Supported editions for this feature: Frontline Standard and Frontline Plus; Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials and Enterprise Essentials Plus; G Suite Business.
In the security investigation tool, you can search for and take action on security issues related to Vault log events. Vault log events are a record of actions performed in the Vault console, so you can see, for example, which users edited retention rules, created holds, or downloaded export files, and when.
Run a search in the Admin console
To run a search in the security investigation tool, first choose a data source. Then choose one or more conditions for your search. For each condition, choose an attribute, an operator, and a value.
1. Sign in to the Google Admin console with an administrator account. If you aren't using an administrator account, you can't access the Admin console.
2. Go to Menu > Security > Security center > Investigation tool. This requires the Security center administrator privilege.
3. Click Data source and select Vault log events.
4. Click Add Condition. Tip: You can include one or more conditions in your search or customize your search with nested queries. For details, go to Customize your search with nested queries.
5. Click Attribute and select an option. For a complete list of attributes, go to the Attribute descriptions section (later on this page).
6. Select an operator.
7. Enter a value or select a value from the list.
8. (Optional) To add more search conditions, repeat steps 4–7.
9. Click Search. You can review the search results from the investigation tool in a table at the bottom of the page.
10. (Optional) To save your investigation, click Save, enter a title and description, and then click Save.
Notes
- In the Condition builder tab, filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
- Events are logged under the email address a user had at the time of the action. If you rename a user, a search on the new name does not return events recorded under the old name. For example, if you rename OldName@example.com to NewName@example.com, a search for NewName@example.com does not return events related to OldName@example.com; search for the old address as well.
Attribute descriptions
For this data source, you can use the following attributes when searching log event data:
Attribute | Description |
---|---|
Actor | Email address of the user who performed the action |
Additional details | Additional payload details, such as the retention period and conditions |
Date | Date and time the event occurred (displayed in your browser's default time zone) |
Event | The logged event action, such as View Investigation, View External Document, or Add Collaborator Begin |
Matter ID | ID of the matter. Available only for events that pertain to a matter |
Organizational unit name | The name of the organizational unit to which the action applies |
Query | The search parameters the user entered for a specific search |
Resource name | The resource name of the action, such as a hold name or a saved query name |
Resource URL | The URL of a document that the user viewed |
Target user | Email address of the targeted user, such as a user who was put on hold |
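The search procedure above and the attribute table, worked offline as an added example. This is not Google's code or the Admin console's own search logic: the events are constructed sample records shaped after the attribute table, the condition evaluator is a hypothetical re-implementation of the condition builder (attribute, operator, value, nested AND/OR groups), and event names such as Download Export File are assumed for illustration. The last function shows the rename caveat from the Notes: events stay logged under the address in use at the time, so the old address has to be searched explicitly.

```python
"""Offline model of a security investigation tool search over Vault log events.

Added example, not Google's code. SAMPLE_EVENTS is constructed data shaped
after this page's attribute table, and the condition evaluator is a
hypothetical re-implementation of the condition builder (attribute,
operator, value, nested AND/OR groups); it is not the Admin console's own.
"""

# Constructed sample events (not real log data). Keys are the attribute
# names from the table; the Event values are assumed names for illustration.
# Matter ID, Query and Target user are present only on events that carry them.
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "event": "Download Export File",
     "matter_id": "matter-1001", "resource_name": "export-q1-mail",
     "date": "2024-03-04T09:15:00Z"},
    {"actor": "bob@example.com", "event": "Edit Retention Rule",
     "organizational_unit_name": "Legal", "resource_name": "mail-3y",
     "additional_details": {"retention_period_days": 1095},
     "date": "2024-03-04T10:02:00Z"},
    {"actor": "alice@example.com", "event": "Create Hold",
     "matter_id": "matter-1001", "resource_name": "hold-executives",
     "target_user": "carol@example.com", "date": "2024-03-05T08:30:00Z"},
    {"actor": "dave.old@example.com", "event": "Download Export File",
     "matter_id": "matter-2002", "resource_name": "export-drive",
     "date": "2024-02-20T16:45:00Z"},
    {"actor": "alice@example.com", "event": "Run Search",
     "matter_id": "matter-1001", "query": "from:ceo@example.com",
     "date": "2024-03-05T08:45:00Z"},
]


def matches(event, condition):
    """Evaluate a condition against one event.

    A leaf condition is an (attribute, operator, value) tuple. A nested
    query is {"and": [...]} or {"or": [...]} and may contain further groups.
    An event that lacks the attribute never matches (this model's choice).
    """
    if isinstance(condition, dict):
        if "and" in condition:
            return all(matches(event, c) for c in condition["and"])
        if "or" in condition:
            return any(matches(event, c) for c in condition["or"])
        raise ValueError("nested query must be {'and': [...]} or {'or': [...]}")
    attribute, operator, value = condition
    actual = event.get(attribute)
    if actual is None:
        return False
    if operator == "is":
        return actual == value
    if operator == "is not":
        return actual != value
    if operator == "contains":
        return str(value).lower() in str(actual).lower()
    # Dates are ISO-8601 UTC strings, so string order is chronological order.
    if operator == "after":
        return actual > value
    if operator == "before":
        return actual < value
    raise ValueError(f"unsupported operator: {operator!r}")


def search(events, condition):
    """Return the matching events, oldest first, like the results table."""
    return sorted((e for e in events if matches(e, condition)),
                  key=lambda e: e["date"])


def export_downloads_by_actor(events):
    """Count export-file downloads per actor: a first triage view, since a
    downloaded export is a copy of retained data leaving Vault."""
    counts = {}
    for e in search(events, ("event", "is", "Download Export File")):
        counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return counts


def events_for_user(events, current_email, former_emails=()):
    """Events are logged under the address in use when they happened, so a
    search on a renamed user's new address alone misses the older events.
    Pass the former addresses to cover them with an OR group."""
    addresses = [current_email, *former_emails]
    return search(events, {"or": [("actor", "is", a) for a in addresses]})


if __name__ == "__main__":
    # Who touched matter-1001 in March, and what did they do?
    query = {"and": [("matter_id", "is", "matter-1001"),
                     ("date", "after", "2024-03-01T00:00:00Z")]}
    for e in search(SAMPLE_EVENTS, query):
        print(e["date"], e["actor"], e["event"], e.get("resource_name", ""))
    print(export_downloads_by_actor(SAMPLE_EVENTS))
    # dave was renamed; only the old address finds the February download.
    print(len(events_for_user(SAMPLE_EVENTS, "dave@example.com")))
    print(len(events_for_user(SAMPLE_EVENTS, "dave@example.com",
                              ["dave.old@example.com"])))
```

The nested query in the usage section is the equivalent of two conditions joined with AND in the Condition builder tab; the OR group built by events_for_user is what you would add by hand when a user has been renamed during the period under investigation.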