Use the investigation tool to view sensitive content

Security investigation tool
As an administrator, you might need to view sensitive content of a Gmail message, Chat message, or Chat attachment as part of an investigation. Using the investigation tool, you can find the message and view its contents. You can also investigate whether a DLP rule violation is a real incident or a false positive.

Important: Before you can view sensitive message content, a Super Admin will need to adjust the investigation tool settings to provide access to administrators in your organization. For details and instructions, see Configure settings for your investigations.

Your access to the security investigation tool

  • The security investigation tool requires a premium Google Workspace edition (Enterprise Standard, Enterprise Plus, or Education Plus).
  • You can access logs using the Chrome browser for the Google apps you have installed, for example, Gmail.
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. 
  • You can run a search in the investigation tool on all users, regardless of the Google edition they have.

Before you begin

You need the View sensitive content privilege to view sensitive message content. For details, see Admin privileges for the investigation tool.

View sensitive email content

Step 1: Get started with your investigation
  1. Sign in to use the investigation tool.
  2. From the Data source list, select Gmail messages or Gmail logs.

    Note: Gmail data sources are not available with Cloud Identity Premium or Enterprise Standard editions. For details, see Data sources in the investigation tool.

  3. Click Add Condition.
  4. Using the menus, search for the email you want to see. For details, see Customize searches within the investigation tool.
  5. Click Search.
  6. In the search results, for the Gmail message you want to investigate, click the subject or message ID. 

You’ll see the message header. To view contents of the message, you need to provide justification (see step 2).

Step 2: Provide justification to view messages
  1. At the top of the message header, click Message.
  2. Enter the reason why you need to view the message contents. The reason you enter is recorded in the Admin audit log. 
    Tip: Remember to include important information, such as a ticket number or if legal counsel gave approval to view the message. 
  3. Click Confirm.

Step 3: View the email message and take action

After you provide justification to view the message, you’ll see the contents of the message. Then, you can take the following actions on the message:

  • Delete message
  • Mark as spam
  • Mark as phishing
  • Send to inbox
  • Send to quarantine

From the Message tab or Thread tab, you can also view VirusTotal reports related to email attachments. For details and instructions, see View VirusTotal reports from the investigation tool.
