Google Associate Google Workspace Administrator Exam - Topic 2 Question 20 Discussion

Actual exam question for Google's Associate Google Workspace Administrator exam

Question #: 20
Topic #: 2

[All Associate Google Workspace Administrator Questions]

You recently noticed a suspicious trend in your organization's Google Drive usage. Several users have shared sensitive documents outside the organization, potentially violating your company's data security policy. You need to identify the responsible users and the extent of the unauthorized sharing. What should you do?

AReview the organization's sharing policies in the Admin console, and update the policies to prevent external sharing.

BUse the security health page to identify misconfigured sharing settings in Drive.

CUse the security investigation tool to analyze Drive logs and identify the users.

DCreate an activity rule in the Security Center to alert you of future external sharing events.

Show Suggested Answer

Suggested Answer: C

The core of the problem is to identify the responsible users and the extent of past unauthorized sharing. The Security Investigation Tool is designed precisely for this purpose. It allows administrators to search and analyze various audit logs, including Drive logs, to pinpoint specific events, users, and data.

Here's why the other options are less appropriate as the first or most direct action for this specific problem:

A . Review the organization's sharing policies in the Admin console, and update the policies to prevent external sharing. This is a crucial preventative measure for the future, and a necessary step after identifying the scope of the problem. However, it won't help you identify who shared what in the past.

B . Use the security health page to identify misconfigured sharing settings in Drive. The security health page provides an overview of your security posture and can highlight general misconfigurations. While useful for identifying potential vulnerabilities, it won't give you the granular details of specific users and shared documents that have already occurred, which is what the question asks for.

D . Create an activity rule in the Security Center to alert you of future external sharing events. Similar to option A, this is a future-oriented preventative and monitoring measure. It will help catch future violations but won't provide information about the past unauthorized sharing that has already happened.

Reference from Google Workspace Administrator:

Security investigation tool: This tool is explicitly designed for identifying, triaging, and taking action on security issues. It allows administrators to search and analyze logs from various Google Workspace services, including Drive, to investigate specific events like external sharing.

Drive audit log events: The security investigation tool leverages audit logs. Drive audit logs capture events such as document sharing, changes in sharing permissions, and access.

by Rosendo at Apr 08, 2026, 04:17 AM

Limited Time Offer

25%

Off

Get Premium Associate Google Workspace Administrator Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Helene

4 days ago

I think we might need to use the security investigation tool to really dig into the logs and find out who shared those documents.

upvoted 0 times

...