Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more
As your organization's administrator, you can run searches on Context-Aware Access log events and take action based on the results. For example, you can view a record of actions to troubleshoot when a user is denied or allowed access to an app. Entries usually appear within an hour of when the user's access is denied.
For more information, go to Context-Aware Access overview .
Run a search for log events
Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.
Audit and investigation tool
To run a search for log events, first choose a data source. Then choose one or more filters for your search.
-
In the Google Admin console, go to Menu
Reporting Audit and investigation Context Aware Access log events.Requires having the Audit & Investigation administrator privilege.
-
To filter events that occurred before or after a specific date, for Date , select Before or After . By default, events from the last 7 days are shown. You can select a different date range or click
to remove the date filter. - Click Add a filter
select an attribute. For example, to filter by a specific event type, select Event
.
- Select an operatorselect a valueclick Apply
.
- (Optional) To create multiple filters for your search, repeat this step.
- (Optional) To add a search operator, above Add a filter , select AND or OR .
- Click Search . Note : Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.
Security investigation tool
To run a search in the security investigation tool, first choose a data source. Then, choose one or more conditions for your search. For each condition, choose an attribute , an operator , and a value .
-
In the Google Admin console, go to Menu
Security Security center Investigation tool.Requires having the Security center administrator privilege.
- Click Data source and select Context Aware Access log events .
- Click Add Condition
.
Tip : You can include one or more conditions in your search or customize your search with nested queries . For details, go to Customize your search with nested queries . - Click Attribute
select an option. For example, to filter by a specific event type, select Event
.
For a complete list of attributes, go to the Attribute descriptions section. - Select an operator.
- Enter a value or select a value from the list.
- (Optional) To add more search conditions, repeat the steps.
- Click Search
.
You can review the search results from the investigation tool in a table at the bottom of the page. - (Optional) To save your investigation, click Save
enter a title and descriptionclick Save
.
Notes
- In the Condition builder tab, filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
- If you give a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com , you will not see results for events related to OldName@example.com .
- You can only search for data in messages that have not yet been deleted from Trash.
Attribute descriptions
For this data source, you can use the following attributes when searching log event data.
All the applied access levels that the user successfully met during access evaluation. If this list is empty, then access isn't granted.
If at least one of the access levels from the applied attribute falls under Access level satisfied , then it's an Access grant event. This event is shown as Access Evaluated in Context-Aware Access audit logs.
All the applied access levels that the user didn't meet during access evaluation. If every access level from the Access level applied attribute appears in this list, the user's access is denied.
Note : Only applied access levels will appear in this list. Other access levels defined in the Admin console that are not applied do not appear.
The group name of the actor. For more information, go to Filtering results by Google Group .
To add a group to your filtering groups allowlist:
- Select Actor group name .
- Click Filtering groups
.
The Filtering groups page appears. - Click Add Groups .
- Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
- (Optional) To add another group, search for and select the group.
- When you finish selecting groups, click Add .
- (Optional) To remove a group, click Remove group.
- Click Save .
- The application that the user was denied access to
- The application that the user was granted access to
- (For API access) The calling application that attempted to access a blocked API
- (For API access) The calling application that accessed an unblocked API
The API of the application that the user was denied access to. For API access, the API that the calling application was blocked from accessing.
(Applicable only to Active and Monitor mode deny audits)
Device ID, as shown in Admin console Home page Devices
Mobile and Endpoints
Devices
.
If the device could not be detected, this value could be unknown.
State of the device used to perform this access—for example, Normal, Out of sync (stale or old), Cross organization (device doesn't belong to your organization), or No device signals (device cannot be detected).
When the device ID is unknown and the Device state attribute says No device signals, the user's device doesn't have reporting agents, such as endpoint verification or mobile device management (MDM).
- Access Denied—Access was denied to the listed user (actor) for the listed application.
- Access Denied (Monitor mode)—Indicates when access would be denied, if the access level were in active mode. For details, go to Deploy Context-Aware Access .
- Access Denied/User Warned (Security advisor)—Access was denied, or a user warned, due to a Security advisor for app access protection policy.
- Access Denied Internal Error—Policy enforcement failed (access was denied) due to an issue with the enforcement server.
- Access Evaluated—Context-Aware Access granted access to the listed user (actor) for the listed application.
- Access Evaluated (Monitor mode)—Indicates when Context-Aware Access would grant access if the access level were in Active mode. For details, go to Deploy Context-Aware Access .
IP ASN
You need to add this column to the search results. For the steps, go to Manage search results column data .
IP Autonomous System Number (ASN), subdivision, and region associated with the log entry.
To review the IP ASN and subdivision and region code where the activity happened, click the name in the search results.
The API of the application that the user was granted access to by Context-Aware Access.
For API access, the API that the calling application was granted access to by Context-Aware Access.
Manage log event data
Understand Access Denied log events
Sometimes you might get an Access Denied entry in the Context-Aware Access log events for a user even though they didn't report getting an Access Denied page.
Why this happens
- Multiple device sign ins : This issue can arise when a user is signed in to their account on several devices. It's particularly likely if one of these devices lacks endpoint verification or is associated with another account. For instance, they might be signed in on a personal device or a different Chrome browser profile.
- Secondary account sign in : Another scenario involves users who are signed in to their corporate account as a secondary account on another device. In this case, the Access Denied page might not appear on their primary device. However, log events will capture the access attempt that was denied on the secondary device. For details, go to Sign in to multiple accounts at once .
What to do
- Check if the user is signed in to their corporate account on another device.
- Ensure endpoint verification is correctly installed and configured on all devices where the user accesses their corporate account.
- Review the log event for device information and IP addresses to help identify the source of the denied access attempt.
Take action based on search results
Create activity rules & set up alerts
- You can set up alerts based on log event data using reporting rules. For instructions, go to Create and manage reporting rules .
- Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
To help prevent, detect, and remediate security issues efficiently, you can automate actions in the security investigation tool and set up alerts by creating activity rules . To set up a rule, set up conditions for the rule, and then specify the actions to perform when the conditions are met. For more details, go to Create and manage activity rules .
Take action based on search results
Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
After you run a search in the security investigation tool, you can act on your search results. For example, you can run a search based on Gmail log events, and then use the tool to delete specific messages, send messages to quarantine, or send messages to users' inboxes. For more details, go to Take action based on search results .
Manage your investigations
Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
View your list of investigations
To view a list of the investigations that you own and that were shared with you, click View investigations
. The investigation list includes the names, descriptions, and owners of the investigations, and the date last modified.
From this list, you can take action on any investigations that you own, for example, to delete an investigation. Check the box for an investigation and then click Actions .
Note : You can view your saved investigations under Quick access , directly above your list of investigations.
Configure settings for your investigations
As a super administrator
, click Settings
to:
- Change the time zone for your investigations. The time zone applies to search conditions and results.
- Turn on or off Require reviewer . For more details, go to Require reviewers for bulk actions .
- Turn on or off View content . This setting allows admins with the appropriate privileges to view content.
- Turn on or off Enable action justification .
For more details, go to Configure settings for your investigations .
Save, share, delete & duplicate investigations
To save your search criteria or share it with others, you can create and save an investigation, and then share, duplicate, or delete it.
For details, go to Save, share, delete, and duplicate investigations .
