About the security investigation tool

Supported editions for this feature: Enterprise; Education Standard and Plus.

For more details about which features in the investigation tool are available for your Google service, see Customize searches within the investigation tool, and go to Data sources & conditions in the investigation tool. For example, to see the supported editions for the Device log events data source, click Device log events.

As a super administrator, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain.

For example, you can use the investigation tool to:

  • Access data about devices.
  • Access device log data to get a clear view of the devices and applications being used to access your data.
  • Access data about Gmail messages, including email content. 
  • Access Gmail log data to find and erase malicious emails, mark emails as spam or phishing, or send emails to users’ inboxes.
  • View search results that list suspended users.
  • Access Drive log data to investigate file sharing in your organization, investigate the creation and deletion of documents, investigate who accessed documents, and more.

Administrator queries and actions in the investigation tool can be reviewed in the Admin audit log (for more details, see Admin auditing for the security center).

Note: To use the investigation tool, delegated admins must have an Enterprise license assigned to them. Some features in the security investigation tool—for example, data related to Gmail and Drive—are not available with Cloud Identity Premium or Enterprise Standard editions. For details, see Data sources in the investigation tool.
