Google Workspace Security Investigation Tool: Guide to the Condition Builder
The Google Workspace Security Investigation Tool has become a critical piece of the security stack for companies using Google Workspace. The tool can be used with a range of Google services, from Chrome to Gmail, helping administrators and security analysts with investigations. Administrators may use the condition builder to conduct investigations and searches within the security investigation tool. This allows them to choose different attributes (such as Visibility or Date), as well as search operators, before running a search.
In this post, we’ll take a look at all the attributes Google Workspace administrators can use. We’ll then define all the events, giving administrators a better idea of how to use the security tool in their organizations.
A quick guide to attributes in the Google Workspace Security Investigation Tool
To access the condition builder, simply go to “Investigation tool” in your Google Admin console, and in the Data source menu, choose “Drive log events.” You can then click “Add Condition” and start choosing attributes. We’ve defined these attributes in the table below:
Attribute | Definition |
---|---|
Actor | The email address of the user who performed the action. For users outside the domain, their identity is anonymous, unless they view or edit a file that has been directly shared with them (either individually or as part of a group). |
Actor group name | The group name of the user who performed the action. Google Groups allows users to share files with multiple people using a single email address. Admins can create a group, share files, and automatically forward emails to everyone in the group. |
Actor organizational unit | The organizational unit of the user who performed the action. Organizational units allow admins to apply settings to a specific set of users. For example, you can have a group called Marketing that comprises members of the Marketing team. |
Audience | The target audience (domain or target audience) that can view the item. For more information on target audiences, visit here. |
Billable | Only for the Essentials edition. Billable means whether the user action is a “chargeable activity.” Chargeable activities include things like viewing, opening, or previewing a Drive file. It’s essentially an activity that makes someone an active user. For more information on chargeable activities, visit here. |
Copy type | This attribute deals with copying documents. Under “Copy Type,” you can choose from External, Internal, and Type. External shows if users/groups external to the domain created a copy of an original document. Internal shows if someone in your organization created a copy of an original document. Type shows if a user changed sharing permissions from “None” to “Can edit.” |
Data connection ID | The data connection ID for Connected Sheets query events. |
Date | The date and time the event occurred. It will be displayed in your browser's default time zone. |
Delegating principal | The delegating user whose credentials are used. |
Document ID | The unique identifier for the Drive item associated with the activity, as preserved within the URL link for the file. |
Document type | The file format associated with the activity. Examples include Google Docs, Sheets, Slides, JPEG, PDF, PNG, MP4, Microsoft Word, Excel, PowerPoint, txt, HTML, MPEG audio, QuickTime video, folders, or shared drives. |
Domain | The domain where the action took place. |
Encrypted | Whether the file is client-side encrypted or not. |
Encryption change | When an item is copied and an encryption change occurs. There are two possible values: encrypted or decrypted copy. “Decrypted copy” means an unencrypted item was created from an encrypted item. “Encrypted copy” means an encrypted item was created from an unencrypted item. |
Event | User-initiated events. Some events include “Add to folder,” “Comment approved,” and “Download.” We’ll go over these in detail in the next table. |
Execution ID | The query execution ID for Connected Sheets query events. |
Execution trigger | The execution trigger for Connected Sheets query events. It identifies what triggered the query to execute. |
IP address | IP address of the user's activity, which could indicate the user's physical location or an alternate source like a proxy server or Virtual Private Network (VPN) address. |
Label field display name | A field is an individual typed, settable component of a label. A label can have zero or more fields associated with it. |
Label title | The name of the label. For example, confidential. |
New owner | After a change of ownership, the email address of the user who now owns the item. For items moved to a shared drive, this is the shared drive name. |
New publish visibility value | After a change, the new visibility of the document. |
New shared drive ID | When a new document owner is a shared drive, the shared drive root ID. |
New value | After a change, the new value of the changed setting. |
New value IDs | After a label field change, the new ID value of the label field. |
Old publish visibility value | After a visibility change, the old visibility of the document. |
Old value | After a change, the old value of the changed setting. |
Old value IDs | After a label field change, the old value of the label field ID. |
Owner | The email address of the user who owns the file. When an account creates a document, they are the owner of that file. However, employees can also transfer ownership of their files to other people in their organization. |
Prior visibility | After a visibility change, the previous visibility of the document. |
Query type | The type of query. The value will be either BigQuery or Looker. |
Recipients | The email addresses of the recipients. |
Requested access role | When a user requests a level of access to an item. Possible values include “Can comment,” “Can edit,” “Can respond,” “Can view,” “Can view published,” “Manager,” “None,” and “Owner.” |
Revision create timestamp | The timestamp when the revision was originally created. |
Revision ID | The ID of the revision after a revision is deleted or unpinned. |
Script container app | The container application of a container-bound Apps Script file. Choose from Google Document, Form, Presentation, Sites, or Spreadsheet. |
Script container ID | The container ID of a container-bound Apps Script file. More information here. |
Script trigger ID | The ID of an Apps Script trigger when a script trigger is created or deleted. |
Script trigger source app | The source providing a trigger. Choose from Clock, Google Calendar, Document, Form, Presentation, or Spreadsheet. |
Script trigger type | The script trigger type. Choose from “On any event,” “On calendar event created,” “On calendar event deleted,” “On calendar event updated,” “On change,” “On edit,” “On form submit,” “On open,” “Oneshot,” or “Recurring.” |
Shared drive ID | The ID of the shared drive containing the file or folder. |
Target | A user whose access has been changed. |
Title | The title of the document. |
Visibility | Visibility of the Drive item associated with the activity. These include “People with link,” “People within audience with link,” “Private,” “Public on the web,” “Shared externally,” and “Shared internally.” |
Visibility change | Visibility of the Drive item before the activity. Choose from “External,” “Internal,” or “None.” |
Visitor | “True” means the activity is from a user who is not associated with a Google account. “False” means the activity is by a logged-in Google user. Learn more about sharing documents with visitors here. |
A quick guide to events
When working in the condition builder, administrators can choose from the attributes above; the Event attribute in particular lists user-initiated events. We define all of these events in the table below:
Event | Definition |
---|---|
Access request denied | When a user requests access to an item, and the request is denied. |
Access request expired | When a user requests access to an item, and the access request ends before it is approved. |
Access requested | When a user requests access to an item. |
Add to folder | When a user adds a document to a folder. |
Appeal abuse violation | When a user appeals an abuse violation. |
Apply security update | When a user applies the security update to a file. |
Approval canceled | When a user cancels an approval on an item. |
Approval comment added | When a user adds a comment on an approval on an item. |
Approval completed | When an approval is completed. |
Approval decisions reset | When approval decisions are reset. |
Approval due time change | When a user requests a due time change on an approval. |
Approval requested | When a user requests approval on an item. |
Approval reviewer change | When a user requests a reviewer change on an approval. |
Approval reviewer responded | When a user reviews an approval on an item. |
Bulk apply security update | When a user applies the security update to all files in a shared drive. |
Bulk remove security update | When a user removes the security update from all files in a shared drive. |
Change access scope | When a user changes the link-sharing access type of a document. For example, a user changes the link-sharing access type from an “Editor” to a “Viewer.” |
Change access scope from Parent Folder | Due to a change in a parent folder, the link-sharing access type changes. |
Change ACL editors | When the editor settings for an Access Control List (ACL) are changed. |
Change document visibility | When a user changes the link-sharing visibility of a document. For example, the user changed the link-sharing visibility from “Public on the web” to “Private.” |
Change document visibility from parent folder | Due to a change in a parent folder, the link-sharing visibility for a domain changes. |
Change shared drive membership | When the members of a shared drive are changed, for example, a member is removed from the shared drive. |
Change user access from Parent Folder | Due to a change in a parent folder, the sharing permissions for a target user are changed. |
Comment created | When a user comments on a document. |
Comment deleted | When a user deletes their comment on a document. |
Comment edited | When a user edits their comment on a document. |
Comment reassigned | When a user assigns a comment to one user, but then changes the assignment to another user. |
Comment reopened | When a user reopens a comment that was previously resolved on a document. |
Comment resolved | When a user resolves a comment on a document. |
Connected Sheets query | When a query is run from Connected Sheets on BigQuery or Looker. |
Copy | When a user copies an item. |
Create | When a user creates an item. |
Delete | When a user sends an item to the Trash. |
Download | When a user downloads an item. |
Edit | When a user edits an item. |
Email as attachment | When a user shares a document as an email attachment. |
Email collaborators | When a user emails the collaborators of an item. |
Forms responses downloaded | When a user downloads Forms responses. |
Import content | When a range of cells is imported from a Sheet. |
Label applied | When a label is added to an item. |
Label applied on creation | When a label is automatically added to an item as soon as it is created. |
Label field value changed | When the field value for a label is edited. |
Label removed | When a label is removed from an item. |
Lock | When a user locks an item. |
Move | When a user moves an item from a source folder to a destination folder. |
Owner changed | When the ownership of an item is changed or transferred to another user. |
Owner changed from parent folder | Due to a change in a parent folder, the owner of an item was changed. |
Preview | When an item is previewed. |
Print | When an item is printed. |
Publish new version | When a user publishes a new version of an item. |
Publish status change | When a user changes the publish status and visibility for an item. |
Remove from folder | When an item is taken out of a folder. |
Remove from trash | When an item is removed from the Trash. |
Remove security update | When the user removes the security update from a file. |
Rename | When an item is renamed. |
Report abuse | When an abuse report is submitted for an item. |
Revision deleted | When a user deletes a revision of an item. |
Revision unpinned | When a user unpins a revision of an item. This means that the revision should not be kept forever. |
Script trigger created | When a user creates an Apps Script trigger. |
Script trigger deleted | When a user deletes an Apps Script trigger. |
Shared drive settings change | When the settings for a company shared drive are edited. |
Sheets ImportRange | When a range of cells is imported from a spreadsheet. |
Source copy | When a user copies an item, creating a new item. Any time a file is copied, a source copy event is logged for the file that is copied. |
Suggestion accepted | When a user makes a suggestion on a document, and the suggestion is accepted. |
Suggestion created | When a user makes a suggestion on a document. |
Suggestion deleted | When a user makes a suggestion on a document, and the suggestion is deleted. |
Suggestion rejected | When a user makes a suggestion on a document, and the suggestion is rejected. |
Trash | When an item is deleted and sent to the Trash. |
Unlock | When a user unlocks an item. |
Unmovable item relocated | When a parent folder is moved, an item that couldn't be moved is relocated from a source folder to a destination folder. |
Upload | When an item is uploaded. |
User sharing permissions change | When the sharing permissions for an item are changed. For example, a user with “Edit” permissions is downgraded to “Comment” permissions. |
Video caption delete | When a user deletes a video caption. |
Video caption download | When a user downloads a video caption. |
Video caption upload | When a user uploads a video caption. |
View | When an item is viewed. |
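As an added example that is not part of the original post, the following Python applies condition-builder-style searches (attribute, operator, value, ANDed together) to a handful of constructed Drive log events, using the attribute names from the first table and the event names from the second. The operator names and the sample records are assumptions made for this example; they are not taken from the tool.

```python
# Constructed sample Drive log events, shaped after the attribute and event
# names in the tables above. Not real log data; timestamps are UTC ISO 8601,
# so plain string comparison orders them chronologically.
SAMPLE_EVENTS = [
    {"Actor": "alice@example.com", "Event": "Change document visibility",
     "Document ID": "doc-A", "Prior visibility": "Private",
     "Visibility": "Public on the web", "Date": "2024-05-01T09:15:00Z"},
    {"Actor": "bob@example.com", "Event": "Download",
     "Document ID": "doc-B", "Visibility": "Shared internally",
     "Date": "2024-05-01T10:00:00Z"},
    {"Actor": "carol@example.com", "Event": "Change document visibility",
     "Document ID": "doc-C", "Prior visibility": "Public on the web",
     "Visibility": "Private", "Date": "2024-05-02T11:30:00Z"},
    {"Actor": "anonymous", "Event": "View", "Document ID": "doc-A",
     "Visibility": "Public on the web", "Visitor": "True",
     "Date": "2024-05-02T12:00:00Z"},
]

# Search operators as predicates. The operator names are assumed for this
# example; the post does not list the ones the condition builder offers.
OPERATORS = {
    "Is": lambda actual, expected: actual == expected,
    "Is not": lambda actual, expected: actual != expected,
    "Contains": lambda actual, expected: expected in actual,
    "Before": lambda actual, expected: actual < expected,
    "After": lambda actual, expected: actual > expected,
}


def matches(event, conditions):
    """True when every (attribute, operator, value) condition holds.
    Conditions are ANDed, as in the condition builder; an attribute that is
    absent from the event is treated as an empty string."""
    return all(OPERATORS[op](event.get(attr, ""), value)
               for attr, op, value in conditions)


def search(events, conditions):
    """Return the Document IDs of events matching all conditions, oldest first."""
    hits = [e for e in events if matches(e, conditions)]
    return [e["Document ID"] for e in sorted(hits, key=lambda e: e["Date"])]


# Search 1: items whose link-sharing visibility was just set to public.
MADE_PUBLIC = [("Event", "Is", "Change document visibility"),
               ("Visibility", "Is", "Public on the web")]

# Search 2: activity by visitors (no Google account) from a given date on.
VISITOR_ACTIVITY = [("Visitor", "Is", "True"),
                    ("Date", "After", "2024-05-01T00:00:00Z")]
```

Pairing the "Change document visibility" event with the Visibility and Prior visibility attributes is the usual way to separate items that became public from items that were taken private again.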
Google Workspace Security Investigation Tool: Full Guide
Since 2018, the Google Workspace Security Investigation Tool (GSIT) has evolved into an essential security resource for businesses using Google Workspace. Designed for administrators and security analysts, the GSIT plays a central role in detecting, assessing, and addressing potential security threats.
The GSIT gives administrators visibility into activity across Google Workspace and a better way to strengthen their security controls. The condition builder helps streamline searches, producing more precise results. For a detailed guide on using the tool, please visit here.