Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues.
As your organization's administrator, you can run searches and take action on security issues related to Cloud Search log events. For example, you can view a record of actions in Cloud Search as users in your organization search across Google Workspace services, such as Drive, Contacts, and Gmail, and third-party data sources.
Run a search for Cloud Search log events
Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.
Attribute descriptions
For this data source, you can use the following attributes when searching log event data:
Attribute | Description |
---|---|
Actor | Email address of the user who performed the action |
Actor group name | Group name of the actor. For more information, go to Filtering results by Google Group. To add a group to your filtering groups allowlist: |
Actor organizational unit | Organizational unit of the actor |
Date | Date and time the event occurred (displayed in your browser's default time zone) |
Event | The logged event action, such as Search, Suggest, or List query sources |
Service name | Name of the service handling the API call |
Method name | Name of the method handling the API call |
API call response status code | Response status code of the API call |
Search request search application ID | Search application ID sent in the search request |
Search request query | Query sent in the search request |
Number of results in search response | Number of results sent in the search response |
Suggest request search application ID | Search application ID sent in the suggest request |
Suggest request query | Query sent in the suggest request |
Number of results in suggest response | Number of results sent in the suggest response |
List query sources search application ID | Search application ID sent in the list query sources request |
Number of results in list query sources response | Number of results sent in the list query sources response |
Manage log event data
Take action based on search results
Manage your investigations
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.