The Google Admin Bootcamp

🕵️‍♂️ Solve the case with the investigation tool

March 4, 2025 by John R. Sowash

As an IT admin, I often feel like a detective 🕵️‍♂️ from an old B&W movie:

  • Who deleted that critical file?
  • Why are those emails bouncing into oblivion?
  • Where did my lesson plans go?

These “cases” are a perfect opportunity to crack open the investigation tool in the Google Admin console. This resource provides detailed records of the actions that have been taken in your Google Workspace domain.

Note: The investigation tool is available for all Workspace customers. Districts that have upgraded to EDU Plus will see some additional options and data sources. For now, I’m going to focus on the features that everyone can access.


Step 1: Pick a data source

You can access the investigation tool by visiting Security > Security Center > Investigation tool. This resource has a treasure trove of information. You have 30+ data sources at your disposal. Here are some of your go-to tools:

  • 🗃️ Drive log events – file creation, deletion, share, rename, etc.
  • 📩 Gmail log events – message sent, received, deleted, forwarded, etc.
  • 👤 User log events – successful login, password change, suspicious login, etc.
  • 📅 Calendar log events – event creation, deletion, RSVP, etc.

Performing a search with these data sources will display thousands of results. Before this data can be useful, you will need to add some additional filters.

Step 2: Filter & refine

I like to narrow down my search results by adding an “event” condition. There are different events for each of the data sources we discussed above. For example, the event options for Gmail include bounced, sent, delete, forward, etc. 

If I’m trying to figure out why an email wasn’t received, I would select “bounced” as my event condition and add a second filter for “from.” If I know the date the message was sent, I would add that as a third filter condition.

This narrows my results down to a handful of emails that I can inspect to solve my deliverability issue. 
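As an added example (not from the original post or from Google), the Python below applies the same three conditions to a result set and reports how many rows survive each one. It assumes the results were exported to CSV; the column names and every sample row are constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample rows; the column names (date, event, from, to, subject)
# are assumptions for this example, not the tool's actual export schema.
SAMPLE_EXPORT = """date,event,from,to,subject
2025-02-27T08:14:02,sent,teacher@example.edu,parent1@example.com,Field trip form
2025-02-27T08:14:05,bounced,teacher@example.edu,parnet2@example.com,Field trip form
2025-02-27T09:30:41,bounced,coach@example.edu,team@example.org,Practice moved
2025-02-28T10:02:17,bounced,Teacher@Example.edu,old-list@example.com,Newsletter
2025-02-28T11:45:00,delete,teacher@example.edu,,Old draft
2025-02-27T13:20:09,forward,student@example.edu,friend@example.com,Fwd: quiz
"""

def load_events(text):
    """Parse exported rows into dicts with a real datetime in 'date'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["date"] = datetime.fromisoformat(row["date"])
        rows.append(row)
    return rows

def narrow(rows, event=None, sender=None, on=None):
    """AND the conditions together; return (matches, row count after each step)."""
    counts = [("all rows", len(rows))]
    if event is not None:
        rows = [r for r in rows if r["event"] == event]
        counts.append((f"event = {event}", len(rows)))
    if sender is not None:
        # Compare addresses case-insensitively so "Teacher@" and "teacher@" match.
        rows = [r for r in rows if r["from"].lower() == sender.lower()]
        counts.append((f"from = {sender}", len(rows)))
    if on is not None:
        rows = [r for r in rows if r["date"].date() == on]
        counts.append((f"date = {on}", len(rows)))
    return rows, counts

if __name__ == "__main__":
    hits, counts = narrow(load_events(SAMPLE_EXPORT), event="bounced",
                          sender="teacher@example.edu", on=date(2025, 2, 27))
    for label, n in counts:
        print(f"{n:>3}  {label}")
    for r in hits:
        print(r["date"], r["to"], r["subject"])
```

In the sample data the single remaining row shows a mistyped recipient address, which is the kind of detail the narrowed result set is meant to surface.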

Step 3: Practice and repeat

The investigation tool is a powerful resource to help you crack whatever technology investigation is sent your way. Using it effectively takes a lot of practice and patience, key qualities of all great detectives. 🕵️‍♂️

Additional Resources

  • Data sources for the security investigation tool
  • Search Gmail logs using the investigation tool
  • What Chromebook is that student using? Find out with a log event search!
