The investigation tool is a powerful resource in the Admin console. With it, you can identify, triage, and respond to security and privacy issues in your domain. It is available to admins with Education Standard or Education Plus licenses.
Caution: The Investigation Tool returns 30 days of data from Gmail logs and 180 days of data from all other logs. You can export Google Workspace logs and usage reports to Big Query. Over time this gives you access to data past the 6 month window. See Export your Google Logs to BigQuery for a Big Win.
Use cases for the Investigation Tool
- Search Gmail logs and messages to view email content, delete malicious emails, mark emails as spam or phishing.
- Access Drive log data to change ownership, add/remove users, change permissions, view who has accessed a file.
- Determine users who have not logged in recently and clean up accounts that shouldn't be active.
- Verify when a user last changed their password.
View this Office Hours recording of some use cases for the investigation tool
View this Office Hours recording of some investigation tool tips, tricks, and advanced cases