In the Google Admin console, you can use the security investigation tool to review user and administrator activity in your organization, and to take action based on search results. You can use the information to track users and admins, and for security purposes.
Your access to the security investigation tool
- The security investigation tool requires a premium Google Workspace edition (Enterprise Plus, Enterprise Standard, or Education Plus).
- You can access logs using the Chrome browser for the Google apps you have installed. For example, Gmail.
- Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead.
- You can run a search in the investigation tool on all users, regardless of the Google edition they have.
Filter results by Google Group
Filtering audit logs using a Google Group can help build statistics and improve performance since only the selected groups are tracked. You must explicitly add the groups to your filtering groups allowlist because the results can include sensitive information such as religion, gender, and other data.
Results can only be returned for the filtering group starting when the group is added until it is removed. Audit logs and events created before the group was added cannot be filtered using the group.
Manage your filtering groups allowlist
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console, go to the Filtering groups page.
- Click Add Groups.
- Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
- (Optional) To add another group, search for and select the group.
- When you finish selecting groups, click Add.
- (Optional) To remove a group, click Remove group
.
- Click Save.
Choose a data source to get started
To access data in the investigation tool, from the Google Admin console Home page, click SecuritySecurity center
Investigation tool.
Note: Access to specific data sources in the security investigation tool depends on your Google Workspace edition and your administrative privileges for specific features in the Google Admin console.
| Data source | Description |
|---|---|
| Access Transparency log events | See Google staff actions when accessing your data |
| Admin log events | View and investigate admin activity in the Google Admin console |
| Assignments log events |
View common activities, such as whether a student has joined a course or submitted work Note: You must be a Google Workspace for Education admin to access Assignments log events |
| Calendar log events | View and track changes to user events in Google Calendar |
| Chat log events | Track user conversations and room activity |
| Chrome browsers | View and investigate live-state data about Chrome browsers |
| Chrome log events | View and investigate Chrome log events |
| Chrome Sync log events | View and investigate a record of actions taken by users who have Chrome Sync enabled |
| Classroom log events | View common activities, such as who removed a student from a class or archived a class Note: You must be a Google Workspace for Education admin to access Classroom log events |
| Cloud Search log events | View and investigate user actions in Cloud Search |
| Contacts log events | View and investigate Contacts activity by your users |
| Context Aware Access log events | Use data to troubleshoot users’ access to apps |
| Device log events | Review activities on your organization’s devices |
| Devices | View and investigate live-state data about devices |
| Directory Sync log events | View events related to Google Cloud Directory Sync |
| Drive log events | View user Google Drive activity |
| Gmail log events | Investigate user and admin activity related to Gmail |
| Gmail messages | View and investigate live-state data about Gmail messages |
| Graduation log events | Track user data transfer |
| Groups Enterprise log events | See Admin console actions on groups and group memberships |
| Groups log events | View user changes to groups in Google Groups |
| Jamboard log events | Track changes to Jamboards |
| Keep log events | Track activity on notes owned by users in your organization |
| Looker Studio log events | View users' actions in Looker Studio |
| Meet log events | Understand users' video-meeting activity |
| OAuth log events | Track third-party app usage and data-access requests |
| Password vaulted apps log events | See admin and user activity related to password vaulted apps |
| Profile log events | View and investigate activity related to user profiles |
| Rules log events | Track your users' attempts to share sensitive data |
| SAML log events | View your users' sign-ins to SAML applications |
| Secure LDAP log events | Review LDAP operations for the Secure LDAP service |
| Takeout log events | View user Google Takeout activity |
| Tasks log events | View and investigate user actions related to tasks, task lists, and recurring tasks |
| User log events | View user activity across their accounts. Note: The User log events data source provides data previously contained in the Login audit log and User accounts audit log. |
| Users | View and investigate live-state data about users |
| Vault log events | Review activity in Google Vault |
| Voice log events | Review user activity in Google Voice |
When and how long is data available?
Go to Data retention and lag times.
