is renamed to Mail DeliveryRoutes available_route receiving_route_info

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

Compliance > Append footer

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

COMPLIANCE_FOOTER is renamed to AppendFooter rules append_footer_info or RuleState rule_state enabled

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
COMPLIANCE_FOOTER is renamed to AppendFooter rules append_footer_info or RuleState rule_state enabled

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
COMPLIANCE_FOOTER is renamed to AppendFooter rules append_footer_info or RuleState rule_state enabled

Routing > Outbound Gateway

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
EMAIL_ROUTE is renamed to MailDeliveryRoutes available_route receiving_route_info

User Settings > Email read receipts

Change Email Setting is renamed to Change Application Setting

EMAIL_READ_ RECEIPTS_ALLOWED_ DESTINATIONS is renamed to ReadReceipts {field name}

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
EMAIL_READ_ RECEIPTS_ALLOWED _DESTINATIONS is renamed to ReadReceipts {field name}

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
EMAIL_READ_RECEIPTS _ALLOWED_ DESTINATIONS is renamed to ReadReceipts {field name}

User Settings > Name Format

Change Email Setting is renamed to Change Application Setting

DEFAULT_NAME_ FORMAT is renamed to NameFormat default_display_name _format

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
DEFAULT_NAME_ FORMAT is renamed to NameFormat default_ display_name_format

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
DEFAULT_NAME_ FORMAT is renamed to NameFormat default_display_name _format

End User Access > Allow per user outbound gateways

Change Email Setting is renamed to Change Application Setting

ALLOW_NAME_ FORMAT_ CUSTOMIZATION is renamed to PerUserOutbound Gateway enable_smtp_relay

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
ALLOW_NAME_FORMAT _CUSTOMIZATION is renamed to PerUserOutbound Gateway enable_smtp_relay

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
ALLOW_NAME_FORMAT _CUSTOMIZATION is renamed to PerUserOutbound Gateway enable_smtp_relay

End User Access > Pop and Imap access

Change Email Setting is renamed to Change Application Setting

IMAP_ACCESS is renamed to ImapSettings {field name}

ENABLE_POP_ACCESS is renamed to PopSettings pop_disabled

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
IMAP_ACCESS is renamed to ImapSettings {field name}

admin.setting_name
ENABLE_POP_ACCESS is renamed to PopSettings pop_disabled

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
IMAP_ACCESS is renamed to ImapSettings {field name}

admin.setting_name
ENABLE_POP_ACCESS is renamed to PopSettings pop_disabled

End User Access > Automatic Forwarding

Change Email Setting is renamed to Change Application Setting

ENABLE_EMAIL_ AUTOFORWARDING is renamed to AutoForwarding auto_forwarding_ disabled

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
ENABLE_EMAIL _AUTOFORWARDING is renamed to AutoForwarding auto_ forwarding_disabled

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
ENABLE_EMAIL_ AUTOFORWARDING is renamed to AutoForwarding auto_forwarding_ disabled

End User Access > Google Workspace Sync

Change Email Setting is renamed to Change Application Setting

ENABLE_OUTLOOK_ SYNC is renamed to MailSyncSettings enable_outlook_sync

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
ENABLE_OUTLOOK_ SYNC is renamed to MailSyncSettings enable_outlook_sync

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name
ENABLE_OUTLOOK_ SYNC is renamed to MailSyncSettings enable_outlook_sync

Setup > User email uploads

Change Email Setting is renamed to Change Application Setting

ENABLE_EMAIL_USER _IMPORT is renamed to MailAndContacts Import Settingscan _import_ mail_and_contacts

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
ENABLE_EMAIL_USER_ IMPORT is renamed to MailAndContactsImportSettings can_import_mail_and_ contacts

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name ENABLE_EMAIL_USER_ IMPORT is renamed to MailAndContactsImportSettings can_import_mail_and_ contacts

User settings > Themes

Change Email Setting is renamed to Change Application Setting

ENABLE_GMAIL_ SKINS is renamed to MailFrontendSettings skin_desired

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
ENABLE_GMAIL_SKINS is renamed to Mail FrontendSettings skin_desired

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name ENABLE_GMAIL_SKINS is renamed to MailFrontendSettings skin_desired

Compliance > Optical Character Recognition (OCR)

Change Email Setting is renamed to Change Application Setting

ENABLE_OPTICAL_ CHARACTER_ RECOGNITION is renamed to OcrSettings ocr_enabled

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
ENABLE_OPTICAL_
CHARACTER_ RECOGNITION is renamed to OcrSettings ocr_enabled

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name ENABLE_OPTICAL_ CHARACTER_ RECOGNITION is renamed to OcrSettings ocr_enabled

Manage Quarantines

Change Email Setting is renamed to Change Application Setting

EMAIL_QUARANTINE is renamed to AdminQuarantine admin_quarantine_ info {field}

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

events[]. parameters[].name
EMAIL_QUARANTINE is renamed to AdminQuarantine admin_quarantine _info {field}

event_name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_APPLICATION _SETTING

admin.setting_name EMAIL_QUARANTINE is renamed to AdminQuarantine admin_quarantine_info {field}

Manage Google Workspace Marketplace allowlist access

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

ENABLE_G_SUITE_ MARKETPLACE is renamed to Apps Access Setting web_display_option

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
ENABLE_G_SUITE _MARKETPLACE is renamed to Apps Access Setting web_display_option

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
ENABLE_G_SUITE_ MARKETPLACE is renamed to Apps Access Setting web_display_option

Google Workspace Marketplace Apps

Change/Delete/Create Gmail Setting is renamed to Change/Delete/Create Application Setting

The ENABLE_G_SUITE_ MARKETPLACE setting name is renamed to Allowlist app_access

events[].name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/ CREATE/DELETE_ APPLICATION_SETTING

events[]. parameters[].name
ENABLE_G_ SUITE_MARKETPLACE is renamed to Allowlist app_access

event_name
CHANGE/CREATE/ DELETE_GMAIL_ SETTING is renamed to CHANGE/CREATE/ DELETE_APPLICATION _SETTING

admin.setting_name
ENABLE_G_SUITE_ MARKETPLACE is renamed to Allowlist app_access

User Settings > S/MIME

Change Email Setting is renamed to Change Application Setting

EMAIL_SMIME is renamed to SMime status

events[].name
CHANGE_EMAIL_ SETTING is renamed to CHANGE_ APPLICATION_SETTING

events[]. parameters[].name
EMAIL_SMIME is renamed to SMime status

event_name CHANGE_EMAIL_ SETTING is renamed to CHANGE_ APPLICATION_SETTING

admin.setting_name
EMAIL_SMIME is renamed to SMime status

New Gmail parameters

Parameter name

 Nested parameter Reports API & SecOps BigQuery Export
SETTING_METADATA

USER_DEFINED_NAME

events[]. parameters[].name= SETTING_METADATA. USER_ DEFINED_NAME

admin.setting_metadata .user_defined_name

DESCRIPTION

events[]. parameters[].name= SETTING_METADATA. DESCRIPTION

admin.setting_metadata .description

rule_key

events[]. parameters[].name= SETTING_METADATA. RULE_KEY

admin.setting_metadata .rule_key

rule_type

events[]. parameters[].name= SETTING_METADATA. RULE_TYPE

admin.setting_metadata .rule_type

New Gmail events

Changes to the following Gmail settings (Apps > Google Workspace > Settings for Gmail) in the Admin console will log an event in Admin log events:

  • User Settings > S/MIME > Allow SHA-1 globally (not recommended)
  • Spam, phishing, and malware > Inbound gateway > Gateway IPs > Add/Delete IP addresses / ranges
  • Authenticate email > DKIM authentication > Start/Stop Authentication
  • Compliance > Email and chat auto-deletion > Automatically delete email and chat messages older than the specified number of days > Modify the labels to exclude

Changes to the settings will be logged as follows:

  • Security & Audit and investigation tool event: Change Application Setting
  • Reports API & SecOps: events[].name=CHANGE_APPLICATION_SETTING, events[].type=APPLICATION_SETTINGS
  • BigQuery Export: event_name=CHANGE_APPLICATION_SETTING, event_type=APPLICATION_SETTINGS

Updating automatically migrated rules

Instructions will be added here soon describing how you can find your rules that have been automatically migrated. For details on managing automatically migrated rules, go to Create and manage activity rules.

Changes to event names in the security investigation tool

For the affected event name in the following table:

  • Breaking columns are being removed from rule conditions. (A breaking column is a security investigation tool column that has a changed value.)
  • Rule creation for these events is being restricted.
  • Certain event names will have new conditions, as shown in Updates to event names later on this page.
Security investigation tool event name Breaking column name
Change email setting Setting name
Resource name
Change Gmail setting Setting name
Resource name
Create Gmail setting Setting name
Resource name
Delete Gmail setting Setting name
Resource name
Change Drive setting Setting name
New value
Old value
Session control settings change New value
Old value
  • API Access Blocked
  • API Access Allowed
  • App Added to Blocked List
  • App Added to Limited List
  • App Added to Trusted Allowlist
  • App added to Trusted by OAuth Scope list
  • App Removed from Blocked List
  • App removed from Limited list
  • App Removed from Trusted Allowlist
  • App removed from Trusted by OAuth Scope list
  • App allowlisted for exemption from API access blocks
  • App no longer allowlisted for exemption from API access blocks
  • All third party API access blocked
  • All third party API access unblocked
  • Allow Google Sign-in only third party API access
  • All third party API access blocked
  • Allow Google Sign-in only third party API access
 No breaking columns
Toggle new app features New value

Example

For all such rule conditions joined by AND, we are removing the part of the condition that contains the changing event. This results in the final condition being reduced to a single condition.

Given the following rule conditions: Event name IS Change email setting AND Setting name IS abc

The automatically migrated rule will become: Event name IS Change email setting

Risks: Increased alerts

The number of alerts being triggered will increase if you are using rules with breaking parameters in conditions. Rules that require both conditions 1 and 2 to be true to trigger, now trigger even if only one condition is true. For example, if there was a rule to trigger for a Gmail setting change for a specific setting name, it now triggers for all Gmail setting changes.

Migrating event conditions

Event display name Current condition New condition
Create email setting Event IS Change email setting Event IS Change application setting AND Setting Application IS Gmail
Create Gmail setting Event IS Change Gmail setting Event IS Change application setting AND Setting Application IS Gmail
Create Gmail setting Event IS Create Gmail setting Event IS Create application setting AND Setting Application IS Gmail
Create Gmail setting Event IS Delete Gmail setting Event IS Delete application setting AND Setting Application IS Gmail
Create Drive setting Event IS Change Drive setting (Event IS Change application setting OR Event IS Create application setting OR Event IS Delete application setting) AND Setting Application IS Drive and Docs.
Toggle New App Features Event IS Toggle New App Features Event IS Toggle New App Features Preference
API Access Blocked Event IS API Access Blocked Event IS API Access Changed AND Old Value IS Unrestricted
API Access Allowed Event IS API Access Allowed Event IS API Access Changed AND New Value IS Unrestricted
App Added to Blocked List Event IS App Added to Blocked List Event IS App Configuration Changed AND New Value IS Blocked
App Added to Limited List Event IS App Added to Limited List Event IS App Configuration Changed AND New Value IS Limited
App Added to Trusted Allowlist Event IS App Added to Trusted Allowlist Event IS App Configuration Changed AND New Value IS Trusted
App added to Trusted by OAuth Scope list Event IS App added to Trusted by OAuth Scope list Event IS App Configuration Changed AND New Value IS Specific Google data
App Removed from Blocked List Event IS App Removed from Blocked List Event IS App Configuration Changed AND Old Value IS Blocked AND New Value IS Unconfigured
App removed from Limited list Event IS App removed from Limited list Event IS App Configuration Changed AND Old Value IS Limited AND New Value IS Unconfigured
App Removed from Trusted Allowlist Event IS App Removed from Trusted Allowlist Event IS App Configuration Changed AND Old Value IS Trusted AND New Value IS Unconfigured
App removed from Trusted by OAuth Scope list Event IS App removed from Trusted by OAuth Scope list Event IS App Configuration Changed AND Old Value IS Specific Google data AND New Value IS Unconfigured
App allowlisted for exemption from API access blocks Event IS App allowlisted for exemption from API access blocks Event IS App Configuration Changed AND New Value IS Trusted and Allowlisted for Context-Aware Access Exemption
App no longer allowlisted for exemption from API access blocks Event IS App no longer allowlisted for exemption from API access blocks Event IS App Configuration Changed AND Old Value IS Trusted and Allowlisted for Context-Aware Access Exemption AND New Value IS Unconfigured
All third party API access blocked Event IS All third party API access blocked Event IS Unconfigured Apps Access Changed AND New Value IS Don't Allow
All third party API access unblocked Event IS All third party API access unblocked Event IS Unconfigured Apps Access Changed AND New Value IS Allow
Allow Google Sign-in only third party API access Event IS Allow Google Sign-in only third party API access Event IS Unconfigured Apps Access Changed AND New Value IS Allow Google sign-in only
All third party API access blocked Event IS All third party API access blocked Event IS Under 18 Unconfigured Apps Access Changed AND New Value IS Don't Allow
Allow Google Sign-in only third party API access Event IS Allow Google Sign-in only third party API access Event IS Under 18 Unconfigured Apps Access Changed AND New Value IS Allow Google sign-in only