Note: You also have the option to build a search for an investigation without saving it.
Your access to the security investigation tool
- Supported editions for the security investigation tool include Enterprise Plus, Education Standard, Education Plus, and Enterprise Essentials Plus.
- Admins with Cloud Identity Premium, Frontline Standard, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
- Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can generally use the audit and investigation page instead.
Create and save investigations
To create and save an investigation:
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Security center > Investigation tool.
- Choose a data source for your search; for example, Device log events, Devices, or Gmail log events.
- Click Add Condition.
You can include one or more conditions in your search. You also have the option to customize your search with nested queries—searches with 2 or 3 levels of conditions (for details, see Customize your search with nested queries).
- From the Attribute drop-down list, choose one of the attributes—for example, Actor or Date.
Note: If you narrow the date range for your search, your results will appear in the investigation tool sooner. For example, if you narrow the search to events that happened in the last week, the query will return faster than if you search without restricting the query to a shorter period of time.
- Choose an operator—for example, Is, Is not, Contains, or Does not contain.
- Choose or enter a value for the attribute. For some attributes, you can choose from a drop-down list. For other attributes, type in a value.
- (Optional) To include multiple search conditions, repeat the above steps.
- Click Search.
Search results in the investigation tool are displayed in a table at the bottom of the page.
- Click Save.
- Type a Title and Description for the investigation.
- Click Save.
- On the Condition builder tab, filters are represented as conditions joined with AND/OR operators. You can also use the Filter tab to add simple parameter and value pairs that filter the search results.
- From the main page for an investigation, you can view the date and time that an investigation was last saved in the header at the top of the page. If the settings for an investigation are incomplete or invalid (for example, if settings are left blank where you need to enter information), the investigation is described as partially saved. You'll need to find and fix any errors before you can save the investigation.
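The condition model described above (one or more attribute/operator/value conditions, joined with AND/OR and nestable up to three levels, with a narrowed date range returning sooner) can be made concrete with a small evaluator. This is an added example, not code from Google or from the investigation tool itself: the event field names (`actor`, `event`, `date`), the sample events, and the depth accounting are constructed assumptions chosen to illustrate the page's description.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable, Dict, List, Optional, Union

# Constructed sample log events for illustration only; the tool's real data
# sources and field names are not reproduced here.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"actor": "alice@example.com", "event": "login_success", "date": datetime(2024, 5, 1, 9, 0)},
    {"actor": "bob@example.com", "event": "login_failure", "date": datetime(2024, 5, 2, 10, 0)},
    {"actor": "carol@example.com", "event": "login_success", "date": datetime(2024, 5, 3, 11, 0)},
    {"actor": "alice@example.com", "event": "login_failure", "date": datetime(2024, 4, 20, 8, 0)},
    {"actor": "bob@example.com", "event": "login_success", "date": datetime(2024, 4, 25, 8, 30)},
]

# The four operators named on the page, as predicates over (attribute value, search value).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "is": lambda actual, wanted: actual == wanted,
    "is not": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: isinstance(actual, str) and wanted in actual,
    "does not contain": lambda actual, wanted: not (isinstance(actual, str) and wanted in actual),
}

MAX_NESTING = 3  # the page allows searches with 2 or 3 levels of conditions


@dataclass
class Condition:
    """One attribute / operator / value triple, e.g. Actor is alice@example.com."""
    attribute: str
    operator: str
    value: Any

    def matches(self, event: Dict[str, Any]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        return OPERATORS[self.operator](event.get(self.attribute), self.value)

    def depth(self) -> int:
        return 1


@dataclass
class Group:
    """Conditions or nested groups joined with AND or OR (the condition builder model)."""
    combine: str
    children: List[Union[Condition, "Group"]]

    def matches(self, event: Dict[str, Any]) -> bool:
        if self.combine == "AND":
            return all(child.matches(event) for child in self.children)
        if self.combine == "OR":
            return any(child.matches(event) for child in self.children)
        raise ValueError(f"unknown combinator: {self.combine}")

    def depth(self) -> int:
        # A group adds one level on top of its deepest child.
        return 1 + max((child.depth() for child in self.children), default=0)


def run_search(events: List[Dict[str, Any]], query: Union[Condition, Group],
               since: Optional[datetime] = None) -> List[Dict[str, Any]]:
    """Evaluate a (possibly nested) query, rejecting nesting deeper than the page allows."""
    if query.depth() > MAX_NESTING:
        raise ValueError(f"query nests more than {MAX_NESTING} levels")
    # Narrowing the date range first shrinks the set the conditions are evaluated against,
    # which is why a tighter date window returns sooner.
    candidates = events if since is None else [e for e in events if e["date"] >= since]
    return [e for e in candidates if query.matches(e)]


def example_query() -> Group:
    """(Actor is alice OR Actor is bob) AND Event does not contain 'fail': three levels deep."""
    return Group("AND", [
        Group("OR", [
            Condition("actor", "is", "alice@example.com"),
            Condition("actor", "is", "bob@example.com"),
        ]),
        Condition("event", "does not contain", "fail"),
    ])


def demo(since_iso: Optional[str] = None) -> List[str]:
    """Run the example query over the constructed events; return matching actors in order."""
    since = datetime.fromisoformat(since_iso) if since_iso else None
    return [e["actor"] for e in run_search(SAMPLE_EVENTS, example_query(), since)]


def too_deep_rejected() -> bool:
    """A four-level query must be refused, mirroring the page's 2-or-3-level limit."""
    four_levels = Group("AND", [Group("OR", [Group("AND", [Condition("actor", "is", "x")])])])
    try:
        run_search(SAMPLE_EVENTS, four_levels)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())              # all matching actors
    print(demo("2024-05-01"))  # same query, narrowed to May
```

Running the query without a date restriction returns the two successful sign-ins by alice and bob; narrowing to events since 2024-05-01 leaves only alice's, and a four-level query is rejected before any event is examined.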
After you create and save an investigation, you can share it with other users.
To share an investigation:
- Click View investigations.
- Click an investigation to open it.
If the investigation isn't yet saved, click Save.
- Click Share.
- Enter the usernames of people you want to share the investigation with.
- Click Save changes.
If you decide that a search and/or the results of that search are not needed for an investigation, you can delete that search in the investigation tool.
To delete a search:
- Click Delete.
- To confirm the deletion, click Delete.
This deletes the search, including all of its query conditions and visible results, and you can’t undo this action.
You also have the option to delete all searches.
If you want to build a new investigation using the same search criteria that you used for an existing investigation, you can duplicate it.
To duplicate an investigation:
- Click Duplicate investigation.
- Enter a Title and Description.
- Click Save.
View your list of investigations
View a list of the investigations that you own and that were shared with you by clicking View investigations. The investigation list includes the names, descriptions, and owners of the investigations, as well as the date last modified.
From this list, you can take action on any investigations that you own—for example, to delete an investigation. Check the box for an investigation, and then click Actions.
Note: Directly above your list of investigations, you can also view a set of recently saved investigations in the Quick access section.