You can start an investigation from the alert center by linking directly to the security investigation tool. Using the investigation tool, you can then view additional details about the event, make important adjustments to your Google Admin console settings if needed, or take other actions in response to the alert.
You can start an investigation in two ways:
- To start an investigation from the main page of the alert center, click one of the magnifying glass icons on the far-right side of the page.
- To start an investigation from an alert details page, click INVESTIGATE ALERT.
Using the details from the alert, conditions for the investigation are then pre-populated in the investigation tool, and the investigation tool opens automatically. Click SEARCH to run the investigation. You can also add conditions or make adjustments to the conditions before clicking SEARCH.
For more details and instructions, see About the security investigation tool.
Your access to the security investigation tool
- Supported editions for the security investigation tool include Enterprise Plus, Education Standard, Education Plus, and Enterprise Essentials Plus.
- Admins with Cloud Identity Premium, Frontline Standard, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
- Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. For more information, go to Improved audit and investigation experience.
- You can run a search in the investigation tool on all users, regardless of the Google edition they have.