After searching in one data source (for example, using Gmail log events to find and delete a malicious email), you might want to investigate a specific user by pivoting and searching within another data source (for example, to search Drive log events to investigate file sharing related to that user).
For example, you might want to do this if a user account is hijacked and you learn that a malicious email is sent from that account. You can then investigate other actions from that user account in Drive.
To investigate a user across data sources:
- Complete your search using the instructions in Find and erase malicious emails.
- In the search results, hover over the user in the Sender column (for example, firstname.lastname@example.org).
- Hover over an item in the search results, and click the pivot button to open the menu options.
- Click Drive log events > Actor.
This opens a new search page where Drive log events is the data source, and where a condition is included with the same actor.
- If needed, you can click ADD CONDITION to include more criteria for your search.
- Click SEARCH.
- View and export your search results.
Note: You can also pivot on the entire column in the search results. To do this, hover over the column name, and then choose from the menu options.