You can track your user’s attempts to share sensitive data in the Rules audit log. For example, you can review events triggered by data loss prevention (DLP) rule violation events. Entries usually appear within an hour of the user action.
The Rules audit log also lists data types for BeyondCorp Threat and Data Protection.
Open the Rules audit log
From the Admin console Home page, go to Reports.
- On the left, under Audit log, click Rules.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Rules audit log provides the following information:
|Event name||The name of the event that was logged. For DLP rules, the value is Action Complete|
|Event description||The description of the event. The value Is Action Completed for DLP rules|
|User||User that performed the action that triggered the event. The value can be Anonymous user if the events are the results of a rescan.|
|Rule name||Rule name provided by the admin when they created the rule|
|Rule type||DLP is the value for DLP rules|
|Rule resource name||The system-generated unique identifier for the rule|
The object modified.
For entries pertaining to Google Chat, click the Resource ID to see details on a Chat conversation. Note that some Chat data can expire, so not all details will always be available.
|Resource title||The title of the resource that was modified. For DLP, a document title.|
|Resource type||For Drive DLP, the resource is Document. For Chat DLP, the resource is Chat Message or Chat Attachment.|
|Resource owner||User that owns the resource that was scanned and had an action applied to it|
|Recipients||Those who received the shared resource|
|Data source||The application originating the resource|
|Actor IP address||The IP address of the user that triggered the action|
|Severity||The severity assigned to the rule when it was triggered|
|Matched trigger||Matches the trigger assigned in the rule|
|Matched detectors||Matches the detector set in the rule condition|
|Triggered actions||Lists the action taken. This is blank if an audit-only rule was triggered.|
|Suppressed actions||Actions configured on the rule, but suppressed. An action is suppressed if a higher priority action occurs at the same time and is triggered.|
|Date||Date and time the event occurred|
|Device ID||The ID of the device on which the action was triggered. This data type applies to BeyondCorp Threat and Data Protection.|
|Device type||Type of device referred to by the Device ID. This data type applies to BeyondCorp Threat and Data Protection.|
|Recipient omitted count||The number of recipients omitted from the audit log due to the upper limit on entries.|
|Location type||Type of location.|
|Location ID||The ID of the location.|
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. Event names are self-explanatory.
When and how long is data available?
Go to Data retention and lag times.