Beta: Rules audit log

You can track your user’s attempts to share sensitive data in the Rules audit log. For example, you can review events triggered by data loss prevention (DLP) rule violation events. Entries usually appear within an hour of the user action.

The Rules audit log also lists data types for BeyondCorp Threat and Data Protection.

Open the Rules audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit log, click Rules.
  4. (Optional) To customize what data you see, on the right, click Manage columns "". Select the columns that you want to see or hideand thenclick Save.

Data you can view

The Rules audit log provides the following information:

Data Type Description
Event name The name of the event that was logged. For DLP rules, the value is Action Complete
Event description The description of the event. The value Is Action Completed for DLP rules
User User that performed the action that triggered the event. The value can be Anonymous user if the events are the results of a rescan.
Rule name Rule name provided by the admin when they created the rule
Rule type DLP is the value for DLP rules
Rule resource name The system-generated unique identifier for the rule
Resource ID

The object modified.

For entries pertaining to Google Chat, click the Resource ID to see details on a Chat conversation. Note that some Chat data can expire, so not all details will always be available.

Resource title The title of the resource that was modified. For DLP, a document title.
Resource type For Drive DLP, the resource is Document. For Chat DLP, the resource is Chat Message or Chat Attachment.
Resource owner User that owns the resource that was scanned and had an action applied to it
Recipients Those who received the shared resource
Data source The application originating the resource
Actor IP address The IP address of the user that triggered the action
Severity The severity assigned to the rule when it was triggered
Scan type

Values are:

  •  Drive continuous scan (occurring when a rule changes)
  • Online scan (occurring as a document is changing)
  • Chat scan content before send (occurring when a Chat message is sent)
Matched trigger Matches the trigger assigned in the rule
Matched detectors Matches the detector set in the rule condition
Triggered actions Lists the action taken. This is blank if an audit-only rule was triggered.
Suppressed actions Actions configured on the rule, but suppressed. An action is suppressed if a higher priority action occurs at the same time and is triggered.
Date Date and time the event occurred
Device ID The ID of the device on which the action was triggered. This data type applies to BeyondCorp Threat and Data Protection.
Device type Type of device referred to by the Device ID. This data type applies to BeyondCorp Threat and Data Protection.
Recipient omitted count The number of recipients omitted from the audit log due to the upper limit on entries.
Location type Type of location.
Location ID The ID of the location.

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. Event names are self-explanatory.

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false