Investigation Tool Recipe: Admin Log Events

Problem 

You need to determine an action taken by an existing admin who may be out of office, or you may want to monitor a new admin during their onboarding period. You can do that with log events. In this example, we'll determine actions for a specific admin via their email.

Steps

  1. Open the Investigation Tool.
    Security > Security center > Investigation tool
  2. Search for or select from the drop-down Admin log events as your data source.
  3. Click Add Condition.
  4. Add the following condition:
    Actor > is > [enter actor email].
  5. Click Search. The results appear at the bottom of the page.
  6. Select the checkbox for one or more messages to take action on the events.
  7. Click Actions at the top of the grid.
  8. Scroll down to see those files shared with anyone via a link.
  9. Select the appropriate action: Actor > Force password change, Actor > Restore users, Actor > Suspend users
  10. To view log details, click on any description in the Description column.
  11. If you are happy with the investigation you built and want to retain it, click Save Investigation, located on the right.

Note: You cannot view the file contents using the Investigation tool. You need to add yourself to the file using the Add users action. Once added, if the owner is in the file, they will see you in the file. Consider removing the owner and then adding yourself. You can always add the user again if needed.
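The Actor condition from the steps above can also be applied to admin log events that have been exported for offline review. This is an added example, not part of the original recipe; it assumes the events are in the JSON shape of the Admin SDK Reports API activities, and the sample records and function names are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample records (assumed shape: Admin SDK Reports API activities).
SAMPLE = json.loads("""
[
 {"id": {"time": "2024-03-04T10:30:00.000Z"}, "ipAddress": "203.0.113.10",
  "actor": {"email": "new.admin@example.com"},
  "events": [{"name": "SUSPEND_USER",
              "parameters": [{"name": "USER_EMAIL", "value": "user.a@example.com"}]}]},
 {"id": {"time": "2024-03-04T09:15:02.000Z"}, "ipAddress": "203.0.113.10",
  "actor": {"email": "New.Admin@example.com"},
  "events": [{"name": "CREATE_USER",
              "parameters": [{"name": "USER_EMAIL", "value": "temp1@example.com"}]},
             {"name": "CHANGE_PASSWORD",
              "parameters": [{"name": "USER_EMAIL", "value": "temp1@example.com"}]}]},
 {"id": {"time": "2024-03-04T09:40:00.000Z"}, "ipAddress": "198.51.100.7",
  "actor": {"email": "other.admin@example.com"},
  "events": [{"name": "CREATE_USER",
              "parameters": [{"name": "USER_EMAIL", "value": "user.b@example.com"}]}]},
 {"id": {"time": "2024-03-04T11:00:00.000Z"}, "actor": {},
  "events": [{"name": "CREATE_USER", "parameters": []}]}
]
""")

def events_for_actor(activities, actor_email):
    """Return one row per event performed by actor_email, oldest first."""
    wanted = actor_email.strip().lower()  # case-insensitive match is this example's choice
    rows = []
    for act in activities:
        email = (act.get("actor") or {}).get("email", "")
        if email.lower() != wanted:
            continue  # other admins, or records with no actor email
        when = datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))
        for ev in act.get("events", []):
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            rows.append({"time": when, "event": ev["name"],
                         "target": params.get("USER_EMAIL"), "ip": act.get("ipAddress")})
    return sorted(rows, key=lambda r: r["time"])

def summarize(rows):
    """Count how many times the actor performed each event type."""
    return Counter(r["event"] for r in rows)

if __name__ == "__main__":
    timeline = events_for_actor(SAMPLE, "new.admin@example.com")
    for r in timeline:
        print(r["time"].isoformat(), r["event"], r["target"], r["ip"])
    print(dict(summarize(timeline)))
```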

See our full list of Investigation tool recipes
