What is the Security Investigation Tool?


As a super administrator, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain.

Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source.


You should have super administrator privileges as well as an administrator role with investigation tool privileges (a custom admin privilege).

You can use the investigation tool to:

  • Access data about devices.
  • Access data about Gmail messages, including email content.
  • View search results that list suspended users.
  • Access Drive log data to investigate file sharing in your organization, etc.

To access data in the investigation tool, from the Google Admin console Home page, click Security > Security Center > Investigation tool.

 

Here, for example, we have selected Gmail as the Data source and filtered the data using the condition Date.

Click Search to list the email data.

Select the email that we want to investigate and click the Action button. This shows a number of options, which are listed in the image, and the administrator can perform any of these actions on that particular email if required.

 

Also, you can save, share, delete, and duplicate any investigations that you own. This enables you to retain search criteria for ongoing use and to collaborate with others in your organization while managing investigations.

 

 

Under Reporting in the Google Admin console, Google Workspace administrators can search log event data (previously called audit logs) to review user and administrator activity for an organization. But the more-advanced security investigation tool—which is available for Enterprise Plus and Education Plus—enables admins to identify, triage, and take action on security and privacy issues.

Supported editions for the security investigation tool include Enterprise Plus, Education Standard, and Education Plus.

Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.

Please check the supporting articles for more information:

  • About the Investigation Tool
  • Data sources for the investigation tool