To run a search with the investigation tool:
- Sign in to the Google Admin console at admin.google.com. Be sure to sign in using your administrator account, not your personal Gmail account.
- Click Security.
- Click Investigation tool.
- Choose a data source for your search. For example, choose Device log events, Devices, Drive log events, or Gmail log events.
Note: Available data sources will vary depending on your Google Workspace edition.
- Click ADD CONDITION. You can include one or more conditions in your search. For details about the conditions available for each data source, see the sections below. You can also customize your search with nested queries, that is, searches with 2 or 3 levels of conditions (see the next section).
- Click SEARCH.
Customize your search with nested queries
When customizing your search in the investigation tool, you can include one or more conditions. If your search has at least 2 conditions, you can also create nested queries, that is, searches that include 2 or 3 levels of conditions.
Nested queries let you narrow your search with queries that are more granular and targeted at specific types of events. To create one, click Add condition group while customizing your search.
For example, you might want to run a search about inbound emails in your organization to investigate users who are receiving attachments. Additionally, you might want to narrow your search by including only users who are opening those attachments or clicking links within the emails. When customizing your search, you would base the search on the Gmail log events data source, and you would set up the following conditions for your search:
- The email must have an attachment.
- AND the user must either open the attachment OR click a link in the email.
Note: Most data sources enable 3-level nested queries. The Users data source enables only 2-level nested queries, while the Chrome browsers data source doesn't enable nested queries.
Take action based on search results
Once you are finished conducting a search in the investigation tool, you have the option to take action based on the results of your searches. For example, you can conduct a search based on Gmail log events, and then use the investigation tool to delete specific messages, mark messages as spam or phishing, send messages to quarantine, or send messages to users' inboxes. For more details about actions in the investigation tool, see Take action based on search results.
Note: If you narrow your search, your results will appear in the investigation tool sooner. For example, if you narrow the search to events that happened in the last week, the query will return faster than if you search without restricting the query to a shorter period of time.
Add a group-by option when customizing a search
When customizing a search in the investigation tool, you can group results by a particular search attribute to quickly understand the breadth of an issue. For example, in a search based on Device log events, you can group the results by device model.
To add a group-by option to your search:
- During your search, click ADD GROUP BY OPTION.
- From the Group by drop-down menu, choose a condition for your search—for example, choose Device model.
- Click SEARCH.
With this example, the search results show one row per device model, with the number of occurrences for each model, and the model with the highest number of occurrences listed at the top.
You can then add more conditions to the search criteria by hovering over an item in the search results, clicking the More icon, and then clicking Add condition to search.
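The nested-query example above (attachment AND (opened OR clicked)) and the group-by example can both be modelled in a few lines. The following is an added example, not code from the Google Workspace help page or from the investigation tool itself: it evaluates a query made of nested AND/OR condition groups over constructed log records, enforces the nesting limits the page describes (3 levels for most data sources, 2 for Users, none for Chrome browsers), and produces the group-by count. The attribute names (`has_attachment`, `event`, `device_model`), the operator set and the sample records are assumptions made for illustration.

```python
"""Added example, not code from the Google Workspace help page: a small
evaluator that models the investigation tool's nested condition groups
(AND/OR, limited to 2 or 3 levels depending on the data source) and the
group-by count, run over constructed log events. Field names, event names
and the sample records are assumptions made for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Union

# Maximum levels of nested condition groups per data source, as described
# on the page: most sources allow 3, Users allows 2, Chrome browsers allows
# none (a flat list of conditions only, counted here as 1 level).
MAX_LEVELS = {"Users": 2, "Chrome browsers": 1}
DEFAULT_MAX_LEVELS = 3


@dataclass
class Condition:
    """One condition: an attribute, an operator and a value."""
    attribute: str
    operator: str  # "is", "is not" or "contains" (assumed operator set)
    value: Any

    def matches(self, event: dict) -> bool:
        actual = event.get(self.attribute)
        if self.operator == "is":
            return actual == self.value
        if self.operator == "is not":
            return actual != self.value
        if self.operator == "contains":
            return actual is not None and str(self.value).lower() in str(actual).lower()
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class ConditionGroup:
    """A group combines its children with AND or OR; children may be nested groups."""
    combine: str  # "AND" or "OR"
    children: list  # list of Condition or ConditionGroup

    def matches(self, event: dict) -> bool:
        results = (child.matches(event) for child in self.children)
        return all(results) if self.combine == "AND" else any(results)


Query = Union[Condition, ConditionGroup]


def levels(query: Query) -> int:
    """Number of condition-group levels: a flat search is 1, the page's
    attachment example (a group inside a group) is 2."""
    if isinstance(query, Condition):
        return 0
    return 1 + max((levels(child) for child in query.children), default=0)


def run_search(data_source: str, query: Query, events: list) -> list:
    """Validate the nesting limit for the data source, then return matching events."""
    limit = MAX_LEVELS.get(data_source, DEFAULT_MAX_LEVELS)
    if levels(query) > limit:
        raise ValueError(f"{data_source} allows at most {limit} level(s) of conditions")
    return [event for event in events if query.matches(event)]


def group_by(events: list, attribute: str) -> list:
    """Count occurrences of each value of `attribute`, highest count first."""
    return Counter(event.get(attribute) for event in events).most_common()


# Constructed Gmail log events (one row per event, as the tool shows them).
GMAIL_EVENTS = [
    {"message_id": "m1", "owner": "alice@example.com", "has_attachment": True, "event": "Message received"},
    {"message_id": "m1", "owner": "alice@example.com", "has_attachment": True, "event": "Attachment opened"},
    {"message_id": "m2", "owner": "bob@example.com", "has_attachment": True, "event": "Message received"},
    {"message_id": "m3", "owner": "carol@example.com", "has_attachment": False, "event": "Link clicked"},
    {"message_id": "m4", "owner": "dave@example.com", "has_attachment": True, "event": "Link clicked"},
]

# The page's example: the email has an attachment AND (the user opened the
# attachment OR clicked a link in the email).
ATTACHMENT_INTERACTION = ConditionGroup("AND", [
    Condition("has_attachment", "is", True),
    ConditionGroup("OR", [
        Condition("event", "is", "Attachment opened"),
        Condition("event", "is", "Link clicked"),
    ]),
])

# Constructed Device log events for the group-by example.
DEVICE_EVENTS = [
    {"device_model": "Pixel 7"}, {"device_model": "iPhone 14"}, {"device_model": "Pixel 7"},
    {"device_model": "Pixel 7"}, {"device_model": "iPhone 14"}, {"device_model": "Galaxy S23"},
]

if __name__ == "__main__":
    for hit in run_search("Gmail log events", ATTACHMENT_INTERACTION, GMAIL_EVENTS):
        print(hit["message_id"], hit["owner"], hit["event"])
    print(group_by(DEVICE_EVENTS, "device_model"))
```

Running the search against the constructed events returns only the rows where a user actually opened an attachment or clicked a link in a message that carries an attachment (m1 and m4); the "Message received" rows and the attachment-free m3 are filtered out, which is the narrowing the page describes. The same query fails validation for the Chrome browsers data source because it nests a group inside a group.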
Device log events
Condition | Value
---|---
Date | Type a date in the Date field, in the format YYYY-MM-DDThh:mm:ss.
Device ID | Type a value in the Device ID field.
Event | Choose from the following:
Device owner | Type a value in the Device owner field (valid email address).
Device type | Choose from the following:
Device model | Type a value in the Device model field.
Failed password attempts | Type a number in the Numeric value field.
Device compromised state | Choose from the following:
Device property | Choose from the following:
Device setting | Choose from the following:
Application SHA-256 hash | Type a value in the SHA-256 hash field.
Application ID | Type a value in the Application ID field.
Application state | Choose from the following:
Account state | Choose from the following:
Register privilege | Choose from the following:
Device ownership | Choose from the following:
New device ID | Type a value in the Device ID field.
Resource ID | Type a value in the Resource ID field.
Serial number | Type a value in the Serial number field.
iOS vendor ID | Type a value in the iOS vendor ID field.
Domain | Type a value in the Domain field.
Device compliance state | Choose from the following:
OS property | Choose from the following:
Organizational unit | Choose an organizational unit from the list.
Devices
Condition | Value
---|---
Device ID | Type a value in the Device ID field.
Device owner | Type a value in the Device owner field (valid email address).
Device type | Choose from the following:
Device model | Type a value in the Device model field.
Status | Choose from the following:
Last sync date | Type a date in the Date field, in the format YYYY-MM-DDThh:mm:ss.
Device compromised state | Choose from the following:
Password status | Choose from the following:
Management type | Choose from the following:
Security patch update | Type a date in the Date field.
Registered date | Type a date in the Date field.
Carrier | Type a value in the Carrier field.
Drive log events
Condition | Value
---|---
Date | Type a date in the Date field.
Document ID | Type a value in the Document ID field.
Title | Type a value in the Title field.
Document type | Choose from the following:
Prior visibility | Choose from the following:
Visibility | Choose from the following:
Event | Choose from the following:
Actor | Type a value in the Actor field (user email address). Note: The actor is the user who triggered an event by modifying a file.
Owner | Type a username in the Owner field.
Target | Type a value in the Target field. Note: The target is the user or group that was added to or removed from a file.
Visibility change | Choose from the following:
IP address | Type a value in the IP address field.
Domain | Type a value in the Domain field.
Organizational unit | Choose an organizational unit from the list.
About the visibility of files in a shared drive
In My Drive, a file that is visible only to its owner has a visibility of Private. In a shared drive, however, a file has a visibility of Shared internally even if it is not explicitly shared with other users, because shared drive files cannot have a visibility of Private.
Gmail log events
Condition | Value
---|---
Date | Type a date in the Date field.
Message ID | Type a value in the Message ID field.
Subject | Type a value in the Subject field.
Event | Choose from the following:
From (Header address) | Type an address in the From (Header address) field.
From (Envelope) | Type an address in the From (Envelope) field.
To (Envelope) | Type an address in the To (Envelope) field.
Owner | Type a username in the Owner field.
Domain | Type a name in the Domain field.
Has attachment | Choose from the following:
Attachment hash | Type a value in the SHA-256 hash field.
Attachment name | Type a name in the Attachment name field.
Attachment malware family | Choose from the following:
IP address | Type a value in the IP address field.
From (Header name) | Type a name in the From (Header name) field.
Sender domain | Type a name in the Sender domain field.
Link domain | Type a name in the Link domain field.
Attachment extension | Type an extension in the Attachment extension field.
SPF domain | Type a name in the SPF domain field.
DKIM domain | Type a name in the DKIM domain field.
Traffic source | Choose from the following:
Spam classification | Choose from the following:
Spam classification reason | Choose from the following:
Geo location | Type a value in the Geo location field.
OAuth project ID | Type a value in the OAuth project ID field.
Target link URL | Type a value in the Target link URL field.
Target attachment hash | Type a value in the Target attachment hash field.
Target attachment name | Type a value in the Target attachment name field.
Target attachment malware family | Choose from the following:
Target drive ID | Type a value in the Target drive ID field.
Gmail messages
Condition | Value
---|---
Subject | Type a subject in the Subject field.
Message ID | Type a value in the Message ID field.
Date | Type a date in the Date field.
Sender | Type a sender in the Sender field.
Recipient | Type a recipient in the Recipient field.
Label | Choose from the following:
Attachment name | Type an attachment name in the Attachment name field.
Has attachment | Choose from the following:
Cc | Type a valid email address in the Cc field.
Bcc | Type a valid email address in the Bcc field.
All content | Type a value in the All content field.
Message size | Type a value in the Message size field.
Rule log events
Condition | Value
---|---
Actor | Enter a value in the Actor field (user email address).
Data source | Choose from the following:
Date | Type a date in the Date field.
Detector ID | Enter a value in the Detector ID field.
Detector name | Enter a value in the Detector name field.
Event | Choose from the following:
Recipient | Enter a value in the Recipient field.
Resource ID | Enter a value in the Resource ID field.
Resource owner | Enter a value in the Resource owner field.
Resource title | Enter a value in the Resource title field.
Resource type | Choose from the following:
Rule ID | Enter a value in the Rule ID field.
Rule name | Enter a value in the Rule name field.
Rule type | Choose from the following:
Scan type | Choose from the following:
Severity | Choose from the following:
Suppressed action | Choose from the following:
Trigger | Enter a value in the Trigger field.
Triggered action | Choose from the following:
Triggering client IP | Enter a value in the Triggering client IP field.
Triggering user email | Enter a value in the Triggering user email field.
Organizational unit | Choose an organizational unit from the list.
User log events
Condition | Value
---|---
Affected user | Type a user in the Affected user field.
Challenge types | Choose from the following:
Date | Type a date in the Date field.
Domain | Type a domain name in the Domain field.
Event | Choose from the following:
IP address | Type an IP address in the IP address field.
Is second factor | Choose from the following:
Is suspicious | Choose from the following:
Login time | Choose from the following:
Login type | Choose from the following:
User | Type a value in the User field.
Organizational unit | Choose an organizational unit from the list.
Users
Condition | Value
---|---
Email | Type a valid email address in the Email field. Note: This address can match the primary email address or any other email address of a user.
First name | Type a value in the First name field.
Last name | Type a value in the Last name field.
Last login | Type a date in the Date field.
Super administrator | Choose from the following:
Delegated administrator | Choose from the following:
Enrolled in 2SV | Choose from the following:
2SV enforced for org | Choose from the following:
Suspended ID | Choose from the following:
Change password at login | Choose from the following:
Mailbox setup | Choose from the following:
Organizational unit | Choose an organizational unit from the list.
Chrome log events
Condition | Value
---|---
Browser version | Enter a value for Browser version. This is the browser version used, as displayed, for example, when a user enters chrome://version in the Chrome address bar.
Content hash | Enter a value for Content hash. This is the SHA-256 hash of the content.
Content name | Enter a value for Content name. This is the name of the content, for example a file name.
Content size | Enter a value for Content size. This is the size of the content transferred, in bytes.
Content type | Enter a value for Content type. This is the MIME (Multipurpose Internet Mail Extensions) type of the content that was transferred, for example text/html.
Date | Enter a value for date and time. This is the date and time the event happened. The date is stored in UTC but displayed in local time.
Device ID | Enter a value for Device ID. The device ID is the unique identifier for a device.
Device name | Enter a value for Device name. The device name is the machine name or hostname of a device.
Device platform | Enter a value for Device platform. The device platform is the OS platform name and version, for example Windows 10 or Mac OS X 10.14.6.
Device user | Enter a value for Device user. This is the username of the user signed in to the device.
Domain | Enter a value for Domain. This is the domain name part of the URL, for example solarmora.com.
Event | Choose from the following events:
Event reason | Enter a value for Event reason. Examples of event reasons include the following:
Event result | Choose from the following: This is the result of the event, based on the policies and rules that are set.
Profile user | Enter a value for Profile user. This is the Chrome browser profile of the current user.
Trigger type | Choose from the following: This is the user action that triggered the event.
Trigger user | Enter a value for Trigger user. This is the username related to the event, for example the username for a password reuse event, or the username for which a password was reset.
URL | Enter a value for URL. This is the URL of the content.
User agent | Enter a value for User agent. This is the user agent string of the browser used to access the content, for example:
Organizational unit | Choose an organizational unit from the list.
Chrome browsers
Condition | Value
---|---
Browser ID | Enter a value for Browser ID.
Chrome version | Enter a value for Chrome version.
Device ID | Enter a value for Device ID.
Device name | Enter a value for Device name.
Device OS version | Choose from the following:
Device type | Enter a value for Device type.
Machine user | Enter a value for Machine user.
Registration time | Enter a value in the Date field.
Calendar log events
Condition | Value
---|---
Access level | Choose from the following:
Actor | Enter a value for Actor (user email address).
API kind | Choose from the following:
Calendar ID | Enter a value for Calendar ID.
Date | Enter a value in the Date field.
Event | Choose from the following:
Event end time | Enter a value for Event end time.
Event ID | Enter a value for Event ID.
Event start time | Enter a value for Event start time.
Event title | Enter a value for Event title.
Guest response status | Choose from the following:
Interop error code | Enter a value for Interop error code.
IP address | Enter a value for IP address.
New value | Enter a value for New value.
Notification message ID | Enter a value for Notification message ID.
Notification method | Choose from the following:
Notification type | Choose from the following:
Old event title | Enter a value for Old event title.
Organizational unit | Select an organizational unit from the list.
Organizer calendar ID | Enter a value for Organizer calendar ID.
Remote Exchange server URL | Enter a value for Remote Exchange server URL.
Request period end time | Enter a value for Request period end time.
Request period start time | Enter a value for Request period start time.
Subscriber calendar ID | Enter a value for Subscriber calendar ID.
Target user | Enter a value for Target user.
User agent | Enter a value for User agent.
Chat log events
Condition | Value
---|---
Actor | Enter a value for Actor (user email address).
Attachment hash | Enter a value for Attachment hash.
Attachment name | Enter a value for Attachment name.
Attachment URL | Enter a value for Attachment URL.
Date | Enter a value in the Date field.
Event | Choose from the following:
External room | Choose from the following:
Message ID | Enter a value for Message ID.
Organizational unit | Select an organizational unit from the list.
Recipient | Enter a value for Recipient.
Room history setting | Choose from the following:
Room ID | Enter a value for Room ID.
Room name | Enter a value for Room name.
Groups log events
Condition | Value
---|---
Actor | Enter a value for Actor.
Date | Enter a value in the Date field.
Event | Choose from the following:
Group email | Enter a value for Group email.
Group permission setting | Choose from the following:
Info setting value | Enter a value for Info setting value.
Message ID | Enter a value for Message ID.
Message moderation | Choose from the following:
New value | Enter a value for New value.
Old value | Enter a value for Old value.
Organizational unit | Select an organizational unit from the list.
Role | Choose from the following:
Setting | Choose from the following:
Status | Choose from the following:
Target | Enter a value for Target.
Meet log events
Condition | Value
---|---
Actor | Enter a value for Actor.
Actor name | Enter a value for Actor name.
Actor type | Choose from the following:
Calendar event ID | Enter a value for Calendar event ID.
Call rating | Enter a value for Call rating.
City | Enter a value for City.
Client type | Choose from the following:
Conference ID | Enter a value for Conference ID.
Country | Enter a value for Country (a 2-character ISO code).
Date | Enter a value in the Date field.
Duration | Enter a value for Duration.
Endpoint ID | Enter a value for Endpoint ID.
Event | Choose from the following:
IP address | Enter a value for IP address.
Livestream view page ID | Enter a value for Livestream view page ID.
Meeting ID | Enter a value for Meeting ID.
Organizational unit | Select an organizational unit from the list.
Organizer email | Enter a value for Organizer email.
Participant outside organization | Choose from the following:
Product type | Choose from the following:
Voice log events
Condition | Value
---|---
Actor | Enter a value for Actor (user email address).
Call destination | Enter a value for Call destination.
Call source | Enter a value for Call source.
Cost | Enter a value for Cost.
Date | Enter a value in the Date field.
Desk phone ID | Enter a value for Desk phone ID.
Desk phone model | Enter a value for Desk phone model.
Duration | Enter a value for Duration.
Event | Choose from the following:
Google Meet ID | Enter a value for Google Meet ID.
Is group conversation | Choose from the following:
New address | Enter a value for New address.
Organizational unit | Choose an organizational unit from the list.
Phone number | Enter a value for Phone number.
Service ID | Enter a value for Service ID.
Service name | Enter a value for Service name.
Target | Enter a value for Target.
Voicemail recipient | Enter a value for Voicemail recipient.