GAT Search Choices Explained

New Filter

One of the key features of GAT is its very powerful Drive search capability. The power of its search comes from being able to search on so many aspects of your metadata, filter so quickly, combine with Google file content searches and then, using recent filters, combine different searches together. We have even dedicated an entire post to 4 powerful things you can do from the Drive Audit list in General Audit Tool. Finally, when you have found the exact set of files you want, you can click on schedule to apply a policy to them.

Let us examine the options in detail.

Document name – Can be the file name or any part of the name.

It can be built using regular expressions. Be sure to tick the RegExp. box when using regular expressions. For example, for all Word or Excel files, i.e. doc/docx/xls/xlsx, search on this: ([^\s]+(\.(?i)(doc|docx|xls|xlsx))$)

In all cases, an ‘exact match’ requires the searched-for text to be a total, 100% match for the returned value; otherwise a partial match will be returned.

GAT remembers document name history, so if someone renames a document, GAT will return matches against both the new and old names.

Full Text – Any text or combination of text subject to the Google rules outlined above (but it cannot be a regular expression).

Exact doc title – Returns documents with that exact name.

Document ID – The Google document ID. This is really useful for finding the document referred to in the Google console docs audit, or where you only have the Google URL to search on.

Users – Anyone who is an Owner, Editor or Viewer of a document. Can also be entered as a regular expression.

Owners – Anyone who is the owner of a document. This can be a full email address or a partial address. For example, to find all the files opened by your users but owned by joe@gmail.com, select owners and enter joe@gmail.com.

To find all the files owned by anyone with a gmail.com account, simply enter gmail.com.

This is the same easy ‘domain’ selection for all the search criteria.

Can also be entered as a regular expression. For example, to find all the files owned by 2 people at your organization, enter (name1|name2)@your_domain_name.com and tick RegEx. before hitting search.

Editors – Anyone who is the editor of a document. Same search criteria as ‘Owners’. Can also be entered as a regular expression.

Viewers – Anyone who is the viewer of a document. Can also be entered as a regular expression.

Visited By – This returns any document that a user visited, either as an owner or an editor or a viewer. It is a quite distinct and important set. For example, someone might be listed as an editor or a viewer to a document, but may never have visited it. Can also be entered as a regular expression.

Edited By – This returns any document that a user edited, either as an owner or an editor. It is a quite distinct and important set. For example, someone might be listed as an editor to a document, but may never have edited it. Can also be entered as a regular expression.
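Before scheduling a policy on a regular-expression search, it helps to dry-run the pattern on sample values. The following is an added example, not part of GAT or the original post: it runs the document name pattern and the owner pattern from above against constructed file names and addresses. It assumes GAT's RegExp search matches anywhere in the value (a partial match) and that the engine honours \. and the ^ and $ anchors; alice, bob and example.com are placeholders.

```python
import re

# Document-name pattern from the page. The inline (?i) is passed as
# re.IGNORECASE because Python only accepts global inline flags at the
# very start of a pattern; the matching behaviour is the same.
DOC_NAME = re.compile(r"([^\s]+(\.(doc|docx|xls|xlsx))$)", re.IGNORECASE)

# Owner pattern in the form shown on the page (placeholder names/domain).
OWNER_LOOSE = re.compile(r"(alice|bob)@example.com")
# Stricter variant: literal dot and anchored at both ends (assumption:
# the search engine supports \. and ^...$ the way Python does).
OWNER_STRICT = re.compile(r"^(alice|bob)@example\.com$")

# Constructed sample data for the dry run.
FILES = ["Budget.XLSX", "Q3 plan.docx", "notes.doc.pdf",
         "readme.txt", "minutes.docm"]
OWNERS = ["alice@example.com", "bob@example.com", "malice@example.com",
          "alice@example.com.other.test", "bob@exampleXcom",
          "carol@example.com"]


def partial(pattern, values):
    """Values the pattern matches anywhere, i.e. a partial match."""
    return [v for v in values if pattern.search(v)]


def unintended(loose, strict, values):
    """Values the loose pattern returns that the strict one rejects."""
    return [v for v in partial(loose, values) if not strict.search(v)]


if __name__ == "__main__":
    # The extension must be the very end of the name; a name containing
    # spaces still matches on its last whitespace-free part.
    print("doc/xls matches:", partial(DOC_NAME, FILES))
    # An unescaped '.' matches any character, and without anchors the
    # pattern also matches inside longer addresses.
    print("loose owner matches:", partial(OWNER_LOOSE, OWNERS))
    print("strict owner matches:", partial(OWNER_STRICT, OWNERS))
    print("extra hits to review:",
          unintended(OWNER_LOOSE, OWNER_STRICT, OWNERS))
```

Any address listed under "extra hits to review" would be swept into a policy scheduled on the loose pattern, so check the result list before pressing schedule.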

Groups (how to search for)

Groups are an unusual object class in that they can be viewed two ways. If you are interested in the group as a single entity, you can treat the group name as you would a username. So, for example, to see all the files that the group ‘sales’ has been given edit rights to, select editors and enter the string ‘sales@your_domain_name.com’.

Remember, however, that a group can’t be an owner. You can’t log in as a group name and create a file. Here’s our Groups Audit Explained post.

But what if you are interested in all the files owned by the members of the Group ‘sales’?

Here you use the lower field, Local User/Group.

Local User/Group (defined as someone or a group from your domain) – Fill in the name ‘sales@your_domain_name.com’, hit search and this will return all the files ‘used’ by the members of the group ‘sales’. This, as seen in the examples above, can then be made subject to an Audit or Policy rule. You can refine the search to just files ‘owned’ by the group members by ticking ‘Owned Docs’ as part of the search criteria.

You can also use this field to enter a Local User email address. This will return all the files ‘used’ by the local user. You can refine the search to just files ‘owned’ by the user by ticking ‘Owned Docs’ as part of the search criteria.

Organization – Here you can select from a drop-down list of all your Organization Units. Some of these may have sub-OUs and these can be selected or not by checking ‘Sub Orgs’. Again, ‘Owned Docs’ can be selected.

Between Dates

GAT also allows you to search between a range of dates.

The default time window is forever.

If you specify a ‘From’ date and leave the ‘To’ date empty, it is assumed you mean right up to now. Otherwise, you can specify any time window you wish.

Note: This is really useful when creating a scheduled policy. If you search for all documents ‘From’ today’s date and leave the ‘To’ date empty, then press ‘Schedule’ and choose to run ‘Everyday after Midnight’, you can create a daily audit or policy enforcement check.

When searching, you can decide to return files based on the following:

All – All files modified in any way between the dates (covers files whose metadata changes).

Created – Files created between the dates.

Changed – Files changed between the dates (file changes refer to the contents only).

Last Viewed – Files viewed between the dates.

Printed – Files printed between the dates.

Recent Filters

Finally, remember that all the different searches can be combined.

In the above screenshot we see how we can search for the files owned by members of the Groups ‘sales’ and ‘support’, then combine it with the filter for documents shared out since a date. The combined filter will show all documents owned by members of either group shared out since the date.

This too can be scheduled after the search results are returned.
