Caution: The Investigation Tool returns 30 days of data from Gmail logs and 180 days of data from all other logs. You can export Google Workspace logs and usage reports to BigQuery. Over time this gives you access to data past the 6-month window. See Export your Google Logs to BigQuery for a Big Win.
Configure the Investigation Tool Settings
Before you start using the investigation tool, you'll want to configure the settings. Access the tool at Security > Investigation Tool, then click the cog wheel in the right-hand side toolbar to configure:
- Time zone: you can change the time zone so that timestamps are shown in your local time.
- Require reviewer: Helpful when actions require manipulation of large data sets. When turned on, admins who attempt to take action on 300 items or more will have to specify a second admin to confirm the changes.
- Bulk actions will show status messages: awaiting approval, completed, or expired. Status also shows total attempted successes or failures. To view action status, click the Tasks icon (hourglass) in the upper right-hand side of the admin console. Check the status of large tasks.
- Approve bulk actions: Click the email sent and you will be directed to the investigation tool. Click APPROVE (or reject). Respond within 72 hours to the email notification or your action will expire.
- Cancel bulk actions: Navigate to the bottom of the Investigation page, click CANCEL. Canceling actions in the investigation tool results in partial results if the bulk action is already approved by a reviewer and in progress.
- View email content: For investigations that you create, you have the ability to allow admins with the appropriate privilege to view email content.
- Enable action justification: When turned on, this will require admins with appropriate privileges to enter justification text before performing the action. Commonly turned on for viewing email content.
Audit Log for Investigation Tool Actions
Admin queries and actions in the investigation tool will be included in the Admin audit log. The same items will be logged when reviewers are requested for bulk actions. The logs will include:
- Query performed
- Action performed
- Action completed
- Action cancelled