Stop data loss with DLP

View content that triggers DLP rules

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus; Chrome Enterprise Premium .  Compare your edition

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

As an administrator, you can use data loss prevention (DLP) snippets to investigate whether a DLP rule violation is a real incident or a false positive. DLP snippets capture the content that violates a rule. You can review the snippets in the security investigation tool and on the audit and investigation page.

On this page

Access to snippets in investigation tool

To access snippets in the investigation tool:

Before you begin

Turn sensitive content storage on:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenData protection.
  3. For Sensitive content storage, change the state to On.
  4. Click Save
If you turn off sensitive content storage, DLP snippets are no longer logged.

About DLP snippets

DLP snippets contain any content flagged by a DLP rule that matches a DLP rule's content conditions, such as:

  • Contents of scanned files
  • Reusable content detectors 
  • Keywords and word lists 
  • Regular expressions
  • Predefined content detectors

You can review DLP snippets in the logs for 180 days. During this time, if the source content is deleted or changed, the snippets are not deleted. DLP snippets capture matched content detected by DLP rules plus surrounding text (up to 100 unicode characters on each side) providing context for DLP scans.

DLP snippet limitations

  • Snippet content larger than 500 unicode characters is truncated.
  • For DLP rule log event data, the total size of the snippets parameter is limited to 50 KB. Snippet instances are removed until the overall size is less than 50 KB.
  • In Google Chat, snippets are not collected for off-the-record messages (chat history turned off) or conversations sent to a space owned by someone outside of your organization.
  • DLP-scanned content and snippets extracted from Google Drive might differ from the original source content in the document.
  • DLP snippets aren't supported for Gmail DLP (beta)

Step 1: Start your investigation

Option 1: View sensitive content snippets in the investigation tool

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  3. Click Data source and select Rule log events.
  4. Click Add Condition
  5. From the Attribute menu, select Rule type and make sure the operator is set to Is (the default option).
  6. From the Rule type menu, select DLP
  7. Click Search

Option 2: View sensitive content snippets on the audit & investigation page

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Reportingand thenAudit and investigationand thenRule log events.
  3. Click Add a filterand thenRule type.
  4. In the Rule type box, select Isand thenDLP and click Apply.
  5. Click Search

Step 2: Show sensitive content

  1. From the search results, in the Has sensitive content column, look for True.
  2. In the Description column, click the text to open the Log details panel.
  3. Click Show sensitive content.
  4. If needed, enter the reason why you need to view the sensitive contentand thenclick Confirm.

The panel will refresh and the Sensitive content snippets row will update with the snippets triggered by the rule that you're investigating.

Step 3: View sensitive content

In the Log details panel, next to Sensitive content snippets, click the Right arrow to expand the rows containing sensitive content.

You can review the following attributes:

Attribute Description
Content Content (including surrounding text used for context) matched a DLP rule
Matched content starting character Start of content that matched a rule, where the start index is zero-based. The starting character of the matched content is relative to the content snippet, not the source document.
Matched content length Length of match
Matched detector ID Detector that matched, if any
Row index (Chat files in CSV format) Content row’s zero-based index, if any
Field name (Chat files in CSV format) Content’s column name, if any

Example: DLP rule scans for Social Security numbers

In this example, if a spreadsheet contains a Social Security number, the attributes populate as follows:

  • Content: SSN 123-45-6789
  • Matched content starting character: 4
  • Matched content length: 11
  • Matched detector ID: US_SOCIAL_SECURITY_NUMBER
  • Row index: 2
  • Field name: header2

Export sensitive content using BigQuery

You can export sensitive content snippets to custom tables for further investigation. For details, go to Set up a BigQuery Export configuration.

Remove sensitive content from logs

After investigating an incident, you can remove sensitive content from the logs so you don’t unnecessarily expose the data. Removing the content from the logs doesn’t remove it from the actual file or resource where the content was found or from custom BigQuery tables. If you remove the content, it’s no longer available in the investigation tool or the audit and investigation page and can’t be exported to BigQuery. 

You must be signed in as a super administrator for this task.

  1. Repeat Steps 1, 2, and 3 above on this page to view sensitive content.
  2. Click Remove sensitive content.
  3. In the Remove sensitive content box, click Remove to confirm.

Restore sensitive content

If needed, you can restore sensitive content to the log within the 180-day retention period.

You must be signed in as a super administrator for this task.

  1. Repeat Steps 1, 2, and 3 above on this page to view sensitive content.
  2. At the top of the Log details panel, click Restore.
  3. Click Show sensitive content.
  4. In the Log details panel, next to Sensitive content snippets, click the Right arrow to expand the rows containing sensitive content.

After the original 180-day retention period, the DLP snippets are deleted, regardless of whether you restore them.

Admin Data Action log events

You can search the Admin Data Action log events to keep track of admins who accessed, removed, or restored sensitive content. For details, go to Admin Data Action log events.

Related topic

How to use predefined content detectors

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
2885143809625641219