Take action based on search results

Security investigation tool
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

After you conduct a search in the security investigation tool, you have the option to take several actions based on your search. For example, you can conduct a search based on Gmail log events, and then use the tool to delete specific messages, mark messages as spam or phishing, send messages to quarantine, or send messages to users' inboxes.

For details and instructions about the many actions you can take in the investigation tool, see the sections below.

Note:

  • Available data sources will vary depending on your Google Workspace edition.
  • Before taking action on search results, administrators in your organization might have the option to enter justification text to record the reasons for their action(s). If you're a Super Admin, you can enable this option by adjusting the settings for the investigation tool. For instructions, see Configure settings for your investigations.
  • If you narrow the date range for your search, your results will appear in the investigation tool sooner. For example, if you narrow the search to events that happened in the last week, the query will return faster than if you search without restricting the query to a shorter period of time.
  • If a timeout occurs when performing a bulk action, reduce the date range for the search, and then try again.

Types of actions in the investigation tool 

Actions for devices

When you conduct a search based on Devices or Device log events, you can select devices in the search results, and then take the following actions:

  • Approve device -- Approves the device. If you've selected Enable device activation, devices that register after the device activation setting is enabled will need to be approved before they can start syncing with your domain. Enabling device activation forces the device user to install the Device Policy app to sync with Google Workspace.
  • Block device -- Blocks access to Google Workspace data (Gmail, Calendar, and contacts) on the device. The user can still access their Gmail, Calendar, and contacts from a desktop computer or mobile browser.
  • Admin account wipe device -- Remotely wipes only Google Workspace data from the device. For more details, see Remove corporate data from a mobile device.
  • Remote wipe device -- Remotely wipes all data on the device. For more details, see Remove corporate data from a mobile device.
  • Cancel remote wipe device -- Cancels a remote wipe of the device.
Actions for Drive log events

When you conduct a search based on Drive log events, you can select files in the search results, audit the permissions for those files, and more.

Do the following:

  1. After you run a search in the security investigation tool based on Drive log events, check the boxes for the relevant files in the search results.
  2. Click Actions > Audit File Permissions to open the Permissions page.
    The Files tab, which is displayed by default, shows files that were included in your search results. From here you can manage the access to those files. Shared drive files are currently unavailable in this view.
  3. Click People to view users and groups with access to the files.
    People in this list have access to one or more of the items from your search results. Use this view to manage the access of people (users and groups).
  4. Click Links to view or modify the link-sharing settings on the selected files.
  5. Click Add Users if you want to provide file access for more users. You can add multiple users with a comma-separated list, and you can select the access level for the users that you add.

    Note: For actions in the Shared drive tab, you can only edit access for files within the shared drive. Files outside of a shared drive will not show up in this tab.
     
  6. Click Pending Changes to review your changes before saving.

Actions for shared drives

If you have the Security Investigation Tool and then Drive Update or Delete privilege, you can also modify shared drives and the files within shared drives:

  • You can change, remove, or add to the level of access for a member of a shared drive.
  • You can change, remove, or add access that users have been granted directly to a file or files in a shared drive.

Note: While Google Drive allows the sharing of folders and changing the ownership of folders, the investigation tool does not allow these actions for administrators.

Actions for Gmail messages and Gmail log events

When you conduct a search based on Gmail messages or Gmail log events, you can select messages in the search results and then take the following actions (the available actions only apply to messages within Gmail, and do not include messages in Google Groups):

  • View header
  • View messages
  • Delete messages
  • Restore messages
  • Mark message as spam
  • Mark message as phishing
  • Send message to inbox (also removes a spam or phishing classification)
  • Send message to quarantine (messages are sent to the default quarantine)

    Important: Messages sent to quarantine are automatically deleted when your Vault retention policy triggers; so if these messages are older than your Vault retention policy, they're deleted instead of being sent to quarantine. Default retention is set to 30 days after the email was originally sent or received. You can also use Vault to set custom retention rules.

For example, to send a message to a users' inbox:

  1. After running your search in the investigation tool, check the boxes for the relevant messages in the search results.
  2. Click Actions.
  3. Choose Send message to inbox.
  4. To confirm, click Send To Inbox.
  5. To view the result of the action, click View at the bottom of the page.
    In the Result column, you can view the status of the action--for example, The message was successfully sent to inbox.

Note: You can also view Gmail message contents. For details, see View Gmail message content.

Actions for users

When you conduct a search based on users, you can select users in the search results, and then take the following actions:

  • Restore user
  • Suspend user

For example, to suspend specific users in the search results, do the following:

  1. After running your search in the investigation tool, check the boxes for the relevant users in the search results.
  2. Click Actions.
  3. Choose Suspend user.
  4. To confirm, click Suspend users.

You can use similar steps to restore users.

Actions for user log events

When you conduct a search based on User log events, you can select users in the search results, and then take the following actions:

  • Force password change
  • Restore user
  • Suspend user

For example, to suspend specific users in the search results, do the following:

  1. After running your search in the investigation tool, check the boxes for the relevant users in the search results.
  2. Click Actions.
  3. Choose Suspend user.
  4. To confirm, click Suspend Users.

You can use similar steps to restore users.

Actions for Meet log events

When you conduct a search based on Meet log events, you can use the End meeting for all action to remove all users from selected meetings within your organization. For example, you might want to prevent users from having unsupervised meetings when the meeting host isn’t present, or after an event has completed.

For more details, see Use the investigation tool to end meetings.

Bulk actions with search results

In addition to selecting individual items in the search results and taking actions on them, you can take bulk actions on an entire page, or you can take bulk actions on all results on all pages.

Note: If a timeout occurs when performing a bulk action, reduce the date range for the search, and then try the bulk action again.

To take bulk actions on search results on the current page that you're viewing:

  1. Click the check box at the top of the far-left column.
    This checks all boxes on the current page.
  2. Click Actions in the header bar.

To take bulk actions on all search results on all pages:

  1. Click the check box at the top of the far-left column.
  2. Click Select All Results.
    This checks all boxes on all pages of the search results.
  3. Click Actions in the header bar.

    Note: If you click the next page in the search results during this process, this un-checks all boxes on all pages of the search results, and you'll need to start over.

Check the status of your bulk actions

You can check the status of your large tasks in the Google Admin console to see if they are still in-progress or completed.

For example, if one of your bulk actions in the investigation tool takes a long time to complete, you can leave the Admin console and later return to check the status of your action. 

At the top of the Admin console, click Tasks  to view the status of your large tasks.

 

For additional details, see also Check the status of large tasks.

Column-based pivoting in search results

You can use column-based pivoting in the investigation tool search results to view data about an item related to a different data source. For example, you can run a search based on Gmail log events, and then click any recipient in the Recipient column to create a drive event query by owner. This enables you to analyze data about a specific user from two different data sources -- both Gmail log events and Drive log events.

To pivot from the search results from a Gmail log event to a Drive log event, do the following:

  1. After you run a search in the security investigation tool, hover over the relevant user in the Recipient column.
  2. Click the menu icon (three vertical dots) for that user.
  3. Choose Drive log events and then Owner.
    The search criteria is automatically entered for a Drive log events search.
  4. Include additional conditions in your search -- for example, Title or Visibility.
  5. Click Search.

You can take other pivoting actions for many items in the search results. For example, you can pivot on an entire column, or you can pivot on the subject of a message, the message ID,  the sender, and more.

Cancel actions

You can cancel actions in the investigation tool before they are completed. For example, if you initiated an action to suspend several users, you can click Cancel at the bottom of the Investigation page.

If you cancel a bulk action, you will get partial results if the action is already  in-progress.

Note: For export actions, only the admin who initiated the export can cancel it. For all other actions, admins who have the specific privileges to take action on the data relevant to the actionsuch as Drive, Gmail, or Mobilecan cancel the action.

Retry actions

When taking a bulk action, you may occasionally encounter search errors—for example, if some users are not included in the search results. If this occurs, you can retry actions:

  1. After completing an action in the investigation tool, click VIEW DETAILS.
  2. From the Action details panel, click RETRY.
  3. Click the action in the retry window—for example, click MARK AS SPAM.

Export action results to a Sheets file in your My Drive folder

To save action results to your My Drive folder:

  1. Click the Export button at the top of the table for the action results.
  2. Type an export name.
  3. Click Export.

View exported action results

Note the following when viewing exported action results:

  • After you click the Export button at the top of the table, a Google Sheet is created in your My Drive folder that includes the action results. Depending on the size of the results, the export process could take some time, and multiple Google Sheets might be created. The total results of the export are limited to 30 million rows.
  • While the export is in-progress, Google Sheets are created with a temporary name—for example, TMP-1-<title>. If multiple Google Sheets are created, additional files are named TMP-2-<title>, TMP-3-<title>, and so on. When the export process is completed, the files are automatically renamed to: <title> [1 of N], <title> [2 of N], and so on. If only one Google Sheet contains the exported data, the file is renamed to <title>.
  • Sharing permissions for files with the exported action results are per your domain configuration. For example, if by default the files created will be shared with everyone in the company, then the exported data will also have this visibility. 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu