Make Investigations Work for You: Custom Charts and Activity Rules

The Investigation Tool in Google Workspace gives administrators powerful capabilities to monitor, analyze, and automate actions based on log data. In this article, you'll learn how to create custom dashboard charts, automate alerts with activity rules, and export logs for long-term analysis. We'll guide you through setting up and using these features to proactively enhance your ability to manage your domain's security.

Caution: The Investigation Tool returns up to 180 days of data from most logs. Gmail log event searches are limited to 30 days unless you supply the message ID and recipient email address. To keep data beyond the 30-day/6-month window, export Google Workspace logs and usage reports to BigQuery. See Export your Google Logs to BigQuery for a Big Win.

Creating Custom Dashboard Charts from Investigations

Custom charts allow you to visualize recurring issues or frequently run queries. Instead of running the same investigation repeatedly, you can create a custom chart to quickly access the necessary data. You can then display the charts on your Security Center dashboard for easy monitoring.

Important: Custom charts are user-specific: they are visible only to the admin who created them, and deleting one does not affect other admins.

Steps to Create a Custom Chart:

  1. From the Admin console, go to Security > Security center > Investigation tool.
  2. Conduct your search by selecting a Data source (e.g., Gmail log events).

    Note: You can only create custom charts for data sources based on log events.

  3. Refine your search by adding filters, conditions, or grouping results by an attribute (e.g., user or date).
  4. At the top of the search results, click Create custom chart.
  5. In the Create dashboard widget window, enter a title and short description for the chart.
  6. Preview how your chart will appear on the dashboard.
  7. Click Save to Dashboard to finish.

Your custom chart now appears on your Security Center dashboard (Security > Dashboard). By default it is placed as the top-left widget.

For more detailed guidance, see:

Run a search in the security investigation tool - Google Workspace Admin Help

Start an investigation based on a dashboard chart - Google Workspace Admin Help

Automating Alerts with Activity Rules

Activity rules automate actions based on log events in the Investigation Tool, allowing you to create alerts or initiate remediation steps when certain thresholds are met. This feature helps reduce manual monitoring by automatically triggering actions when suspicious behavior or policy violations are detected.

You can leave a rule inactive while you monitor the activity it matches and tune its alert threshold, then make it active once the threshold produces the alerts you expect.

Note: These rules currently apply to your entire domain; they cannot be scoped to specific organizational units (OUs) or groups.

Steps to Create an Activity Rule:

1. From the Admin console, navigate to Rules.
2. Click Create rule and select Activity from the dropdown.
3. Use the step-by-step guide to configure your activity rule, including data sources, conditions, and actions.
4. Once created, the rule appears in the list on the Rules page, where you can edit or manage it as needed.

For more details on creating and managing activity rules, as well as setting up email notifications for rule alerts, visit Create and manage activity rules.
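To make the threshold behaviour concrete, the following Python example, added here and not part of Google's product or documentation, implements the logic an activity rule applies: count matching log events per user inside a sliding time window, raise an alert when the count reaches the threshold, and carry out the action only when the rule is active (an inactive rule is monitor-only, which is how you tune thresholds before switching a rule on). The event names, attribute names, rule name and the sample events are constructed for the example; nothing here calls the Admin console, the Reports API or BigQuery.

```python
"""Threshold-style activity rule evaluated over constructed login events.

Added illustration of the logic an activity rule applies (count matching
log events per actor inside a time window, fire when a threshold is met,
act only when the rule is active). It is not Google's code and does not
call the Admin console, the Reports API or BigQuery; event and rule names
are assumptions made for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, List


@dataclass(frozen=True)
class LogEvent:
    """One log event, trimmed to the fields the rule needs."""
    time: datetime
    actor: str          # the user the event is attributed to
    event_name: str     # assumed names, e.g. login_failure / login_success
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class ActivityRule:
    name: str
    matches: Callable[[LogEvent], bool]  # condition checked on each event
    threshold: int                       # matching events per actor ...
    window: timedelta                    # ... within this sliding window
    active: bool = False                 # inactive = monitor only, no action

    def evaluate(self, events: List[LogEvent],
                 action: Callable[[dict], None]) -> List[dict]:
        """Return every alert the rule would raise; run `action` only if active."""
        recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        alerts: List[dict] = []
        for ev in sorted(events, key=lambda e: e.time):
            if not self.matches(ev):
                continue
            seen = recent[ev.actor]
            seen.append(ev.time)
            # Drop events that have aged out of the sliding window.
            while ev.time - seen[0] > self.window:
                seen.popleft()
            # Fire once, when the count first reaches the threshold; further
            # events inside the same window only raise the count above it.
            if len(seen) == self.threshold:
                alert = {
                    "rule": self.name,
                    "actor": ev.actor,
                    "count": len(seen),
                    "first_event": seen[0],
                    "triggered_at": ev.time,
                }
                alerts.append(alert)
                if self.active:
                    action(alert)
        return alerts


T0 = datetime(2024, 9, 10, 12, 0, tzinfo=timezone.utc)


def _ev(minute: int, actor: str, event_name: str, **attrs: str) -> LogEvent:
    return LogEvent(T0 + timedelta(minutes=minute), actor, event_name, attrs)


# Constructed sample data, not real log output: alice fails five times in
# four minutes, bob fails twice 45 minutes apart, carol only succeeds.
SAMPLE_EVENTS = [
    _ev(0, "alice@example.com", "login_failure", failure_type="invalid_password"),
    _ev(1, "alice@example.com", "login_failure", failure_type="invalid_password"),
    _ev(2, "alice@example.com", "login_failure", failure_type="invalid_password"),
    _ev(3, "alice@example.com", "login_failure", failure_type="invalid_password"),
    _ev(4, "alice@example.com", "login_failure", failure_type="invalid_password"),
    _ev(30, "alice@example.com", "login_success"),
    _ev(0, "bob@example.com", "login_failure", failure_type="invalid_password"),
    _ev(45, "bob@example.com", "login_failure", failure_type="invalid_password"),
    _ev(5, "carol@example.com", "login_success"),
]

# Hypothetical rule: five failed logins by one user within ten minutes.
FAILED_LOGIN_RULE = ActivityRule(
    name="5 failed logins in 10 minutes",
    matches=lambda e: e.event_name == "login_failure",
    threshold=5,
    window=timedelta(minutes=10),
)


def run_sample(active: bool):
    """Evaluate the rule over the sample; returns (alerts, actions taken)."""
    actions_taken: List[dict] = []
    rule = replace(FAILED_LOGIN_RULE, active=active)
    alerts = rule.evaluate(SAMPLE_EVENTS, actions_taken.append)
    return alerts, actions_taken


if __name__ == "__main__":
    for active in (False, True):
        alerts, actions = run_sample(active)
        state = "active" if active else "inactive (monitor only)"
        print(f"rule {state}: {len(alerts)} alert(s), {len(actions)} action(s)")
        for a in alerts:
            print(f"  {a['actor']}: {a['count']} failures by {a['triggered_at']:%H:%M}")
```

Running it shows the monitor-only pass producing the same alert list as the active pass but taking no action, which is the signal you use to judge whether a threshold is too noisy before turning the rule on. Bob's two failures never fire because the second falls outside the ten-minute window, illustrating why the window length matters as much as the count.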

Expanding Your Capabilities with BigQuery

To extend your data analysis beyond the built-in retention periods, consider exporting logs and reports to BigQuery. This will allow you to store and query data over time, unlocking deeper insights and historical comparisons that aren’t available through the standard interface.

Learn more about exporting logs and reports to BigQuery in this guide.

Conclusion

By leveraging custom charts and activity rules within the Google Workspace Investigation Tool, you can streamline monitoring, automate responses to potential issues, and maintain greater visibility into your domain’s activity. Additionally, exporting logs to BigQuery ensures that you can perform long-term data analysis, helping you stay ahead of potential security concerns.

Document Version | Date | Description of Change
1.0 | 9/10/2024 | Rewrote, reverified
