Cloud Search log events

View a record of user actions in Cloud Search

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

As your organization's administrator, you can run searches and take action on security issues related to Cloud Search log events. For example, you can view a record of actions in Cloud Search as users in your organization search across Google Workspace services, such as Drive, Contacts, and Gmail, and third-party data sources.

Run a search for Cloud Search log events

Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

Audit and investigation tool

Security investigation tool

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

To run a search in the security investigation tool, first choose a data source. Then, choose one or more conditions for your search. For each condition, choose an attribute, an operator, and a value.

Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
Go to Menu Security > Security center > Investigation tool.
Requires having the Security center administrator privilege.
Click Data source and select Cloud Search log events.
Click Add Condition.
Tip: You can include one or more conditions in your search or customize your search with nested queries. For details, go to Customize your search with nested queries.
Click Attributeselect an option.
For a complete list of attributes, go to the Attribute descriptions section (later on this page).
Select an operator.
Enter a value or select a value from the list.
(Optional) To add more search conditions, repeat steps 4–7.
Click Search.
You can review the search results from the investigation tool in a table at the bottom of the page.
(Optional) To save your investigation, click Save enter a title and descriptionclick Save.

Notes

In the Condition builder tab, filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute	Description
Actor	Email address of the user who performed the action
Actor group name	Group name of the actor. For more information, go to Filtering results by Google Group. To add a group to your filtering groups allowlist: Select Actor group name. Click Filtering groups. The Filtering groups page appears. Click Add Groups. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it. (Optional) To add another group, search for and select the group. When you finish selecting groups, click Add. (Optional) To remove a group, click Remove group . Click Save.
Actor organizational unit	Organizational unit of the actor
Date	Date and time the event occurred (displayed in your browser's default time zone)
Event	The logged event action, such as Search, Suggest, or List query sources
Service name	Name of the service handling the API call
Method name	Name of the method handling the API call
API call response status code	Response status code of the API call
Search request search application ID	Search application ID sent in the search request
Search request query	Query sent in the search request
Number of results in search response	Number of results sent in the search response
Suggest request search application ID	Search application ID sent in the suggest request
Suggest request query	Query sent in the suggest request
Number of results in suggest response	Number of results sent in the suggest response
List query sources search application ID	Search application ID send in the list query sources request
Number of results in list query sources response	Number of results sent in the list query sources response