Security Investigation Tool - A Premium Audit Tool in Google Workspace
Google Workspace admins use the security investigation tool to identify, triage, and take action on security and privacy issues in the domain. Admins can automate actions in the tool by creating activity rules that detect and remediate such issues more quickly and efficiently.

Google Workspace is already infused with powerful intelligence that helps people make the best use of their time and attention. Examples include the roughly two billion grammar suggestions that Google's smart AI and ML surface in Docs every month, and the intelligent file suggestions in Drive's Priority and Quick Access features that reduce file searching time by 50%.
Now, given the need for logs in audits and investigations, Google provides a premium feature for looking into end-user activity: a powerful investigation tool. This tool can be used to identify, triage, and take action on security and privacy issues.
The Google security center gives administrators a brilliant dashboard to view the investigation tool and security health events for the organization, with capabilities to export and analyze them.
Along with the ability to customize the widgets for the different reports, you get a great overview of what's happening within your organization.
It even lets you generate a VirusTotal report to help you analyze suspicious files, URLs, domains, and IP addresses to detect cyber threats.
Uses of the security investigation tool:
- Take action based on search results
You can conduct a search based on Gmail log events, and then use the investigation tool to delete specific messages, mark messages as spam or phishing, send messages to quarantine, or send messages to users' inboxes.
- Search and investigate user log events
You can search and investigate user log events, and take action based on the results of your investigations.
For example, you can identify and investigate attempts to hijack user accounts in your organization.
You can also monitor which 2SV (two-step verification) methods users in your organization are using, and the causes of failed login attempts by those users.
- Find and delete malicious emails
As an administrator, you might become aware of a malicious email that several users in your organization have received.
Using the investigation tool, you can identify all users in your domain that have received the message (for example, a phishing email). You can then use the investigation tool to centrally delete the email from your users' Gmail inboxes.
- Investigate file sharing
As an administrator, you might need to search for a sensitive document that's been shared externally, or shared too broadly.
You can investigate a file that's been shared externally by a specific user in your organization.
- Investigate a user across data sources
After searching in one data source (for example, using Gmail log events to find and delete a malicious email), you might want to investigate a specific user by pivoting and searching within another data source (for example, to search Drive log events to investigate file-sharing related to that user).
- Use the investigation tool to end meetings
As a Google Workspace administrator, you can use the "End meeting for all" action in the security investigation tool to remove all users from selected meetings within your organization. For example, you might want to prevent users from having unsupervised meetings when the meeting host isn't present, or after an event has completed.
- Use the investigation tool to view Gmail message content
As an administrator, you might need to view the content of a Gmail message as part of an investigation. Using the investigation tool, you can find the message and view its contents.
Supported editions of Workspace for the security investigation tool: Enterprise Plus and Education Plus. Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also use the tool for a subset of data sources.