The Google Workspace Security Investigation Tool is one of the most powerful resources available to an administrator. It allows you to search, analyze, and act on security and privacy issues across your domain, turning incident response from a manual scramble into a streamlined, efficient process.
However, its power can also make it seem intimidating. To help you master this feature, we’ve compiled the questions Google Workspace admins ask most often. This guide walks you from initial access through to advanced best practices so you can use the tool with confidence.
- How do I access and use the Security Investigation Tool effectively?
- What permissions and Google Workspace edition do I need?
- What are some common troubleshooting issues?
- What are the most common use cases for the tool?
- How does it integrate with other Workspace security features?
- What are the best practices and limitations to know?
How do I access and use the Security Investigation Tool effectively?
You can launch the Investigation Tool directly from the Google Workspace Admin console.
- Navigate to Menu > Security > Security Center > Investigation Tool.
- Once inside, you must choose a data source. This could be anything from Gmail messages and Drive log events to user device logs.
- Next, add conditions and filters to narrow down your search. For example, you might search for all Gmail messages from a specific sender received within the last 24 hours.
- Run the search to see a list of results. From here, you can take direct action, such as identifying and bulk-deleting a malicious email from every user’s inbox or investigating who accessed a sensitive file.
In essence, the tool is your primary interface for identifying, triaging, and remediating security issues discovered within your domain.
What permissions and Google Workspace edition do I need?
Access to the Investigation Tool is not available on all tiers and requires specific administrator privileges.
- Google Workspace Editions: The tool is exclusive to higher-tier editions, including Enterprise Plus, Education Plus, and Enterprise Essentials Plus. It is not available in editions like Business Standard or Business Plus.
- Administrator Permissions: By default, only super administrators have access. To grant access to other admins, you must create or edit a custom admin role and assign the necessary privileges.
- The core privilege required to see the tool is Security Center > Audit and Investigation > View.
- To take action (e.g., delete emails), admins need additional privileges related to the specific data source, such as Gmail > Access Gmail.
- To view the content of an email or chat message, an admin needs the View Sensitive Content privilege. A super admin must also enable this capability in the investigation settings, and the investigating admin will be required to provide a justification.
What are some common troubleshooting issues?
If you run into trouble using the tool, it’s often due to one of these common issues:
- Unable to Access the Tool: This almost always means your account either lacks the necessary admin role privileges or your organization’s Google Workspace edition does not include the Investigation Tool.
- Search Returns No Results: The tool queries audit logs, which have specific retention limits. Most log data is retained for six months (180 days), and some sources, such as Gmail log events, are only kept for 30 days. Events older than the retention window for that data source no longer exist in the tool, however wide you set the date range. Check that the period you are searching falls inside the retention window; anything older can only be found in logs you exported elsewhere.
- Cannot View Email or Chat Content: If you only see metadata (like sender and subject) but not the message body, it’s a permissions issue. Your admin role needs the “View Sensitive Content” privilege, and a super admin must have enabled the feature in the tool’s settings.
- Bulk Actions Are Not Executing: If you try to perform a large-scale action (e.g., deleting over 300 emails) and it doesn’t proceed, check if the Require Reviewer setting is enabled. This security feature requires a second, different administrator to approve any large-scale actions before they are executed.
What are the most common use cases for the tool?
Admins leverage the Investigation Tool for a wide range of security and compliance scenarios. Key use cases include:
- Phishing and Malware Response: Hunting down and removing malicious emails from all user mailboxes in a single action and marking them as phishing.
- Data Loss Prevention (DLP): Investigating file-sharing activity in Google Drive to see if sensitive documents were shared externally or accessed improperly.
- Account Compromise Investigation: Reviewing user account activities, login logs, and OAuth token changes to find and respond to signs of a compromised account.
- Content Moderation: Investigating Google Chat messages that were reported by users or may contain sensitive or inappropriate data.
- Google Meet Governance: Terminating an ongoing Google Meet session that violates policy or is running without a host using the “End meeting” action.
How does it integrate with other Workspace security features?
The Investigation Tool doesn’t exist in a silo; it’s tightly integrated with the rest of the Google Workspace security ecosystem for a seamless workflow.
- Alert Center: Every notification in the Alert Center includes an Investigate link. Clicking it opens a pre-filtered investigation, allowing you to immediately dig deeper into the specific security alert and take action.
- Security Dashboard: You can pivot directly from dashboard charts (like a spike in malware) into a related investigation. You can also create a custom dashboard chart based on a saved investigation query for ongoing monitoring of specific threats.
- VirusTotal: When reviewing an email attachment, URL, or IP address in an investigation, you can click View VirusTotal Report. This provides instant threat intelligence and context from the broader security community.
These integrations allow you to move from high-level alerts and metrics to granular investigation and remediation in just a few clicks.
What are the best practices and limitations to know?
To use the tool responsibly and effectively, keep these points in mind.
Best Practices
- Enable Oversight: Go into the tool’s settings and enable Require Reviewer for bulk actions and Require justification for viewing sensitive content. This creates accountability.
- Use Least Privilege: Only grant Investigation Tool access to administrators who truly need it for their security roles.
- Audit Your Auditors: All actions taken within the tool are recorded in the Admin audit log. Regularly review this log to see who ran searches or executed changes.
- Save Common Queries: To speed up response times during an incident, pre-define and save searches for common investigations, like phishing campaigns or external file shares.
Limitations
- Data Retention: The tool’s biggest limitation is that it relies on audit logs, which are kept for a limited period (30 days to 180 days, depending on the data source). For longer-term analysis, you must export your Workspace logs to an external tool such as Google BigQuery before they age out.
- Event-Based, Not State-Based: The tool shows a history of events, not the current state. For example, it can show you when a file was shared externally, but it cannot generate a real-time list of all files currently shared externally. You can approximate current state by replaying the sharing events in order, but only for files that had at least one logged event inside the retention window; a file shared externally a year ago and untouched since is invisible to that method.
- Incomplete Logging: Some activities are not fully captured. For instance, events performed by external users are anonymized.
- Performance: Very broad or complex queries can be slow or may even time out. Be as specific as possible with your filters and date ranges for the best performance.
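The two limitations above (retention and event-based rather than state-based logging) are easier to reason about with a concrete replay. The following is an added example, not Google’s code and not part of this page’s original content: it replays a list of Drive log events in time order to derive which files are externally visible now, and separately flags files whose earliest logged event already showed them external, meaning the exposure started before the window you can see. The events are constructed for the example and use a flattened form of the Reports API Drive audit fields (`event_name`, `doc_id`, `visibility`, `old_visibility`); the assumption that every Drive event’s `visibility` parameter reflects the file’s visibility after that event is stated in the code.

```python
"""Reconstruct current Drive sharing state from Drive log events.

Added example, not Google's code. Event records are a flattened,
constructed version of Reports API Drive audit events. Assumption: the
`visibility` parameter on any Drive event reflects the file's visibility
after that event, and `old_visibility` is only present on
change_document_visibility events.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Visibility values (Drive audit `visibility` parameter) that expose a
# file outside the domain.
EXTERNAL = {"people_with_link", "public_on_the_web", "shared_externally"}
# Events after which nobody can reach the file until it is untrashed.
REMOVED = {"trash", "delete"}


@dataclass
class DocState:
    title: str
    visibility: Optional[str]           # visibility after the latest event
    removed: bool                       # trashed/deleted in the latest event
    first_old_visibility: Optional[str]  # old_visibility on earliest event seen
    last_actor: str
    last_time: datetime


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def replay(events: List[dict]) -> Dict[str, DocState]:
    """Replay events chronologically (input order does not matter)."""
    state: Dict[str, DocState] = {}
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        doc = ev["doc_id"]
        prev = state.get(doc)
        prev_vis = prev.visibility if prev else None
        name = ev["event_name"]
        if name in REMOVED:
            removed, vis = True, prev_vis
        elif name == "untrash":
            removed, vis = False, ev.get("visibility", prev_vis)
        else:
            removed, vis = False, ev.get("visibility", prev_vis)
        state[doc] = DocState(
            title=ev.get("doc_title", prev.title if prev else doc),
            visibility=vis,
            removed=removed,
            # Keep the old_visibility from the earliest event only.
            first_old_visibility=(prev.first_old_visibility if prev
                                  else ev.get("old_visibility")),
            last_actor=ev["actor"],
            last_time=_ts(ev["time"]),
        )
    return state


def currently_external(events: List[dict]) -> List[str]:
    """Doc IDs whose latest known visibility is external and not trashed."""
    return sorted(d for d, s in replay(events).items()
                  if s.visibility in EXTERNAL and not s.removed)


def exposed_before_window(events: List[dict]) -> List[str]:
    """Docs whose earliest logged event already carried an external
    old_visibility: the exposure began before the visible log window,
    possibly beyond retention, so its true start is unknown."""
    return sorted(d for d, s in replay(events).items()
                  if s.first_old_visibility in EXTERNAL)


# Constructed sample events, deliberately out of chronological order.
SAMPLE_EVENTS = [
    {"time": "2024-05-02T09:00:00Z", "actor": "alice@example.com",
     "event_name": "change_document_visibility", "doc_id": "docA",
     "doc_title": "Q2 forecast", "old_visibility": "private",
     "visibility": "shared_externally"},
    {"time": "2024-05-01T08:00:00Z", "actor": "alice@example.com",
     "event_name": "create", "doc_id": "docA", "doc_title": "Q2 forecast",
     "visibility": "private"},
    {"time": "2024-05-03T10:00:00Z", "actor": "bob@example.com",
     "event_name": "change_document_visibility", "doc_id": "docB",
     "doc_title": "Vendor list", "old_visibility": "people_with_link",
     "visibility": "private"},
    {"time": "2024-05-03T11:00:00Z", "actor": "carol@example.com",
     "event_name": "change_document_visibility", "doc_id": "docC",
     "doc_title": "Press kit", "old_visibility": "shared_externally",
     "visibility": "public_on_the_web"},
    {"time": "2024-05-04T12:00:00Z", "actor": "dave@example.com",
     "event_name": "change_document_visibility", "doc_id": "docD",
     "doc_title": "Salary bands", "old_visibility": "private",
     "visibility": "people_with_link"},
    {"time": "2024-05-04T12:30:00Z", "actor": "dave@example.com",
     "event_name": "trash", "doc_id": "docD", "doc_title": "Salary bands"},
    {"time": "2024-05-05T07:00:00Z", "actor": "ext-viewer@partner.example",
     "event_name": "view", "doc_id": "docE", "doc_title": "Onboarding guide",
     "visibility": "shared_externally"},
]

if __name__ == "__main__":
    final = replay(SAMPLE_EVENTS)
    for doc_id in currently_external(SAMPLE_EVENTS):
        s = final[doc_id]
        print(f"EXTERNAL  {doc_id} '{s.title}' {s.visibility} "
              f"(last change by {s.last_actor} at {s.last_time:%Y-%m-%d})")
    for doc_id in exposed_before_window(SAMPLE_EVENTS):
        print(f"PRE-WINDOW exposure: {doc_id} '{final[doc_id].title}'")
```

Note what the replay can and cannot tell you: docD was shared by link and then trashed, so it is not reported as external; docE appears only through an external user’s view event, which is enough to learn its current visibility; docB and docC were already external when their first logged event arrived, so the replay cannot say when or by whom that sharing happened. A file shared externally before the oldest retained event, with no activity since, produces no row at all, which is exactly why a state-based check (or a log export that predates the retention cutoff) is needed alongside the tool.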
Understanding the capabilities and limitations of the Security Investigation Tool is the first step toward security maturity in Google Workspace. By moving beyond default settings and embracing this tool, your IT and security teams can shift from a reactive posture—dealing with problems after they’ve escalated—to a proactive one, where threats are neutralized before they impact the business.
It’s about more than just features; it’s about having the visibility and control needed to confidently answer questions from leadership about your organization’s security posture.
Ready to unlock the full potential of your Google Workspace security tools?
If your organization has an eligible plan but isn’t taking full advantage of the Investigation Tool, you may be missing a critical layer of defense.
Reach out to our team to schedule a complimentary Workspace Security Workshop, where one of our experts can help you build a roadmap for a more secure and resilient environment.