Investigate file sharing

Security investigation tool
As an administrator, you might need to search for a sensitive document that's been shared externally, or shared too broadly.

Follow the instructions in this article to investigate a file that's been shared externally by a specific user in your organization.

Note: Some features in the security investigation tool—for example, data related to Gmail and Drive—are not available with Cloud Identity Premium or Enterprise Standard editions. For details see Data sources in the investigation tool.

Your access to the security investigation tool

  • Supported editions for the security investigation tool include Enterprise Plus and Education Plus.
  • Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can generally use the audit and investigation page instead.

Investigate file sharing

1. Get started with your investigation
  1. Sign in to use the investigation tool.
  2. From the Data source menu, click Drive log events.
  3. Click Add Condition.
  4. From the Condition menu, click Visibility change.
  5. Make sure the condition is set to External.
  6. Click ADD CONDITION.
  7. From the Condition menu, click Actor.
  8. In the User field, enter the username of the user who shared the file—for example, user@example.com
  9. Click ADD CONDITION.
  10. From the Condition menu, click Date.
  11. Change the condition to After.
  12. In the Date field, enter the earliest date and time when the file may have been shared externally.
  13. Click SEARCH.
2. View and export search results

After you finish the above steps, the search results are displayed in a table at the bottom of the page. The table displays the date and time the file was shared externally, the document ID, document type, visibility, the title, the event type (for example, Change user access), the actor's username, and the owner of the document.

(The actor is the user who changed the visibility of the document in some way.)

To save these search results to your My Drive folder, click the Export buttonfile_download_grey600_24dp.pngat the top of the table. 

For more details, see View search results in the investigation tool.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
false
false
true
true
73010
false
false