Conduct Payment Card Industry Data Security Standard (PCI DSS) Compliance Testing

GAT lets G Suite Admins search all Domain-wide email folders and email contents and attachments with the same ease it lets you search Domain-wide Drive folders and contents.

This is like a Gmail UI search but applied to all or some of your accounts. You can use all the search parameters described here.

The string below is the suggested opening search string for Payment Card Industry Data Security Standard (PCI DSS) compliance testing using GAT+.

(See our third-party risk assessment post addressing PCI DSSP)

Cut and paste into the ‘Gmail Search’ tab of Email audit. You may add or subtract from the list as appropriate, to a max of 1024 characters. Should you need a longer search string, use 2 searches.

‘Amex’ OR “American Express” OR ‘Mastercard’ OR ‘Visa’ OR ‘Discover’ OR “Diner’s Club” OR “Diners Club” OR ‘JCB’ OR ‘CCV’ OR ‘CID’

You will notice the string above is starting inside a bracket. This is because the full string set of strings can also be enclosed in brackets as follows:

(‘Amex’ OR “American Express” OR ‘Mastercard’ OR ‘Visa’ OR ‘Discover’ OR “Diner’s Club” OR “Diners Club” OR ‘JCB’ OR ‘CCV2’ OR ‘CID’)  

Allow some time for the search to finish, in particular for larger domains.  Searches may be confined to users, groups or OU’s to improve on-screen interaction, domain-wide (and all another type) searches may be run as scheduled jobs.

In our case, we search for the whole domain and its sub-OU.

When the scan is finished click on the green button in actions  to examine the returned results

This search ‘context’ remains in force for all subsequent filter operations. It can be further refined with any of the many other filters available.

Full-text search in the General Audit Tool happens without email extraction. This means your data never leaves your domain, the search is passed in for Google to complete. Only the metadata of emails with potential hits are passed back out. This is by far the most secure method of third-party testing for PCI compliance and means credit card details or other confidential information is not passed out to the third party and thus avoids lengthening the chain of vulnerability.

This method is also suitable for abusive language, bullying language or any other context searches.

How to Find the Number of Emails Each User Sent and Received in a 24 Hour Period

Using the G Suite Admin Console or Google Vault it’s a difficult task for a super admin to find all of the emails sent or received by the entire organization or sub-group of users in a clear and readable way. That’s why the Email auditing in GAT+ is so important. For any filter you create, you can see who was involved with sending or receiving of those emails.

From the GAT+ side-menu go to the email audit section.

While in the first tab.

Click on the ‘Apply custom filters’ button.

Add the dates to capture the previous 24 hour period.

In the search definition area, the following search parameters were applied.

Sent date after or equal MM/DD/YYYY HH:MM


Received date before or equal MM/DD/YYYY HH:MM

Once you have selected the look-back period, apply the filter. In the above example, we looked back one day, you can have your custom look back cover a date range you need to audit.

Now when the filter is applied, click on the ‘Sender/Receiver’ tab, the filter will be carried over to this area!

The first table will show you the number of emails sent from your domain’s users.

The second table shows the number of emails each local user received (including, cc’s and bcc’s).

The third table shows you all of the external senders and the number of emails they sent in the last 24 hours.

The fourth and last table will show you the external receivers and how many emails they received in the last 24 hours.

You can export each table to see further details.

Out of Hours Email Activity Reporting with GAT+

In France, the legal length of the working week is 35 hours in all types of companies with more than 50 employees. The working day may not exceed 10 hours. Furthermore, employees may not work for more than 4.5 hours without a break. The maximum working day may be extended to 12 hours under a collective agreement.

If you wish to enforce this policy throughout your organization you can utilize GAT Shield. Let’s presume you already know about Shield and utilize it within your organization.

You have the ability as a super admin to enforce the French working hours after getting proper approval from your management team.

Navigate to the Configuration area of GAT Shield. In the Login Control section.

Now, I will create a time frame window outside of this time frame users on my domain won’t be allowed to log into their G Suite account to check emails or other cloud services.

The below example covers 9AM to 7PM.

Login time window (from): 0 0 9 1/1 * ? *

Login time window (to): 0 0 19 1/1 * ? *

This means my employees can log in and do their work from 9AM to 7PM after which they will be blocked.

If you don’t wish to block entry into the account when users are out of hour you can report on your employee’s activities using GAT Shield User Activity section. This will show you when a user was active and what sites they went to throughout a given day.

Less is More: Email Audit

How to see the tree from the woods.

Sometimes we can be overwhelmed with search results and where we have a lot of information coming at us we sometimes want to turn down the noise a little.

In our domain, we get a lot of email from one particular source. We have a domain called that we use to relay certain events.  For example, we have a series of internal cameras at sensitive doors in the building. These record to a NAS system, but to be sure we also turn some of the images into email and email them to a google account. These all come from the account  As you can imagine this generates quite a bit of noise. When we’re auditing email we like to eliminate this noise.

First, we search for email from ‘’

GAT 'negate filter' button

Then we hit ‘Negate Filter’ to remove these 15,000+ emails from the results.


This really starts to become useful when combined with another filter.

For example, if we want to see all the email with attachments, we ‘clear filter’, select the attachments box and hit ‘Search Emails’

Unfortunately, this returns all emails with attachments, including the thousands of alerts from

What we can do is go to the tab ‘Recent Filters’ and combine searches, all email ‘With Attachments’ and all email ‘not from[]’

You can see we select the two filters we want, join them with ‘AND’ and hit ‘Show’.

This returns a much smaller subset of all emails with attachments, except those from ‘alerts’.

If we add dates to this search, we get an example like in line 1. (picture at top of page), which is getting all the email we want from the 30th of Jan, 2013.

We can then schedule this for 5 past midnight on the 31st of Jan.

Assuming we are on the 30th of January, this will generate a report that will run everyday showing us all the email that comes or goes the day before, with files attached, excluding all those thousands of emails from the alerting system.

How to Schedule Reports for Top 10 or More Email Senders and Receivers

This post will show you how GAT+ can generate a report of all email activity for each user. The report can be scheduled daily, weekly or monthly and will be generated in the form of a spreadsheet that can be sorted by the desired column. The report will cover both internal and external email.

To start building this scheduled report the Admin should go to the Users audit first select the group or OU to report on, then select the Emails tab, followed by clicking the Show daily stats link

From there, select the ‘Schedule’ link

At this point, the Admin will be able to choose the exact type of report s/he wants.

For the daily report, select as a schedule ‘Every day – after midnight’ or choose a custom Cron period. You can also choose the report type such as ‘New spreadsheet will be created for each day’.

You may also add additional email recipients for the report.

You can now also select both the number of results you want, the order in which you want them sorted and select from a wide range of sort fields. 

Once you have made the selection, press ‘Update’ and the job will become a scheduled job for your domain. A new spreadsheet will be created every day, cover the previous day. The Admin will be emailed a link of the spreadsheet.


An example of the spreadsheet output looks like this.

Freeze row 1 and then select any column of interest,  finally sort the sheet based on that column in the Z to A order to bring the largest numbers to the top.

Here is an example of a calendar monthly aggregate report

You might also find these posts relevant:  

Demonstrating GAT+’s Powerful Reporting Range

4 Great Scheduled Audits You Should Set in GAT

Scheduled Report for Top 10 (and more) Email Senders and Receivers (by emails, by attachments, by bytes)

Report Files Created in the Last 24 Hours


Full Text Search of Email Metadata

GAT+Email now allows for full text search using boolean operators in the GAT metadata database filter (New Filter tab). This search technique covers metadata up to the last scan only and does not cover email body contents. If you are searching for users note that the metadata only knows about email addresses, not the full name.

If you are looking for recent emails or email body contents or usernames you can use Domain Gmail Search.

An example search is …

from:paul AND to:”” AND subject:api attach:avi

If you omit the field prefix (from:, to:, cc:, bcc:, subject:, label:, attach:) the search is applied to all of them.

If the search term contains a dot or other special character you must enclose it in double quotes.

Previously this search would have to be built using three searches and combining the three using recent filters. The new technique is much faster.

GAT 'Full Text" search

The metadata covers all emails scanned by GAT.

Note: that it matches words, not characters, so “rob” will not match robert, for this, you can use the prefix query, rob*  will match robert, robin, etc. There is NO suffix query, *bert will not match anything.

There are other advanced options, like ^test will search the word “test” only if it is the first one. For the full syntax read this guide.

To search email body contents use the third tab Domain Gmail Search. This is a live search on all existing email (including trash if you choose it as an option). It can be domain wide or limited to an OU, Group or User.

Remember with ‘Unlock’ you can use the fourth tab ‘View Email Contents’ to download or trash or 100% remove any email or collection of emails returned in the first three tabs. This is often used for email recall, removal of spam, removal of mass phishing emails, etc.

Find Top Senders of Email to an Address, From an Address, of a Particular Type, etc

Finding the Top Senders of email to an address, from an address, of a particular type, etc.

This tech tip is a feature from GAT+

If we want to find which user or which domain is sending most emails to support we start by going to the email audit on GAT+

GAT features

We change the search to ‘Sent To’, enter the address we are interested in and hit ‘Search Emails’.  This will return a list of all the emails sent to and from that address, internal and external, with and without files. Clicking on any blue number in the color row above the results selects that set of emails.

Clicking on ‘Sender/Receiver Table’ ranks the results both by domain and by individual email address.

"emails with sent to" in GAT

This makes the complex analyses of figuring out who is generating work for you so easy it almost seems trivial.  If you have the external support you can see who are the main domains that generate load and who the leading individuals are.

The main search itself has many criteria you can set, once you search for something in particular, the tables reflect the result for that search criteria.

So, for example, you could do a search on just ‘With Attachments’, then the ‘Sender/Receiver Table’ will show the top internal senders and receivers of email with attachments.

The largest G Suite customers in the world trust GAT. It has become the gold standard for accuracy and the benchmark by which to judge other audit tools.

To Install GAT, look here Google Staff pick.


How to Do an Email Header Search

GAT supports the search of all email headers in all emails for all accounts on your domain. This can be a particularly useful feature for forensic investigations, where for example you want to find all the emails that went to or from a particular IP address.

In your Gmail tab, when you are reading any message, you will see in the top right-hand corner of the message, a drop down menu.


In your Gmail tab, when you are reading any message, you will see in the top right-hand corner of the message, a drop down menu.

Selecting that drop-down allows you to select ‘Show original’ which displays the original email in raw format on a new tab.

Doing this exposes all the header information, an example snippet of which you can see on the left.

GAT allows to search this header information based on just two search criteria, the name of the header you want to find (no “:” required) and part of the string in that header.

No extra formatting is required and in the case where the header name is repeated several times, all instances of that name in all emails will be searched for.

In this example, we are searching for email that passed through a particular server identified by IP address.



The search process takes a long time so you should be prepared to go and have a cup of coffee…

When the results come back you can click on ‘Explore all emails’ to see all the emails in all accounts that match your criteria.

GAT Gmail Audit Tables

The email audit report comes with links to three very useful tables.  The first table is accessed through the link ‘Users Audit – Emails’ tab on the Users audit page.

This table is a 6-week look back at email sent and received.

GAT - emails out, emails in, external emails

The table is part of the user audit report. It shows the following sortable columns with details related to emails. Every row is linked to a user and columns can be sorted up or down showing how the user’s rank under each category.  You may also search and filter by user, group and organisation.  The 10 columns of information are detailed as follows: 


1) The email quota in use by each user

2) The list of user accounts with email forwarding set and the forwarding address

3) The number of emails sent externally by the user

4) The number of files sent externally by the user

5) The number external emails received by the user

6) The number of external files received by the user

7) The number of emails sent internally by the user

8) The number of files sent internally by the user

9) The number internal emails received by the user

10) The number of internal files received by the user


All the results can be exported to a Google spreadsheet or downloaded.

This table lets you rank your users by activity (generators of email) and by popularity (receivers of email). Those accounts with ‘Forwarders’ set could also be considered a risk.

On the same page, the ‘Email Charts’ button lets you graph the above data.

In the Emails Audit section, the second and third table links are found just above the email audit results

GAT sender/ receiver table

The Sender/Receiver table shows the full matrix of emails for whichever email results are below (by default, after first running the email audit, the entire domain is shown), these include the senders and all the receivers, internal and external, cc’ed and bcc’ed (if the email originated internally) all ranked by volume.  The purpose of this table is to map and display email relationships, by domain and by user. You can look at the table from a Domain view, a User view or both.

Finding emails with GAT

The table has four columns:

1) The internal senders of any given email or emails

2) The internal receivers of any given email or emails

3) The external senders of any given email or emails

4) The external receivers of any given email or emails


All columns are sortable.

All domain or address results can be ‘clicked through’ to show you the detail of the email conversations.

The purpose of this table is to show the nature and web of relationships for any email, individual, group or domain.  The table changes depending on the focus of your audit filters in the main audit page. This is a very powerful ‘big picture’ in a glance view of relationships.

The Top External From/To table lists the external domains and users and ranks them by volume under external senders and external receivers. This table is the external view of the internal user ‘external’ email table ( items 4,5,6,7 from the first table).  However, it shows the outside view of the world. You can look at the table from a domain view, or a user view, or both.

GAT - Top External From/To

There are 4 sortable columns of data: 

1) The number of emails sent from the external user or domain into your domain

2) The number of files sent from the external user or domain into your domain

3) The number of emails received by the external user or domain from your domain

4) The number of files received by the external user or domain from your domain


Both of the second and third tables change to reflect the results of the email audit filters, so you can get the domain wide view, the view for a group or the view for a single address.

For example, if on the main email audit page you search for emails ‘Sent To’, then linking through to the second table shows you the matrix around all the emails sent to that address, internal and external and all those cc’d.

Linking through to the third table shows you the top external senders to support and the top external receivers from that address.

In addition, you can go from any address on any of the tables back to a filtered audit for that address, and then look at the respective tables for that address.

This table is very useful if you wish to see who outside your organisation is generating work for you or if you wish to see who is the main target of your output.


Remember after all audits, to ‘clear filter’ before starting a fresh search.

In addition to email audits, there is a separate statistics table to be found in the ‘View scans’ – ‘Statistics’ link. The rows are self-explanatory.

Email statistics and trends


Looking at the above table you may ask how is it that 254 emails were sent with attachments, yet only 188 attachments were sent?  The reason for this is that some emails may have had multiple recipients and therefore count as multiple emails, whereas the attachment count is based on the sender. 


You may also find these posts relevant:  

Reduce Noise with Email Charts

Daily Usage Stats

Daily Reporting external emails to and from a Group

If you have a requirement to report on a daily basis all external emails sent to a list of users or sent from a list of users then follow these steps.

Create a Google group with the list of users you are interested in. This will make selection much easier.

Go to the Email Audit on the GAT homepage, enter the group name you are interested in. This will automatically select for all members of the group. Next, select today’s date and click on ‘Search Emails’.

GAT new filer

Finally, in the results table select the number of ‘Emails Out’. This will create the first half of your filter.

Clear the filter and repeat the exact same steps for emails sent in.

General Audit Tool filter settings

This will create the second part of the filter for emails sent out.

We then need to combine the two filters. To do this, select the ‘Recent Filters’ tab.

recent filters

Select the two filters and combine using ‘And’ and pressing ‘Show’. This will give you the combined results, which we will now schedule as a daily task

GAT schedule/save

Select ‘Every day – after Mmdnight’. Choose the list of recipients. and activate by pressing the ‘Update’ button.


You can use the pen to paste the filter, modified to meet your needs.


 “0dateFrom”: “09/02/2016 00:00:00″,

 “_reportType”: “EMAILS”,

 “0sentOut”: “false”,

 “0searchTextType”: “SUBJECT”,

 “1searchTextType”: “SUBJECT”,

 “1sentOut”: “false”,

 “#multi”: “and 0 1”,

 “1dateFrom”: “09/02/2016 00:00:00″,

 “0userToAudit”: ““,

 “1userToAudit”: “



Change the red fields.