Customize searches within the investigation tool

Using the security investigation tool, you can customize your searches by entering multiple search conditions. The available conditions vary depending on the data source for your search (for example, Device log events or Drive log events).

To run a search with the investigation tool:

  1. Sign in to the Google Admin console at admin.google.com.
    Be sure to sign in using your administrator account, and not your personal Gmail account.
  2. Click Security.
  3. Click Investigation tool.
  4. Choose a data source for your search. For example, choose Device log events, Devices, Drive log events, or Gmail log events.

    Note: Available data sources will vary depending on your Google Workspace edition.

  5. Click ADD CONDITION.
    You can include one or more conditions in your search. For details about conditions that are available for each data source, see the sections below. You also have the option to customize your search with nested queries—searches with 2 or 3 levels of conditions (for details, see the section below). 
  6. Click SEARCH.

Customize your search with nested queries

When customizing your search in the investigation tool, you can include one or more conditions in your search. If you're customizing a search that has at least 2 conditions, you also have the option to create nested queries—in other words, searches that include 2 or 3 levels of conditions.

Nested queries let you narrow your search with more granular conditions that target specific types of events. To create one, click Add condition group while customizing your search.

For example, you might want to run a search about inbound emails in your organization to investigate users who are receiving attachments. Additionally, you might want to narrow your search by including only users who are opening those attachments or clicking links within the emails. When customizing your search, you would base the search on the Gmail log events data source, and you would set up the following conditions for your search:

  • The email must have an attachment.
  • AND the user must either open the attachment OR click a link in the email.

Note: Most data sources enable 3-level nested queries. The Users data source enables only 2-level nested queries, while the Chrome browsers data source doesn't enable nested queries.

Take action based on search results

Once you are finished conducting a search in the investigation tool, you have the option to take action based on the results of your searches. For example, you can conduct a search based on Gmail log events, and then use the investigation tool to delete specific messages, mark messages as spam or phishing, send messages to quarantine, or send messages to users' inboxes. For more details about actions in the investigation tool, see Take action based on search results.

Note: If you narrow your search, your results will appear in the investigation tool sooner. For example, if you narrow the search to events that happened in the last week, the query will return faster than if you search without restricting the query to a shorter period of time.

Add a group-by option when customizing a search

When customizing a search in the investigation tool, you can group items by a particular search attribute to quickly understand the breadth of an issue. For example, when conducting a search based on device log events, you can group the search criteria based on the device model. 

To add a group-by option to your search:

  1. During your search, click ADD GROUP BY OPTION.
  2. From the Group by drop-down menu, choose a condition for your search—for example, choose Device model.
  3. Click SEARCH.

    With this example, a list of devices is displayed in the list of search results. For each item in the search results, a name for the device model is displayed, and the number of occurrences is displayed for each device model, with the highest number of occurrences listed at the top.

    You can then add more conditions to the search criteria by scrolling over items in the search results, clicking the More icon, and then clicking Add condition to search.

    Note: Occurrences refers to the number of events logged in the corresponding reports. For example, if you group by Group email, the Occurrences column shows the number of entries in the Groups Audit log section of the Google Admin console when all events are filtered by the given group address.
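The nested Gmail query described earlier (has attachment AND (attachment opened OR link clicked)), the per-data-source nesting limits, and the group-by occurrence count can be reproduced offline over exported events. This is an added example, not Google's code or an API of the investigation tool: the event dictionaries are constructed, the class and function names are hypothetical, exact-match string comparison is assumed, and mapping "opens the attachment" to the Attachment download event is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"  # YYYY-MM-DDThh:mm:ss, the format the page gives

# Nesting limits stated on the page: most data sources allow 3 levels,
# Users allows 2, Chrome browsers allows no nesting (a single flat level).
MAX_LEVELS = {"Users": 2, "Chrome browsers": 1}
DEFAULT_MAX_LEVELS = 3

def _ts(value):
    return datetime.strptime(value, DATE_FORMAT)

OPERATORS = {
    "Is": lambda actual, wanted: actual == wanted,
    "Is not": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted in str(actual),
    "Does not contain": lambda actual, wanted: wanted not in str(actual),
    "Before": lambda actual, wanted: _ts(actual) < _ts(wanted),
    "After": lambda actual, wanted: _ts(actual) > _ts(wanted),
}

@dataclass
class Condition:
    attribute: str
    operator: str
    value: object

    def matches(self, event):
        # Assumption: an event lacking the attribute never matches,
        # even for the negative operators.
        if self.attribute not in event:
            return False
        return OPERATORS[self.operator](event[self.attribute], self.value)

    def levels(self):
        return 0

@dataclass
class Group:
    joiner: str    # "AND" or "OR"
    members: list  # Condition or nested Group objects

    def matches(self, event):
        results = (m.matches(event) for m in self.members)
        return all(results) if self.joiner == "AND" else any(results)

    def levels(self):
        return 1 + max((m.levels() for m in self.members), default=0)

def validate(data_source, query):
    """Reject queries nested deeper than the data source allows."""
    limit = MAX_LEVELS.get(data_source, DEFAULT_MAX_LEVELS)
    if query.levels() > limit:
        raise ValueError(
            f"{data_source} allows {limit} level(s); query has {query.levels()}")
    stack = [query]
    while stack:
        node = stack.pop()
        if isinstance(node, Group):
            if node.joiner not in ("AND", "OR"):
                raise ValueError(f"unknown joiner {node.joiner!r}")
            stack.extend(node.members)
        elif node.operator not in OPERATORS:
            raise ValueError(f"unknown operator {node.operator!r}")

def search(data_source, query, events):
    validate(data_source, query)
    return [e for e in events if query.matches(e)]

def group_by(events, attribute):
    """(value, occurrences) pairs, highest number of occurrences first."""
    return Counter(e[attribute] for e in events if attribute in e).most_common()

# Constructed sample of Gmail log events (not real data).
SAMPLE_EVENTS = [
    {"Date": "2024-05-01T09:00:00", "Event": "Receive",
     "Owner": "ana@example.com", "Has attachment": True},
    {"Date": "2024-05-01T09:05:00", "Event": "Attachment download",
     "Owner": "ana@example.com", "Has attachment": True},
    {"Date": "2024-05-01T09:07:00", "Event": "Link click",
     "Owner": "ana@example.com", "Has attachment": True},
    {"Date": "2024-05-02T10:00:00", "Event": "Link click",
     "Owner": "bo@example.com", "Has attachment": False},
    {"Date": "2024-05-02T11:00:00", "Event": "Attachment download",
     "Owner": "cy@example.com", "Has attachment": True},
    {"Date": "2024-04-20T08:00:00", "Event": "Link click",
     "Owner": "cy@example.com", "Has attachment": True},
]

# Level 1: date window AND has attachment AND (level 2: download OR link click).
QUERY = Group("AND", [
    Condition("Date", "After", "2024-04-25T00:00:00"),
    Condition("Has attachment", "Is", True),
    Group("OR", [
        Condition("Event", "Is", "Attachment download"),
        Condition("Event", "Is", "Link click"),
    ]),
])

if __name__ == "__main__":
    hits = search("Gmail log events", QUERY, SAMPLE_EVENTS)
    for owner, occurrences in group_by(hits, "Owner"):
        print(f"{owner}: {occurrences}")
```
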

Data sources & conditions in the investigation tool

Device log events

Condition    
Date
  • Before
  • After

Type a date in the Date field.
Use the following format:

YYYY-MM-DDThh:mm:ss

Device ID
  • Is
  • Is not
Type a value in the Device ID field.
Event
  • Is
  • Is not

Choose from the following:

  • Account registration change
  • Device compliance status
  • Device OS update
  • Work profile support
  • Device settings change
  • Device compromise
  • Failed password attempts
  • Suspicious activity
  • Device application change
  • ADB events
  • Screen lock events
  • Device ownership change
  • Network event
  • Device action event
Device owner
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Device owner field (valid email address).
Device type
  • Is
  • Is not

Choose from the following:

  • Android
  • iOS
  • Mac
  • Windows
  • Chrome OS
Device model
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Device model field.
Failed password attempts
  • Equals
  • Less than or equal to
  • Greater than or equal to

Type a number in the Numeric value field.

Device compromised state
  • Is
  • Is not

Choose from the following:

  • Compromised
  • Not compromised
Device property
  • Is
  • Is not

Choose from the following:

  • Device Model
  • Serial Number
  • IMEI Number
  • MEID Number
  • WiFi MAC Address
  • Device Policy App Privilege
  • Manufacturer
  • Device Brand
  • Device Hardware
  • Bootloader Version
Device setting
  • Is
  • Is not

Choose from the following:

  • Developer Options
  • Unknown Sources
  • USB Debugging
  • Verify Apps
Application SHA-256 hash
  • Is
  • Is not

Type a value in the SHA-256 hash field.

Application ID
  • Is
  • Is not
Type a value in the Application ID field.
Application state
  • Is
  • Is not

Choose from the following:

  • Installed
  • Uninstalled
  • Updated
Account state
  • Is
  • Is not

Choose from the following:

  • Registered
  • Unregistered
Register privilege
  • Is
  • Is not

Choose from the following:

  • Device Administrator
  • Device Owner
  • Profile Owner
Device ownership
  • Is
  • Is not

Choose from the following:

  • Company Owned
  • User Owned
New device ID
  • Is
  • Is not
Type a value in the Device ID field.
Resource ID
  • Is
  • Is not

Type a value in the Resource ID field.

Serial number
  • Is
  • Is not
Type a value in the Serial number field.
iOS vendor ID
  • Is
  • Is not

Type a value in the iOS vendor ID field.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Domain field.
Device compliance state
  • Is
  • Is not

Choose from the following:

  • Compliant
  • Non-compliant
OS property
  • Is
  • Is not

Choose from the following:

  • OS version
  • Build number
  • Kernel version
  • Baseband version
  • Security patch
  • Device bootloader
Organizational unit
  • Is

Choose an organizational unit from the list.

Devices

Condition    
Device ID
  • Is
  • Is not

Type a value in the Device ID field.

Device owner
  • Is
  • Is not

Type a value in the Device owner field (valid email address).

Device type
  • Is
  • Is not

Choose from the following:

  • Android
  • iOS
  • Mac
  • Windows
  • Chrome OS
Device model
  • Is
  • Is not
Type a value in the Device model field.
Status
  • Is
  • Is not

Choose from the following:

  • Pending
  • Running
  • Blocked
  • Wiping
  • Wiped
  • Unprovisioned
  • Account Wiping
  • Account Wiped
  • Registered
  • Unregistered
  • Deactivated
  • Approved
Last sync date
  • Before
  • After
Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss
Device compromised state
  • Is
  • Is not

Choose from the following:

  • Compromised
  • Not compromised
Password status
  • Is
  • Is not

Choose from the following:

  • On
  • Off
Management type
  • Is
  • Is not

Choose from the following:

  • None
  • Basic
  • Advanced
Security patch update
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Registered date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Carrier
  • Is
  • Is not
Type a value in the Carrier field.

Drive log events

Condition    
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Document ID
  • Is
  • Is not

Type a value in the Document ID field.

Title
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the Title field.

Document type
  • Is
  • Is not

Choose from the following:

  • Google Document
  • Google Spreadsheet
  • Google Presentation
  • Folder
  • Google Form
  • Google Drawing
  • Shared drive
  • Text file
  • JPEG
  • PDF
  • PNG
  • MP4
  • Microsoft Word
  • Microsoft Excel
  • HTML
  • MPEG
  • Quicktime
  • Microsoft Powerpoint
  • Google Sites
Prior visibility
  • Is
  • Is not

Choose from the following:

  • Private
  • Shared internally
  • People within domain with link
  • Public in the domain
  • Shared externally
  • People with link
  • Public on the web
Visibility
  • Is
  • Is not

Choose from the following:

  • Private
  • Shared internally
  • People within domain with link
  • Public in the domain
  • Shared externally
  • People with link
  • Public on the web
Event
  • Is
  • Is not

Choose from the following:

  • Create
  • Upload
  • Edit
  • View
  • Rename
  • Move
  • Add to folder
  • Remove from folder
  • Trash
  • Delete
  • Remove from trash
  • Download
  • Preview
  • Print
  • Change owner
  • Change ACL editors
  • Change access scope
  • Change document visibility
  • Change user access
  • Change shared drive membership
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for the Actor field (user email address).

Note: The actor is the user that triggered an event by modifying a file.

Owner
  • Is
  • Is not
  • Contains
  • Does not contain

Type a username in the Owner field.

Target
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the Target field.

Note: The target is the user or group that was added or removed from a file.

Visibility change
  • Is
  • Is not

Choose from the following:

  • Internal
  • External
  • None
IP address
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the IP address field.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Domain field.
Organizational unit
  • Is

Choose an organizational unit from the list.

About the visibility of files in a shared drive

In your My Drive folder, a file that's only visible to the owner has a visibility of Private. However, in a shared drive, even if a file is not explicitly shared with other users, it has a visibility of Shared internally (shared drive files cannot have a visibility of Private).

Gmail log events

Condition    
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Message ID
  • Is
  • Is not

Type a value in the Message ID field.

Subject
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the Subject field.

Event
  • Is
  • Is not

Choose from the following:

  • Admin quarantine
  • Attachment download
  • Attachment link click
  • Attachment save to Drive
  • Autoforwarded
  • Drive item save to Drive
  • Late spam classification
  • Link click
  • Mark unread
  • Move out of trash
  • Move to inbox
  • Move to trash
  • Open
  • Receive
  • Release from quarantine
  • Reply
  • Send
  • User spam classification
From (Header address)
  • Is
  • Is not
  • Contains
  • Does not contain

Type an address in the From (Header address) field.

From (Envelope)
  • Is
  • Is not
  • Contains
  • Does not contain

Type an address in the From (Envelope) field.

To (Envelope)
  • Is
  • Is not
  • Contains
  • Does not contain
Type an address in the To (Envelope) field.
Owner
  • Is
  • Is not
  • Contains
  • Does not contain

Type a username in the Owner field.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain

Type a name in the Domain field.

Has attachment
  • Is
  • Is not

Choose from the following:

  • True
  • False
Attachment hash
  • Is
  • Is not

Type a value in the SHA-256 hash field.

Attachment name
  • Is
  • Is not
  • Contains
  • Does not contain

Type a name in the Attachment name field.

Attachment malware family
  • Is
  • Is not

Choose from the following:

  • Known malicious program
  • Virus/worm
  • Content may be harmful
  • Potentially unwanted
  • Other
IP Address
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the IP address field.
From (Header name)
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the From (Header name) field.
Sender domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the Sender domain field.
Link domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the Link domain field.
Attachment extension
  • Is
  • Is not
  • Contains
  • Does not contain
Type an extension in the Attachment extension field.
SPF domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the SPF domain field.
DKIM domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the DKIM domain field.
Traffic source
  • Is
  • Is not

Choose from the following:

  • External
  • Internal
Spam classification
  • Is
  • Is not

Choose from the following:

  • Clean
  • Spam
  • Phishing
  • Suspicious
  • Malware
Spam classification reason
  • Is
  • Is not

Choose from the following:

  • Default
  • Past User Action
  • Suspicious Content
  • Suspicious Link
  • Suspicious Attachment
  • Type
  • DMARC
  • Domain in Public RBLs
  • RFC Violation
  • GMAIL Policy Violation
  • Machine Learning Verdict
  • Sender Reputation
  • Blatant Spam
  • GMAIL Safety Setting
Geo location
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Geo location field.
OAuth project ID
  • Equals
  • Less than or equal to
  • Greater than or equal to
Type a value for the OAuth project ID.
Target link URL
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value for the Target link URL.
Target attachment hash
  • Is
  • Is not
Type a value for the Target attachment hash.
Target attachment name
  • Is
  • Is not
Type a value for the Target attachment name.
Target attachment malware family
  • Is
  • Is not

Choose from the following:

  • Content may be harmful
  • Known malicious program
  • Other
  • Potentially unwanted
  • Virus/worm
Target drive ID
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value for the Target drive ID.

Gmail messages

Condition    
Subject
  • Is
  • Is not

Type a subject in the Subject field.

Message ID
  • Is
  • Is not

Type a value in the Message ID field.

Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Sender
  • Is
  • Is not

Type a sender in the Sender field.

Recipient
  • Is
  • Is not

Type a recipient in the Recipient field.

Label
  • Is
  • Is not

Choose from the following:

  • Inbox
  • Trash
  • Spam
  • Unread
  • Starred
  • Phishing
  • Admin quarantine
Attachment name
  • Is
  • Is not

Type an attachment name in the Attachment name field.

Has attachment
  • Is
  • Is not

Choose from the following:

  • True
  • False
Cc
  • Is
  • Is not
Type a valid email address in the Cc field.
Bcc
  • Is
  • Is not
Type a valid email address in the Bcc field.
 
All content
  • Contains word
  • Does not contain word
Type a value in the All content field.
Message size
  • Greater than or equal to
  • Less than or equal to
Type a value in the Message size field.

Rule log events

Condition Operator  
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Actor (user email address).

Data source
  • Is
  • Is not

Choose from the following:

  • Device
  • Drive
  • Gmail
  • User 
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Detector ID
  • Is
  • Is not
  • Contains
  • Does not contain
Type a domain name in the Detector ID field.
Detector name
  • Is
  • Is not
  • Contains
  • Does not contain
Type a domain name in the Detector name field.
Event
  • Is
  • Is not

Choose from the following:

  • Action complete
  • Rule trigger
Recipient
  • Is
  • Is not
  • Contains
  • Does not contain
Type a domain name in the Recipient field.
Resource ID
  • Is
  • Is not
Enter a value in the Resource ID field.
Resource owner
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value in the Resource owner field.
Resource title
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value in the Resource title field.
Resource type
  • Is
  • Is not

Choose from the following:

  • Device
  • Document
  • Email
  • User
Rule ID
  • Is
  • Is not
Enter a value in the Rule ID field.
Rule name
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value in the Rule name field.
Rule type
  • Is
  • Is not

Choose from the following:

  • Activity Rule
  • DLP
Scan type
  • Is
  • Is not

Choose from the following:

  • Drive continuous scan
  • Drive single resource scan
Severity
  • Is
  • Is not

Choose from the following:

  • High
  • Low
  • Medium
Suppressed action
  • Is
  • Is not

Choose from the following:

  • Alert
  • Device account wipe
  • Device approve
  • Device block
  • Device cancel account wipe
  • Device cancel wipe
  • Device wipe
  • Drive block external sharing
  • Drive delete permission
  • Drive disable download, print, and copy for commenters and viewers
  • Drive insert permission
  • Drive update permission
  • Drive warn on external sharing
  • Gmail change envelope recipient
  • Gmail mark as phishing
  • Gmail mark as spam
  • Gmail modify headers
  • Gmail modify route
  • Gmail modify subject
  • Gmail quarantine
  • Gmail reject
  • Gmail restore
  • Gmail send to inbox
  • Gmail soft delete
  • User delete
  • User reset password
  • User restore
  • User suspend
Trigger
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value in the Trigger field.
Triggered action
  • Is
  • Is not

Choose from the following:

  • Alert
  • Device account wipe
  • Device approve
  • Device block
  • Device cancel account wipe
  • Device cancel wipe
  • Device wipe
  • Drive block external sharing
  • Drive delete permission
  • Drive disable download, print, and copy for commenters and viewers
  • Drive insert permission
  • Drive update permission
  • Drive warn on external sharing
  • Gmail change envelope recipient
  • Gmail mark as phishing
  • Gmail mark as spam
  • Gmail modify headers
  • Gmail modify route
  • Gmail modify subject
  • Gmail quarantine
  • Gmail reject
  • Gmail restore
  • Gmail send to inbox
  • Gmail soft delete
  • User delete
  • User reset password
  • User restore
  • User suspend
Triggering client IP
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value in the Triggering client IP field.
Triggering user email
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value in the Triggering user email field.
Organizational unit
  • Is

Choose an organizational unit from the list.

User log events

Condition    
Affected user
  • Is
  • Is not
  • Contains
  • Does not contain

Type a user in the Affected user field.

Note:

  • Only include the Affected user filter in your search for system actions taken on a user account.
  • Include the User filter in your search to set the filter to the user account that you're investigating. 
Challenge types
  • Is
  • Is not

Choose from the following:

  • Backup code (user is asked to enter a backup verification code)
  • Google authenticator (user is asked to enter an OTP from the authenticator app)
  • Google Prompt
  • IDV any phone (user is asked for a phone number and then enters a code sent to that phone)
  • IDV pre-registered phone
  • Internal two factor
  • Knowledge employee ID (user proves knowledge of employee ID)
  • Knowledge pre-registered email (user proves knowledge of pre-registered email)
  • Knowledge pre-registered phone (user proves knowledge of pre-registered phone)
  • Login location (user signs in from their usual login location)
  • None
  • Offline OTP (user enters OTP code they receive from settings on their Android phone)
  • Other
  • Security key (user passes the security key cryptographic challenge)
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a domain name in the Domain field.
Event
  • Is
  • Is not

Choose from the following:

  • Failed login
  • Leaked password
  • Login challenge
  • Login verification
  • Logout
  • Successful login
  • Suspicious login
  • Suspicious login (less secure app)
  • Suspicious programmatic login
  • User suspended
  • User suspended (spam through relay)
  • User suspended (spam)
  • User suspended (suspicious activity)
IP address
  • Is
  • Is not
  • Contains
  • Does not contain
Type an IP address in the IP address field.
Is second factor
  • Is
  • Is not

Choose from the following:

  • True
  • False
Is suspicious
  • Is
  • Is not

Choose from the following:

  • True
  • False
Login time
  • Before
  • After

Choose from the following:

  • Before
  • After
Login type
  • Is
  • Is not

Choose from the following:

  • Exchange
  • Google password
  • Re-auth
  • SAML
  • Unknown
User
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the User field.

Note:

  • Include the User filter in your search to set the filter to the user account that you're investigating. 
  • Only include the Affected user filter in your search for system actions taken on a user account.
Organizational unit
  • Is

Choose an organizational unit from the list.

Users

Condition    
Email
  • Is
  • Is not

Type a valid email address in the Email field.

Note: This address can match the primary email address or other email addresses of a user.

First name
  • Is
  • Is not

Type a value in the First name field.

Last name
  • Is
  • Is not

Type a value in the Last name field.

Last login
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Super administrator
  • Is
  • Is not

Choose from the following:

  • True
  • False
Delegated administrator
  • Is
  • Is not

Choose from the following:

  • True
  • False
Enrolled in 2SV
  • Is
  • Is not

Choose from the following:

  • True
  • False
2SV enforced for org
  • Is
  • Is not

Choose from the following:

  • True
  • False
Suspended ID
  • Is
  • Is not

Choose from the following:

  • True
  • False
Change password at login
  • Is
  • Is not

Choose from the following:

  • True
  • False
Mailbox setup
  • Is
  • Is not

Choose from the following:

  • True
  • False
Organizational unit
  • Is

Choose an organizational unit from the list.

Chrome log events

Condition    
Browser version
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Browser version.

This is the browser version used—for example, as displayed when a user enters chrome://version in their Chrome browser address bar.

Content hash
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Content hash.

This is the SHA256 hash of the content.

Content name
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Content name.

This is the name of the content—for example, a file name.

Content size
  • Equals
  • Less than or equal to
  • Greater than or equal to

Enter a value for Content size.

This is the size of the content transferred, in bytes.

Content type
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Content type.

This is the MIME type (Multipurpose Internet Mail Extensions type) of the content that was transferred—for example, text or html.

Date
  • Before 
  • After

Enter a value for date and time.

This is the date and time an event happened. The date is typically stored in UTC but displayed in the local time.

Device ID
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Device ID.

The device ID is the unique identifier for a device.

Device name
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Device name.

The device name is the machine name or hostname for a device.

Device platform
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Device platform.

The device platform is the OS platform name and version—for example, Windows 10 or Mac OS X 10.14.6.

Device user
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Device user.

This is the username of the user that's signed in to the device.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Domain.

This is the domain name part of the URL—for example, solarmora.com.

Event
  • Is
  • Is not

Choose from the following events:

  • Content unscanned—There are multiple reasons why a file is unscanned. For example, the file could be password protected, the file is too large, the DLP scan failed, the malware scan failed, or the malware scan is for an unsupported file type.
  • Malware transfer—The content transferred by the user is considered to be malicious, dangerous, or unwanted. 
  • Password changed—The user reset their password.
  • Password reuse—The user has entered a password into a URL that’s outside of the list of allowed enterprise login URLs. This is triggered if it's a phishing URL or if a user tries to sign in with their corporate password to an unauthorized site.
  • Sensitive data transfer—The content uploaded, downloaded or pasted by the user is considered to contain sensitive data, as detected by data protection rules.
  • Unsafe site visit—The URL visited by the user is considered to be deceptive or malicious. This could be due to an SSL error, malware, social engineering, or unwanted software.
Event reason
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Event reason.

Examples of event reasons include the following:

  • Sensitive data transfer—This is the list of data protection rules that triggered the warning. If there are multiple rules triggered, then the names are comma separated. 
  • Malware transfer—This is the list of reasons why content is considered malicious.
  • Unsafe site visits—This is the list of reasons why a site shouldn’t be visited.
  • Content unscanned—This is the list of reasons why content is not scanned.
  • Password reuse—This is the reason why password reuse is detected.
Event result
  • Is
  • Is not

Choose from the following:

  • Allowed
  • Blocked
  • Bypassed
  • Warned

This is the result of the event based on the policies and rules that are set.

Profile user
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Profile user.

This is the Chrome browser profile of the current user.

Trigger type
  • Is
  • Is not

Choose from the following:

  • File download
  • File upload
  • Unspecified
  • Web content upload

This is the user action that triggered the event. 

Trigger user
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Trigger user.

This is the username related to the event—for example, the username for a password reuse event, or the username for which a password is reset.

URL
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for URL.

This is the URL of the content.

User agent
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for User agent.

This is the user agent string of the browser used to access the content—for example:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4140.0 Safari/537.36
 

Organizational unit
  • Is

Choose an organizational unit from the list.

Chrome browsers

Condition    
Browser ID
  • Contains

Enter a value for Browser ID.

Chrome version
  • Contains

Enter a value for Chrome version.

Device ID
  • Contains
Enter a value for Device ID.
Device name
  • Contains
Enter a value for Device name.
Device OS version
  • Is

Choose from the following:

  • Linux 
  • Mac
  • Windows
Device type
  • Is

Enter a value for Device type.

Machine user
  • Is
Enter a value for Machine user.
Registration time
  • Before
  • After
Enter a value for the Registration time.

Calendar log events

Condition    
Access level
  • Is
  • Is not

Choose from the following:

  • Editor
  • Freebusy
  • None
  • Owner
  • Read
  • Root
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Actor (user email address).

API kind
  • Is
  • Is not

Choose from the following:

  • Android
  • CalDAV API
  • Events from Gmail
  • EWS API
  • GData API
  • ICS
  • iOS App
  • REST API V3
  • Unknown
  • Web
Calendar ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Calendar ID.
Date
  • Before
  • After

Enter a value in the Date field.

Event
  • Is
  • Is not

Choose from the following:

  • Calendar access level(s) changed
  • Calendar country changed
  • Calendar created
  • Calendar deleted
  • Calendar description changed
  • Calendar location changed
  • Calendar timezone changed
  • Calendar title changed
  • Event created
  • Event deleted
  • Event guest added
  • Event guest auto-response
  • Event guest removed
  • Event guest response changed
  • Event modified
  • Event removed from trash
  • Event restored
  • Event start time changed
  • Event title modified
  • Notification triggered
  • Subscription created
  • Subscription deleted
  • Successful availability lookup of a calendar on Exchange from Google
  • Successful availability lookup of a calendar on Google from Exchange
  • Successful availability lookup of Exchange Resource
  • Successful lookup of Exchange Resource List
  • Unsuccessful availability lookup of a calendar on Exchange from Google
  • Unsuccessful availability lookup of a calendar on Google from Exchange
  • Unsuccessful availability lookup of Exchange Resource
  • Unsuccessful lookup of Exchange Resource List
Event end time
  • Before
  • After
Enter a value for the Event end time.
Event ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Event ID.
Event start time
  • Before 
  • After
Enter a value for the Event start time.
Event title
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Event title.
Guest response status
  • Is
  • Is not

Choose from the following:

  • Accepted
  • Declined
  • Deleted
  • Mark as spam
  • Maybe
  • Not invited
  • Not responded
  • Organizer
Interop error code
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Interop error code.
IP address
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the IP address.
New value
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for New value.
Notification message ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Notification message ID.
Notification method
  • Is
  • Is not

Choose from the following:

  • Alert
  • Default
  • Email
  • SMS
Notification type
  • Is
  • Is not

Choose from the following:

  • Calendar access granted
  • Calendar access request
  • Cancelled event
  • Changed event
  • Daily agenda
  • Email guests
  • Event ownership change
  • Event reminder
  • Event response
  • New event
Old event title
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Old event title.
Organizational unit
  • Is
Select an organizational unit from the list.
Organizer calendar ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Organizer calendar ID.
Remote exchange server URL
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Remote exchange server URL.
Request period end time
  • Before
  • After
Enter a value for the Request period end time.
Request period start time
  • Before
  • After
Enter a value for the Request period start time.
Subscriber calendar ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the Subscriber calendar ID.
Target user
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Target user.
User agent
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for User agent.

Chat log events

Condition    
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Actor (user email address).

Attachment hash
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Attachment hash.

Attachment name
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Attachment name.
Attachment URL
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Attachment URL.
Date
  • Before
  • After

Enter a value for the date.

Event
  • Is
  • Is not

Choose from the following:

  • Attachment downloaded
  • Attachment uploaded
  • Direct message started
  • Invite sent
  • Message edited
  • Message sent
  • Room created
  • Room member added
  • Room member removed
External room
  • Is
  • Is not

Choose from the following:

  • False
  • True
  • Unknown
Message ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Message ID.
Organizational unit
  • Is
Select an organizational unit from the list.
Recipient
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Recipient.
Room history setting
  • Is
  • Is not

Choose from the following:

  • Ephemeral
  • Permanent
Room ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Room ID.
Room name
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Room name.

Groups log events

Condition    
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Actor.

Date
  • Before
  • After

Enter a value for the date.

Event
  • Is
  • Is not

Choose from the following:

  • Accept invitation
  • Add info setting
  • Add user
  • Always post from user
  • Approve join request
  • Ban user with moderation
  • Change ACL
  • Change basic settings
  • Change identity setting
  • Change info setting
  • Change new member restriction setting
  • Change post replies setting
  • Change spam moderation setting
  • Change topic setting
  • Create group
  • Delete group
  • Invite user
  • Join
  • Moderate message
  • Reinvite user
  • Reject join request
  • Remove info setting
  • Remove user
  • Request to join
  • Revoke invitation
Group email
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Group email.

Group permission setting
  • Is
  • Is not

Choose from the following:

  • Can add members
  • Can add references
  • Can approve members
  • Can approve messages
  • Can assign topics
  • Can attach files
  • Can authoritative reply
  • Can ban users
  • Can change tags and categories
  • Can contact owner
  • Can delete any post
  • Can delete topics
  • Can edit forum alerts
  • Can edit others post
  • Can edit own post
  • Can enter free tags
  • Can have custom photo
  • Can hide abuse
  • Can invite members
  • Can join
  • Can lock topics
  • Can mark duplicate
  • Can mark favorite reply on own topics
  • Can mark favorite reply others
  • Can mark no response needed
  • Can mark topics as sticky
  • Can me too
  • Can modify members
  • Can modify roles
  • Can move individual messages
  • Can move topics in
  • Can move topics out
  • Can post
  • Can post announcements
  • Can post as group
  • Can post moderated
  • Can post rich text
  • Can reply to author
  • Can reply to auto closed
  • Can send private messages
  • Can take topics
  • Can unassign topics
  • Can unmark favorite reply
  • Can use canned responses
  • Can view member emails
  • Can view members
  • Can view topics
Info setting value
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Info setting value.
Message ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Message ID.
Message moderation
  • Is
  • Is not

Choose from the following:

  • Approved
  • Rejected
New value
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for New value.
Old value
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Old value.
Organizational unit
  • Is
Select an organizational unit from the list.

Role

  • Is
  • Is not

Choose from the following:

  • Manager
  • Member
  • Owner
Setting
  • Is
  • Is not

Choose from the following:

  • Allow external members
  • Allow posting by email
  • Allow web posting
  • Allowed topic types
  • Archive messages
  • Authors receive bounce replies
  • Categories enabled
  • Custom footer
  • Custom reply to address
  • Default topic type
  • Display names are unique
  • Group email
  • Group language
  • Group name
  • How to handle suspected spam messages
  • Include custom footer
  • Include group web URL in footer
  • List this group in the directory
  • Maximum message size
  • New member can post
  • New members can post moderated
  • Notify authors when moderators reject their messages
  • Required forms of identity
  • Subject prefix
  • Suppress email footer separator
  • Tags enabled
  • Where should replies be sent
Status
  • Is
  • Is not

Choose from the following:

  • Failed
  • Succeeded
Target
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Target.

Meet log events

Condition    
Actor
  • Is
  • Is not

Enter a value for Actor.

Actor name
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Actor name.

Actor type
  • Is
  • Is not

Choose from the following:

  • Email address
  • Meet hardware device ID
  • Phone number
Calendar event ID
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Calendar event ID.

Call rating
  • Equals
  • Less than or equal to
  • Greater than or equal to

Enter a value for Call rating.

City
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for City.
Client type
  • Is
  • Is not

Choose from the following:

  • Android
  • Chromebase
  • Chromebox
  • Endpoint joining over the 3rd party system
  • iOS
  • Jamboard
  • Other device type
  • PSTN dial-in
  • PSTN dial-out
  • Web browser
Conference ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Conference ID.
Country
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Country (a 2-character ISO code).
Date
  • Before
  • After
Enter a value for the date.
Duration
  • Equals
  • Less than or equal to
  • Greater than or equal to
Enter a value for Duration.

Endpoint ID

  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Endpoint ID.
Event
  • Is
  • Is not

Choose from the following:

  • Endpoint left
  • Livestream watched
IP address
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for IP address.
Livestream view page ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Livestream view page ID.
Meeting ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Meeting ID.
Organizational unit
  • Is
Select an organizational unit from the list.
Organizer email
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Organizer email.
Participant outside organization
  • Is
  • Is not

Choose from the following:

  • True
  • False
Product type
  • Is
  • Is not

Choose from the following:

  • Classic Hangouts
  • Hangouts Meet
  • Other

 

Voice log events

Condition    
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Actor (user email address).

Call destination
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Call destination.

Call source
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Call source.

Cost
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for Cost.

Date
  • Before
  • After

Enter a value for the date.

Desk phone ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Desk phone ID.
Desk phone model
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Desk phone model.
Duration
  • Equals
  • Less than or equal to
  • Greater than or equal to
Enter a value for Duration.
Event
  • Is
  • Is not

Choose from the following:

  • Auto attendant deleted
  • Auto attendant published
  • Call placed
  • Call placed (Meet)
  • Call received
  • Call received (auto attendant)
  • Call received (Meet)
  • Call received (ring group)
  • Call transferred
  • Call transferred (auto attendant)
  • Call transferred (ring group)
  • Desk phone deprovisioned
  • Desk phone provisioned
  • Missing voicemail recipient (auto attendant)
  • Missing voicemail recipient (ring group)
  • Number assigned
  • Number assigned (auto attendant)
  • Number assigned (desk phone)
  • Number assigned (ring group)
  • Number unassigned
  • Number unassigned (auto attendant)
  • Number unassigned (desk phone)
  • Number unassigned (ring group)
  • Ring group deleted
  • Ring group edited
  • Text message received
  • Text message sent
  • Transfer to user failed (auto attendant)
  • Transfer to user failed (ring group)
  • User assigned (desk phone)
  • User unassigned (desk phone)
  • Voicemail delivery failed (auto attendant)
  • Voicemail delivery failed (ring group)
  • Voicemail forward failed (auto attendant)
  • Voicemail forward failed (ring group)
  • Voicemail received (auto attendant)
  • Voicemail received (ring group)
Google Meet ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Google Meet ID.
Is group conversation
  • Is
  • Is not

Choose from the following:

  • False
  • True
  • Unspecified
New address
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for New address.
Organizational unit
  • Is

Choose an organizational unit from the list.

Phone number
  • Is
  • Is not
  • Contains
  • Does not contain

Enter a value for the phone number.

Service ID
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for the service ID.
Service name
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Service name.
Target
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Target.
Voicemail recipient
  • Is
  • Is not
  • Contains
  • Does not contain
Enter a value for Voicemail recipient.

 

 
