Investigation tool known issues

For a summary of known issues related to the investigation tool during the trusted tester release, see the sections below.

Search (general)

'Unexpected error' message for searches with conditions containing an empty string

Searches in the investigation tool with conditions containing an empty string or default enum values will fail and generate an "Unexpected error" message.

Pivoting over columns with an empty string or default enum values will construct searches from the valid values only and skip the empty ones

Pivoting over columns with an empty string or default enum values will construct searches from the valid values only and skip the empty ones.

Device event search

The device serial number is not populated for all events in device logs

The device serial number is not populated for all events in the device logs.

Under basic management, log events for iOS mobile devices without the device policy app will not be shown

Under basic management, log events for iOS mobile devices without the device policy app will not be shown.

Management type for fully managed iOS devices older than 1 year will be displayed as unknown

The Management type for fully managed iOS devices older than about 1 year will be displayed as unknown. This is because these devices were created before this field existed in the investigation tool.

Drive event search

Visibility of shared drive events is displayed as Unknown in the search results

When the Document Type is shared drive in an investigation tool search, the Visibility of the event is incorrectly displayed as Unknown in the search results.

Gmail event search

Data is missing in the 'From (Header address)' column for some sent events

Data is missing in the Sender column for some sent events.

Data for admin quarantine related events is not displaying properly for some email responses to the sender

For Gmail event log searches, data for admin quarantine related events is not displaying properly for some email responses to the sender. This issue only affects events where senders send the message to themselves.

Data for some admin quarantine events is not available in the investigation tool

Data for admin-quarantine events is not available in the investigation tool for messages quarantined using the Send message to quarantine action. However, this event is available in the Admin audit log.

Gmail message search

In a Gmail message search, Google does not surface results if there is a double-quote in one of the search parameters

In a Gmail message search, Google does not surface results if there is a double-quote in one of the search parameters (for example, for attachment name or subject).

User event search

Data from user event searches won't immediately display a full 180 days of data

User event data in the investigation tool displays the latest 180 days of user events. Since this is a new data source, data from user event searches won't immediately display a full 180 days of data.

For events involving multiple challenges, failed security key events are missing from the results of user event searches

If a login event involves multiple challenges where one of those challenges is a security key challenge (for example, a password and a security key), the investigation tool will only show an event for the security key challenge if it succeeds. Security key events that fail are missing from the results of user event searches.

This only affects failed security key challenges, not any other challenge types.

For example:

  • If a user faces a security key challenge two times, and if the security key challenge fails the first time and then succeeds the second time, search results will show one login success event along with a passed 2SV challenge event. However, search results will not show the failed 2SV challenge event.
  • If a user faces a security key challenge and it fails, search results will show a login failure event. However, search results will not show the failed 2SV challenge event.

Actions (general)

Search results acted on with bulk actions may be slightly different than the results seen in the investigation tool

Search results that you act on with bulk actions may be slightly different than what you see in the search results in the investigation tool. This is because the search is re-run during the process of running the bulk action.

Long-running operation panel sometimes doesn’t load for the investigation tool

After a long-running operation is kicked off in the investigation tool (for example, a bulk action), the status of this operation can be viewed in the long-running operation panel. However, if it’s been more than 60 minutes since the user last signed in, this panel won’t load. The admin would need to refresh the page and sign in again for it to work.

Gmail actions

Admins are unable to perform Gmail actions on messages if there are multiple messages with the same owner and RFC message ID

When using the investigation tool to perform any Gmail actions, admins are unable to perform actions on messages if there are multiple messages with the same owner and RFC message ID. These admins receive an error message for the corresponding action. For example:

  • "An unexpected system error occurred"
    --or--
  • "This message header could not be found due to an internal error. Try again later."

If an admin takes an action in the investigation tool on a quarantined email, Not found status is reported

If an admin takes an action in the investigation tool on a quarantined mail, there is no indication that the message is quarantined. Instead, Not found status is reported.

Actions don't affect copies of messages routed to on-premise servers

Actions in the investigation tool only affect the message in the owner’s Gmail mailbox. Actions in the investigation tool don’t affect the copy of the message routed to an on-premise server.

For non-Gmail users using Message Center, actions only affect messages in the Message Center

For non-Gmail users using the Message Center, actions in the investigation tool only affect the messages in the Message Center. The Move to inbox action on a spam message will not deliver the message to your on-premise server. If you think a message is falsely identified as spam and want it to be delivered to your on-premise server, you need to mark it as safe in the Message Center.

Note: Message Center will no longer be available after September 2019. We recommend using the methods described in Manage Spam Messages to manage spam when Message Center is no longer available.

Device actions

You cannot take actions on devices other than Android and iOS

You cannot take actions on devices other than Android and iOS. When you attempt actions on other devices, you'll receive a "not applicable" error.

Some actions are not allowed on devices that are supported with basic device management

Wiping a device, approving a device, and blocking a device are not supported on basic managed devices. Only an account wipe is allowed. This applies to both Android and iOS devices. When you attempt these actions, you'll receive a "not applicable" error.

Only one action can be pending on a device at any given time

Only one action can be pending on a device at any given time. If you try to perform an action on a device with a pending action, you will receive a "not applicable" error.

If you try to cancel a device wipe and there is no wipe pending on the device, you'll receive a 'not applicable' error 

If you try to cancel a device wipe and there is no wipe pending on the device, you'll receive a "not applicable" error.

'Not found' error code is returned when a device never existed or when a device was reset

A "not found" error code is returned when a device never existed or when a device was reset and has acquired a new device ID. The virtual identity connected to the previous ID will still be contained in the logs and live state, but that identity will no longer be associated with the physical device.

A blocked device cannot be wiped

A blocked device cannot be wiped. You can schedule a wipe but the wipe will stay pending on the device and never go through when the device is synced.

Drive actions

Google Forms and Google Sites are not supported from Drive actions in the investigation tool

Google Forms and Google Sites are not supported from Drive actions in the investigation tool. They are available in the Drive audit log, but an attempt to modify the permissions on these files might result in a failure.

Sharing and unsharing a Google form might lead to failures in Drive actions

Sharing and unsharing Google Forms and Google Sites file types from the Drive Audit file permissions dialog is not fully supported and could lead to failures during Drive actions in the investigation tool.

Export

Exported results may be slightly different than the results seen in the investigation tool

Exported search results may be slightly different than what you see in the search results in the investigation tool. This is because the search results are re-run during the export process.

Gmail, Device, and Drive log events

Logs created under a previous customer ID are sometimes not accessible

When a business is transferred from one customer ID to another customer ID (for example, due to an acquisition, spin-off, or merger), logs that were created under the previous customer ID are no longer accessible.

"From (Envelope)" value will be converted to the original email address

For some automated Google notifications, the "From (Envelope)" value will be converted to the original email address of the user that initiated the notification.
