Problem
This article addresses a crucial security investigation focused on data sharing outside of the school's domain and the associated file downloads.
The goal is to proactively monitor for potential data leakage and the presence of malicious or unauthorized files. This effort is essential to safeguard the privacy of our student and staff data and maintain the integrity of our network environment.
Steps
- Open the Investigation Tool.
  Security > Security center > Investigation tool
- Search for or select from the drop-down Drive log events as your data source.
- Click Add Condition.
- Add the following conditions:
  Event > is > Download
  Visibility > is > Shared externally
- Click Search. The results appear at the bottom of the page.
- To take action, select the checkbox for one or more events.
- Click Actions at the top of the grid.
- Select the appropriate action: Add users; Audit file permissions; Change owner; Disable download, print, copy; Remove users.
- At the prompt, enter additional information based on your selected action including your justification for this action.
- If you are happy with the investigation you built and want to retain it, click Save Investigation, located on the right.
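The same two conditions can be applied to exported Drive log events for offline triage. The following is an added example, not part of the original article or of Google's tooling; it assumes records shaped like Admin SDK Reports API activity items, with an event named `download` and `visibility` and `doc_title` parameters, and all sample records and addresses are constructed.

```python
from collections import Counter

# Constructed sample records (not real log data). Assumed shape: Admin SDK
# Reports API activity items for the Drive application.
def _item(time, email, event, visibility, title):
    actor = {"email": email} if email else {}  # some events carry no account
    return {"id": {"time": time}, "actor": actor,
            "events": [{"name": event, "parameters": [
                {"name": "visibility", "value": visibility},
                {"name": "doc_title", "value": title}]}]}

SAMPLE_ACTIVITIES = [
    _item("2024-03-01T09:12:00Z", "teacher1@school.example", "download", "shared_externally", "Class roster"),
    _item("2024-03-01T09:15:00Z", "teacher1@school.example", "download", "private", "Lesson plan"),
    _item("2024-03-01T10:02:00Z", "student7@school.example", "view", "shared_externally", "Class roster"),
    _item("2024-03-01T11:40:00Z", None, "download", "shared_externally", "Staff contacts"),
    _item("2024-03-02T08:05:00Z", "teacher1@school.example", "download", "shared_externally", "Staff contacts"),
]

def _params(event):
    """Flatten an event's parameter list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}

def external_downloads(activities):
    """Return events matching: Event is Download AND Visibility is Shared externally."""
    hits = []
    for item in activities:
        actor = item.get("actor", {}).get("email", "(no account)")
        for event in item.get("events", []):
            params = _params(event)
            if event.get("name") == "download" and params.get("visibility") == "shared_externally":
                hits.append({"time": item["id"]["time"], "actor": actor,
                             "title": params.get("doc_title", "(untitled)")})
    return hits

def downloads_per_actor(hits):
    """Rank accounts by number of matching downloads, highest first."""
    return Counter(h["actor"] for h in hits).most_common()

if __name__ == "__main__":
    matches = external_downloads(SAMPLE_ACTIVITIES)
    for h in matches:
        print(h["time"], h["actor"], h["title"])
    print(downloads_per_actor(matches))
```

Ranking by account helps decide which files to run Audit file permissions against first.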
See our full list of Investigation tool recipes.