Searching and taking action

Caution: The Investigation Tool returns 30 days of data from Gmail logs and 180 days of data from all other logs. You can export Google Workspace logs and usage reports to Big Query. Over time this gives you access to data past the 6 month window. See Export your Google Logs to BigQuery for a Big Win.

Build a search

To build out searches in the investigation tool:

  1. Start with a data source.
  2. Define your conditions.
  3. (Optional) Organize your results with group-by or click a data item to pivot to a new search.
  4. Take action directly within the tool or export your findings to Sheets.

Pro Tip: You can manage the columns to view critical information. Click the cog wheel in the investigation tool results and choose which columns to include.


Actions you can take

Below are actions you can take based on the data source you are querying. See more details here

  • Drive log events: Add/remove users, change owners, disable download/print/copy, audit file permissions
  • Gmail log events and gmail messages: View header, view messages, delete messages, restore messages, mark message as spam, mark message as phishing, send message to inbox, send message to quarantine
  • User log events and users: Suspend user, restore user, delete user, reset password
  • Device log events and devices: Approve device, block device, admin account wipe device, remote wipe device, cancel remote wipe device

Note: You will need to select one or more search result rows for the ACTIONS menu to appear and allow you to choose what changes to make.


Articles in this section