As a super administrator with a premium Google Workspace edition—such as Enterprise Plus or Education Plus—you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain.
For example, you can use the investigation tool to:
- Access data about devices.
- Access device log data to get a clear view of the devices and applications being used to access your data.
- Access data about Gmail messages, including email content.
- Access Gmail log data to find and erase malicious emails, mark emails as spam or phishing, or send emails to users’ inboxes.
- View search results that list suspended users.
- Access Drive log data to investigate file sharing in your organization, investigate the creation and deletion of documents, investigate who accessed documents, and more.
Administrator queries and actions in the investigation tool can be reviewed in Admin log event data (for more details, see Admin auditing for the security center).
For more details about which data sources are available in the investigation tool, go to Data sources for the security investigation tool.
Your access to the security investigation tool
- Supported editions for the security investigation tool include Enterprise Plus, Education Standard, Education Plus, and Enterprise Essentials Plus.
- Admins with Cloud Identity Premium, Frontline Standard, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
- Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. For more information, go to Improved audit and investigation experience.
- You can run a search in the investigation tool on all users, regardless of the Google edition they have.