Investigation Tool Recipe Book

Education Standard or Education Plus

The Investigation Tool is a powerful resource in the Admin console. With it, you can identify, triage, and respond to security and privacy issues in your domain. However, there are a lot of recipes, and finding the one you want can sometimes be challenging. To help, we've listed some issues and their Investigation Tool recipes so you can see what's popular.

Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search, however, is limited to 30 days unless you have the message ID and recipient email address. You can export Google Workspace logs and usage reports to BigQuery. Over time, this gives you access to data past the 30-day/6-month window. See Export your Google Logs to BigQuery for a Big Win.

Use Cases

  • Search Gmail logs and messages to view email content, delete malicious emails, and mark emails as spam or phishing.
  • Access Drive log data to change ownership, add/remove users, change permissions, and view who has accessed a file.
  • Determine users who have not logged in recently and clean up accounts that should be inactive.
  • Verify when a user last changed their password.

List of Investigation Tool Recipes

  1. Users with Email Auto Forward ON
  2. Gmail messages containing a specific word or phrase
  3. Drive link file sharing, anyone with the link
  4. Admin log events
  5. Classroom log events, Originality report created
  6. Context Aware Access
  7. Tracking actions on quarantined emails
  8. Discover Guardians Who Have Not Accepted Their Guardian Invitation

See Google's Run a search in the security investigation tool article for additional examples.

Document Version    Date         Description of Change
1.0                 1/8/2024     Updated caution text, Verified Article
1.1                 8/20/2024    Removed spacing between videos
1.2                 1/13/2025    Added list of recipes, reverify
1.3                 1/14/2025    Removed recordings
1.4                 1/20/2025    Added quarantine, guardians
1.5                 2/19/2025    Added Google article link

 
