Security center improvements: Gmail content, saved investigations, and more
We’re making it easier to assess and manage threats and improve your organization’s security posture using the G Suite security center. With these changes, superadmins or delegated admins with appropriate permissions can:
- View Gmail content directly in the investigation tool when email content is needed to understand the potential security risk to a user or the domain during an investigation.
- Choose whether to include deleted Gmail content in search results and restore emails that have been recently deleted by users when required as part of the security investigation.
- Use “Group-by” to group search results around specific attributes when querying logs in the investigation tool.
- Save and share investigations with other security admins.
- See new charts and use new data sources related to user login logs.
Note that to see Gmail content, admins must have superadmin status or have the “View detailed content” permission. Additionally, those admins will be required to add justification for accessing email content, which is then stored with the log recording their access. See more details below.
Why you’d use it
The G Suite security center already helps you protect your organization with security analytics and best practice recommendations from Google. It provides a unified security dashboard, a tool to investigate and remediate threats, and more. These new features will make it easier to assess and manage threats in the tool directly, and help you collaborate with colleagues to improve your security posture.
How to get started
- Admins: Use our Help Center to learn more about the security center and the investigation tool.
- End users: No action needed.
- Investigate, remediate, search, and restore Gmail content within the investigation tool
Malicious emails can be a critical source of data for an admin investigating attempted attacks within their domain or identifying other potential security risks. Now, superadmins or admins with “View detailed content” permission who enter justification for the access request can choose to view the content of email messages that match their risk criteria directly in the investigation tool. They can also choose whether to include deleted emails as part of the investigation. Use our Help Center to learn more about Gmail message content in the investigation tool.
This makes it easier to understand the full context of risks associated with emails and can make it quicker to identify, triage, and take action on security and privacy issues in your domain.
Image: See Gmail content directly in the investigation tool
- “Group-by” option around specific search attributes when querying logs in the investigation tool
When customizing a search in the investigation tool, you can group items by a particular search attribute to quickly understand the breadth of an issue. For example, when conducting a search based on device log events, you can group the search criteria based on the device model. Use our Help Center to find out how to add a group-by option when customizing a search.
- Save and share investigations in the investigation tool
We want to make sure admins are able to work together to assess their organization’s exposure to security issues. Admins can now save their investigations in the security investigation tool and share them with other admins to improve collaboration. Use our Help Center to learn how to save, share, and change ownership of investigations.
- User logs in the security center
There are new charts in the Security Dashboards and new data sources in the investigation tool related to user login logs and the state of users in the organization. Use our Help Center to see more about how to search and investigate user log events.