Configure the Investigation Tool Settings
Before you start using the investigation tool, you'll want to configure the settings. Access the tool at Security > Investigation Tool, then click the cog wheel in the right-hand side toolbar to configure the following:
Time zone: Change the time zone so that the timestamps are shown in your local time.
Require reviewer: Helpful when actions require manipulation of large data sets. When turned on, admins who attempt to take action on 300 items or more will have to specify a second admin to confirm the changes.
Bulk actions show one of these status messages: awaiting approval, completed, or expired. The status also shows the total number of attempted successes or failures. To view the action status, click the Tasks icon (hourglass) in the upper right-hand side of the admin console, where you can check the status of large tasks.
Approve bulk actions: Click the email notification sent to you, and you will be directed to the investigation tool. Click APPROVE (or reject). Respond to the email notification within 72 hours or your action will expire.
Cancel bulk actions: Navigate to the bottom of the Investigation page and click CANCEL. Canceling an action in the investigation tool produces partial results if the bulk action has already been approved by a reviewer and is in progress.
View email content: For investigations that you create, you can allow admins with the appropriate privilege to view email content.
Enable action justification: When turned on, admins with the appropriate privileges must enter justification text before performing the action. Commonly turned on for viewing email content.
Audit Log for Investigation Tool Actions
Admin queries and actions in the investigation tool will be included in the Admin audit log. The same items will be logged when reviewers are requested for bulk actions. The logs will include:
- Query performed
- Action performed
- Action completed
- Action cancelled