To audit whether [email protected] has shared any sensitive documents outside the organization, use
the Security Investigation Tool in the Google Admin console. This tool allows administrators to
investigate and take action on security issues within the organization.
1. Open the Security Investigation Tool:
   - Go to the Google Admin console.
   - Navigate to Security > Investigation tool.
2. Set conditions in Drive Log Events:
   - In the Investigation Tool, select "Drive Log Events" as the data source.
   - Add the following conditions:
     - Visibility Is External: filters the events to show only documents that have been shared externally.
     - Actor Is [email protected]: limits the results to actions performed by [email protected].
3. Run the investigation:
   - Click "Search" to run the investigation with the specified conditions.
   - Review the results to identify any documents that the user has shared externally.
4. Remediate:
   - For any documents that were shared inappropriately, take corrective action such as
     changing permissions or removing external sharing.
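
The same two conditions applied offline to exported Drive log events, as an added example that is not part of the original page. It assumes the export uses the JSON layout of an Admin SDK Reports API `drive` activities response and that "External" corresponds to the `visibility` value `shared_externally`; the function name `external_shares` and all addresses and titles are constructed for illustration.

```python
import json

# Constructed sample shaped like an Admin SDK Reports API "drive" activities
# response (assumed export format); all addresses and titles are made up.
SAMPLE_EXPORT = json.dumps({"items": [
    {"id": {"time": "2024-05-01T09:12:00Z"},
     "actor": {"email": "user@example.com"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_title", "value": "Q2 payroll"},
         {"name": "visibility", "value": "shared_externally"},
         {"name": "target_user", "value": "partner@example.net"}]}]},
    {"id": {"time": "2024-05-01T10:30:00Z"},
     "actor": {"email": "user@example.com"},
     "events": [{"name": "edit", "parameters": [
         {"name": "doc_title", "value": "Team notes"},
         {"name": "visibility", "value": "shared_internally"}]}]},
    {"id": {"time": "2024-05-02T08:00:00Z"},
     "actor": {"email": "other@example.com"},
     "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_title", "value": "Roadmap"},
         {"name": "visibility", "value": "shared_externally"}]}]},
]})


def external_shares(export_json, actor, external=("shared_externally",)):
    """Return Drive events by `actor` whose visibility is in `external`."""
    hits = []
    for item in json.loads(export_json).get("items", []):
        # Condition 2: Actor Is <user> (case-insensitive address match).
        if item.get("actor", {}).get("email", "").lower() != actor.lower():
            continue
        for event in item.get("events", []):
            # Parameters arrive as a list of {"name", "value"} pairs.
            params = {p["name"]: p.get("value") for p in event.get("parameters", [])}
            # Condition 1: Visibility Is External (assumed value set).
            if params.get("visibility") in external:
                hits.append({"time": item.get("id", {}).get("time"),
                             "event": event.get("name"),
                             "doc_title": params.get("doc_title"),
                             "target_user": params.get("target_user")})
    return hits


if __name__ == "__main__":
    for hit in external_shares(SAMPLE_EXPORT, "user@example.com"):
        print(hit)
```

Each returned record carries the document title and, where present, the external recipient, which is what the remediation step needs in order to decide which permissions to change.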