As an administrator, you might need to search for a sensitive document that's been shared externally, or shared too broadly.
Follow the instructions in this article to investigate a file that's been shared externally by a specific user in your organization.
Investigate file sharing
1. Get started with your investigation- Sign in to use the investigation tool .
- From the Data sourcemenu, click Drive log events.
- Click Add Condition.
- From the Conditionmenu, click Visibility change.
- Make sure the condition is set to External.
- Click ADD CONDITION.
- From the Conditionmenu, click Actor.
- In the Userfield, enter the username of the user who shared the file—for example, user@example.com .
- Click ADD CONDITION.
- From the Conditionmenu, click Date.
- Change the condition to After.
- In the Datefield, enter the earliest date and time when the file may have been shared externally.
- Click SEARCH.
After you finish the above steps, the search results are displayed in a table at the bottom of the page. The table displays the date and time the file was shared externally, the document ID, document type, visibility, the title, the event type (for example, Change user access ), the actor's username, and the owner of the document.
(The actor is the user who changed the visibility of the document in some way.)
To save these search results to your My Drive folder, click Export allat the top of the table.
For more details, see View search results in the investigation tool .
