Save, share, and change ownership of investigations

As an administrator, you can create, save, share, and change the ownership of investigations. This enables you to collaborate with others in your organization—both administrators and users—and to retain search criteria so that you can manage investigations for ongoing use.

Note: You also have the option to build a search for an investigation without saving it.

Create and save investigations

To create and save an investigation:

  1. Sign in to the Google Admin console at admin.google.com.
    Be sure to sign in using your administrator account, and not your personal Gmail account.
  2. At the top, click Menu Menu and select Security and then Investigation tool.
  3. Choose a data source for your search; for example, Device log events, Devices, or Gmail log events.
  4. Click ADD CONDITION.
    You can include one or more conditions in your search. For details about conditions that are available for each data source, see Customize searches within the investigation tool.
  5. Click SEARCH.
  6. Click Save Save.
  7. Type a Title and Description for the investigation.
  8. Click SAVE.

Note: From the main page for an investigation, you can view the date and time that an investigation was last saved in the header at the top of the page. If the settings for an investigation are incomplete or invalid (for example, if settings are left blank where you need to enter information), the investigation is described as partially saved. You'll need to find and fix any errors before you can save the investigation.

Share investigations

After you create an investigation, you can share it with other users.

  1. In the investigation tool, click an investigation to open it.
  2. Click Share.
  3. Enter the usernames of people you want to share the investigation with. 
  4. Click SAVE CHANGES.

Change ownership of investigations

When you create and save an investigation, you are automatically the owner of that investigation. When you share the investigation with others, those users automatically receive view access. You have the option to transfer the ownership of the investigation to one of the users that you have shared it with. By transferring ownership, you will change your privilege for the investigation to viewer.

To change the ownership of an investigation:

  1. In the investigation tool, click an investigation to open it.
  2. Click Share.
  3. From the Share with people window, change the drop-down setting for a specific user from Viewer to Owner
  4. Click SAVE CHANGES.

You can also change the ownership of an investigation from the main list of saved investigations.

  1. From your list of investigations, check the box for an investigation.
  2. Click ACTIONS
  3. From the drop-down list, click Change owner.
  4. From the Change owner window, type a username.
  5. To confirm this action, type exactly the following confirmation: CHANGE OWNER.
  6. Click CHANGE OWNER.

View your list of investigations

View a list of the investigations that you own and that were shared with you by clicking the View investigations icon on the right-hand side of the security investigation tool. The investigation list includes the names, descriptions, and owners of the investigations, as well as the date last modified. 

From this list, you can take action on any investigations that you own—for example, to delete an investigation or change the owner. Check the box for an investigation, and then click ACTIONS.

Note: Directly above your list of investigations, you can also view a set of recently saved investigations in the Quick access section.

Was this helpful?
How can we improve it?