Improved audit and investigation experience

What's new in Google Workspace

Under Reporting in the Google Admin console, Google Workspace administrators can search log event data (previously called audit logs) to review user and administrator activity for an organization. The more advanced security investigation tool, which is available for Enterprise Plus and Education Plus, enables admins to identify, triage, and take action on security and privacy issues.

In a recent launch, Google has provided a new and advanced auditing experience with additional capabilities. As part of the launch, the audit log UI was replaced with the audit and investigation page, which is a new UI similar to the UI of the investigation tool.

Note: Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also access the security investigation tool, but only for a subset of data sources.

Changes for this launch

Major changes

  • Replacement of the existing audit log UI with the new audit and investigation page—Google Workspace admins can now access log event data (previously called audit logs) from the audit and investigation page. This is a new UI similar to the UI of the security investigation tool. Admins can access the audit and investigation page through Reporting > Audit and investigation.
  • New data sources for the investigation tool—Admins now have access to 16 new data sources in the investigation tool. For details, go to Data sources below.
  • Reporting rules and activity rules—Admins can create reporting rules through the audit and investigation page. Admins with premium editions such as Enterprise Plus can continue to create the more advanced activity rules through the investigation tool. For more details, go to Admin access to reporting rules & activity rules.

Additional changes

  • Ability to run searches in filter mode or condition builder mode—In filter mode, admins can add simple parameter and value pairs to filter the search results. When switching to condition builder mode, filters that have already been added are represented as conditions with AND/OR operators.
  • Enhanced dropdown lists for search attributes—The new UI includes a new search field to help you find search attributes. For large drop-down lists (more than 15 items), you can pin attributes that you commonly use.
  • User preference settings—Previous user preferences in the old audit log UI (such as column ordering and visibility) were lost after this launch.
  • Renaming and merging of some data sources—Some data sources that were referenced in the old audit log UI have been renamed or merged with other data sources. For example, Users log events replaces the old Login audit log and User accounts audit log.
  • Search field at the top of audit log pages—In the old audit log UI, you could search for a value at the top of the page, and you were presented with suggestions as you entered text. This search field isn't available for the audit and investigation page.
  • Groups filter—Multiple groups could be selected in the old audit log UI. To select multiple groups with the new audit and investigation page, you need to add multiple OR conditions with the Group filter.
  • Date filter—In the old audit log UI, you could select predefined quick filters for the date or time-range value. This feature isn't available with the audit and investigation page.

Data sources

Your ability to run searches in the investigation tool depends on your Google edition, your admin privileges for specific features within the Google Admin console, and the data source for which you want to run a search. For example, if you have a premium Google Workspace edition such as Enterprise Plus, but lack the necessary privileges for a specific data source, you can generally run the search on the audit and investigation page instead.

The investigation tool is primarily available for admins with premium Google Workspace editions such as Enterprise Plus and Education Plus. Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard will also have access to the investigation tool, but only for the following data sources: Chrome log events, Device log events, OAuth log events, Rules log events, User log events, and Voice log events.

The following data sources are now available. Note that some data sources—for example, live state data sources—are only available in the investigation tool, and aren't available on the audit and investigation page:

  • Access Transparency log events
  • Admin log events
  • Assignments log events
  • Calendar log events
  • Chat log events
  • Chrome browsers (live state)
  • Chrome log events
  • Classroom log events
  • Context Aware Access log events
  • Currents log events
  • Looker Studio log events
  • Device log events
  • Devices (live state)
  • Directory Sync log events
  • Drive log events
  • Gmail log events
  • Gmail messages (live state)
  • Graduation log events
  • Groups Enterprise log events
  • Groups log events
  • Jamboard log events
  • Keep log events
  • Meet log events
  • OAuth log events
  • Password Vaulted Apps log events
  • Rules log events
  • SAML log events
  • Secure LDAP log events
  • Takeout log events
  • User log events
  • Users (live state)
  • Voice log events

Note: The old Login and User accounts audit logs are now combined into User log events. Also, some data sources are named differently. For example, the name for OAuth token log events has been changed to OAuth log events.

Premium vs. non-premium features

Non-premium features in the audit and investigation page

If you have a non-premium Google Workspace edition (Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, Enterprise Essentials, or Enterprise Standard), you can view log event data by accessing the basic features of the audit and investigation page.

For example, you can:

  • Run searches with multiple filters
  • Use AND/OR operators
  • Download search results (maximum of 100,000 rows per download)
  • Create reporting rules

You can access the audit and investigation page from the left-navigation menu by clicking Reporting > Audit and investigation.

Note: Some admins have access to both the audit and investigation page and the security investigation tool, depending on their Google Workspace edition, their admin privileges, and the data source (for more information, go to Access to both tools).

Premium features in the security investigation tool

If you have a premium Google Workspace edition (Enterprise Plus or Education Plus), you can access the advanced features of the security investigation tool. For example, you can:

  • Save, share, delete, and duplicate investigations
  • Create nested queries
  • Group results by attribute when customizing a search
  • Create activity rules
  • Create a custom chart related to your investigation that's displayed on the security dashboard
  • Pivot to other attributes from the search results
  • Take action on search results

From the left-navigation menu, click Security > Security center > Investigation tool. For more details, go to About the security investigation tool.

For details about upgrading your service, and for feature comparisons, go to Switch to Enterprise Plus edition and Compare Enterprise editions.

Note: 

  • Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also access the investigation tool, but only for a subset of data sources.
  • Some admins will have access to both the audit and investigation page and the security investigation tool, depending on their Google Workspace edition, their admin privileges, and the data source (for more information, go to Access to both tools).

Access to both tools

Some admins will have access to both the audit and investigation page and the security investigation tool, depending on their Google Workspace edition, their admin privileges, and the data source for their search.

For example, an Enterprise Plus admin might have access only to the Drive log events data source in the investigation tool. But on the audit and investigation page, they can access all other data sources. So the admin can create activity rules, custom charts, nested queries, and more for the Drive data source. For other data sources, they only have access to the basic features of the audit and investigation page.
