Configure and Secure the Tool

Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search does have a limit of 30 days unless you have the message ID and recipient email address. You can export Google Workspace logs and usage reports to Big Query. Over time, this gives you access to data past the 30 day/6 month window. See Export your Google Logs to BigQuery for a Big Win.

Configure the Investigation Tool settings

Investigation_tool_-_Admin_console.gif

Before using the investigation tool, you'll want to configure the settings. Access the tool at Security > Investigation Tool, then click the cog wheel in the right hand side toolbar to configure: 

  • Time zone: You can change the time zone to ensure the time stamps are your local time.
  • Require reviewer: Helpful when actions require manipulation of large data sets. When turned on, admins who attempt to take action on 300 items or more will have to specify a second admin to confirm the changes.
    • Bulk actions will show status messages: awaiting approval, completed, or expired. The status also shows total attempted successes or failures. To view action status, click the Tasks icon (hourglass) in the upper right-hand side of the Admin console. Check the status of large tasks
    • Approve bulk actions: Click the email sent, it directs to the investigation tool. Click APPROVE (or REJECT). Respond within 72 hours to the email notification, or your action will expire.
    • Cancel bulk actions: Navigate to the bottom of the Investigation page and click CANCEL. Canceling actions in the investigation tool can result in partial results if a reviewer approves the bulk action and is in progress.
  • View email content: For investigations you create, you can allow admins with the appropriate privilege to view email content.
  • Enable action justification: When turned on, admins with appropriate privileges must enter a justification text before performing the action. It is commonly turned on for viewing email content.

Audit Log for Investigation Tool actions

The Audit Log includes the following information for Investigation tool queries and actions and bulk action reviews.

  • Query performed
  • Action performed
  • Action completed
  • Action cancelled

 

Document Version Date Description of Change
1.9 1/24/24 Updated for clarity, article verified

 

Articles in this section