As an administrator, you can create, save, and share investigations. This enables you to retain search criteria for ongoing use, and to collaborate with others in your organization while managing investigations.
Note: You also have the option to build a search for an investigation without saving it.
Create and save investigations
To create and save an investigation:
- Sign in to the Google Admin console at admin.google.com.
Be sure to sign in using your administrator account, and not your personal Gmail account.
- At the top, click Menu and select Security Investigation tool.
- Choose a data source for your search; for example, Device log events, Devices, or Gmail log events.
- Click ADD CONDITION.
You can include one or more conditions in your search. For details about conditions that are available for each data source, see Customize searches within the investigation tool.
- Click SEARCH.
- Click Save .
- Type a Title and Description for the investigation.
- Click SAVE.
Note: From the main page for an investigation, you can view the date and time that an investigation was last saved in the header at the top of the page. If the settings for an investigation are incomplete or invalid (for example, if settings are left blank where you need to enter information), the investigation is described as partially saved. You'll need to find and fix any errors before you can save the investigation.
After you create an investigation, you can share it with other users.
- In the investigation tool, click an investigation to open it.
- Click Share.
- Enter the usernames of people you want to share the investigation with.
- Click SAVE CHANGES.
View your list of investigations
View a list of the investigations that you own and that were shared with you by clicking the View investigations icon on the right-hand side of the security investigation tool. The investigation list includes the names, descriptions, and owners of the investigations, as well as the date last modified.
From this list, you can take action on any investigations that you own—for example, to delete an investigation. Check the box for an investigation, and then click ACTIONS.
Note: Directly above your list of investigations, you can also view a set of recently saved investigations in the Quick access section.