View search results in the investigation tool

Search results in the investigation tool are displayed in a table at the bottom of the search card.

Device log events

Search results for Device log events include the following details:

  • Date and time of the event
  • Device ID
  • Event
  • Device owner
  • Device type
  • Device model
  • Failed password attempts
  • Device compromised state
  • Device compliance state
  • Device property
  • Device setting
  • Application SHA-256 hash
  • Application ID
  • Application state
  • New value
  • New device ID
  • Resource ID
  • Serial number
  • iOS vendor ID
  • Domain
  • Account state
  • Register privilege
  • Device ownership
  • Old value
  • OS property

Devices

Search results for Devices include the following details:

  • Device ID
  • Device owner
  • Device type
  • Device model
  • Status
  • Last sync date
  • Device compromised state
  • Password status
  • Management type
  • Security patch date
  • Registered date
  • Carrier

Drive log events

Search results for Drive log events include the following details:

  • Date and time of the Drive event (for example, changes to file sharing)
  • Document ID
  • Title
  • Document type
  • Prior visibility
  • Visibility
  • Event
  • Actor (for example, a user who changed the visibility of the document).
  • Owner
  • Target
  • IP address
  • Old value
  • New value
  • Domain

Gmail log events

Search results for Gmail log events include the following details:

  • Date and time of the event
  • Message ID
  • Subject
  • Event (whether the message was sent, received, classified as user spam, or classified as late spam)
  • From (Header address)
  • From (Envelope)
  • To (Envelope)
  • Owner
  • Domain
  • Attachment hashes
  • Attachment names
  • Attachment malware families
  • IP address
  • From (Header name)
  • Link domains
  • SPF domains
  • DKIM domains
  • Traffic source
  • Spam classification
  • Spam classification reason
  • Geo location

Note: If your organization has data location constraints, you can't use the investigation tool for Gmail log-event searches to search by subject. The Subject column will be blank in the search results.

Gmail messages

Search results for Gmail messages include the following details:

  • Message ID
  • Owner
  • Subject
  • Date
  • Sender
  • Recipient
  • Label
  • Attachment name

User log events

Available for Beta customers of G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

Search results for user log events include the following details:

  • Login success
  • Login failure
  • Logout
  • Login challenge
  • Login verification
  • Suspicious login
  • Suspicious login from a less secure app
  • Suspicious programmatic login
  • Account disabled
  • Account disabled because Google has become aware that someone else knows its password
  • Account disabled because Google has detected a suspicious activity indicating it might have been compromised
  • Account disabled because Google has become aware that it was used to engage in spamming
  • Account disabled because Google has become aware that it was used to engage in spamming through SMTP relay service

Users

Search results for users include the following details:

  • Primary email
  • Other emails
  • First name
  • Last name
  • Last login
  • Super administrator
  • Delegated administrator
  • Enrolled in 2SV
  • 2SV enforced for org
  • Suspended ID
  • Change password at login
  • Mailbox setup

Manage the display of columns in the search results

In the top-right corner of the search-results table, click the gear icon to customize how the columns are displayed in the search results. In the Manage columns window, delete columns, add new columns, or drag and drop columns to different locations to reorganize the display of the search results.

Export search results to a Sheets file in your My Drive folder

To save search results to your My Drive folder, click the Export buttonfile_download_grey600_24dp.pngat the top of the table.

View exported search results

Note the following when viewing exported search results:

  • After you click the Export buttonfile_download_grey600_24dp.pngat at the top of the table, a Google Sheet is created in your My Drive folder that includes the search results. Depending on the size of the results, the export process could take some time, and multiple Google Sheets might be created. The total results of the export are limited to 30 million rows (except for Gmail message searches, which are limited to 1.25 million rows).
  • While the export is in-progress, Google Sheets are created with a temporary name—for example, TMP-1-<title>. If multiple Google Sheets are created, additional files are named TMP-2-<title>, TMP-3-<title>, and so on. When the export process is completed, the files are automatically renamed to: <title> [1 of N], <title> [2 of N], and so on. If only one Google Sheet contains the exported data, the file is renamed to <title>.
  • Sharing permissions for files with the exported search results are per your domain configuration. For example, if by default the files created will be shared with everyone in the company, then the exported data will also have this visibility. 

Freshness latency

Events from the Gmail log data source have a freshness latency of up to 60 minutes. This means search results may not include Gmail events that are less than 60 minutes old.

For Drive log events, Device log events, and User log events, the freshness latency is 80 minutes.

For searches on devices, it may take up to 3 days for new data to be reflected in all search results. For searches on users, it may take up to 36 hours.

Data retention for Gmail and Drive log data

Gmail log data is retained for 30 days. Drive log data is retained for 6 months.  

Admin audit log

Administrator queries and actions in the investigation tool can be reviewed in the Admin audit log.

In the Admin audit log, you can view the types of queries that admins conducted and also see details about which filters were used. For actions, you can click a link in the Admin audit log to directly view the results within the investigation tool.

Was this article helpful?
How can we improve it?