Data sources for the security investigation tool

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

In the Google Admin console, you can use the security investigation tool to review user and administrator activity in your organization, and to take action based on search results. You can use the information to track users and admins, and for security purposes.

Filter results by Google Group

Filtering audit logs using a Google Group can help build statistics and improve performance since only the selected groups are tracked. You must explicitly add the groups to your filtering groups allowlist because the results can include sensitive information such as religion, gender, and other data. 

Results can only be returned for the filtering group starting when the group is added until it is removed. Audit logs and events created before the group was added cannot be filtered using the group.

Manage your filtering groups allowlist

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console, go to the Filtering groups page.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group .
  8. Click Save.

Choose a data source to get started

To access data in the investigation tool, from the Google Admin console Home page, click Securityand thenSecurity center and thenInvestigation tool.

Note: Access to specific data sources in the security investigation tool depends on your Google Workspace edition and your administrative privileges for specific features in the Google Admin console.

Data source Description
Access Transparency log events See Google staff actions when accessing your data
Admin log events View and investigate admin activity in the Google Admin console
Assignments log events

View common activities, such as whether a student has joined a course or submitted work

Note: You must be a Google Workspace for Education admin to access Assignments log events

Calendar log events View and track changes to user events in Google Calendar
Chat log events Track user conversations and room activity
Chrome browsers View and investigate live-state data about Chrome browsers
Chrome log events View and investigate Chrome log events 
Chrome Sync log events View and investigate a record of actions taken by users who have Chrome Sync enabled
Classroom log events View common activities, such as who removed a student from a class or archived a class
Note: You must be a Google Workspace for Education admin to access Classroom log events
Cloud Search log events View and investigate user actions in Cloud Search
Contacts log events View and investigate Contacts activity by your users
Context Aware Access log events Use data to troubleshoot users’ access to apps
Device log events  Review activities on your organization’s devices
Devices View and investigate live-state data about devices
Directory Sync log events View events related to Google Cloud Directory Sync
Drive log events View user Google Drive activity
Gmail log events Investigate user and admin activity related to Gmail
Gmail messages View and investigate live-state data about Gmail messages
Graduation log events Track user data transfer
Groups Enterprise log events See Admin console actions on groups and group memberships
Groups log events View user changes to groups in Google Groups
Jamboard log events Track changes to Jamboards
Keep log events Track activity on notes owned by users in your organization
Looker Studio log events View users' actions in Looker Studio
Meet log events Understand users' video-meeting activity
OAuth log events Track third-party app usage and data-access requests
Password vaulted apps log events See admin and user activity related to password vaulted apps
Profile log events View and investigate activity related to user profiles
Rules log events Track your users' attempts to share sensitive data
SAML log events View your users' sign-ins to SAML applications
Secure LDAP log events Review LDAP operations for the Secure LDAP service
Takeout log events View user Google Takeout activity
Tasks log events View and investigate user actions related to tasks, task lists, and recurring tasks
User log events View user activity across their accounts. Note: The User log events data source provides data previously contained in the Login audit log and User accounts audit log.
Users View and investigate live-state data about users
Vault log events Review activity in Google Vault
Voice log events Review user activity in Google Voice

When and how long is data available?

Go to Data retention and lag times.

Was this helpful?

How can we improve it?
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
2306870725840124877
true
Search Help Center
true
true
true
true
true
73010
false
false