Searching and Taking Action in the Investigation Tool

The Investigation Tool in Google Workspace allows admins to search logs, review data, and take direct action based on their findings. This article provides an overview of building searches, managing results, and performing key actions, helping you maintain control over your environment. You will learn how to search across multiple data sources, filter results, and take immediate action to protect your domain.

Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search is limited to 30 days unless you have the message ID and the recipient email address. You can export Google Workspace logs and usage reports to BigQuery; over time, this gives you access to data beyond the 30-day/6-month window. See Export your Google Logs to BigQuery for a Big Win.

Building a Search in the Investigation Tool

To start building a search:

  1. Choose a data source – Select the log you want to search, such as Gmail, Drive, User, or Device logs.
  2. Define your conditions – Set filters to narrow your search, such as date range, event type, or specific users.
  3. Organize your results – Optionally, group results by certain fields or click on a specific data item to pivot your search.
  4. Take action or export findings – Once your results are displayed, you can take direct actions within the tool or export the data to Google Sheets for further analysis.
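The four steps above map directly onto a filter-group-pivot-export loop. The following is an added example (not code from the Google article): it walks that loop offline over hand-constructed Drive log events shaped like the records the Admin SDK Reports API (`reports.activities.list`) returns for the same logs the Investigation Tool searches. The sample records, the `example.com` addresses and the `203.0.113.x` IPs are constructed; the parameter names (`doc_title`, `visibility`, `target_user`) are ones Drive audit events commonly carry but are assumed here for illustration.

```python
"""Offline walk-through of the Investigation Tool search workflow:
choose a data source, define conditions, group results, pivot on a value,
export rows. Example code; not part of the Google article."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data in Reports API shape (assumed representative).
SAMPLE_DRIVE_EVENTS = [
    {"id": {"time": "2024-09-08T14:02:11.000Z", "applicationName": "drive"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Q3 Financials"},
                                {"name": "visibility", "value": "people_with_link"},
                                {"name": "target_user", "value": "bob@external.test"}]}]},
    {"id": {"time": "2024-09-09T09:15:00.000Z", "applicationName": "drive"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_title", "value": "Q3 Financials"}]}]},
    {"id": {"time": "2024-08-01T17:40:30.000Z", "applicationName": "drive"},
     "actor": {"email": "carol@example.com"}, "ipAddress": "203.0.113.22",
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Roadmap"},
                                {"name": "visibility", "value": "private"},
                                {"name": "target_user", "value": "dave@example.com"}]}]},
]


def flatten(records):
    """Step 1 (data source): turn nested API records into one flat row per event."""
    rows = []
    for rec in records:
        ts = datetime.fromisoformat(rec["id"]["time"].replace("Z", "+00:00"))
        for ev in rec["events"]:
            row = {"time": ts, "actor": rec["actor"]["email"],
                   "ip": rec.get("ipAddress", ""), "event_name": ev["name"]}
            for p in ev.get("parameters", []):
                row[p["name"]] = p.get("value", p.get("boolValue"))
            rows.append(row)
    return rows


def search(rows, *, start=None, end=None, **conditions):
    """Step 2 (conditions): a date range plus field == value matches; all must hold."""
    out = []
    for r in rows:
        if start is not None and r["time"] < start:
            continue
        if end is not None and r["time"] > end:
            continue
        if all(r.get(k) == v for k, v in conditions.items()):
            out.append(r)
    return out


def group_by(rows, field):
    """Step 3 (organize): count results per value of `field`."""
    return Counter(r.get(field, "") for r in rows)


def pivot(rows, picked_row, field):
    """Step 3 (pivot): take `field` from one result row and re-search on it alone."""
    return search(rows, **{field: picked_row[field]})


def to_sheet_csv(rows, columns):
    """Step 4 (export): emit the chosen columns as CSV, as you would send to Sheets."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = flatten(SAMPLE_DRIVE_EVENTS)
    since = datetime(2024, 9, 1, tzinfo=timezone.utc)
    hits = search(rows, start=since, event_name="change_user_access")
    print(group_by(rows, "actor"))
    print(to_sheet_csv(pivot(rows, hits[0], "doc_title"),
                       ["time", "actor", "event_name", "doc_title", "visibility"]))
```

Running the script first narrows to sharing changes since 1 September, then pivots on the document title of the first hit to surface every event on that file, which is the same motion as clicking a data item in the tool.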

Pro Tip: Customize the columns to display critical data points. Click the settings cog in the search results to select which columns to include for easier analysis.


Key Actions You Can Take

Once you've identified essential events through your search, the Investigation Tool allows you to take direct action depending on the data source you're working with:

  • Drive Log Events: Add or remove users, change file owners, disable download/print/copy permissions, audit file sharing permissions.
  • Gmail Log Events and Messages: View message headers, restore or delete messages, mark messages as spam or phishing, and move messages to quarantine or the inbox.
  • User Log Events and Users: Suspend, restore, or delete users, and reset user passwords.
  • Device Log Events and Devices: Approve or block devices, perform admin account wipes, remote wipe devices, or cancel remote wipes.

Note: You must select one or more search result rows for the "Actions" menu to appear, enabling you to choose the appropriate actions based on the search results.

Document Version   Date        Description of Change
1.0                9/10/2024   Rewrote, reverify
