Customize searches within the investigation tool

Supported editions for this feature: Enterprise; Education Standard and Plus. Compare your edition

Using the security investigation tool, you can customize your searches by entering multiple search conditions. The available conditions vary depending on the data source for your search (for example, Device log events or Drive log events).

For more details about which features in the investigation tool are available for your Google service, go to Data sources & conditions in the investigation tool below. For example, to see the supported editions for the Device log events data source, click Device log events.

To run a search with the investigation tool:

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
On the Admin console Home page, go to SecurityInvestigation tool.
Choose a data source for your search. For example, choose Device log events, Devices, Drive log events, or Gmail log events.
Note: Available data sources will vary depending on your Google Workspace edition.
Click ADD CONDITION.
You can include one or more conditions in your search. For details about conditions that are available for each data source, see the sections below. You also have the option to customize your search with nested queries—searches with 2 or 3 levels of conditions (for details, see the section below).
Click SEARCH.

Note: If you narrow the date range for your search, your results will appear in the investigation tool sooner. For example, if you narrow the search to events that happened in the last week, the query will return faster than if you search without restricting the query to a shorter period of time.

Customize your search with nested queries

When customizing your search in the investigation tool, you can include one or more conditions in your search. If you're customizing a search that has at least 2 conditions, you also have the option to create nested queries—in other words, searches that include 2 or 3 levels of conditions.

Using nested queries enables you to narrow your search by specifying queries that are much more granular and that are targeted to specific types of events. Do this by clicking Add condition group while customizing your search.

For example, you might want to run a search about inbound emails in your organization to investigate users who are receiving attachments. Additionally, you might want to narrow your search by including only users who are opening those attachments or clicking links within the emails. When customizing your search, you would base the search on the Gmail log events data source, and you would set up the following conditions for your search:

The email must have an attachment.
AND the user must either open the attachment OR click a link in the email.

Note: Most data sources enable 3-level nested queries. The Users data source enables only 2-level nested queries, while the Chrome browsers data source doesn't enable nested queries.

Take action based on search results

Once you are finished conducting a search in the investigation tool, you have the option to take action based on the results of your searches. For example, you can conduct a search based on Gmail log events, and then use the investigation tool to delete specific messages, mark messages as spam or phishing, send messages to quarantine, or send messages to users' inboxes. For more details about actions in the investigation tool, see Take action based on search results.

Group results by attribute when customizing a search

When customizing a search in the investigation tool, you can group items by a particular search attribute to quickly understand the breadth of an issue. For example, when conducting a search based on device log events, you can group the search criteria based on the device model.

To group results by specific attributes when customizing your search:

During your search, click GROUP RESULTS.
From the drop-down menu, choose a condition for your search—for example, Device model.
Click SEARCH.

With this example, a list of devices is displayed in the list of search results. For each item in the search results, a name for the device model is displayed, and the number of occurrences is displayed for each device model, with the highest number of occurrences listed at the top.

You can then add more conditions to the search criteria by scrolling over items in the search results, clicking the More icon, and then clicking Add condition to search.

Note: Occurrences is referring to the number of events logged in the corresponding reports. For example, if you group by Group email, the column occurrences will have a value corresponding to the number of entries in the Groups Audit log section of the Google Admin console when filtering all events by the given group address.

Data sources & conditions in the investigation tool

Device log events

Supported editions: Enterprise, Education, Cloud Identity Premium

Condition
Date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Device ID	Is Is not	Type a value in the Device ID field.
Event	Is Is not	Choose from the following: Account registration change Device compliance status Device OS update Work profile support Device settings change Device compromise Failed password attempts Suspicious activity Device application change ADB events Screen lock events Device ownership change Network event Device action event
Device owner	Is Is not Contains Does not contain	Type a value in the Device owner field (valid email address).
Device type	Is Is not	Choose from the following: Android iOS Mac Windows Chrome OS
Device model	Is Is not Contains Does not contain	Type a value in the Device model field.
Failed password attempts	Equals Less than or equal to Greater than or equal to	Type a number in the Numeric value field.
Device compromised state	Is Is not	Choose from the following: Compromised Not compromised
Device property	Is Is not	Choose from the following: Device Model Serial Number IMEI Number MEID Number WiFi MAC Address Device Policy App Privilege Manufacturer Device Brand Device Hardware Bootloader Version
Device setting	Is Is not	Choose from the following: Developer Options Unknown Sources USB Debugging Verify Apps
Application SHA-256 hash	Is Is not	Type a value in the SHA-256 hash field.
Application ID	Is Is not	Type a value in the Application ID field.
Application state	Is Is not	Choose from the following: Installed Uninstalled Updated
Account state	Is Is not	Choose from the following: Registered Unregistered
Register privilege	Is Is not	Choose from the following: Device Administrator Device Owner Profile Owner
Device ownership	Is Is not	Choose from the following: Company Owned User Owned
New device ID	Is Is not	Type a value in the Device ID field.
Resource ID	Is Is not	Type a value in the Resource ID field.
Serial number	Is Is not	Type a value in the Serial number field.
iOS vendor ID	Is Is not	Type a value in the iOS vendor ID field.
Domain	Is Is not Contains Does not contain	Type a value in the Domain field.
Device compliance state	Is Is not	Choose from the following: Compliant Non-compliant
OS property	Is Is not	Choose from the following: OS version Build number Kernel version Baseband version Security patch Device bootloader
Organizational unit	Is	Choose an organizational unit from the list.

Devices

Supported editions: Enterprise, Education, Cloud Identity Premium

Condition
Device ID	Is Is not	Type a value in the Device ID field.
Device owner	Is Is not	Type a value in the Device owner field (valid email address).
Device type	Is Is not	Choose from the following: Android iOS Mac Windows Chrome OS
Device model	Is Is not	Type a value in the Device model field.
Status	Is Is not	Choose from the following: Pending Running Blocked Wiping Wiped Unprovisioned Account Wiping Account Wiped Registered Unregistered Deactivated Approved
Last sync date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Device compromised state	Is Is not	Choose from the following: Compromised Not compromised
Password status	Is Is not	Choose from the following: On Off
Management type	Is Is not	Choose from the following: None Basic Advanced
Security patch update	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Registered date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Carrier	Is Is not	Type a value in the Carrier field.

Drive log events

Supported editions: Enterprise Plus, Education

Condition
Date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Document ID	Is Is not	Type a value in the Document ID field.
Title	Is Is not Contains Does not contain	Type a value in the Title field.
Document type	Is Is not	Choose from the following: Google Document Google Spreadsheet Google Presentation Folder Google Form Google Drawing Shared drive Text file JPEG PDF PNG MP4 Microsoft Word Microsoft Excel HTML MPEG Quicktime Microsoft Powerpoint Google Sites
Prior visibility	Is Is not	Choose from the following: Private Shared internally People within domain with link Public in the domain Shared externally People with link Public on the web
Visibility	Is Is not	Choose from the following: Private Shared internally People within domain with link Public in the domain Shared externally People with link Public on the web
Event	Is Is not	Choose from the following: Create Upload Edit View Rename Move Add to folder Remove from folder Trash Delete Remove from trash Download Preview Print Change owner Change ACL editors Change access scope Change document visibility Change user access Change shared drive membership
Actor	Is Is not Contains Does not contain	Enter a value for Actor field (user email address). Note: The actor is the user that triggered an event by modifying a file.
Owner	Is Is not Contains Does not contain	Type a username in the Owner field.
Target	Is Is not Contains Does not contain	Type a value in the Target field. Note: The target is the user or group that was added or removed from a file.
Visibility change	Is Is not	Choose from the following: Internal External None
IP address	Is Is not Contains Does not contain	Type a value in the IP address field.
Domain	Is Is not Contains Does not contain	Type a value in the Domain field.
Organizational unit	Is	Choose an organizational unit from the list.

About the visibility of files in a shared drive

In your My Drive folder, a file that's only visible to the owner has a visibility of Private. However, In a shared drive, even if a file is not explicitly shared with other users, it has a visibility of Shared internally (shared drive files cannot have a visibility of Private).

Gmail log events

Supported editions: Enterprise Plus, Education

Condition
Date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Message ID	Is Is not	Type a value in the Message ID field.
Subject	Is Is not Contains Does not contain	Type a value in the Subject field.
Event	Is Is not	Choose from the following: Admin quarantine Attachment download Attachment link click Attachment save to Drive Autoforwarded Drive item save to Drive Late spam classification Link click Mark unread Move out of trash Move to inbox Move to trash Open Receive Release from quarantine Reply Send User spam classification
From (Header address)	Is Is not Contains Does not contain	Type an address in the From (Header address) field.
From (Envelope)	Is Is not Contains Does not contain	Type an address in the From (Envelope) field.
To (Envelope)	Is Is not Contains Does not contain	Type an address in the To (Envelope) field.
Owner	Is Is not Contains Does not contain	Type a username in the Owner field.
Domain	Is Is not Contains Does not contain	Type a name in the Domain field.
Has attachment	Is Is not	Choose from the following: True False
Attachment hash	Is Is not	Type a value in the SHA-256 hash field.
Attachment name	Is Is not Contains Does not contain	Type a name in the Attachment name field.
Attachment malware family	Is Is not	Choose from the following: Known malicious program Virus/worm Content may be harmful Potentially unwanted Other
IP Address	Is Is not Contains Does not contain	Type a value in the IP address field.
From (Header name)	Is Is not Contains Does not contain	Type a name in the From (Header name) field.
Sender domain	Is Is not Contains Does not contain	Type a name in the Sender domain field.
Link domain	Is Is not Contains Does not contain	Type a name in the Link domain field.
Attachment extension	Is Is not Contains Does not contain	Type an extension in the Attachment extension field.
SPF domain	Is Is not Contains Does not contain	Type a name in the SPF domain field.
DKIM domain	Is Is not Contains Does not contain	Type a name in the DKIM domain field.
Traffic source	Is Is not	Choose from the following: External Internal
Spam classification	Is Is not	Choose from the following: Clean (not classified as spam, phishing, suspicious, or malware) Spam Phishing Suspicious Malware
Spam classification reason	Is Is not	Choose from the following: Custom Rule Default Past User Action Suspicious Content Suspicious Link Suspicious Attachment Type DMARC Domain in Public RBLs RFC Violation GMAIL Policy Violation Machine Learning Verdict Sender Reputation Blatant Spam GMAIL Safety Setting
Geo location	Is Is not Contains Does not contain	Type a value in the Geo location field.
OAuth project ID	Equals Less than or equal to Greater than or equal to	Type a value for the OAuth project ID.
Target link URL	Is Is not Contains Does not contain	Type a value for the Target link URL.
Target attachment hash	Is Is not	Type a value for the Target attachment hash.
Target attachment name	Is Is not	Type a value for the Target attachment name.
Target attachment malware family	Is Is not	Choose from the following: Content may be harmful Known malicious program Other Potentially unwanted Virus/worm
Target drive ID	Is Is not Contains Does not contain	Type a value for the Target drive ID.

Gmail messages

Supported editions: Enterprise Plus, Education

Condition
Subject	Is Is not	Type a subject in the Subject field.
Message ID	Is Is not	Type a value in the Message ID field.
Date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Sender	Is Is not	Type a sender in the Sender field.
Recipient	Is Is not	Type a recipient in the Recipient field.
Label	Is Is not	Choose from the following: Inbox Trash Spam Unread Starred Phishing Admin quarantine
Attachment name	Is Is not	Type an attachment name in the Attachment name field.
Has attachment	Is Is not	Choose from the following: True False
Cc	Is Is not	Type a valid email address in the Cc field.
Bcc	Is Is not	Type a valid email address in the Bcc field.
All content	Contains word Does not contain word	Type a value in the All content field.
Message size	Greater than or equal to Less than or equal to	Type a value in the Message size field.

Rule log events

Supported editions: Enterprise, Education, Cloud Identity Premium

Condition	Operator
Actor	Is Is not Contains Does not contain	Enter a value for Actor (user email address).
Data source	Is Is not	Choose from the following: Device Drive Gmail User
Date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Detector ID	Is Is not Contains Does not contain	Type a domain name in the Detector ID field.
Detector name	Is Is not Contains Does not contain	Type a domain name in the Detector name field.
Event	Is Is not	Choose from the following: Action complete Rule trigger
Recipient	Is Is not Contains Does not contain	Type a domain name in the Recipient field.
Resource ID	Is Is not	Enter a value in the Resource ID field.
Resource owner	Is Is not Contains Does not contain	Enter a value in the Resource owner field.
Resource title	Is Is not Contains Does not contain	Enter a value in the Resource title field.
Resource type	Is Is not	Choose from the following: Device Document Email User
Rule ID	Is Is not	Enter a value in the Rule ID field.
Rule name	Is Is not Contains Does not contain	Enter a value in the Rule name field.
Rule type	Is Is not	Choose from the following: Activity Rule DLP
Scan type	Is Is not	Choose from the following: Drive continuous scan Drive single resource scan
Severity	Is Is not	Choose from the following: High Low Medium
Suppressed action	Is Is not	Choose from the following: Alert Device account wipe Device approve Device block Device cancel account wipe Device cancel wipe Device wipe Drive block external sharing Drive delete permission Drive disable download, print, and copy for commenters and viewers Drive insert permission Drive update permission Drive warn on external sharing Gmail change envelope recipient Gmail mark as phishing Gmail mark as spam Gmail modify headers Gmail modify route Gmail modify subject Gmail quarantine Gmail reject Gmail restore Gmail send to inbox Gmail soft delete User delete User reset password User restore User suspend
Trigger	Is Is not Contains Does not contain	Enter a value in the Trigger field.
Triggered action	Is Is not	Choose from the following: Alert Device account wipe Device approve Device block Device cancel account wipe Device cancel wipe Device wipe Drive block external sharing Drive delete permission Drive disable download, print, and copy for commenters and viewers Drive insert permission Drive update permission Drive warn on external sharing Gmail change envelope recipient Gmail mark as phishing Gmail mark as spam Gmail modify headers Gmail modify route Gmail modify subject Gmail quarantine Gmail reject Gmail restore Gmail send to inbox Gmail soft delete User delete User reset password User restore User suspend
Triggering client IP	Is Is not Contains Does not contain	Enter a value in the Triggering client IP field.
Triggering user email	Is Is not Contains Does not contain	Enter a value in the Triggering user email field.
Organizational unit	Is	Choose an organizational unit from the list.

User log events

Supported editions: Enterprise, Education, Cloud Identity Premium

Condition
Affected user	Is Is not Contains Does not contain	Type a user in the Affected user field. Note: Only include the Affected user filter in your search for system actions taken on a user account. Include the User filter in your search to set the filter to the user account that you're investigating.
Challenge types	Is Is not	Choose from the following: Backup code (user is asked to enter a backup verification code) Google authenticator (user asked to enter OTP from authenticator app) Google Prompt IDV any phone (user is asked for a phone number and then enters a code sent to that phone) IDV pre-registered phone Internal two factor Knowledge employee ID (user proves knowledge of employee ID) Knowledge pre-registered email (uiser proves knowledge of pre-registered email) Knowledge pre-registered phone (user proves knowledge of pre-registered phone) Login location (user signs in from their usual login location) None Offline OTP (user enters OTP code they receive from settings on their Android phone) Other Security key (user passes the security key cryptographic challenge)
Date	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Domain	Is Is not Contains Does not contain	Type a domain name in the Domain field.
Event	Is Is not	Choose from the following: Failed login Leaked password Login challenge Login verification Logout Successful login Suspicious login Suspicious login (less secure app) Suspicious programmatic login User suspended User suspended (spam through relay) User suspended (spam) User suspended (suspicious activity)
IP address	Is Is not Contains Does not contain	Type an IP address in the IP address field.
Is second factor	Is Is not	Choose from the following: True False
Is suspicious	Is Is not	Choose from the following: True False
Login time	Before After	Choose from the following: Before After
Login type	Is Is not	Choose from the following: Exchange Google password Re-auth SAML Unknown
User	Is Is not Contains Does not contain	Type a value in the User field. Note: Include the User filter in your search to set the filter to the user account that you're investigating. Only include the Affected user filter in your search for system actions taken on a user account.
Organizational unit	Is	Choose an organizational unit from the list.

Users

Supported editions: Enterprise, Education, Cloud Identity Premium

Condition
Email	Is Is not	Type a valid email address in the Email field. Note: This address can match the primary email address or other email addresses of a user.
First name	Is Is not	Type a value in the First name field.
Last name	Is Is not	Type a value in the Last name field.
Last login	Before After	Type a date in the Date field. Use the following format: YYYY-MM-DDThh:mm:ss
Super administrator	Is Is not	Choose from the following: True False
Delegated administrator	Is Is not	Choose from the following: True False
Enrolled in 2SV	Is Is not	Choose from the following: True False
2SV enforced for org	Is Is not	Choose from the following: True False
Suspended ID	Is Is not	Choose from the following: True False
Change password at login	Is Is not	Choose from the following: True False
Mailbox setup	Is Is not	Choose from the following: True False
Organizational unit	Is	Choose an organizational unit from the list.

Chrome log events

Available to BeyondCorp Enterprise customers only

Condition
Browser version	Is Is not Contains Does not contain	Enter a value for Browser version. This is the browser version used—for example, as displayed when a user enters chrome://version in their Chrome browser address bar.
Content hash	Is Is not Contains Does not contain	Enter a value for Content hash. This is the SHA256 hash of the content.
Content name	Is Is not Contains Does not contain	Enter a value for Content name. This is the name of the content—for example, a file name.
Content size	Equals Less than or equal to Greater than or equal toq	Enter a value for Content size. This is the size of the content transferred, in bytes.
Content type	Is Is not Contains Does not contain	Enter a value for Content type. This is the mime type (multipurpose internet mail extensions type) of the content that was transferred—for example, text or html.
Date	Before After	Enter a value for date and time. This is the date and time an event happened. The date is typically stored in UTC but displayed in the local time.
Device ID	Is Is not Contains Does not contain	Enter a value for Device ID. The device ID is the unique identifier for a device.
Device name	Is Is not Contains Does not contain	Enter a value for Device name. The device name is the machine name or hostname for a device.
Device platform	Is Is not Contains Does not contain	Enter a value for Device platform. The device platform is the OS platform name and version—for example, Windows 10 or Mac OS X 10.14.6.
Device user	Is Is not Contains Does not contain	Enter a value for Device user. This is the username of the user that's signed in to the device.
Domain	Is Is not Contains Does not contain	Enter a value for Domain. This is the domain name part of the URL—for example, solarmora.com.
Event	Is Is not	Choose from the following events: Content unscanned—There are multiple reasons why a file is unscanned. For example, the file could be password protected, the file is too large, the DLP scan failed, the malware scan failed, or the malware scan is for an unsupported file type. Malware transfer—The content transferred by the user is considered to be malicious, dangerous, or unwanted. Password changed—The user reset their password. Password reuse—The user has entered a password into a URL that’s outside of the list of allowed enterprise login URLs. This is triggered if it's a phishing URL or if a user tries to sign in with their corporate password to an unauthorized site. Sensitive data transfer—The content uploaded, downloaded or pasted by the user is considered to contain sensitive data, as detected by data protection rules. Unsafe site visit—The URL visited by the user is considered to be deceptive or malicious. This could be due to an SSL error, malware, social engineering, or unwanted software.
Event reason	Is Is not Contains Does not contain	Enter a value for Event reason. Examples of event reasons include the following: Sensitive data transfer—This is the list of data protection rules that triggered the warning. If there are multiple rules triggered, then the names are comma separated. Malware transfer—This is the list of reasons why content is considered malicious. Unsafe site visits—This is the list of reasons why a site shouldn’t be visited. Content unscanned—This is the list of reasons why content is not scanned. Password reuse—This is the reason why password reuse is detected.
Event result	Is Is not	Choose from the following: Allowed Blocked Bypassed Warned This is the result of the event based on the policies and rules that are set.
Profile user	Is Is not Contains Does not contain	Enter a value for Profile user. This is the Chrome browser profile of the current user.
Trigger type	Is Is not	Choose from the following: File download File upload Unspecified Web content upload This is the user action that triggered the event.
Trigger user	Is Is not Contains Does not contain	Enter a value for Trigger user. This is the username related to the event—for example, the username for a password reuse event, or the username name for which a password is reset.
URL	Is Is not Contains Does not contain	Enter a value for URL. This is the URL of the content.
User agent	Is Is not Contains Does not contain	Enter a value for User agent. This is the user agent string of the browser used to access the content—for example: `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4140.0 Safari/537.36`
Organizational unit	Is	Choose an organizational unit from the list.

Chrome browsers

Available to BeyondCorp Enterprise customers only

Condition
Browser ID	Contains	Enter a value for Browser ID.
Chrome version	Contains	Enter a value for Chrome version.
Device ID	Contains	Enter a value for Device ID.
Device name	Contains	Enter a value for Device name.
Device OS version	Is	Choose from the following: Linux Mac Windows
Device type	Is	Enter a value for Device type.
Machine user	Is	Enter a value for Machine user.
Registration time	Before After	Enter a value for the Registration time.

Calendar log events

Supported editions: Enterprise Plus, Education

Condition
Access level	Is Is not	Choose from the following: Editor Freebusy None Owner Read Root
Actor	Is Is not Contains Does not contain	Enter a value for Actor (user email address)
API kind	Is Is not	Choose from the following: Android CalDAV API Events from Gmail EWS API GData API ICS iOS App REST API V3 Unknown Web
Calendar ID	Is Is not Contains Does not contain	Enter a value for Calendar ID.
Date	Before After	Enter a value in the Date field.
Event	Is Is not	Choose from the following: Calendar access level(s) changed Calendar country changed Calendar created Calendar deleted Calendar description changed Calendar location changed Calendar timezone changed Calendar title changed Event created Event deleted Event guest added Event guest auto-response Event guest removed Event guest response changed Event modified Event removed from trash Event restored Event start time changed Event title modified Notification triggered Subscription created Subscription deleted Successful availability lookup of a calendar on Exchange from Google Successful availability lookup of a calendar on Google from Exchange Successful availability lookup of Exchange Resource Successful lookup of Exchange Resource List Unsuccessful availability lookup of a calendar on Exchange from Google Unsuccessful availability lookup of a calendar on Google from Exchange Unsuccessful availability lookup of Exchange Resource Unsuccessful lookup of Exchange Resource List
Event end time	Before After	Enter a value for the Event end time.
Event ID	Is Is not Contains Does not contain	Enter a value for the Event ID.
Event start time	Before After	Enter a value for the Event start time.
Event title	Is Is not Contains Does not contain	Enter a value for the Event title.
Guest response status	Is Is not	Choose from the following: Accepted Declined Deleted Mark as spam Maybe Not invited Not responded Organizer
Interop error code	Is Is not Contains Does not contain	Enter a value for the Interop error code.
IP address	Is Is not Contains Does not contain	Enter a value for the IP address.
New value	Is Is not Contains Does not contain	Enter a value for New value.
Notification message ID	Is Is not Contains Does not contain	Enter a value for Notification message ID.
Notification method	Is Is not	Choose from the following: Alert Default Email SMS
Notification type	Is Is not	Choose from the following: Calendar access granted Calendar access request Cancelled event Changed event Daily agenda Email guests Event ownership change Event reminder Event response New event
Old event title	Is Is not Contains Does not contain	Enter a value for the Old event title.
Organizational unit	Is	Select an organizational unit from the list.
Organizer calendar ID	Is Is not Contains Does not contain	Enter a value for the Organizer calendar ID.
Remote exchange server URL	Is Is not Contains Does not contain	Enter a value for the Remote exchange server URL.
Request period end time	Before After	Enter a value for the Request period end time.
Request period start time	Before After	Enter a value for the Request period start time.
Subscriber calendar ID	Is Is not Contains Does not contain	Enter a value for the Subscriber calendar ID.
Target user	Is Is not Contains Does not contain	Enter a value for Target user.
User agent	Is Is not Contains Does not contain	Enter a value for User agent.

Chat log events

Supported editions: Enterprise Plus, Education

Condition
Actor	Is Is not Contains Does not contain	Enter a value for Actor (user email address)
Attachment hash	Is Is not Contains Does not contain	Enter a value for Attachment hash.
Attachment name	Is Is not Contains Does not contain	Enter a value for Attachment name.
Attachment URL	Is Is not Contains Does not contain	Enter a value for Attachment URL.
Data loss protection scan status (beta)	Is Is not	Choose from the following: Scanned Partially Scanned Failed Not Applicable
Date	Before After	Enter a value for the date.
Event	Is Is not	Choose from the following: Attachment downloaded Attachment uploaded Direct message started Invite sent Message edited Message sent Room created Room member added Room member removed
External room	Is Is not	Choose from the following: False True Unknown
Message ID	Is Is not Contains Does not contain	Enter a value for Message ID.
Organizational unit	Is	Select an organizational unit from the list.
Recipient	Is Is not Contains Does not contain	Enter a value for Recipient.
Room history setting	Is Is not	Choose from the following: Ephemeral Permanent
Room ID	Is Is not Contains Does not contain	Enter a value for Room ID.
Room name	Is Is not Contains Does not contain	Enter a value for Room name.

Groups log events

Supported editions: Enterprise Plus, Education

Condition
Actor	Is Is not Contains Does not contain	Enter a value for Actor
Date	Before After	Enter a value for the date.
Event	Is Is not	Choose from the following: Accept invitation Add info setting Add user Always post from user Approve join request Ban user with moderation Change ACL Change basic settings Change identity setting Change info setting Change new member restriction setting Change post replies setting Change spam moderation setting Change topic setting Create group Delete group Invite user Join Moderate message Reinvite user Reject join request Remove info setting Remove user Request to join Revoke invitation
Group email	Is Is not Contain Does not contain	Enter a value for Group email.
Group permission setting	Is Is not	Choose from the following: Can add members Can add references Can approve members Can approve messages Can assign topics Can attach files Can authoritative reply Can ban users Can change tags and categories Can contact owner Can delete any post Can delete topics Can edit forum alerts Can edit others post Can edit own post Can enter free tags Can have custom photo Can hide abuse Can invite members Can join Can lock topics Can mark duplicate Can mark favorite reply on own topics Can mark favorite reply others Can mark no response needed Can mark topics as sticky Can me too Can modify members Can modify roles Can move individual messages Can move topics in Can move topics out Can post Can post announcements Can post as group Can post moderated Can post rich text Can reply to author Can reply to auto closed Can send private messages Can take topics Can unassign topics Can unmark favorite reply Can used canned responses Can view member emails Can view members Can view topics
Info setting value	Is Is not Contains Does not contain	Enter a value for Info setting value.
Message ID	Is Is not Contains Does not contain	Enter a value for Message ID.
Message moderation	Is Is not	Choose from the following: Approved Rejected
New value	Is Is not Contains Does not contain	Enter a value for New value.
Old value	Is Is not Contains Does not contain	Enter a value for Old value.
Organizational unit	Is	Select an organizational unit from the list.
Role	Is Is not	Choose from the following: Manager Member Owner
Setting	Is Is not	Choose from the following: Allow external members Allow posting by email Allow web posting Allowed topic types Archive messages Authors receive bounce replies Categories enabled Custom footer Custom reply to address Default topic type Display names are unique Group email Group language Group name How to handle suspected spam messages Include custom footer Include group web URL in footer List this group in the directory Maximum message size New member can post New members can post moderated Notify authors when moderators reject their messages Required forms of identity Subject prefix Suppress email footer separator Tags enabled Where should replies be sent
Status	Is Is not	Choose from the following: Failed Succeeded
Target	Is Is not Contains Does not contain	Enter a value for Target.

Meet log events

Supported editions: Enterprise Plus, Education

Condition
Action description	Is Is not Contains Does not contain	Enter a description for the action.
Action reason	Is Is not	This search criteria includes the possible reasons for a user submitting an abuse report in Meet. Choose from the following: Child endangerment Fraud, phishing, and other deceptive practices Harassment and hateful content Malware (distributed via link in the chat window in Meet) Other abuse type selected by the reporter Spam or unwanted content Unwanted sexual content Violence and gore
Actor	Is Is not	Enter a value for Actor.
Actor name	Is Is not Contains Does not contain	Enter a value for Actor name.
Actor type	Is Is not	Choose from the following: Email address Meet hardware device ID Phone number
Calendar event ID	Is Is not Contain Does not contain	Enter a value for Calendar event ID.
Call rating	Equals Less than or equal to Greater than or equal to	Enter a value for Call rating.
City	Is Is not Contains Does not contain	Enter a value for City.
Client type	Is Is not	Choose from the following: Android Chromebase Chromebox Endpoint joining over the 3rd party system iOS Jamboard Other device type PSTN dial-in PSTN dial-out Web browser
Conference ID	Is Is not Contains Does not contain	Enter a value for Conference ID.
Country	Is Is not Contains Does not contain	Enter a value for Country (a 2-character ISO code).
Date	Before After	Enter a value for the date.
Duration	Equals Less than or equal to Greater than or equal to	Enter a value for Duration.
Endpoint ID	Is Is not Contains Does not contain	Enter a value for Endpoint ID.
Event	Is Is not	Choose from the following: Abuse report submitted Endpoint left Livestream watched
IP address	Is Is not Contains Does not contain	Enter a value for IP address.
Livestream view page ID	Is Is not Contains Does not contain	Enter a value for Livestream view page ID.
Meeting ID	Is Is not Contains Does not contain	Enter a value for Meeting ID.
Organizational unit	Is	Select an organizational unit from the list.
Organizer email	Is Is not Contains Does not contain	Enter a value for Organizer email.
Participant outside organization	Is Is not	Choose from the following: True False
Product type	Is Is not	Choose from the following: Classic Hangouts Hangouts Meet Other
Target	Is Is not Contains Does not contain	Enter the target email for the action.
Target display names	Is Is not Contains Does not contain	Enter the target display names for the action.
Target phone number	Is Is not Contains Does not contain	Enter the target phone number for the action.

Voice log events

Supported editions: Enterprise Plus

Condition
Actor	Is Is not Contains Does not contain	Enter a value for Actor (user email address).
Call destination	Is Is not Contains Does not contain	Enter a value for Call destination.
Call source	Is Is not Contain Does not contain	Enter a value for Call source.
Cost	Is Is not Contain Does not contain	Enter a value for Cost.
Date	Before After	Enter a value for the date.
Desk phone ID	Is Is not Contains Does not contain	Enter a value for Desk phone ID.
Desk phone model	Is Is not Contains Does not contain	Enter a value for Desk phone model.
Duration	Equals Less than or equal to Greater than or equal to	Enter a value for Duration.
Event	Is Is not	Choose from the following: Auto attendant deleted Auto attendant published Call placed Call placed (Meet) Call received Call received (auto attendant) Call received (Meet) Call received (ring group) Call transferred Call transferred (auto attendant) Call transferred (ring group) Desk phone deprovisioned Desk phone provisioned Missing voicemail recipient (auto attendant) Missing voicemail recipient (ring group) Number assigned Number assigned (auto attendant) Number assigned (desk phone) Number assigned (ring group) Number unassigned Number unassigned (auto attendant) Number unassigned (desk phone) Number unassigned (ring group) Ring group deleted Ring group edited Text message received Text message sent Transfer to user failed (auto attendant) Transfer to user failed (ring group) User assigned (desk phone) User unassigned (desk phone) Voicemail delivery failed (auto attendant) Voicemail delivery failed (ring group) Voicemail forward failed (auto attendant) Voicemail forward failed(ring group) Voicemail received (auto attendant) Voicemail received (ring group)
Google Meet ID	Is Is not Contains Does not contain	Enter a value for Google Meet ID.
Is group conversation	Is Is not	Choose from the following: False True Unspecified
New address	Is Is not Contains Does not contain	Enter a value for New address.
Organizational unit	Is	Choose an organizational unit from the list.
Phone number	Is Is not Contains Does not contains	Enter a value for the phone number.
Service ID	Is Is not Contains Does not contain	Enter a value for the service ID.
Service name	Is Is not Contains Does not contain	Enter a value for Service name.
Target	Is Is not Contains Does not contain	Enter a value for Target.
Voicemail recipient	Is Is not Contains Does not contain	Enter a value for Voicemail recipient.

Was this helpful?

How can we improve it?

Customize searches within the investigation tool

Customize your search with nested queries

Take action based on search results

Group results by attribute when customizing a search

Data sources & conditions in the investigation tool

Device log events

Devices

Drive log events

About the visibility of files in a shared drive

Gmail log events

Gmail messages

Rule log events

User log events

Users

Chrome log events

Chrome browsers

Calendar log events

Chat log events

Groups log events

Meet log events

Voice log events

Need more help?

Sign in for additional support options to quickly solve your issue