Searching and taking action

Build a search

To build out searches in the investigation tool:

  1. Start with a data source.
  2. Define your conditions.
  3. (Optional) Organize your results with group-by or click a data item to pivot to a new search.
  4. Take action directly within the tool or export your findings to Sheets.

Pro Tip: You can manage the columns to view critical information. Click the cog wheel in the investigation tool results and choose which columns to include.


Actions you can take

Below are the actions you can take, depending on the data source you are querying.

  • Drive log events: Add/remove users, change owners, disable download/print/copy, audit file permissions
  • Gmail log events and Gmail messages: View header, view messages, delete messages, restore messages, mark message as spam, mark message as phishing, send message to inbox, send message to quarantine
  • User log events and users: Suspend user, restore user, delete user, reset password
  • Device log events and devices: Approve device, block device, admin account wipe device, remote wipe device, cancel remote wipe device

Note: You will need to select one or more search result rows for the ACTIONS menu to appear and allow you to choose what changes to make.