Publisher: Splunk
Connector Version: 2.0.10
Product Vendor: Google
Product Name: Google Vault
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0
This app supports the actions to perform eDiscovery and provide a compliance solution for G Suite, allowing customers to retain, hold, search, and export their data
This app requires a pre-configured service account to operate. Please follow the procedure outlined
at this link to create a service account.
The following APIs will need to be enabled:
- AdminSDK
- G Suite Vault API
At the end of the creation process, the admin console should ask you to save the config as a JSON file. Copy the contents of the JSON file in the clipboard and paste it as the value of the "Contents of Service Account JSON file" asset configuration parameter.
Once the service account has been created and APIs enabled, the next step is to configure scopes on
these APIs to allow the App to access them. Every action requires different scopes to operate, these
are listed in the action documentation.
To enable scopes please complete the following steps:
- Go to your G Suite domain's Admin console.
- Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
- Select Show more and then Advanced settings from the list of options.
- Select Manage API client access in the Authentication section.
- In the Client Name field enter the service account's Client ID . You can find your service account's client ID in the Service accounts credentials page or the service account JSON file (key named client_id ).
- In the One or More API Scopes field enter the list of scopes that you wish to grant access to the App. For example, to enable all the scopes required by this app enter: https://www.googleapis.com/auth/ediscovery, https://www.googleapis.com/auth/ediscovery.readonly, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.orgunit.readonly, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.member
- Click Authorize .
- If the user provides Organization ID of the root level organization instead of the child organizations (in which export is to be created) in the action create export , API might throw an error 'Domain wide search is disabled' or 'Select an organizational unit other than the root' based on the configurations of the Google Vault.
Copyright (c) 2005-2019, Ilya Etingof All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This library simplifies using Google's various server-to-server authentication mechanisms to access Google APIs. Apache License Version 2.0, January 2004. http://www.apache.org/licenses/
This is the Python client library for Google's discovery based APIs. These client libraries are officially supported by Google. However, the libraries are considered complete and are in maintenance mode. This means that we will address critical bugs and security issues but will not add any new features. Copyright 2014 Google Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: http://www.apache.org/licenses/LICENSE-2.0
This is a client library for accessing resources protected by OAuth 2.0. Apache License Version 2.0, January 2004. http://www.apache.org/licenses/
This library provides oauthlib integration with google-auth. Apache License Version 2.0, January 2004. http://www.apache.org/licenses/
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Google Vault asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| login_email | required | string | Login email |
| key_json | required | password | Contents of service account JSON file |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
list matters - List all open, closed, and deleted matters
create matter - Create a matter with OPEN state
get matter - Fetch information for the given matter ID
close matter - Move a matter to the CLOSED state
delete matter - Move a matter to the DELETED state
reopen matter - Reopens a matter to move it from CLOSED to OPEN state
restore matter - Restores a matter to move it from DELETED to CLOSED state
list holds - List all holds for the given matter ID
create hold - Create a hold within the given matter ID
delete hold - Delete a hold
remove held account - Remove held account from the given hold ID
add held account - Add held account to the given hold ID
list exports - List all exports for the given matter ID
get export - Get information of an export from the given matter ID
create export - Perform a search based on the provided criteria and create an export for the search results
list organizations - List all organizations
list groups - List all groups of a domain
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
List all open, closed, and deleted matters
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| state | optional | Type of matters to be retrieved | string | |
| limit | optional | Maximum number of matters to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.limit | numeric | |
| action_result.parameter.state | string | |
| action_result.data.*.description | string | |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.state | string | |
| action_result.summary.total_matters_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Create a matter with OPEN state
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| name | required | Matter name | string | |
| description | required | Matter description | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.description | string | |
| action_result.parameter.name | string | |
| action_result.data.*.description | string | |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.state | string | |
| action_result.summary.name | string | |
| action_result.summary.description | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Fetch information for the given matter ID
Type: investigate
Read only: True
There are two views of a matter: BASIC (default) and FULL. The FULL view adds matter permissions in addition to the data received in the BASIC view.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| view | optional | View of matter | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.parameter.view | string | |
| action_result.data.*.description | string | |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.matterPermissions.*.accountId | string | gsvault user account id |
| action_result.data.*.matterPermissions.*.role | string | |
| action_result.data.*.name | string | |
| action_result.data.*.state | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Move a matter to the CLOSED state
Type: generic
Read only: False
You can close the matter only if it is in the OPEN state. If the matter is in the OPEN state and contains any holds, then, to close the matter all holds must be deleted. For this, you have to checkmark the Delete all holds parameter and run the action. If you keep the parameter unchecked and run the action, it will fail due to undeleted holds in the matter. In that case, the user has to delete all the holds manually; run this action after that to close the matter.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| delete_all_holds | optional | Delete all holds | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.delete_all_holds | boolean | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.matter.description | string | |
| action_result.data.*.matter.matterId | string | gsvault matter id |
| action_result.data.*.matter.name | string | |
| action_result.data.*.matter.state | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Move a matter to the DELETED state
Type: generic
Read only: False
You can delete the matter only if it is in the CLOSED state. If the matter is in the OPEN state and contains any holds, then, to delete it all holds must be deleted and the matter must be moved to the CLOSED state. For this, you have to checkmark the 'Delete all holds' parameter and run the action. By doing this, action will close the matter after deleting all the holds (if any) associated with it and move it to the DELETED state. If you keep the parameter unchecked and run the action, it will fail due to the matter not being in the CLOSED state. In that case, the user has to move the matter to the CLOSED state by manually deleting all the associated holds; run this action after that to delete the matter.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| delete_all_holds | optional | Delete all holds | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.delete_all_holds | boolean | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.description | string | |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.state | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Reopens a matter to move it from CLOSED to OPEN state
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.matter.description | string | |
| action_result.data.*.matter.matterId | string | gsvault matter id |
| action_result.data.*.matter.name | string | |
| action_result.data.*.matter.state | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Restores a matter to move it from DELETED to CLOSED state
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.description | string | |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.state | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all holds for the given matter ID
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| limit | optional | Maximum number of holds to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.limit | numeric | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.accounts.*.accountId | string | gsvault user account id gsvault group account id |
| action_result.data.*.accounts.*.email | string | gsvault user email ids gsvault group email ids email |
| action_result.data.*.accounts.*.firstName | string | |
| action_result.data.*.accounts.*.holdTime | string | |
| action_result.data.*.accounts.*.lastName | string | |
| action_result.data.*.corpus | string | |
| action_result.data.*.holdId | string | gsvault hold id |
| action_result.data.*.name | string | |
| action_result.data.*.orgUnit.holdTime | string | |
| action_result.data.*.orgUnit.orgUnitId | string | gsvault org unit id |
| action_result.data.*.query.driveQuery.includeSharedDriveFiles | boolean | |
| action_result.data.*.query.driveQuery.includeTeamDriveFiles | boolean | |
| action_result.data.*.query.groupsQuery.endTime | string | |
| action_result.data.*.query.groupsQuery.startTime | string | |
| action_result.data.*.query.groupsQuery.terms | string | |
| action_result.data.*.query.mailQuery.endTime | string | |
| action_result.data.*.query.mailQuery.startTime | string | |
| action_result.data.*.query.mailQuery.terms | string | |
| action_result.data.*.updateTime | string | |
| action_result.summary.total_holds_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Create a hold within the given matter ID
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| name | required | Hold name | string | |
| matter_id | required | Matter ID | string | gsvault matter id |
| type | required | Type of the hold | string | |
| search_method | required | Scope of search | string | |
| org_unit_id | optional | Organization ID | string | gsvault org unit id |
| user_email_ids | optional | Comma-separated list of user emails | string | gsvault user email ids email |
| group_account_ids | optional | Comma-separated list of group IDs | string | gsvault group account ids |
| terms | optional | Conditions to be met for a message to be covered by this hold | string | |
| start_time | optional | Start time (%Y-%m-%dT%H:%M:%SZ) | string | |
| end_time | optional | End time (%Y-%m-%dT%H:%M:%SZ) | string | |
| include_shared_drive_files | optional | Include files from associated shared drives | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.end_time | string | |
| action_result.parameter.group_account_ids | string | gsvault group account ids |
| action_result.parameter.include_shared_drive_files | boolean | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.parameter.name | string | |
| action_result.parameter.org_unit_id | string | gsvault org unit id |
| action_result.parameter.search_method | string | |
| action_result.parameter.start_time | string | |
| action_result.parameter.terms | string | |
| action_result.parameter.type | string | |
| action_result.parameter.user_email_ids | string | gsvault user email ids email |
| action_result.data.*.accounts.*.accountId | string | gsvault user account id gsvault group account id |
| action_result.data.*.accounts.*.email | string | gsvault user email ids gsvault group email ids email |
| action_result.data.*.accounts.*.firstName | string | |
| action_result.data.*.accounts.*.holdTime | string | |
| action_result.data.*.accounts.*.lastName | string | |
| action_result.data.*.corpus | string | |
| action_result.data.*.holdId | string | gsvault hold id |
| action_result.data.*.name | string | |
| action_result.data.*.orgUnit.holdTime | string | |
| action_result.data.*.orgUnit.orgUnitId | string | gsvault org unit id |
| action_result.data.*.query.driveQuery.includeSharedDriveFiles | boolean | |
| action_result.data.*.query.driveQuery.includeTeamDriveFiles | boolean | |
| action_result.data.*.query.groupsQuery.endTime | string | |
| action_result.data.*.query.groupsQuery.startTime | string | |
| action_result.data.*.query.groupsQuery.terms | string | |
| action_result.data.*.query.mailQuery.endTime | string | |
| action_result.data.*.query.mailQuery.startTime | string | |
| action_result.data.*.query.mailQuery.terms | string | |
| action_result.data.*.updateTime | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Delete a hold
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| hold_id | required | Hold ID | string | gsvault hold id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.hold_id | string | gsvault hold id |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Remove held account from the given hold ID
Type: generic
Read only: False
A held account can only be removed from the given hold_id if the search_method of the hold is either USER_ACCOUNT or GROUP_ACCOUNT.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| hold_id | required | Hold ID | string | gsvault hold id |
| account_id | required | User or group account ID | string | gsvault user account id gsvault group account id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.account_id | string | gsvault user account id gsvault group account id |
| action_result.parameter.hold_id | string | gsvault hold id |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Add held account to the given hold ID
Type: generic
Read only: False
A held account can only be added to the given hold_id if the search_method of the hold is either USER_ACCOUNT or GROUP_ACCOUNT.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| hold_id | required | Hold ID | string | gsvault hold id |
| account_id | required | User or group account ID | string | gsvault user account id gsvault group account id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.account_id | string | gsvault user account id gsvault group account id |
| action_result.parameter.hold_id | string | gsvault hold id |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.accountId | string | gsvault user account id gsvault group account id |
| action_result.data.*.email | string | gsvault user email ids gsvault group email ids email |
| action_result.data.*.firstName | string | |
| action_result.data.*.holdTime | string | |
| action_result.data.*.lastName | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all exports for the given matter ID
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| limit | optional | Maximum number of exports to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.limit | numeric | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.cloudStorageSink.files.*.bucketName | string | |
| action_result.data.*.cloudStorageSink.files.*.md5Hash | string | md5 |
| action_result.data.*.cloudStorageSink.files.*.objectName | string | |
| action_result.data.*.cloudStorageSink.files.*.size | string | |
| action_result.data.*.createTime | string | |
| action_result.data.*.exportOptions.driveOptions.includeAccessInfo | boolean | |
| action_result.data.*.exportOptions.groupsOptions.exportFormat | string | |
| action_result.data.*.exportOptions.mailOptions.exportFormat | string | |
| action_result.data.*.exportOptions.mailOptions.showConfidentialModeContent | boolean | |
| action_result.data.*.exportOptions.region | string | |
| action_result.data.*.id | string | gsvault export id |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.query.accountInfo.emails | string | gsvault user email ids gsvault group email ids email |
| action_result.data.*.query.corpus | string | |
| action_result.data.*.query.dataScope | string | |
| action_result.data.*.query.driveOptions.includeSharedDrives | boolean | |
| action_result.data.*.query.driveOptions.includeTeamDrives | boolean | |
| action_result.data.*.query.driveOptions.versionDate | string | |
| action_result.data.*.query.endTime | string | |
| action_result.data.*.query.mailOptions.excludeDrafts | boolean | |
| action_result.data.*.query.method | string | |
| action_result.data.*.query.orgUnitInfo.orgUnitId | string | gsvault org unit id |
| action_result.data.*.query.searchMethod | string | |
| action_result.data.*.query.startTime | string | |
| action_result.data.*.query.terms | string | |
| action_result.data.*.query.timeZone | string | |
| action_result.data.*.requester.displayName | string | |
| action_result.data.*.requester.email | string | gsvault user email ids email |
| action_result.data.*.stats.exportedArtifactCount | string | |
| action_result.data.*.stats.sizeInBytes | string | |
| action_result.data.*.stats.totalArtifactCount | string | |
| action_result.data.*.status | string | |
| action_result.summary.total_exports_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get information of an export from the given matter ID
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| matter_id | required | Matter ID | string | gsvault matter id |
| export_id | required | Export ID | string | gsvault export id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.export_id | string | gsvault export id |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.data.*.cloudStorageSink.files.*.bucketName | string | |
| action_result.data.*.cloudStorageSink.files.*.md5Hash | string | md5 |
| action_result.data.*.cloudStorageSink.files.*.objectName | string | |
| action_result.data.*.cloudStorageSink.files.*.size | string | |
| action_result.data.*.createTime | string | |
| action_result.data.*.exportOptions.driveOptions.includeAccessInfo | boolean | |
| action_result.data.*.exportOptions.mailOptions.exportFormat | string | |
| action_result.data.*.exportOptions.mailOptions.showConfidentialModeContent | boolean | |
| action_result.data.*.exportOptions.region | string | |
| action_result.data.*.id | string | gsvault export id |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.query.accountInfo.emails | string | gsvault user email ids gsvault group email ids email |
| action_result.data.*.query.corpus | string | |
| action_result.data.*.query.dataScope | string | |
| action_result.data.*.query.driveOptions.versionDate | string | |
| action_result.data.*.query.endTime | string | |
| action_result.data.*.query.method | string | |
| action_result.data.*.query.searchMethod | string | |
| action_result.data.*.query.startTime | string | |
| action_result.data.*.query.terms | string | |
| action_result.data.*.query.timeZone | string | |
| action_result.data.*.requester.displayName | string | |
| action_result.data.*.requester.email | string | gsvault user email ids email |
| action_result.data.*.stats.exportedArtifactCount | string | |
| action_result.data.*.stats.sizeInBytes | string | |
| action_result.data.*.stats.totalArtifactCount | string | |
| action_result.data.*.status | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Perform a search based on the provided criteria and create an export for the search results
Type: generic
Read only: False
For ACCOUNT type search_method, you have to provide a valid list of email_ids. For ORG_UNIT type search_method, provide valid org_unit_id. For corpus type GROUPS, you have to select ACCOUNT search method and provide valid list of a group email_ids. The parameter export_format is supported only for the corpus type MAIL and GROUPS. The parameter exclude_drafts is supported only for the corpus type MAIL. The show_confidential_mode_content parameter is supported only for the corpus type MAIL. The parameters include_access_info and include_shared_drives are applicable only for the corpus type DRIVE. UNPROCESSED_DATA data_scope is not supported for corpus type DRIVE. The parameter version_date is only applicable for the corpus type DRIVE. If the corpus type is DRIVE and data scope is HELD_DATA, search_method TEAM_DRIVE is not allowed. Time zone is not applicable for the HELD_DATA data_scope. Terms parameter is not applicable for the UNPROCESSED_DATA data_scope. Google Vault selects the default data_region based on the region assigned to the owner of the matter. You can select one of the values from the United States(US) and Europe(EUROPE) to change the data_region of the created export. Exports are automatically deleted within 15 days of their creation.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| name | required | Export name | string | |
| matter_id | required | Matter ID | string | gsvault matter id |
| type | required | Type of export | string | |
| data_scope | required | Scope of data to be exported | string | |
| search_method | required | Scope of search | string | |
| org_unit_id | optional | Organization ID | string | gsvault org unit id |
| email_ids | optional | Comma-separated list of email IDs (user or group) | string | gsvault user email ids gsvault group email ids email |
| shared_drive_ids | optional | Comma-separated list of shared drive IDs | string | gsvault shared drive ids |
| start_time | optional | Start time (%Y-%m-%dT%H:%M:%SZ) | string | |
| end_time | optional | End time (%Y-%m-%dT%H:%M:%SZ) | string | |
| time_zone | optional | Time zone for the export | string | |
| terms | optional | Terms | string | |
| version_date | optional | Version date (%Y-%m-%dT%H:%M:%SZ) | string | |
| data_region | optional | Data region | string | |
| exclude_drafts | optional | Exclude drafts | boolean | |
| export_format | optional | Export Format | string | |
| show_confidential_mode_content | optional | Show confidential mode content | boolean | |
| include_shared_drives | optional | Include results from shared drives | boolean | |
| include_access_info | optional | Include access level information for users with indirect access to files (this may increase export duration) | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.data_region | string | |
| action_result.parameter.data_scope | string | |
| action_result.parameter.email_ids | string | gsvault user email ids gsvault group email ids email |
| action_result.parameter.end_time | string | |
| action_result.parameter.exclude_drafts | boolean | |
| action_result.parameter.export_format | string | |
| action_result.parameter.include_access_info | boolean | |
| action_result.parameter.include_shared_drives | boolean | |
| action_result.parameter.matter_id | string | gsvault matter id |
| action_result.parameter.name | string | |
| action_result.parameter.org_unit_id | string | gsvault org unit id |
| action_result.parameter.search_method | string | |
| action_result.parameter.shared_drive_ids | string | gsvault shared drive ids |
| action_result.parameter.show_confidential_mode_content | boolean | |
| action_result.parameter.start_time | string | |
| action_result.parameter.terms | string | |
| action_result.parameter.time_zone | string | |
| action_result.parameter.type | string | |
| action_result.parameter.version_date | string | |
| action_result.data.*.createTime | string | |
| action_result.data.*.exportOptions.driveOptions.includeAccessInfo | boolean | |
| action_result.data.*.exportOptions.groupsOptions.exportFormat | string | |
| action_result.data.*.exportOptions.mailOptions.exportFormat | string | |
| action_result.data.*.exportOptions.mailOptions.showConfidentialModeContent | boolean | |
| action_result.data.*.exportOptions.region | string | |
| action_result.data.*.id | string | gsvault export id |
| action_result.data.*.matterId | string | gsvault matter id |
| action_result.data.*.name | string | |
| action_result.data.*.query.accountInfo.emails | string | gsvault user email ids gsvault group email ids email |
| action_result.data.*.query.corpus | string | |
| action_result.data.*.query.dataScope | string | |
| action_result.data.*.query.driveOptions.includeSharedDrives | boolean | |
| action_result.data.*.query.driveOptions.includeTeamDrives | boolean | |
| action_result.data.*.query.endTime | string | |
| action_result.data.*.query.mailOptions.excludeDrafts | boolean | |
| action_result.data.*.query.method | string | |
| action_result.data.*.query.orgUnitInfo.orgUnitId | string | gsvault org unit id |
| action_result.data.*.query.searchMethod | string | |
| action_result.data.*.query.sharedDriveInfo.sharedDriveIds | string | gsvault shared drive ids |
| action_result.data.*.query.startTime | string | |
| action_result.data.*.query.teamDriveInfo.teamDriveIds | string | |
| action_result.data.*.query.terms | string | |
| action_result.data.*.query.timeZone | string | |
| action_result.data.*.requester.displayName | string | |
| action_result.data.*.requester.email | string | gsvault user email ids email |
| action_result.data.*.status | string | |
| action_result.summary.matter_id | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all organizations
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| limit | optional | Maximum number of organizations to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.limit | numeric | |
| action_result.data.*.description | string | |
| action_result.data.*.etag | string | |
| action_result.data.*.kind | string | |
| action_result.data.*.name | string | |
| action_result.data.*.orgUnitId | string | gsvault org unit id |
| action_result.data.*.orgUnitPath | string | |
| action_result.data.*.parentOrgUnitId | string | gsvault org unit id |
| action_result.data.*.parentOrgUnitPath | string | |
| action_result.summary.total_organization_units_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all groups of a domain
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| domain | required | Domain name | string | domain |
| limit | optional | Maximum number of groups to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.domain | string | domain |
| action_result.parameter.limit | numeric | |
| action_result.data.*.adminCreated | boolean | |
| action_result.data.*.description | string | |
| action_result.data.*.directMembersCount | string | |
| action_result.data.*.email | string | gsvault group email ids email |
| action_result.data.*.etag | string | |
| action_result.data.*.id | string | gsvault group account id |
| action_result.data.*.kind | string | |
| action_result.data.*.name | string | |
| action_result.data.*.nonEditableAliases | string | email |
| action_result.summary.total_groups_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |