Full text search (without document extraction) is available in the General Audit Tool. This allows for complex string-based searching, using boolean operators and multiple other filters.
Any search can be used to form the basis of an Audit, a policy match or a simple notification.
Searching your domain for text is as fast and as easy as every other Search in GAT.
Tech Tip: On large domains, you can really improve search speed by selecting a Local User/Group or an Organization; we will automatically confine your search to that user, group or OU.
The search criteria are outlined below.
- Matches contain the exact phrase in quotes. Example: “The quick brown fox jumps over the lazy dog.”
- Matches contain all of the given words. This is the default behavior. Example: ‘cats’ AND ‘dogs’ AND ‘lizards’
- Matches contain one of the given words. Example: ‘cats’ OR ‘dogs’ OR ‘lizards’
- Matches do not contain the given words.
- Matches contain the given word in their title.
- Items shared by a user: Matches are shared by the given user.
- Items shared with a user: Matches are shared with the given user.
- Items owned by a user: Matches are owned by the given user.
- Matches are starred.
- Matches are hidden.
- Items of a certain type: Matches are of the given resource type. Example: type:document OR type:spreadsheet OR type:presentation OR type:video
- Matches are edited before or after the given date. Example: before:2010-07-13 OR after:2007-07-24
Note: Regular expressions (Reg Exp.) are not supported for text search.
It is very easy to build a regular search like the example in the top screenshot into an audit or a policy violation check.
(We have a suggested English bad-word list, refined to reduce false positives, which we can share with Admins on request. Email firstname.lastname@example.org and request the ‘bad word list’.)
Let’s say, for example, we want the sales manager to be notified any time a document with the word ‘Pricelist’ gets shared with a ‘gmail.com’ account, and we would like this check to happen daily. This is as simple as a couple of searches and scheduling a policy.
First we search for all the documents with the text ‘pricelist’ created or modified from today’s date. (Simply do a text search for ‘pricelist’, from today’s date, with no end date.)
Next we need to find all the documents shared out to gmail accounts. Here we do a search for all ‘Users’ of the domain gmail.com from today’s date. (Note: we can pick owners, viewers or editors also, but we pick users. A user is anyone who touches a document by creating, editing or viewing it. This will cover all circumstances where a document is ‘touched’ in the time window: share-ins, share-outs, edits or simply reviewing old documents that might have been shared ages ago.)
Now we need to merge these 2 simple filters. To do that, simply go to the tab Recent Filters, select the last 2 choices, join them with ‘AND’ and hit ‘Show’.
This combined search might not return any files, but that is OK as you are just building a policy check and sometimes nothing meets the policy violation criteria now. (A good tech tip is always to prepare one ‘violation’ beforehand; then, as your filters zone in on that, you can be assured the policy is working.)
Next select ‘Schedule/Save’.
Here, we select this to run as a ‘Policy’, meaning people will only be sent a report if the policy is broken. Add the sales manager to the notify list; you can add an email group or multiple names separated by commas. We suggest you run the job after midnight your time, or click ‘Add your cron expression’ to build a schedule for any time you want. When done, click ‘Update’ and your policy is now in place and working. Notification will only happen when a violation occurs.
The advantage of GAT is that it allows you to build ever more complex searches and filters, which can all be turned into Audits, Policy checks, or notification flags.
For example, if we wanted to further refine that search so that we only looked at the documents ‘used’ by the group ‘sales’, we would enter the group sales into the ‘Group Search’ field.
Then we would go to Recent Filters and combine this search with our searches for pricelists and files shared to gmail.com.
This search in turn could be scheduled, building up a powerful layer of refinement, each layer being verified by results as you build it.
This is far more powerful than other methods as you have many more selection criteria and you can see the results of the audit or policy as you progress.
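The layered policy described above, modelled as an added Python example (not GAT's own code or API): each search is a predicate over constructed file metadata and the Recent Filters ‘AND’ join is their conjunction. The `Doc` record, the whole-word text match and the reading of ‘used by the group’ as ‘a group member is a user of the file’ are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Doc:
    title: str
    text: str
    modified: date
    owner: str
    others: tuple = ()  # editors and viewers

    @property
    def users(self):  # "Users" on the page: owner, editors and viewers together
        return {u.lower() for u in (self.owner, *self.others)}

def full_text(word, since):
    # Whole-word, case-insensitive match (assumed); window is open-ended from `since`.
    return lambda d: d.modified >= since and word.lower() in re.findall(r"\w+", d.text.lower())

def users_in_domain(domain, since):
    suffix = "@" + domain.lower()  # the "@" keeps notgmail.com from matching
    return lambda d: d.modified >= since and any(u.endswith(suffix) for u in d.users)

def used_by_group(members):
    # Assumed meaning of the group filter: some member is a user of the file.
    members = {m.lower() for m in members}
    return lambda d: bool(d.users & members)

def all_of(*filters):  # the 'AND' join from Recent Filters
    return lambda d: all(f(d) for f in filters)

def violations(docs, policy):
    return [d.title for d in docs if policy(d)]

TODAY = date(2024, 5, 6)  # constructed run date
DOCS = [  # constructed sample metadata; the first two are planted violations
    Doc("Q3 Pricelist", "Pricelist for Q3", TODAY, "alice@example.com", ("bob@gmail.com",)),
    Doc("Partner pricelist", "New pricelist attached", TODAY, "carol@example.com", ("dave@gmail.com",)),
    Doc("Internal pricelist", "pricelist draft", TODAY, "alice@example.com", ("carol@example.com",)),
    Doc("Lunch menu", "soup and salad", TODAY, "alice@example.com", ("bob@gmail.com",)),
    Doc("Old pricelist", "pricelist 2019", date(2019, 1, 7), "alice@example.com", ("bob@gmail.com",)),
    Doc("Lookalike", "pricelist copy", TODAY, "alice@example.com", ("eve@notgmail.com",)),
]
BASE = all_of(full_text("pricelist", TODAY), users_in_domain("gmail.com", TODAY))
SALES = all_of(BASE, used_by_group({"alice@example.com"}))  # constructed 'sales' membership

if __name__ == "__main__":
    print(violations(DOCS, BASE), violations(DOCS, SALES))
```

Planting known violations in the sample, as the tech tip above suggests, is what shows each added layer still catches what it should and drops only what it is meant to drop.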
Search choices explained
Document name – Can be the name or any part of the name and can be built using regular expressions. Be sure to tick the Reg Exp. box when using regular expressions. For example, to find all Word or Excel files (doc/docx/xls/xlsx), search on this: ([^\s]+(\.(?i)(doc|docx|xls|xlsx))$) (thanks to Justin Gale).
Full Text – Any text or combination of text subject to the Google rules outlined above (but it cannot be a regular expression).
Document ID – The Google document id – really useful for finding the document referred to in the Google console docs audit.
Users – Anyone who is an Owner, Editor or Viewer of a document. Can be entered as a regular expression.
Owners – Anyone who is the owner of a document. Can be entered as a regular expression. For example to find all the files owned by 2 people at your organization enter (name1|name2)@your_domain_name.com and tick Reg Exp. before hitting search.
Editors – Anyone who is the editor of a document. Can be entered as a regular expression.
Viewers – Anyone who is the viewer of a document. Can be entered as a regular expression.
Visited By – This returns any document that a user visited, either as an owner or an editor or a viewer. It is a quite distinct and important set. For example someone might be listed as an editor or a viewer to a document, but may never have visited it. Can be entered as a regular expression.
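An added example (not from the original page) that checks the two regular expressions quoted in this list against constructed names and addresses before they are relied on in an audit. The page does not say whether GAT applies a pattern as a substring search or a whole-string match, so both are shown; the escaped `OWNERS_STRICT` variant and the helper `matches` are assumptions introduced here.

```python
import re

# Document-name pattern from the page with its escapes written out. Python's re
# needs the scoped form (?i:...) because the flag is not at the start of the pattern.
DOC_NAME = re.compile(r"([^\s]+(\.(?i:doc|docx|xls|xlsx))$)")

# Owners pattern as written on the page, and a stricter variant (added here)
# in which the dot is escaped so it only matches a literal ".".
OWNERS_LOOSE = re.compile(r"(name1|name2)@your_domain_name.com")
OWNERS_STRICT = re.compile(r"(name1|name2)@your_domain_name\.com")

def matches(pattern, values, whole=False):
    """Return the values a pattern selects, by substring search or whole-string match."""
    test = pattern.fullmatch if whole else pattern.search
    return [v for v in values if test(v)]

# Constructed sample file names.
NAMES = ["Budget.XLSX", "notes.docx", "Q3 budget.xlsx",
         "report.doc.pdf", "pricelist.xls ", "docx"]

# Constructed sample owner addresses.
OWNER_ADDRS = [
    "name1@your_domain_name.com",
    "name2@your_domain_name.com",
    "name3@your_domain_name.com",
    "xname1@your_domain_name.com",
    "name1@your_domain_name.com.example.net",
    "name2@your_domain_name-com",
]

if __name__ == "__main__":
    print("names, search:       ", matches(DOC_NAME, NAMES))
    print("names, whole string: ", matches(DOC_NAME, NAMES, whole=True))
    print("owners loose search: ", matches(OWNERS_LOOSE, OWNER_ADDRS))
    print("owners strict whole: ", matches(OWNERS_STRICT, OWNER_ADDRS, whole=True))
```

An owner filter that selects more accounts than intended widens the audit scope, and one that selects fewer leaves files unreviewed, so a short sample of should-match and should-not-match values is a cheap check before scheduling the search.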
Groups are an unusual object class in that they can be viewed two ways. If you are interested in the group as a single entity, you can treat the group name as you would a user name. So for example to see all the files that the group ‘sales’ has been given edit rights to, select editors and enter the string ‘sales@your_domain_name.com’.
Remember however a group can’t be an owner. You can’t log in as a group name and create a file.
So what if you are interested in all the files owned by the members of the Group ‘sales’?
Here you use the lower field, Local User/Group, and fill in the name ‘sales@your_domain_name.com’. Hit search and this will return all the files owned by the members of the group ‘sales’. This, as seen in the examples above, can then be made subject to an Audit or Policy rule.
The default time window is forever.
If you specify a ‘From’ date and leave the ‘To’ date empty it is assumed you mean right up to now. Otherwise you can specify any time window you wish.
When searching you can decide to return ‘All’ files (default) or the fairly self explanatory