Save, share, and delete investigations

Supported editions for this feature: Enterprise; Education Standard and Plus.  Compare your edition

As an administrator, you can create, save, share, and delete investigations. This enables you to retain search criteria for ongoing use, and to collaborate with others in your organization while managing investigations.

Note: You also have the option to build a search for an investigation without saving it.

Create and save investigations

To create and save an investigation:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. On the Admin console Home page, go to Securityand thenInvestigation tool.
  3. Choose a data source for your search; for example, Device log events, Devices, or Gmail log events.
  4. Click Add Condition.
    You can include one or more conditions in your search. For details about conditions that are available for each data source, see Customize searches within the investigation tool.
  5. Click Search.
  6. Click Save Save.
  7. Type a Title and Description for the investigation.
  8. Click Save.

Note: From the main page for an investigation, you can view the date and time that an investigation was last saved in the header at the top of the page. If the settings for an investigation are incomplete or invalid (for example, if settings are left blank where you need to enter information), the investigation is described as partially saved. You'll need to find and fix any errors before you can save the investigation.

Share investigations

After you create an investigation, you can share it with other users.

  1. In the investigation tool, click an investigation to open it.
  2. Click Share.
  3. Enter the usernames of people you want to share the investigation with. 
  4. Click Save changes.

Delete investigations

If you decide that a search and/or the results of that search are not needed for an investigation, you can delete that search in the investigation tool. 

To delete a search:

  1. At the top of the search card, click the Delete button delete_grey600_24dp.png.
  2. To confirm the deletion, click Delete.

This deletes the search, including all of its query conditions and visible results, and you can’t undo this action.

You also have the option to delete all searches.

View your list of investigations

View a list of the investigations that you own and that were shared with you by clicking the View investigations icon on the right-hand side of the security investigation tool. The investigation list includes the names, descriptions, and owners of the investigations, as well as the date last modified. 

From this list, you can take action on any investigations that you own—for example, to delete an investigation. Check the box for an investigation, and then click Actions.

Note: Directly above your list of investigations, you can also view a set of recently saved investigations in the Quick access section.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center