Investigate a user across data sources

Security investigation tool

After searching in one data source (for example, using Gmail log events to find and delete a malicious email), you might want to investigate a specific user by pivoting and searching within another data source (for example, to search Drive log events to investigate file sharing related to that user). 

For example, you might want to do this if a user account is hijacked and you learn that a malicious email was sent from that account. You can then investigate other actions from that user account in Drive.

Note: Some features in the security investigation tool (for example, data related to Gmail and Drive) are not available with Cloud Identity Premium or Enterprise Standard editions. For details, see Data sources in the investigation tool.

To investigate a user across data sources:

  1. Complete your search using the instructions in Find and erase malicious emails.
  2. In the search results, hover over the user in the Sender column (for example, user@example.com).
  3. Hover over an item in the search results, and click the pivot button to open the menu options.
  4. Click Drive log events > Actor.
    This opens a new search page where Drive log events is the data source, and where a condition is included with the same actor.
  5. If needed, you can click ADD CONDITION to include more criteria for your search. 
  6. Click SEARCH.
  7. View and export your search results.

Note: You can also pivot on the entire column in the search results. To do this, hover over the column name, and then choose from the menu options.
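
The same pivot can be reproduced offline on exported search results, for example to keep a record of a hijacked account's Drive activity around the time the malicious email was sent. The following is an added example, not Google's code: the CSV column names, the sample rows, and the 24-hour window are constructed assumptions and do not reflect the tool's actual export schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports. Column names and values are assumptions,
# not the investigation tool's actual export schema.
GMAIL_EXPORT = """date,sender,subject
2024-05-02T09:14:00Z,user@example.com,Invoice overdue
2024-05-02T09:15:30Z,user@example.com,Invoice overdue
"""
DRIVE_EXPORT = """date,actor,event,document,visibility
2024-05-01T16:00:00Z,user@example.com,view,Roadmap,private
2024-05-02T08:50:00Z,user@example.com,change_user_access,Payroll 2024,shared_externally
2024-05-02T09:20:00Z,user@example.com,download,Customer list,private
2024-05-02T09:25:00Z,other@example.com,change_user_access,Team notes,shared_externally
2024-05-09T10:00:00Z,user@example.com,edit,Roadmap,private
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def pivot_on_actor(gmail_rows, drive_rows, window=timedelta(hours=24)):
    """Map each Gmail sender to that actor's Drive events between `window`
    before the first flagged message and `window` after the last one."""
    spans = {}
    for row in gmail_rows:
        t = ts(row["date"])
        lo, hi = spans.get(row["sender"], (t, t))
        spans[row["sender"]] = (min(lo, t), max(hi, t))
    hits = {sender: [] for sender in spans}
    for row in drive_rows:
        span = spans.get(row["actor"])
        if span and span[0] - window <= ts(row["date"]) <= span[1] + window:
            hits[row["actor"]].append(row)
    for rows in hits.values():
        rows.sort(key=lambda r: ts(r["date"]))
    return hits

def sharing_changes(rows):
    """Events where file access was changed; review these first."""
    return [r for r in rows if r["event"] == "change_user_access"]

if __name__ == "__main__":
    for actor, rows in pivot_on_actor(load(GMAIL_EXPORT), load(DRIVE_EXPORT)).items():
        print(actor, len(rows), "Drive events,", len(sharing_changes(rows)), "sharing changes")
```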

Your access to the security investigation tool

  • The security investigation tool requires a premium Google Workspace edition (Enterprise Plus, Enterprise Standard, or Education Plus).
  • You can access logs using the Chrome browser for the Google apps you have installed (for example, Gmail).
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. 
  • You can run a search in the investigation tool on all users, regardless of the Google edition they have.
