Finding message viewed in Google Vault using Vault's Audit Log
994 views
Skip to first unread message
Dylan Bennett
Jul 10, 2021, 4:51:31 PM7/10/21
to GAM for Google Workspace
If someone views a mail message in Google Vault, it will show up in the Vault Audit Log with the "Action" as "VIEW_DOCUMENT" and the "Name" as a very long unique identifier of what was viewed. (This is explained in this support document: https://support.google.com/vault/answer/4239060?hl=en#zippy=%2Cname ) However, I'm having an extremely hard time finding any information on how to match that unique identifier to an actual email to see which mail message was actually viewed.
If the person views a Drive document in Vault, the Audit Log's "Name" field shows the Drive file ID and I can use GAM to easily get all the info about the specific document viewed. However, this isn't the case with mail messages that are viewed. The identifier is not an rfc822msgid, and I can't find any information anywhere that explains what the mail message unique identifier in the Audit Log actually points to.
Any information about how to see which specific mail message was viewed in Vault would be hugely appreciated.
Best,
Dylan
Dylan Bennett
Jul 13, 2021, 1:37:54 PM7/13/21
to GAM for Google Workspace
Just adding some closure to this for anyone who finds this thread.
We contacted Google and they said the unique identifier in the "Name" field of the Vault Audit Log does not correspond to anything that can be looked up when it was an email that was viewed, but it does correspond to a Drive document when it was a Drive document that was viewed.
In other words, you can see which Drive documents someone viewed in Vault, but you cannot see which emails they viewed in Vault. They did not have any plans to fix this.
Best,
Dylan
Kim Nilsson
Jul 14, 2021, 4:52:35 PM7/14/21
to GAM for Google Workspace
Is that the same if the admin instead uses the Investigation Tool?
I mean, is the exact reference to the email also missing in the audit log?
I mean, is the exact reference to the email also missing in the audit log?
Dylan Bennett
Jul 14, 2021, 6:26:43 PM7/14/21
to GAM for Google Workspace
Not as far as I can tell. In looking at the Admin Audit Log, admin actions reported there appear to have the rfc822messageid as part of the Event Description field. However, actions admins take in Google Vault do not appear in the Admin Audit Log.
Best,
Dylan
Kim Nilsson
Jul 14, 2021, 7:16:48 PM7/14/21
to Google Apps Manager
Thanks for confirming.
Reply all
Reply to author
Forward
0 new messages