Search filters available in Drive audit #
GAT+ is an Audit tool for Google Workspace Domains.
As such a tool it provides a very extensive set of Filters that can be applied in each section of your Workspace Domain.
Below we’ll cover some of the most common search parameters used in the Drive audit. We provide a large list of parameters and operants to find files/folders within Google Drive.
Drive audit #
Click on the funnel icon also known as the ‘Apply custom filter’ button.
This button is available everywhere within the GAT+ set of tools.
Filters #
A pop-up menu will appear.
The filters are divided into different types and definition sets of parameters and operants.
Type filters #
In Type you can select multiple options, the default will be “Simple filter”. Selecting it will display other options.
- Simple filter
- Title / Description Search
- Folder / Shared drive Search
- User / Group / OU Search
- Files by Event type / Date and User
- Files by User Status
- Duplicated Files
Each of those “Types” allows different search options.
Simple filter #
The “Simple filter” enabled the Admin to apply a simple filter and use the “Definition” and apply any search options.
Full content search #
Full Content Search allows Admin to apply a query and search in the “Content” of the file for the chosen “query”.
- Query – enter the query (text) that have to match the content of the file
- Local User/Group – enter the user or group of users
- Org. – enter the Organization Unit
- Include sub.org. – select to include the sub. ou of the above selected Org.Unit
Full Content Search can be combined with search options in Definition
Title / Description Search #
Title / Description Search allows Admins to find a file based on the Title of the File
- Terms – enter the “title” of the file needed.
- Most punctuation is considered delimiters, except a hyphen-minus (-) that negates term or double quotes that specify a phrase (some phrase”)
- Case sensitive – select the check-mark to be case sensitive or not
- Sort by text score – Represent the relevance of the result of the query
- Sort by text score, which represents the relevance of the result to the query. Both text columns are considered, but they are not equally important. The order of importance is: Title, Description.
Title / Description Search can be combined with search options in Definition
Folder / Shared Drive Search #
Folder / Shared Drive Search allows Admins to find files based on the File ID
Insert a Folder ID / Shared Drive ID or find a folder first and choose this filter from the dropdown near a folder Tittle
- Folder / Shared Drive ID – enter the Folder ID or Shared Drive ID
- Recursive – set up recursive option, to include the Folder and its content
- All except – all except the folder and its subfolders contents (shared contents will still be returned)
Folder / Shared Drive ID can be combined with search options in Definition
User/ Group/ OU Search #
User/Group/OU Search allows Admins to search by using User or Group Email or selecting Org. Unit (include sub. org) and selecting the ownership
Enter the details for the user you are looking for.
- Local user’s email / Group’s email – enter the email of the user or group
- Org – enter the Organization unit for the users needed
- Include sub.org – enable to include or not sub.org of the above Org. unit
- Ownership – select the ownership needed
- Any – select any ownership, whether the files are owned or not by the selected user/s
- Owned – select if you want the users to also be owners of the files
- Not owned – select if you want the users not to be owners of the files
User/Group/OU Search can be combined with search options in Definition
Files by Event Type / Date and User #
Files by Event Type / Date and User allow Admins to search for User, Event Type, and Date when the event has occurred
- User email – enter the user email
- Date since – select the date “since” the event has occurred
- Event type – select any of the events that occurred
- Document Access Scope Change – permissions on the file are changed
- Visibility Change – permissions on the file are changed
- ACL Change –
- Download – the Google Drive file has been downloaded
- Edit – the Google Drive file has been edited
- Print – the Google drive file has been printed
- Shared Drive Membership Change – a member of the Shared Drive has been changed
- Upload – a file has been uploaded to Google drive
- View – the Google drive file has been viewed
Files by Event Type / Date and User can be combined with search options in Definition
Files by User Status #
Files by User Status allows Admins to search for Files based on the Owner status
Search for Files where owner status is:
- Admin – select and pick the status of the owner, whether they are an admin or not
- Suspend – select and pick the status of the owner, whether the owner is suspended or not
- Deleted – select and pick the status of the owner, whether the owner is deleted or not
Files by User Status can be combined with search options in Definition
Duplicated Files #
Duplicated Files allows Admins to search for Drive files that are duplicated.
Important: This filter works on Non-Google Files that have the same Size and MD5 Checksum
Important: md5 field is not available for files scanned before March 2021, contact support to request a full re-scan.
Set a more restrictive filter if the query times out.
- Min number of duplicates
- Min file size – Bytes, KB, MB, GB, TB
- Max file size – Bytes, KB, MB, GB, TB
Definition #
Under Definition, we allow a variety of search options so Admin can find anything they need.
Search options list #
- Commenters – Users who have commenter permissions on Drive files
- Content Managers – Users who have Content manager permission on Shared Drive
- Contributors – Users who have contributor (editor) permissions on Drive files
- Created – Created date on Drive files/folders, a select time before/after a file is created
- Created (relative) – created date on files, select hrs, days, months since the file has been created
- Date fields (relative): previous days/months include full days (00:00 to 23:59) or months (1 to last day of a month) in your GAT configured time zone
- Description – enter a text description of the document
- Non-equality comparisons for title/description fields might result in slow querying. Please use “Title / Description Search” (available in the Type dropdown) to speed it up.
- Events since 7d (Active) – Drive events that have happened on files and folders greater, equal, or less than a certain number
- File ID – allows to enter the ID of the File and search for the specific File
- First seen in GAT – “First Seen in GAT+” is a search option that marks the first time and date when a file was newly discovered in GAT+ between two scans of the metadata.
- First seen in GAT (relative) – “First Seen in GAT+” is a search option that marks the first time and date when a file was newly discovered in GAT+ between two scans of the metadata.
- Date fields (relative): previous days/months include full days (00:00 to 23:59) or months (1 to last day of a month) in your GAT configured time zone
- Flags – select any different types of Flags on the files.
- Trashed – If the file is trashed, or deleted
- Restricted – If the file is Restricted – meaning Editors can’t change permissions and share and viewers and commenters can’t download, print, copy.
- Contributors can’t share – Policy on file is applied, and editors/contributors cannot Share files.
- Shared Drive – If the file or folder is part of a Shared Drive.
- Shared Drive Extra ACLs – If the file or folder is part of Shared Drive and ACL (Access Control List) permission applied. Augmented permissions
for example a file has some permissions inherited from a drive it is located in and additional permissions set on this file explicitly - Orphaned – Files and Folders that Orphaned, don’t have a parent folder, the original parent folder has been deleted.
- ACLs changed – Acess Control List (ACL) list of all permissions resources associated with a file, folder, or shared drive – if permission is changed
- Root folder – Primary folder that consists of everything that descends from this root folder
- Lost Drive – These are drives owned by a domain (internal) but without internal members
- Title truncated – The title of the doc is too long, and it is truncated to not waste memory
- Incomplete data – GAT+ doesn’t know the full permissions yet
- SD Incomplete – is a file that is reported in a Shared Drive but without Shared Drive metadata
- For example – Files that are being moved in/out of the Shared Drive
- Empty folder – The folder is empty with no content (files/folders inside the folder)
- Last accessed – Last Accessed field describes when a file was last time ‘used’ by an internal or external user. The file could have been added to the folder, created, deleted, downloaded, edited, moved, previewed, printed, removed from the folder, renamed, unthrashed, thrashed, uploaded, or viewed
- Last accessed (relative) – Relative to the time now, in last x hrs, days, months until now.
- Date fields (relative): previous days/months include full days (00:00 to 23:59) or months (1 to last day of a month) in your GAT configured time zone
- Last viewed (local user) – Last Viewed field describes when a file was last time ‘viewed’ by an internal user
- Last viewed (local user) (relative) – Last Viewed field describes when a file was last time ‘viewed’ by an internal user. Relative to the time now, in last x hrs, days, months until now.
- Date fields (relative): previous days/months include full days (00:00 to 23:59) or months (1 to last day of a month) in your GAT configured time zone
- Managers – Users who have Manager permission on Shared Drives
- MimeType – Search for MimeType of Files – more info can be found here.
- Old titles – Find an old title of Google drive file/folder
- Old titles (size) – Search for files that have a set number of Old titles
- Owner – Search for the email address of the owner of the file/folder
- Shared Drive ID – Enter the Shared Drive ID to find the file
- Shared out – Search for a file that has been Shared out (to external users) before/after a certain time
- Shared out (relative) – Search for a file that has been Shared out (to external users) relative to the time now
- Date fields (relative): previous days/months include full days (00:00 to 23:59) or months (1 to last day of a month) in your GAT configured time zone
- Sharing Flags – select any of the different Sharing flags of the files
- Public – File is shared with Public permission – file is open to public
- Public with link – File is shared with Public with link permission – anyone with link can access the file
- Anyone in domain with link – File is shared with this permission, shared with domain, and anyone in the domain can access file with a link
- Shared out – File is shared out to user from External domain, Public or Public with link (to users outside of your domain)
- Shared in – File is shared into the domain, from external domain shared into your own domain
- Anyone in domain – Anyone in your domain can access the file, share it with everyone in the domain
- Private – File is private, only the owner of the file can access it (no additional user have access to the file)
- Specific internal user(s) – File is shared to specific users from the local domain
- Specific external user(s) – File is shared to specific external user, from someone outside of your domain
- Shared Drive external – File/Folder is part of Shared Drive, that has external members having access to it
- Site published – When Google Site is being published – anyone on the internet can find and open the site
- Size – enter the size of the files in (bytes)
- Tags (custom) – select any of the custom tags created
- Title – enter the title of the File or Folder
- Type – enter the type of file
- Folder
- Other
- Document
- Spreadsheet
- Presentation
- Audio
- Video
- Text
- Image
- Map
- Form
- Site
- Drawing
- Script
- Fusiontable
- Application
- Excel
- Word
- PowerPoint
- Shortcut
- Updated – enter a time when the file was updated (before/after)
- Updated (relative) – enter a time when the file was updated
- Date fields (relative): previous days/months include full days (00:00 to 23:59) or months (1 to last day of a month) in your GAT configured time zone
- Users – enter the emails of the users of the file (it could be owner/viewer/contributor)
- Users since 7d (popular) –
- Viewers – users who have “View” access to Google files
- md5 checksum – enter the checksum value of the file
- unique if the contents of the file are unique, for non-Google files
Search operands #
For Search parameters, we also have multiple different options to assist in finding the exact files/folders/data you need.
- Equal – enter an equal value
- Not equal – enter a value that is not equal
- Matches (partial string or reg.ex.) – the value matches the operands
- Doesn’t match (partial string or reg.ex.) – the value doesn’t match the operands
- Begins with – enter the value that the operands begin with
- Doesn’t begin with – enter the value that the operands don’t begin with
- Contains – enter a value that is contained within the search operand
- Doesn’t contain – enter a value that does not contain the value searched in
- Contains (case insensitive) – enter a value that is contained within the search field
- Doesn’t contain (case insensitive) – enter a value that is not contained within the search field
- Ends with – enter the end field of the search
- Doesn’t end with – enter the end field of the search
- Is empty – the value is empty
- Is not empty – the value is not empty
- Is null – the value is null
- Is not null – the value is not null
- In (comma separated values) – enter multiple values that are IN comma-separated
- Not in (comma separated values) – enter multiple values that are NOT IN comma-separated
Search operators #
- Equal
- Not equal
- Less
- Less or equal
- Greater
- Greater or equal
- Is null
- Is not null
Below are some examples of different searches that can be performed within GAT.
Search example one #
- Set the “Type” to Simple filter
- under “Definition” select Owner equal user’s email address.
- Select the Owner parameter equal to UserX’s email address. If not sure of the correct email address, you can change equal to contains (case insensitive).
- Click on “+ Add rule” to add additional filters and combine different search parameters to find what you need.
Search example two #
You can also combine the Searches
- Select Type = User / Group / OU Search and add it on top of the previous example
- The owner contains (case insensitive) user@email.com and Sharing flag contains Shared out
The result will be different as it will combine the two different search options and the results will be based on them.