After searching in one data source (for example, using Gmail log events to find and delete a malicious email), you might want to investigate a specific user by pivoting and searching within another data source (for example, to search Drive log events to investigate file sharing related to that user).
For example, you might want to do this if a user account is hijacked and you learn that a malicious email is sent from that account. You can then investigate other actions from that user account in Drive.
Note: Some features in the security investigation tool—for example, data related to Gmail and Drive—are not available with Cloud Identity Premium or Enterprise Standard editions. For details see Data sources in the investigation tool.
To investigate a user across data sources:
- Complete your search using the instructions in Find and erase malicious emails.
- In the search results, hover over the user in the Sender column (for example, email@example.com).
- Hover over an item in the search results, and click the pivot button to open the menu options.
- Click Drive log events > Actor.
This opens a new search page where Drive log events is the data source, and where a condition is included with the same actor.
- If needed, you can click ADD CONDITION to include more criteria for your search.
- Click SEARCH.
- View and export your search results.
Note: You can also pivot on the entire column in the search results. To do this, hover over the column name, and then choose from the menu options.
Your access to the security investigation tool
- Supported editions for the security investigation tool include Enterprise Plus and Education Plus.
- Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
- Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can generally use the audit and investigation page instead.