Investigation Tool Recipe: Tracking Actions on Quarantined Emails

Problem 

This recipe helps you uncover who performed actions on quarantined emails, such as releasing or deleting them, using the Google Workspace Admin Console Investigation Tool. 

In this example, we'll leverage the Admin Log Events data source to identify the administrators responsible for these actions and understand how your institution manages quarantined items. Whether you're troubleshooting email delivery issues or auditing administrative activity, this recipe will guide you through creating a precise search to retrieve actionable results.

Steps

  1. Open the Investigation Tool.
    Security > Security center > Investigation tool
  2. Search for or select Admin log events from the drop-down as your data source.
  3. Click Add Condition.
  4. Add the following condition:
    Event > is
  5. From the Event field, click the drop-down arrow and search for Quarantine.
  6. From the search results, select the event to investigate: Drop From Quarantine, Reject from Quarantine, or Release from Quarantine.
  7. Click Search. The results appear at the bottom of the page. In this example, the results show the emails that were released from quarantine.
  8. If you are happy with the investigation you built and want to retain it, click Save Investigation, located on the right.
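
To review the same events outside the console, the added example below (not part of the original recipe) tallies quarantine actions per administrator from records shaped like Admin SDK Reports API admin activity items. The uppercase event names, the record layout, and the sample data are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed API-side names for the three events selected in step 6.
QUARANTINE_EVENTS = {
    "DROP_FROM_QUARANTINE",
    "REJECT_FROM_QUARANTINE",
    "RELEASE_FROM_QUARANTINE",
}

# Constructed sample records (not real log data).
SAMPLE_ACTIVITIES = json.loads("""
[
 {"id": {"time": "2024-03-04T09:15:02Z"}, "actor": {"email": "admin1@example.edu"},
  "events": [{"name": "RELEASE_FROM_QUARANTINE"}]},
 {"id": {"time": "2024-03-04T11:40:18Z"}, "actor": {"email": "admin2@example.edu"},
  "events": [{"name": "DROP_FROM_QUARANTINE"}]},
 {"id": {"time": "2024-03-05T02:03:55Z"}, "actor": {"email": "admin1@example.edu"},
  "events": [{"name": "RELEASE_FROM_QUARANTINE"}]},
 {"id": {"time": "2024-03-05T08:22:10Z"}, "actor": {"email": "admin2@example.edu"},
  "events": [{"name": "CHANGE_GMAIL_SETTING"}]},
 {"id": {"time": "2024-03-05T08:30:41Z"}, "actor": {},
  "events": [{"name": "REJECT_FROM_QUARANTINE"}]}
]
""")


def quarantine_actions_by_admin(activities):
    """Return {actor: {event_name: [timestamps]}} for quarantine events only."""
    summary = defaultdict(lambda: defaultdict(list))
    for item in activities:
        # Keep records with no actor visible instead of silently dropping them.
        actor = item.get("actor", {}).get("email") or "(unknown actor)"
        when = item.get("id", {}).get("time", "")
        for event in item.get("events", []):
            if event.get("name") in QUARANTINE_EVENTS:
                summary[actor][event["name"]].append(when)
    return {a: {n: sorted(t) for n, t in ev.items()} for a, ev in summary.items()}


if __name__ == "__main__":
    report = quarantine_actions_by_admin(SAMPLE_ACTIVITIES)
    for actor in sorted(report):
        for name, times in sorted(report[actor].items()):
            print(f"{actor}\t{name}\tcount={len(times)}\tlatest={times[-1]}")
```
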

See our full list of Investigation tool recipes