Use the investigation tool to view sensitive content

Security investigation tool

Supported editions for this feature: Enterprise Plus, Education Plus. Compare your edition

As an administrator, you might need to view sensitive content of a Gmail message, Chat message, or Chat attachment as part of an investigation. Using the investigation tool, you can find the message and view its contents. You can also investigate whether a DLP rule violation is a real incident or a false positive.

Important: Before you can view sensitive message content, a Super Admin will need to adjust the investigation tool settings to provide access to administrators in your organization. For details and instructions, see Configure settings for your investigations.

Before you begin

You need the View sensitive content privilege to view sensitive message content. For details, see Admin privileges for the investigation tool

View sensitive email content

Step 1: Get started with your investigation
  1. Sign in to use the investigation tool.
  2. From the Data source list, select Gmail messages or Gmail logs.

    Note: Gmail data sources are available only with Enterprise Plus and Education Plus editions.

  3. Click Add Condition.
  4. Using the menus, search for the email you want to see. For details, see Customize searches within the investigation tool
  5. Click Search.
  6. In the search results, for the Gmail message you want to investigate, click the subject or message ID. 

You’ll see the message header. To view contents of the message, you need to provide justification (see step 2).

Step 2: Provide justification to view messages
  1. At the top of the message header, click Message
  2. Enter the reason why you need to view the message contents. The reason you enter is recorded in the Admin audit log. 
    Tip: Remember to include important information, such as a ticket number or if legal counsel gave approval to view the message. 
  3. Click Confirm.
Step 3: View the email message and take action

After you provide justification to view the message, you’ll see the contents of the message. Then, you can take the following actions on the message:

  • Delete message
  • Mark as spam
  • Mark as phishing
  • Send to inbox
  • Send to quarantine

From the Message tab or Thread tab, you can also view VirusTotal reports related to email attachments. For details and instructions, see View VirusTotal reports from the investigation tool.

Related topics 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
1164255714507588045
true
Search Help Center
true
true
true