Monitoring for insider risk and data loss

Supported editions for this feature: Chrome Enterprise Premium; Enterprise Standard and Enterprise Plus with Chrome Enterprise CoreCompare your edition

Insider risk monitoring adds 4 reports to the security dashboard that summarize content transfer activity:

These reports help you identify unusual activity and risky behavior. They report on activity using Chrome browser on Windows, Mac, Linux and the Chrome operating system. Other platforms are not supported at this time.

Note: The insider monitoring reports do not include activity in Incognito windows. For information about how to prevent users from opening new Incognito windows, read about the Incognito mode setting.

Turn on insider risk and data loss monitoring

To enable insider risk and data loss monitoring, click View details & enable in the Monitor data leaks and insider risk box on the Google Admin console home page. Review the details about the security protections involved with insider risk and data loss monitoring, then click Enable. Any manually modified connector and event reporting settings are not enabled unless you opt in using the checkbox to override all settings.

If connectors are configured for a provider other than Chrome Enterprise Premium or None, the override checkbox does not override those connectors settings. In this case, there are 2 ways to override the connection settings:

  • Option 1—Go to the Chrome Enterprise Connector settings and change it to None. Try again to enable the Monitor data leaks and insider risk on the Admin console home page.
  • Option 2—Go to the Chrome Enterprise Connector settings and manually set Chrome Enterprise connector policies for Chrome Enterprise Premium.

To activate insider and data loss monitoring, ensure that the Chrome Enterprise Security Services app is switched on. If you try to enable the services app while it is off,  you will get an error message below the Enable button.

Click the link in the error message to access Settings. Select On, review the terms and conditions, and follow the instructions to activate the services app.

When the services app is enabled, you can return to the Monitor data leaks and insider risk and retry Enable.

Turning on insider risk and data loss monitoring enables the following enhanced Chrome security protections for users:

  • Chrome security event logging records user activity in Chrome that may be relevant from a security perspective, such as Content unscanned, Unsafe site visit, or Password reuse.
  • Chrome data insights scanning and reporting initiates review of uploaded, downloaded, and printed content to check for sensitive data. Data insights scanning can scan and report findings only up to 10MB of the text content extracted from each file.
  • Chrome Enterprise connectors perform the data review for up to 50 MB of content.
    • Upload content analysis scans uploaded files for sensitive data and malware.
    • Download content analysis scans downloaded files for sensitive data and malware.
    • Bulk text content analysis scans large blocks of pasted text for sensitive data when you define a Data Loss Prevention rule.
    • Print content analysis scans printed text for sensitive data.
    • Real time URL check scans accessed URLs in real time to protect users against dangerous sites, based on the Safe Browsing Protection Level setting.
    • You can expand sensitive data analysis by creating Data Loss Prevention rules.

These protections are enabled for the entire organization, that is, they are enabled at the root organizational level.

Customize insider risk and data loss monitoring

You can customize insider risk and data loss monitoring by changing which organizational units it applies to or updating the Chrome connectors configuration For example, you can limit which security events get logged or prevent certain files from being sent for analysis or downloaded.

Chrome security event logging

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings

    If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browserand thenSettings.

  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  4. Go to Browser reportingand thenEvent reporting.
  5. Next to Event reporting, make sure that Enable event reporting is checked.
  6. (Optional) Configure additional settings. Choose the reported event types that you need based on what type of content you want to send for analysis. For details, go to Chrome audit log.
    • Default event types—Chrome threat and data protection events include malware transfer, password reuse, and unsafe site visits.
  7. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Chrome data insights and reporting
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenData protection.
  3. For Data protection insights setting, ensure that Data protection insight scanning and report is On.

If you turn off the Data protection insight scanning and report, it pauses production of the new insider risk monitoring reports. When you turn the setting On, the reports will be available in a day or 2.

Chrome Enterprise connectors

For details about configuring how Chrome connectors review content, see Set Chrome Enterprise connector policies for Chrome Enterprise Premium .

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
359261266116010936
true
Search Help Center
true
true
true
true
true
73010
false
false