Vault log events

View Vault user activity

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

To use this feature, you must have a Vault add-on license. For details, go to Buy Vault licenses for your organization.

As your organization's administrator, you can run searches and take action on Vault log events. For example, you can view a record of actions performed in the Vault console, such as which users edited retention rules or downloaded export files.

Run a search for log events

Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

Run a search in the Vault console

Expand section  |  Collapse all & go to top

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Actor Email address of the user who performed the action
Additional details Contains additional payload details such as retention period and conditions
Date Date and time the event occurred (displayed in your browser's default time zone)
Event The logged event action, such as View Investigation, View External Document, or Add Collaborator Begin
Matter ID

ID of the matter. This ID is not available for all events, but instead events that pertain to a matter.

Organizational unit name The name of the organizational unit to which the action applies
Query

The search parameters the user entered for a specific search

Resource name The resource name of the action, such as hold name or saved query name
Resource URL The URL of a document that the user viewed
Target user

Email address of the targeted user, such as a user who was put on hold

Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.

Manage log event data

 

Manage your investigations

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

Was this helpful?

How can we improve it?
716183242793518362
true
Search Help Center
true
true
true
true
true
73010
Search
Clear search
Close search
Main menu
false
false