Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more
To use this feature, you must have a Vault add-on license. For details, go to Buy Vault licenses for your organization.
As your organization's administrator, you can run searches and take action on Vault log events. For example, you can view a record of actions performed in the Vault console, such as which users edited retention rules or downloaded export files.
Run a search for log events
Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.
Run a search in the Vault console
Expand section | Collapse all & go to top
Attribute descriptions
For this data source, you can use the following attributes when searching log event data:
Attribute | Description |
---|---|
Actor | Email address of the user who performed the action |
Additional details | Contains additional payload details such as retention period and conditions |
Date | Date and time the event occurred (displayed in your browser's default time zone) |
Event | The logged event action, such as View Investigation, View External Document, or Add Collaborator Begin |
Matter ID |
ID of the matter. This ID is not available for all events, but instead events that pertain to a matter. |
Organizational unit name | The name of the organizational unit to which the action applies |
Query |
The search parameters the user entered for a specific search |
Resource name | The resource name of the action, such as hold name or saved query name |
Resource URL | The URL of a document that the user viewed |
Target user |
Email address of the targeted user, such as a user who was put on hold |
Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.
Manage log event data
Manage search results column data
Export search result data
When and how long is data available?
Manage your investigations
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition