In your Google Admin console, you can use the audit and investigation tool to review user and administrator activity in your organization. You can use the information to track users and admins, and for security purposes.
Premium vs. non-premium features
Non-premium features in the audit and investigation tool
If you have a non-premium Google Workspace edition (Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, or Enterprise Essentials), you can view log event data by accessing the basic features of the audit and investigation tool.
For example, you can:
- Run searches with multiple filters
- Use AND/OR operators
- Download search results (maximum of 100,000 rows per download)
- Create reporting rules
You can access the audit and investigation tool from the left-navigation menu by clicking Reporting > Audit and investigation.
Note: Some admins have access to both the audit and investigation tool and the security investigation tool, depending on their Google Workspace edition, their admin privileges, and the data source. For more information, go to Access to both tools.
Premium features in the security investigation tool
If you have a premium Google Workspace edition (Enterprise Standard, Enterprise Plus, or Education Plus), you can access the advanced features of the security investigation tool. For example, you can:
- Save, share, delete, and duplicate investigations
- Create nested queries
- Group results by attribute when customizing a search
- Create activity rules
- Create a custom chart related to your investigation that's displayed on the security dashboard
- Pivot to other attributes from the search results
- Take action on search results
From the left-navigation menu, click Security > Security center > Investigation tool. For more details, go to About the security investigation tool.
For details about upgrading your service and for comparing features, go to Switch to Enterprise Plus edition and Compare Enterprise editions.