Use Chrome Enterprise Premium to integrate DLP with Chrome

This example shows how to use rule settings to block file downloads. In this example, the download is blocked if it occurs from drive.google.com.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users. 
6. Click Continue.
7. In Apps, for Chrome, select File downloaded.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values: Important: Third-party cookies are necessary for Google Drive downloads to increase browser security and to make sure that only you can download your data. Google Drive uses googleusercontent.com, a Google domain, but one that is regarded as a third party by Drive, to deliver your files and further increase security.
   1. Content type to scan—URL
   2. What to scan for—Contains text string
   3. Contents to match—drive.google.com
      Note: The Tab URL (drive.google.com) and Download URL (googleusercontent.com) can trigger the rule.
10. Click Continue. In the Actions section, under Chrome, select Block.
    1. (Optional) Choose a custom message to show end users.
       • Select the Customize Message check mark.
       • Enter the message that will be shown to end users. The message can be 300 characters or less. Hyperlinks are allowed but count toward the character limit.
    2. (Optional) In the Alerting section:
       • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
       • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
11. Click Continue to review the rule details.
12. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
13. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to trigger a user warning under certain conditions.  In this example, the user is warned if they try to download more than 30 email addresses at once.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users.
6. In Apps, for Chrome, select File downloaded.
7. Click Continue.
8. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—All content
   2. What to scan for—Matches predefined data type
   3. Data type—Global - Email Address
   4. Likelihood threshold—Medium
   5. Minimum unique matches—30
   6. Minimum match counts—30
9. Click Continue. In the Actions section, under Chrome, select Allow with warning. The user is warned, but can proceed with the action if the rule is violated. If the user chooses to proceed after being warned, this action is recorded in the Rules audit log.
   1. (Optional) Choose a custom message to show end users.
      • Select the Customize Message check mark.
      • Enter the message that will be shown to end users. The message can be 300 characters or less. Hyperlinks are allowed but count toward the character limit.
   2. (Optional) In the Alerting section:
      • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
      • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
10. Click Continue to review the rule details.
11. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
12. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to block file uploads to certain types of websites. In this example, the upload is blocked if the user tries to upload files to social media sites, such as Facebook.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users. 
6. Click Continue.
7. In Apps, for Chrome, select File uploaded.

   Note: For the File uploaded and Content pasted triggers, the blocking behavior depends on the Delay file upload setting specified in Set Chrome Enterprise connector policies for Chrome Enterprise Premium. If the Delay file upload setting is set to Allow immediate upload, the file will upload during the scan. To prevent users from uploading files or content during a scan, set the Delay file upload setting to Delay upload until analysis is complete.

8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—URL category
   2. Select category—Online CommunitiesSocial Networks
10. Click Continue. In the Actions section, under Chrome, select Block.
    1. (Optional) Choose a custom message to show end users.
       • Select the Customize Message check mark.
       • Enter the message that will be shown to end users. The message can be 300 characters or less. Hyperlinks are allowed but count toward the character limit.
    2. (Optional) In the Alerting section:
       • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
       • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
11. Click Continue to review the rule details.
12. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
13. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to block file downloads based on file type and size. In this example, the download is blocked if the user tries to download image files larger than 10 KB.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage rulesAdd ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups that the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users.
6. In Apps, for Chrome, select File downloaded.
7. Click Continue.
8. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—File size
   2. What to scan for—Is greater than
   3. Enter file size (in bytes)—10000
9. Click Add condition and select the following values:

   For information on the MIME types included in each system file category, click here.

   1. Content type to scan—File type
   2. What to scan for—Matches system file category
   3. System file category—Image
10. Click Continue. In the Actions section, for Chrome, select Block.
    1. (Optional)  To show end users a custom message:
       1. Select the Customize Message check mark.
       2. Enter no more than 300 characters for the message that will be shown to end users. Hyperlinks are allowed but count toward the character limit.
    2. (Optional) In the Alerting section:
       • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
       • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
11. Click Continue to review the rule details.
12. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
13. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to report file transfers in ChromeOS that contain U.S. Social Security numbers. The ChromeOS Files app is the only place where files are scanned, and setting up these rules requires a Chrome Enterprise Upgrade.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules. Then click Add ruleNew rule. 
4. Click Name and enter a name for the rule and, optionally, a description.
5. For Scope, choose an option:
   • To apply the rule to your whole organization, select All in domain.name.
   • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude the organizational units and groups. Organizational units can contain devices, users, or a combination of devices and users. 
6. Click Continue.
7. In Apps, for ChromeOS, select File transfer.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   • Content type to scan—All content
   • What to scan for—Matches predefined data type (recommended)
   • Select data type—United States - Social Security Number
   • Likelihood threshold—Medium
   • Minimum unique matches—1
   • Minimum match count—1
10. Click Continue. In the Actions section, under ChromeOS, select Audit only.
11. (Optional) To choose a severity level for how to report events triggered by this rule in the Admin console, for Alerting, select Low, Medium, or High. The severity level is logged in the Rule log events and you can use it to investigate incidents.
12. (Optional) To choose whether an event triggered by this rule should also send an alert to the alert center, check the Send to alert center box and to send a notification about the alert to all super admins, check the All super administrators box. You can enter other email recipients as well for notifications.
13. Click Continue to review the rule details.
14. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
15. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to block text pasted from mail.google.com.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Go to Data protection rules and detectors and click Manage Rules.
4. Click Add ruleNew rule. 
5. Click Name and enter a name for the rule and, optionally, a description.
6. For Scope, choose an option:
   • To apply the rule to your whole organization, select All in domain.name.
   • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude the organizational units and groups. Organizational units can contain devices, users, or a combination of devices and users. 
7. Click Continue.
8. In Apps, for Chrome, check the Content pasted box.

   How you block Content pasted depends on the Delay text entry setting specified in Set Chrome Enterprise connector policies for Chrome Enterprise Premium. If you Allow immediate upload, the text will get pasted during the scan. To prevent users from pasting content during a scan, use Delay text entry until analysis is complete instead.

9. Click Continue.
10. Click Add Condition:
    1. Click All content and select Source URL.
    2. Click What to scan for and select Contains text string.
    3. Click Enter contents to match and enter mail.google.com.
11. Click Continue.
12. In the Actions section, for Chrome, select Block.
13. (Optional) To send a custom message to users, check the Customize Message box and enter a message. To add a URL, select text and click Insert link.
14. (Optional) To report events to the security dashboard, in the Alerting section, choose a severity level, check the boxes to send alerts to the alert center or super admins, and add other recipients for alerts.
15. Click Continue.
16. Review the rule details and for Rule status, choose an option:
    • To immediately run the rule, select Active.
    • To review the rule and share it with team members before implementing, select Inactive. 
    • To activate the rule later, go to Manage Rules (steps earlier on this page), select Active, and click Confirm. 
17. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to trigger a user warning when a user tries to navigate to a website with gambling content.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users.
6. Click Continue.
7. In Apps, for Chrome, select URL visited.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—URL category
   2. Select category—Games/Gambling
10. Click Continue. In the Actions section, under Chrome, select Allow with warning. The user is warned, but can choose to proceed with the action that triggers the rule. If the user chooses to proceed, the action is recorded in the Chrome log.
    1. (Optional) Choose a custom message to show end users.
       • Select the Customize Message check mark.
       • Enter the message that will be shown to end users. The message can be 300 characters or less. Hyperlinks are allowed but count toward the character limit.
    2. (Optional) In the Alerting section:
       • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
       • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
11. Click Continue to review the rule details.
12. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
13. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.

This example shows how to use rule settings to block a user if they try to navigate to an URL that's part of a custom list.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Create a word list custom detector containing a comma-separated list of the URLs you want to block. For example: “example.com,example2.com.” For specific instructions, see Create a custom detector.
4. Click Manage Rules. Then click Add ruleNew rule. 
5. Add the name and description for the rule.
6. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users.
7. Click Continue.
8. In Apps, for Chrome, select URL visited.
9. Click Continue.
10. In the Conditions section, click Add Condition and select the following values:
    1. Content type to scan—URL
    2. What to scan for—Matches words from word list
    3. Word list name—The name of the word list you created in Step 3.
    4. Match mode—Match any word
    5. Minimum total times any word detected—1
11. Click Continue. In the Actions section, under Chrome, select Block.
    1. (Optional) Choose a custom message to show end users.
       1. Select the Customize Message check mark.
       2. Enter the message that will be shown to end users. The message can be 300 characters or less. Hyperlinks are allowed but count toward the character limit.
    2. (Optional) In the Alerting section:
       • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
       • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
12. Click Continue to review the rule details.
13. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
14. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.

This example shows how to use rule settings to trigger a user warning or to audit user activity by overlaying a watermark when a user tries to navigate to a specific website.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes

Learn more about administrator privileges and creating custom administrator roles.

Step 1: Add a new rule

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules.
4. Click Add ruleNew rule. 
5. Add a name and description for the rule.
6. For Scope, choose an option and click Continue.
   • Select All in <domain-name> to apply the rule to your entire organization.
   • Search for organizational units or groups to include or exclude from the rule. If there’s a conflict for a user that’s in an organizational unit you include and a group you exclude, the group takes precedence.  Organizational units can contain devices, users, or a combination of devices and users.
7. In Apps, for Chrome, select URL visited.
8. Click Continue.

Step 2: Set conditions and actions for the rule

1. Click Add Condition, select values for the URL or URL category that you want to watermark, and click Continue. 
2. For Actions, under Chrome, choose an option:
   • Allow with warning—Warns the user, but they can proceed to the website. If the user proceeds, the action is recorded in the Rule and Chrome log events. To display translucent watermark text over the page content, check the Add watermark over page content box. 
   • Audit only—Displays a watermark over the page content in Chrome and creates a new event in the Rule and Chrome log events.
3. (Optional) The default watermark message is Confidential. To create a custom watermark message, check the Customize watermark message box, and enter a message.
4. For Alerting, choose your settings and click Continue: 
   • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
   • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
5. Click Continue to review the rule details.
6. Choose a Rule status and click Create:
   • Active—Your rule runs immediately.
   • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to  SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Allow approximately 5 minutes before testing a new or modified rule.

This example shows how to use rule settings to block screenshots (Mac and Windows) and screen sharing (Windows only). Content on the page is blacked out in screenshots for Windows and disappears for Mac.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

Step 1: Add a new rule

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage Rules.
4. Click Add ruleNew rule. 
5. Add a name and description for the rule.
6. For Scope, choose an option and click Continue.
   • Select All in <domain-name> to apply the rule to your entire organization.
   • Search for organizational units or groups to include or exclude from the rule. If there’s a conflict for a user that’s in an organizational unit you include and a group you exclude, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users. 
7. In Apps, for Chrome, select URL visited.
8. Click Continue.

Step 2: Set conditions and actions for the rule

1. Click Add Condition, select values for the URL or URL category that you want to block screenshots and screen sharing from, and click Continue. 
2. For Actions, under Chrome, choose an option:
   • Allow with warning—Warns the user, but they can proceed to the website. If the user proceeds, the action is recorded in the Rule and Chrome log events. To block screenshots and screen sharing on the associated pages, check the Restrict screenshot and screen-share content box. 
   • Audit only—Allows users to proceed to the website in Chrome and the action is recorded in the Rule and Chrome log events. To block screenshots and screen sharing on the associated pages, check the Restrict screenshot and screen-share content box.
3. For Alerting, choose your settings and click Continue: 
   • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
   • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
4. Click Continue to review the rule details.
5. Choose a Rule status and click Create:
   • Active—Your rule runs immediately.
   • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to  SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and will not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Allow approximately 5 minutes before testing a new or modified rule.

This example shows how to use rule settings to audit users’ URL navigations when they try to navigate to an URL that matches a regular expression.

Before you begin: Sign in to your super administrator account or an admin account with these privileges:

• Organizational Unit
• Groups
• View DLP rule
• Manage DLP rule
• View Metadata and Attributes 

Learn more about administrator privileges and creating custom administrator roles.

Step 1: Create a regular expression

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Data protection.

   Requires having the View DLP rule and Manage DLP rule administrator privileges.

3. Click Manage detectors.
4. Click Add detectorRegular expression. 
5. Add a name and description for the regular expression, and enter an expression that matches a subset of URLs. 
   For example, the expression [?|&]page_id=123 matches a URL with a query parameter called page_id with the value 123. For more information, go to Examples of regular expressions.
6. Click Test Expression to verify the regular expression.
7. Click Create. 

Step 2: Add a new rule

1. Click Manage rules.
2. Click Add ruleNew rule. 
3. Add a name and description for the rule.
4. For Scope, choose an option and click Continue.
   • Select All in <domain-name> to apply the rule to your entire organization.
   • Search for organizational units or groups to include or exclude from the rule. If there’s a conflict for a user that’s in an organizational unit you include and a group you exclude, the group takes precedence. Organizational units can contain devices, users, or a combination of devices and users.
5. In Apps, for Chrome, select URL visited and click Continue.
6. Click Add Condition, select the following values, and click Continue. 
   • Content type to scan—URL
   • What to scan for—Matches regular expression
   • Regular expression name—The name of the regular expression created in step 1
   • Minimum the pattern detected—1
7. For Actions, under Chrome, select Audit.
8. For Alerting, choose your settings and click Continue: 
   • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
   • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
9. Click Continue to review the rule details.
10. Choose a Rule status and click Create:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to  SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Allow approximately 5 minutes before testing a new or modified rule.