About the security investigation tool
The investigation tool is available with G Suite Enterprise, Drive Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium. Some features in the investigation tool are not available with Cloud Identity Premium.
As a G Suite super administrator, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain.
You can use the investigation tool to:
- Access data about devices.
- Access device log data to get a clear view of the devices and applications being used to access your data.
- Access data about Gmail messages, including email content.
- Access Gmail log data to find and erase malicious emails, mark emails as spam or phishing, or send emails to users’ inboxes.
- Access Drive log data to investigate file sharing in your organization, investigate the creation and deletion of documents, investigate who accessed documents, and more.
Administrator queries and actions in the investigation tool can be reviewed in the Admin audit log (for more details, see Admin auditing for the security center).
- The investigation tool is only available for G Suite Enterprise and G Suite Enterprise for Education customers. However, if an organization has a combination of G Suite Enterprise, G Suite Business, and G Suite Basic licenses, the investigation tool enables super administrators to see Gmail log data for all users in their organization—even for users that have a G Suite Business or G Suite Basic license. Super admins can only see Drive log data for users that have a G Suite Enterprise or G Suite Business license.
- To use the investigation tool, delegated admins must have a G Suite Enterprise license assigned to them.