Customize searches within the investigation tool

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, Drive Enterprise, and Cloud Identity Premium editions.

Using the security investigation tool, you can customize your searches by entering multiple search conditions. The available conditions vary depending on the data source for your search (for example, Device log events or Drive log events).

To run a search with the investigation tool:

  1. Sign in to the Google Admin console at admin.google.com.
    Be sure to sign in using your administrator account, and not your personal Gmail account.
  2. Click Security.
  3. Click Investigation tool.
  4. Choose a data source for your search: Device log events, Devices, Drive log events, Gmail log events, Gmail messages, User log events, or Users.

    Note: Available data sources will vary depending on your G Suite edition.

  5. Click ADD CONDITION.
    You can include one or more conditions in your search. For details about conditions that are available for each data source, see the sections below. 
  6. Click SEARCH.

Take actions based on search results

Once a search has run, you can take several actions on its results. For example, you can search Gmail log events and then use the investigation tool to delete the matching messages, mark them as spam or phishing, send them to quarantine, or deliver them to users' inboxes. For details, see Take action based on search results.

Note: A narrower search returns results sooner. For example, restricting the search to events from the last week returns faster than running the same conditions with no date restriction.

Conditions for device log events

Condition | Operators | Value
Date
  • Before
  • After

Type a date in the Date field.
Use the following format:

YYYY-MM-DDThh:mm:ss

Device ID
  • Is
  • Is not
Type a value in the Device ID field.
Event
  • Is
  • Is not

Choose from the following:

  • Account registration change
  • Device compliance status
  • Device OS update
  • Work profile support
  • Device settings change
  • Device compromise
  • Failed password attempts
  • Suspicious activity
  • Device application change
  • ADB events
  • Screen lock events
  • Device ownership change
  • Network event
  • Device action event
Device owner
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Device owner field (valid email address).
Device type
  • Is
  • Is not

Choose from the following:

  • Android
  • iOS
  • Mac
  • Windows
  • Chrome OS
Device model
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Device model field.
Failed password attempts
  • Equals
  • Less than or equal to
  • Greater than or equal to

Type a number in the Numeric value field.

Device compromised state
  • Is
  • Is not

Choose from the following:

  • Compromised
  • Not compromised
Device property
  • Is
  • Is not

Choose from the following:

  • Device Model
  • Serial Number
  • IMEI Number
  • MEID Number
  • WiFi MAC Address
  • Device Policy App Privilege
  • Manufacturer
  • Device Brand
  • Device Hardware
  • Bootloader Version
Device setting
  • Is
  • Is not

Choose from the following:

  • Developer Options
  • Unknown Sources
  • USB Debugging
  • Verify Apps
Application SHA-256 hash
  • Is
  • Is not

Type a value in the SHA-256 hash field.

Application ID
  • Is
  • Is not
Type a value in the Application ID field.
Application state
  • Is
  • Is not

Choose from the following:

  • Installed
  • Uninstalled
  • Updated
Account state
  • Is
  • Is not

Choose from the following:

  • Registered
  • Unregistered
Register privilege
  • Is
  • Is not

Choose from the following:

  • Device Administrator
  • Device Owner
  • Profile Owner
Device ownership
  • Is
  • Is not

Choose from the following:

  • Company Owned
  • User Owned
New device ID
  • Is
  • Is not
Type a value in the Device ID field.
Resource ID
  • Is
  • Is not

Type a value in the Resource ID field.

Serial number
  • Is
  • Is not
Type a value in the Serial number field.
iOS vendor ID
  • Is
  • Is not

Type a value in the iOS vendor ID field.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Domain field.
Device compliance state
  • Is
  • Is not

Choose from the following:

  • Compliant
  • Non-compliant
OS property
  • Is
  • Is not

Choose from the following:

  • OS version
  • Build number
  • Kernel version
  • Baseband version
  • Security patch
  • Device bootloader

Conditions for devices

Condition | Operators | Value
Device ID
  • Is
  • Is not

Type a value in the Device ID field.

Device owner
  • Is
  • Is not

Type a value in the Device owner field (valid email address).

Device type
  • Is
  • Is not

Choose from the following:

  • Android
  • iOS
  • Mac
  • Windows
  • Chrome OS
Device model
  • Is
  • Is not
Type a value in the Device model field.
Status
  • Is
  • Is not

Choose from the following:

  • Pending
  • Running
  • Blocked
  • Wiping
  • Wiped
  • Unprovisioned
  • Account Wiping
  • Account Wiped
  • Registered
  • Unregistered
  • Deactivated
  • Approved
Last sync date
  • Before
  • After
Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss
Device compromised state
  • Is
  • Is not

Choose from the following:

  • Compromised
  • Not compromised
Password status
  • Is
  • Is not

Choose from the following:

  • On
  • Off
Management type
  • Is
  • Is not

Choose from the following:

  • None
  • Basic
  • Advanced
Security patch update
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Registered date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Carrier
  • Is
  • Is not
Type a value in the Carrier field.

Conditions for Drive log events

Condition | Operators | Value
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Document ID
  • Is
  • Is not

Type a value in the Document ID field.

Title
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the Title field.

Document type
  • Is
  • Is not

Choose from the following:

  • Google Document
  • Google Spreadsheet
  • Google Presentation
  • Folder
  • Google Form
  • Google Drawing
  • Team Drive
  • Text file
  • JPEG
  • PDF
  • PNG
  • MP4
  • Microsoft Word
  • Microsoft Excel
  • HTML
  • MPEG
  • Quicktime
  • Microsoft Powerpoint
  • Google Sites
Prior visibility
  • Is
  • Is not

Choose from the following:

  • Private
  • Shared internally
  • People within domain with link
  • Public in the domain
  • Shared externally
  • People with link
  • Public on the web
Visibility
  • Is
  • Is not

Choose from the following:

  • Private
  • Shared internally
  • People within domain with link
  • Public in the domain
  • Shared externally
  • People with link
  • Public on the web
Event
  • Is
  • Is not

Choose from the following:

  • Create
  • Upload
  • Edit
  • View
  • Rename
  • Move
  • Add to folder
  • Remove from folder
  • Trash
  • Delete
  • Remove from trash
  • Download
  • Preview
  • Print
  • Change owner
  • Change ACL editors
  • Change access scope
  • Change document visibility
  • Change user access
  • Change Team Drive membership
Actor
  • Is
  • Is not
  • Contains
  • Does not contain

Type a username in the Actor field.

Note: The actor is the user who triggered the event by acting on a file.

Owner
  • Is
  • Is not
  • Contains
  • Does not contain

Type a username in the Owner field.

Target
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the Target field.

Note: The target is the user or group that was added or removed from a file.

Visibility change
  • Is
  • Is not

Choose from the following:

  • Internal
  • External
  • None
IP address
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the IP address field.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Domain field.

About the visibility of files in a Team Drive

In My Drive, a file that is visible only to its owner has a visibility of Private. In a Team Drive, however, a file has a visibility of Shared internally even if it has not been explicitly shared with other users; Team Drive files cannot have a visibility of Private.

Conditions for Gmail log events

Condition | Operators | Value
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Message ID
  • Is
  • Is not

Type a value in the Message ID field.

Subject
  • Is
  • Is not
  • Contains
  • Does not contain

Type a value in the Subject field.

Event
  • Is
  • Is not

Choose from the following:

  • Admin quarantine
  • Attachment download
  • Attachment link click
  • Attachment save to Drive
  • Autoforwarded
  • Drive item save to Drive
  • Late spam classification
  • Link click
  • Mark unread
  • Move out of trash
  • Move to inbox
  • Move to trash
  • Open
  • Receive
  • Release from quarantine
  • Reply
  • Send
  • User spam classification
From (Header address)
  • Is
  • Is not
  • Contains
  • Does not contain

Type an address in the From (Header address) field. This is the address in the message's From: header, the one the recipient sees. A spoofed message can set it to any value, so compare it against From (Envelope), SPF domain, and DKIM domain when investigating impersonation.

From (Envelope)
  • Is
  • Is not
  • Contains
  • Does not contain

Type an address in the From (Envelope) field. This is the SMTP envelope sender (MAIL FROM, the return path), which is the address SPF is evaluated against; it often differs from the header address for bulk, forwarded, or spoofed mail.

To (Envelope)
  • Is
  • Is not
  • Contains
  • Does not contain
Type an address in the To (Envelope) field.
Owner
  • Is
  • Is not
  • Contains
  • Does not contain

Type a username in the Owner field.

Domain
  • Is
  • Is not
  • Contains
  • Does not contain

Type a name in the Domain field.

Has attachment
  • Is
  • Is not

Choose from the following:

  • True
  • False
Attachment hash
  • Is
  • Is not

Type a value in the SHA-256 hash field.

Attachment name
  • Is
  • Is not
  • Contains
  • Does not contain

Type a name in the Attachment name field.

Attachment malware family
  • Is
  • Is not

Choose from the following:

  • Known malicious program
  • Virus/worm
  • Content may be harmful
  • Potentially unwanted
  • Other
IP Address
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the IP address field.
From (Header name)
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the From (Header name) field.
Sender domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the Sender domain field.
Link domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the Link domain field.
Attachment extension
  • Is
  • Is not
  • Contains
  • Does not contain
Type an extension in the Attachment extension field.
SPF domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the SPF domain field.
DKIM domain
  • Is
  • Is not
  • Contains
  • Does not contain
Type a name in the DKIM domain field.
Traffic source
  • Is
  • Is not

Choose from the following:

  • External
  • Internal
Spam classification
  • Is
  • Is not

Choose from the following:

  • Clean
  • Spam
  • Phishing
  • Suspicious
  • Malware
Spam classification reason
  • Is
  • Is not

Choose from the following:

  • Default
  • Past User Action
  • Suspicious Content
  • Suspicious Link
  • Suspicious Attachment
  • Type
  • DMARC
  • Domain in Public RBLs
  • RFC Violation
  • GMAIL Policy Violation
  • Machine Learning Verdict
  • Sender Reputation
  • Blatant Spam
  • GMAIL Safety Setting
Geo location
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value in the Geo location field.
OAuth project ID
  • Equals
  • Less than or equal to
  • Greater than or equal to
Type a value for the OAuth project ID.
Target link URL
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value for the Target link URL.
Target attachment hash
  • Is
  • Is not
Type a value for the Target attachment hash.
Target attachment name
  • Is
  • Is not
Type a value for the Target attachment name.
Target attachment malware family
  • Is
  • Is not

Choose from the following:

  • Content may be harmful
  • Known malicious program
  • Other
  • Potentially unwanted
  • Virus/worm
Target drive ID
  • Is
  • Is not
  • Contains
  • Does not contain
Type a value for the Target drive ID.
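The search procedure at the top of this page combines every condition you add with AND, and the Gmail log events and Drive log events conditions above supply the field names. The following Python, an added example rather than code from Google or from this help page, mirrors those semantics with a small evaluator run over constructed sample events: it expresses two searches a practitioner would actually run (inbound mail whose From header claims the organisation's domain while its SPF domain is external, and Drive files whose visibility just changed to external). The event records, the example.com organisation, and the rule that a field an event did not log never satisfies a condition are assumptions for illustration.

```python
"""AND-combined search conditions, as the investigation tool applies them.
Constructed example, not Google's code. Field and operator names are the ones
the help page lists; the sample events and the missing-field rule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable, Dict, Iterable, List

DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"  # the tool's YYYY-MM-DDThh:mm:ss


def parse_date(value: str) -> datetime:
    """Parse a timestamp in the tool's format; anything else raises ValueError."""
    return datetime.strptime(value, DATE_FORMAT)


# Operators as named in the tool; each receives (logged value, search value).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Is": lambda a, e: a == e,
    "Is not": lambda a, e: a != e,
    "Contains": lambda a, e: e in str(a),
    "Does not contain": lambda a, e: e not in str(a),
    "Before": lambda a, e: parse_date(a) < parse_date(e),
    "After": lambda a, e: parse_date(a) > parse_date(e),
    "Equals": lambda a, e: a == e,
    "Less than or equal to": lambda a, e: a <= e,
    "Greater than or equal to": lambda a, e: a >= e,
}


@dataclass(frozen=True)
class Condition:
    field: str      # condition name, e.g. "SPF domain"
    operator: str   # a key of OPERATORS
    value: Any      # the value typed or chosen in the tool


def matches(event: Dict[str, Any], conditions: Iterable[Condition]) -> bool:
    """True only when every condition holds (conditions are AND-ed).
    A field the event did not log never satisfies a condition (assumption)."""
    for c in conditions:
        if c.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {c.operator!r}")
        if c.field not in event or not OPERATORS[c.operator](event[c.field], c.value):
            return False
    return True


def search(events: Iterable[Dict[str, Any]], conditions: Iterable[Condition]) -> List[Dict[str, Any]]:
    conditions = list(conditions)
    return [e for e in events if matches(e, conditions)]


# Constructed Gmail log events (not real log data).
GMAIL_EVENTS = [
    {"Message ID": "m1", "Date": "2019-05-03T08:12:44", "Event": "Receive", "Traffic source": "External",
     "From (Header address)": "ceo@example.com", "From (Envelope)": "bounce@mail-example.co",
     "SPF domain": "mail-example.co", "Spam classification": "Clean"},
    {"Message ID": "m2", "Date": "2019-05-03T09:30:01", "Event": "Receive", "Traffic source": "Internal",
     "From (Header address)": "alice@example.com", "From (Envelope)": "alice@example.com",
     "SPF domain": "example.com", "Spam classification": "Clean"},
    {"Message ID": "m3", "Date": "2019-04-20T17:05:10", "Event": "Receive", "Traffic source": "External",
     "From (Header address)": "it-help@example.com", "From (Envelope)": "x@lookalike.net",
     "SPF domain": "lookalike.net", "Spam classification": "Phishing"},
    {"Message ID": "m4", "Date": "2019-05-04T11:00:00", "Event": "Receive", "Traffic source": "External",
     "From (Header address)": "news@vendor.net", "From (Envelope)": "news@vendor.net",
     "SPF domain": "vendor.net", "Spam classification": "Clean"},
]

# Recent inbound mail whose From header claims our domain, whose SPF domain is
# not ours, and which the filters still delivered as Clean: spoofing candidates.
SPOOF_SEARCH = [
    Condition("Date", "After", "2019-05-01T00:00:00"),
    Condition("Event", "Is", "Receive"),
    Condition("Traffic source", "Is", "External"),
    Condition("From (Header address)", "Contains", "@example.com"),
    Condition("SPF domain", "Is not", "example.com"),
    Condition("Spam classification", "Is", "Clean"),
]

# Constructed Drive log events (not real log data); d3 logs no visibility change.
DRIVE_EVENTS = [
    {"Document ID": "d1", "Event": "Change document visibility", "Actor": "bob@example.com",
     "Prior visibility": "Private", "Visibility": "Public on the web", "Visibility change": "External"},
    {"Document ID": "d2", "Event": "Change document visibility", "Actor": "bob@example.com",
     "Prior visibility": "Private", "Visibility": "Shared internally", "Visibility change": "Internal"},
    {"Document ID": "d3", "Event": "Download", "Actor": "carol@example.com", "Visibility": "Private"},
]

# Files that just became reachable from outside the domain.
EXPOSURE_SEARCH = [
    Condition("Event", "Is", "Change document visibility"),
    Condition("Visibility change", "Is", "External"),
]


def spoof_candidates() -> List[str]:
    return [e["Message ID"] for e in search(GMAIL_EVENTS, SPOOF_SEARCH)]


def newly_exposed_documents() -> List[str]:
    return [e["Document ID"] for e in search(DRIVE_EVENTS, EXPOSURE_SEARCH)]


if __name__ == "__main__":
    print("spoof candidates:", spoof_candidates())      # ['m1']
    print("newly exposed:", newly_exposed_documents())   # ['d1']
```

The evaluator is field-agnostic, so the same `Condition` objects express searches against the other data sources on this page, for instance Users with Super administrator Is True and Enrolled in 2SV Is False. Note that the date operators parse both sides strictly in the tool's format, so a malformed timestamp fails loudly rather than silently matching nothing.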

Conditions for Gmail messages

Condition | Operators | Value
Subject
  • Is
  • Is not

Type a subject in the Subject field.

Message ID
  • Is
  • Is not

Type a value in the Message ID field.

Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Sender
  • Is
  • Is not

Type a sender in the Sender field.

Recipient
  • Is
  • Is not

Type a recipient in the Recipient field.

Label
  • Is
  • Is not

Choose from the following:

  • Inbox
  • Trash
  • Spam
  • Unread
  • Starred
  • Phishing
  • Admin quarantine
Attachment name
  • Is
  • Is not

Type an attachment name in the Attachment name field.

Has attachment
  • Is
  • Is not

Choose from the following:

  • True
  • False
Cc
  • Is
  • Is not
Type a valid email address in the Cc field.
Bcc
  • Is
  • Is not
Type a valid email address in the Bcc field.
 
All content
  • Contains word
  • Does not contain word
Type a value in the All content field.
Message size
  • Greater than or equal to
  • Less than or equal to
Type a value in the Message size field.

Conditions for user log events

Available for Beta customers of G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

Condition | Operators | Value
Date
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

User
  • Is
  • Is not

Type a value in the User field.

Event
  • Is
  • Is not

Choose from the following:

  • Successful login
  • Failed login
  • Login challenge
  • Logout
  • Password change
  • Password reset
  • 2SV enrollment
  • 2SV unenrollment
  • Modify recovery information
  • Generate backup code
Login type
  • Is
  • Is not

Choose from the following:

  • Google password
  • SAML
  • Exchange
  • Re-authorization
  • Unknown
Challenge type
  • Is
  • Is not

Choose from the following:

  • Google Prompt
  • Password
  • Offline OTP (user enters an OTP code obtained from settings on their Android phone)
  • Knowledge employee ID (user proves knowledge of their employee ID)
  • Knowledge pre-registered email (user proves knowledge of a pre-registered email address)
  • Knowledge pre-registered phone (user proves knowledge of a pre-registered phone number)
  • Login location (user signs in from their usual login location)
  • IDV any phone (user is asked for a phone number and then enters a code sent to that phone)
  • Backup code (user is asked to enter a backup verification code)
  • Security key (user passes the security key's cryptographic challenge)
  • Google authenticator (user is asked to enter an OTP from the authenticator app)
  • Other
  • None
Is suspicious
  • Is
  • Is not

Choose from the following:

  • True
  • False
IP address
  • Is
  • Is not

Type an IP address in the IP address field.

Device ID
  • Is
  • Is not

Type a device ID in the Device ID field.

Second factor
  • Is
  • Is not

Choose from the following:

  • True
  • False

Conditions for users

Condition | Operators | Value
Email
  • Is
  • Is not

Type a valid email address in the Email field.

Note: This address can match the primary email address or other email addresses of a user.

First name
  • Is
  • Is not

Type a value in the First name field.

Last name
  • Is
  • Is not

Type a value in the Last name field.

Last login
  • Before
  • After

Type a date in the Date field. 
Use the following format:
YYYY-MM-DDThh:mm:ss

Super administrator
  • Is
  • Is not

Choose from the following:

  • True
  • False
Delegated administrator
  • Is
  • Is not

Choose from the following:

  • True
  • False
Enrolled in 2SV
  • Is
  • Is not

Choose from the following:

  • True
  • False
2SV enforced for org
  • Is
  • Is not

Choose from the following:

  • True
  • False
Suspended ID
  • Is
  • Is not

Choose from the following:

  • True
  • False
Change password at login
  • Is
  • Is not

Choose from the following:

  • True
  • False
Mailbox setup
  • Is
  • Is not

Choose from the following:

  • True
  • False
