Supported editions for this feature: Frontline Plus; Enterprise Plus; Education Standard and Education Plus.
As an administrator, you can use the security investigation tool to view the sensitive content of a Gmail message, Chat message, Chat attachment, Chrome log event, or rule. You can also investigate data protection rules used for data loss prevention (DLP).
Important: Before you can view sensitive message content, a super administrator will need to adjust the security investigation tool settings to provide access to administrators in your organization. For details and instructions, go to Configure settings for your investigations.
View sensitive content
- In the Google Admin console, go to Menu > Security > Security center > Investigation tool.
  Requires having the Security center administrator privilege.
- From the Data source list, select Chat log events, Chrome log events, Gmail messages, Gmail log events, or Rule log events.
  Gmail messages and Chrome log events are not available with Education Standard.
- (Optional) To narrow the search, click Add Condition and specify the attribute and values. For details on specific log events, go to Data sources for the security investigation tool.
- Click Search.
- In the search results, click the log event that you want to investigate.
View email message content
A search for Gmail log events or Gmail messages returns the message header. To view the message, you need to provide justification:
- At the top of the message header, click Message.
- Enter the reason why you need to view the message. The reason you enter is recorded in the Admin log events.
  Tip: Remember to include important information, such as a ticket number or if legal counsel gave approval to view the message.
- Click Confirm.
After you provide justification to view the message, you can review the contents of the message. Then, you can take the following actions on the message:
- Delete message
- Mark as spam
- Mark as phishing
- Send to inbox
- Send to quarantine
From the Message tab or Thread tab, you can also view VirusTotal reports related to email attachments. For details and instructions, see View VirusTotal reports from the investigation tool.
View rule content
If you search for Rule log events, you get a list of DLP snippets. DLP snippets are created when sensitive content storage is turned on and the data protection rule flags sensitive content. For details, go to View content that triggers data protection rules.
View Chrome log events
Available with Chrome Enterprise Premium
If you search for Chrome log events, you can review any Chrome browser malware files in Evidence Locker. For details, go to Investigate and take action on suspicious files.