Investigate Chat messages to protect your organization's data

Security investigation tool

Supported editions for these features:
Enterprise Plus, Education Plus, Cloud Identity Premium, Enterprise Standard, Education Standard

As an administrator, you can create data protection rules for Chat to monitor and prevent sensitive content leaks. You can then use the security investigation tool to monitor Chat activity in your organization—including messages and files that are sent outside your domain.

Create a data protection rule for Chat messages

Before you can use the security investigation tool to investigate Chat messages in your organization, you need to set up a data protection rule for Chat. This is a custom rule that you create from the rules page. You can use this rule to be notified of specific activity related to the use of Chat messages within your domain.

Once you set up the data protection rule, you can then use the security investigation tool to investigate Chat messages in your organization.

Note: An administrator might have already set up a data protection rule for Chat messages. If not, you'll need to do this yourself. For instructions, see Create data protection rules.

Run a search for Rule log events

To run a search in the security investigation tool, first choose a data source. Optionally, you can then choose one or more conditions for your search. For each condition, choose an attribute, an operator, and a value.

Note: The steps in the instructions below are presented as an example search for investigating Chat messages. You have the option to use other conditions in your search, or you can run a search using no conditions at all.

To run a search in the security investigation tool for Rule log events:

  1. On the left of the Admin console Home page, click Security > Security center > Investigation tool.
  2. Click Data source and select Rule log events.
  3. Click Add Condition > Attribute > Date.
    Choose a date range for your search.
  4. Click Add Condition > Attribute > Rule type.
    Choose DLP.
  5. Click Search.
    Search results are displayed at the bottom of the page.
  6. To save your investigation, click Save > enter a title and description > click Save.
    Note: By saving the search results for future use, you can conduct the same investigation on multiple occasions.

Investigate Chat messages in the search results

After you create a data protection rule for Chat messages and run a search for Rule log events, you can investigate Chat messages in the search results of your investigation.

To investigate Chat messages:

  1. On the left of the Admin console Home page, click Security > Security center > Investigation tool.
  2. From the right menu, click View investigations.
  3. Click the investigation from the list. (Choose an investigation that you created using the instructions in the section above.)
  4. Click Search.
    From the search results at the bottom of the page, you can view a list of events, with details about each event. These details include the triggered action, the rule name, and the container type (for example, 1:1 Chat or Chat Space).
  5. To drill down and view additional details, click the Resource ID for any line in the search results.
  6. If prompted, enter text to justify the business need for viewing Chat content, and click Confirm.
    A side panel is displayed with additional details about your investigation:

Incident details tab—This tab specifies the name of the rule that was triggered, and also displays the content within the Chat message that triggered the rule. Other important details include the sender of the message, date the message was sent, and message ID.

Conversation info tab—This tab includes information about the Chat conversation. Details include the type of conversation—for example, 1:1 Chat or Space. Note: For Space, up to 5 space manager emails are displayed, and you can contact space managers to take action if needed.

Chat transcript tab—This tab provides context about the Chat conversation—including text from some of the messages.
