Investigate and take action on suspicious files

Evidence Locker stores suspicious or sensitive files in a Google Cloud Storage (GCS) bucket. You'll need to create a bucket using the following steps. Some familiarity with Google Cloud Storage is helpful. 

Tip: A Google Cloud Data Loss Prevention (DLP) rule that's too lenient can save many files to the bucket, leading to high storage costs. Create rules that save only highly suspicious files.

1. Create a Google Cloud project. For instructions, see Creating and managing projects.
   • The service account and the Google Cloud user need Storage Admin privileges in the Google Cloud project containing the bucket. See Granting roles at the project level, bucket level, or managed folder level.
2. Enable the Cloud Resource Manager API for the project:
   • The Cloud Resource Manager API allows you to programmatically manage container resources, such as organizations and projects, in Google Cloud.
   • Go to Cloud Resource Manager API for the project_number.
3. Create a Bucket with Customer Managed Encryption Key (CMEK).
   • Enable the KMS API. See Use customer-managed encryption keys.
   • (Optional) To create a CMEK key ring and key, go to Security > Key Management > Create Keyring.
   • Create a bucket at Cloud Storage > Buckets. See Create buckets.
     • The GCS bucket must be owned by your organization and within the same domain.
     • The CMEK must be in the same region as the bucket. Learn more
   • (Optional but recommended): Set a Time to Live (TTL) on the files. For example, automatically delete them after 30 days.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Apps > Additional Google Services.

   Requires having the Service Settings administrator privilege.

3. Click Chrome Enterprise Security Services.
4. Click On for everyone or Off for everyone and then click Save.
5. (Optional) To turn a service on or off for an organizational unit:

   1. At the left, select the organizational unit.
   2. To change the Service status, select On or Off.
   3. Choose one:
      • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
      • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        Note: Learn more about organizational structure.
6. Click Evidence Locker settings.
7. Click Enter the Google Cloud Storage bucket name.
8. If you do not have a service account, click Generate a service account. A service account is required to continue.
9. Add the service account to your Google Cloud Storage (GCS) bucket.
   Important: The service account must have Storage Admin privileges in the GCP project that contains the bucket. See Create a Google Cloud Storage Bucket.
   1. In the Google Cloud console, go to MenuIAM & AdminManage resources.
   2. Go to the GCS project that contains the bucket. 
   3. Click the Permissions tab.
   4. Select the Evidence Locker service account.
   5. Click Grant Access.
   6. In New principle, enter the service account you just generated.
   7. In Role, select Storage Admin.
   8. (Optional): Non super-admin users must also have Storage Admin privileges In the GCP project that contains the bucket. This is required to select a GCS bucket from the project.
   9. Click Save.
10. In the Google Workspace admin console Evidence Locker settings, enter the Google Cloud bucket name. 
11. (Optional) To keep copies of files that are flagged as malware in the Evidence Locker, select Save content containing malware to Evidence Locker.
12. Click Save.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Apps > Additional Google Services.

   Requires having the Service Settings administrator privilege.

3. Click Chrome Enterprise Security Services.
4. Click Evidence Locker settings.
5. Click  and wait for your organization’s service account to display.
6. Below the bucket name field, select Save content containing malware to Evidence Locker.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. From the Admin console Home page, go to Security > Investigation tool and click Create activity rule.
   
   —OR—
   
   From the Admin console Home page, go to Rules, and then click Create rule > Activity.
3. Click Chrome Enterprise Security Services.
4. At the top, in Classify and protect sensitive content, click Create rule to create a new rule, or View list to modify an existing rule.
5. In Actions, under Evidence Locker, select Save uploaded, downloaded, or printed content detected by this rule in Evidence Locker.

For more information, see Create and manage activity rules.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Security center > Investigation tool.

   Requires having the Security center administrator privilege.

   The following specific Security center administrator privileges are required. See Admin privileges of Security Investigation Tool.

   • To download and manage suspicious files:
     Manage > Chrome
   • To view the content of suspicious files:
     View sensitive Content > Chrome
3. Click Data source and select Chrome log events.
4. Locate the entries for your search and scroll to the right. 
5. Under the Evidence Locker Filepath column, click the link to the stored file.
   The file details are displayed in the side panel. For example, the file’s original name and path in the Google Cloud Storage bucket.
6. At the bottom, click Download file.
7. The downloaded zip file is password protected. The password is protected.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Security center > Investigation tool.

   Requires having the Security center administrator privilege.

3. Click Data source and select Rule log events. Click Search.
4. Locate the Action complete row with desired rule and scroll to the right to find the Evidence Locker Filepath column.
5. This is the path where the file is stored. Click More  to see additional actions.