Google Security Investigation Tool: Remove Users, Change Ownership, and More

For investigations in Google Workspace, Google offers its powerful Security Investigation Tool. If you’re a super administrator on the Enterprise Plus, Education Standard, Education Plus, or Enterprise Essentials Plus plans, you can access this potent feature. 

The investigation tool allows administrators to conduct searches in different Google Workspace data sources including Gmail, Chrome, and Google Groups. In this post, we’ll focus on using the investigation tool to search within Google Drive and then take action based on the results.  

How to run a search for Google Drive log events

  1. In the Admin console, go to “Menu” > “Security” > “Security center” > “Investigation tool.”
  2. From the Data source menu, click “Drive log events.”
  3. Click “Add Condition.”
  4. Click “Attribute,” and select an option. For a complete list of attributes, visit here
  5. Click “Contains” and select an operator.
  6. Enter a value, or select a value from the drop-down list.
  7. You can add more search conditions by repeating steps 3–6.
  8. Click “Search.”
  9. You can also group your results by different attributes. Click “Group results,” then choose your attribute, such as “Date” or “Actor,” from the drop-down menu.
  10. To save your investigation, click “Save” > enter a title and description > click “Save.”

Once administrators conduct a search using Drive log events, they can choose files from the search results, review the permissions associated with those files, and perform additional actions as needed. Here are the actions you can take after identifying risks with Google’s investigation tool:

Find, add, and remove collaborators on Google Drive files 

Why it matters

Knowing who has been added as a collaborator to company files is essential to mitigate risk. Sometimes, collaborators have been added who should not have access, for example, a contractor who no longer works with the company. Using the tool, you can see who has access to your files, add new people, or remove collaborators. 

How to do it

  1. In the Admin console, go to “Menu” > “Security” > “Security center” > “Investigation tool.”
  2. After you run a search based on Drive log events, check the boxes for relevant files in the search results.
  3. Click “Add Users” if you want to give file access to additional users. You can add multiple users with a comma-separated list, and you can select the access level for the users that you add.
  4. Or, click “Actions,” and choose “Remove users.”
  5. You will need to confirm these actions by entering confirmation text.

Find and change permissions on Google Drive files

Why it matters

Many people do not realize that when they share Google Drive files, they often grant collaborators more access permissions than they need. For example, anyone with “Editor” access can share the document with others or even set the file to have a public link. This leads to all sorts of unnecessary risks, for example, an employee sharing a document with an external vendor and giving them “Editor” permissions, rather than “Viewer” or “Commenter.”

These types of oversharing mistakes happen all the time in companies, so it’s helpful to use the Google Security Investigation Tool (GSIT) to investigate how much access has been granted on a file, or what its link-sharing settings are. Using the tool, administrators can even manage the permissions for shared drives. Let’s look at how:

How to do it

  1. In the Admin console, go to “Menu” > “Security” > “Security center” > “Investigation tool.”
  2. After you run a search based on Drive log events, check the boxes for relevant files in the results.
  3. Click “Actions” > “Audit File Permissions” to open the Permissions page.
  4. The Files tab shows files that were included in your search results. From here you can manage access to those files. 
  5. You can select a file, and then click “Access.” From there, you can choose “Set access” to choose an access level. 
  6. You also have the option of removing users or disabling the ability to print, copy, or download the file. 
  7. Visit the “People” tab to view users and groups with access to the selected files. People in this list have access to one or more of the items from your search results. Use this view to manage the access of both users and groups.
  8. You can click “Links” to view or change the link-sharing settings on the files.
  9. Also, you can manage permissions for shared drives and files that were included in your search by visiting the “Shared Drives” tab. 
  10. Click “Pending Changes” to review the changes before saving.
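
To decide which files from a search deserve that permission review, the following added example (not part of the original post and not Google's code) replays sharing events and lists external accounts that still hold “Editor” access. The record fields, domain, and sample events are constructed assumptions, not the tool's export schema.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own domain

# Constructed sample records. Field names are illustrative assumptions,
# not the Investigation Tool's export schema; map them to your export.
EVENTS = [
    {"time": "2024-03-01T09:00", "actor": "alice@example.com", "doc": "Roadmap",
     "target": "vendor@partner.test", "role": "editor"},
    {"time": "2024-03-02T10:00", "actor": "bob@example.com", "doc": "Payroll",
     "target": "carol@example.com", "role": "editor"},       # internal user
    {"time": "2024-03-03T11:00", "actor": "bob@example.com", "doc": "Payroll",
     "target": "temp@contractor.test", "role": "editor"},
    {"time": "2024-03-04T12:00", "actor": "bob@example.com", "doc": "Payroll",
     "target": "temp@contractor.test", "role": "none"},      # removed later
    {"time": "2024-03-05T08:30", "actor": "alice@example.com", "doc": "Pricing",
     "target": "buyer@customer.test", "role": "viewer"},
    {"time": "2024-03-06T14:00", "actor": "alice@example.com", "doc": "Pricing",
     "target": "buyer@customer.test", "role": "editor"},     # upgraded to Editor
]

def is_external(email, domain=INTERNAL_DOMAIN):
    # Compare the exact domain part so "x@notexample.com" is not treated as internal.
    return email.rsplit("@", 1)[-1].lower() != domain

def external_editor_grants(events, domain=INTERNAL_DOMAIN):
    """Replay events in time order and return (doc, target, actor) tuples for
    external accounts whose most recent role on a file is Editor."""
    latest = {}  # (doc, target) -> (role, actor) from the newest event
    for e in sorted(events, key=lambda e: e["time"]):
        latest[(e["doc"], e["target"])] = (e["role"].lower(), e["actor"])
    return sorted((doc, target, actor)
                  for (doc, target), (role, actor) in latest.items()
                  if role == "editor" and is_external(target, domain))

def group_by_actor(grants):
    """Mirror the tool's "Group results" by Actor: who created the risky shares."""
    grouped = defaultdict(list)
    for doc, _target, actor in grants:
        grouped[actor].append(doc)
    return dict(grouped)

if __name__ == "__main__":
    grants = external_editor_grants(EVENTS)
    for doc, target, actor in grants:
        print(f"{doc}: {target} has Editor (granted by {actor})")
    print(group_by_actor(grants))
```

The replay only sees events inside the search window, so confirm current access on the “Audit File Permissions” page before removing anyone.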

Find and change ownership of Google Drive files

Why it matters

There are various reasons why you would change ownership of a file. Let’s say you are offboarding a former employee, and they are the owner of hundreds of sensitive company files. Or, you have an employee who has changed roles within the organization and should be the owner of certain documents, even though they did not create them. Using the GSIT, you can quickly transfer ownership to a new account with ease. 

How to do it

  1. In the Admin console, go to “Menu” > “Security” > “Security center” > “Investigation tool.”
  2. After you run a search based on Drive log events, check the boxes for relevant files in the results.
  3. Click “Actions” > “Change owner.” 
  4. Type in the email address of the new owner’s account.
  5. Confirm the action by writing “CHANGE OWNER” in the confirmation textbox. 
  6. Click “Change owner” at the bottom of the box. 

Find and restrict downloading, copying, and printing of Google Drive files

Why it matters

Although there will always be workarounds, restricting the ability to download, copy, or print sensitive documents in Google Drive can reduce the risk of malicious or accidental misuse. It’s important to note that disabling these actions will only affect users with “Commenter” or “Viewer” permissions. That’s another reason it’s vital to make sure only accounts that absolutely need “Editor” access have it.

How to do it

  1. In the Admin console, go to “Menu” > “Security” > “Security center” > “Investigation tool.”
  2. After you run a search based on Drive log events, check the boxes for relevant files in the results.
  3. Click “Actions” > “Disable download, print, copy.”
  4. Confirm the action by typing in the confirmation textbox. 
  5. Click “Disable” at the bottom of the box. 

Since its introduction in 2018, the Google Security Investigation Tool has evolved into a powerful solution for investigations in Google Workspace. Using the tool, administrators can take action after their searches in Google Drive, including transferring ownership, removing users, and changing permissions. The GSIT illuminates investigations, giving administrators a toolkit to elevate security protocols. For a detailed guide on how to use the tool, visit here
