Investigate users across data sources

Security investigation tool
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

After searching in one data source (for example, using Gmail log events to find and delete a malicious email), you might want to investigate a specific user by pivoting and searching within another data source (for example, to search Drive log events to investigate file sharing related to that user). 

For example, you might want to do this if a user account is hijacked and you learn that a malicious email is sent from that account. You can then investigate other actions from that user account in Google Drive.

Note: Some features in the security investigation tool—for example, data related to Gmail—are not available with all editions. For details, go to Gmail log events and Drive log events.

Investigate a user across data sources

  1. Complete your search using the instructions in Find and erase malicious emails.

    Supported editions for this feature: Enterprise Plus, Education Plus. Compare your edition

  2. In the search results, hover over the user in the Sender column (for example, [email protected]).
  3. Hover over an item in the search results, and click the pivot button to open the menu options.
  4. Click Drive log events > Actor.
    This opens a new search page where Drive log events is the data source, and where a condition is included with the same actor.
  5. If needed, you can click ADD CONDITION to include more criteria for your search. 
  6. Click SEARCH.
  7. View and export your search results.

Note: You can also pivot on the entire column in the search results. To do this, hover over the column name, and then choose from the menu options.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
15556486615626691958
true
Search Help Center
true
true
true
true
true
73010
false
false