Search and investigate user log events

Security investigation tool

You can use the investigation tool to search and investigate user log events, and take action based on the results of your investigations.  For example, you can do the following:

  • Identify and investigate attempts to hijack user accounts in your organization.
  • Monitor which 2SV methods users in your organization are using.
  • Learn more about failed login attempts by users in your organization.
  • Restore or suspend users.

Your access to the security investigation tool

  • The security investigation tool requires a premium Google Workspace edition (Enterprise Standard, Enterprise Plus, or Education Plus).
  • You can access logs using the Chrome browser for the Google apps you have installed. For example, Gmail.
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. 
  • You can run a search in the investigation tool on all users, regardless of the Google edition they have.

Search and investigate user log events

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  3. Choose User log events as the data source for your search.
  4. Click Add Condition.
    You can include one or more conditions in your search. For details about which conditions are available for User log events, see Customize searches within the investigation toolConditions for user log events.
    For example, you can narrow your search based on the Date of the event, the name of the user, or an Event type such as a password change, 2SV enrollment, or a failed login.
  5. Click Search.
    The search results are displayed at the bottom of the page.

Take action based on search results

From the search results page, select one or multiple users. Then, from the Actions drop-down menu, click Restore user or Suspend user.

View details for individual users in search results

From the search results page, select only one user. From the Actions drop-down menu, click View details. A page is then displayed with sign-in information, the name of the organizational unit,  security details, group membership, and more.

From this same page, you can also take actions on the user; for example, to reset the user's password or rename the user.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu