After searching in one data source (for example, using Gmail log events to find and delete a malicious email), you might want to investigate a specific user by pivoting and searching within another data source (for example, to search Drive log events to investigate file sharing related to that user).
For example, you might want to do this if a user account is hijacked and you learn that a malicious email is sent from that account. You can then investigate other actions from that user account in Drive.
Note: Some features in the security investigation tool—for example, data related to Gmail and Drive—are not available with Cloud Identity Premium or Enterprise Standard editions. For details see Data sources in the investigation tool.
To investigate a user across data sources:
- Complete your search using the instructions in Find and erase malicious emails.
- In the search results, hover over the user in the Sender column (for example, email@example.com).
- Hover over an item in the search results, and click the pivot button to open the menu options.
- Click Drive log events > Actor.
This opens a new search page where Drive log events is the data source, and where a condition is included with the same actor.
- If needed, you can click ADD CONDITION to include more criteria for your search.
- Click SEARCH.
- View and export your search results.
Note: You can also pivot on the entire column in the search results. To do this, hover over the column name, and then choose from the menu options.