Supported editions for this feature: Chrome Enterprise Premium.
Evidence Locker, available with Chrome Enterprise Premium, allows administrators to inspect files flagged as malware or violating Data Protection rules, providing greater visibility and control over potential risks. Files are saved to your organization's Google Cloud Storage bucket and can be downloaded by the security administrator from the Google Workspace Security Investigation Tool (SIT).
Before you begin
The following are required:
- Chrome browser.
- A Chrome Enterprise Premium license. For more information and to sign up, see Enhance security with Chrome Enterprise Premium or the Chrome Enterprise Premium overview.
- To view and manage your Chrome Enterprise Premium license, go to Menu > Billing > Subscriptions. Requires having the Billing Management administrator privilege.
Set Up Evidence Locker
Step 1: Create a Google Cloud Storage bucket
Evidence Locker stores suspicious or sensitive files in a Google Cloud Storage (GCS) bucket. You'll need to create a bucket using the following steps. Some familiarity with Google Cloud Storage is helpful.
Tip: A data loss prevention (DLP) rule that's too broad can save many files to the bucket, leading to high storage costs and a larger store of sensitive content to protect. Create rules that save only highly suspicious files.
- Create a Google Cloud project. For instructions, see Creating and managing projects.
- Grant the service account and the Google Cloud user the Storage Admin role in the Google Cloud project that contains the bucket. See Granting roles at the project level, bucket level, or managed folder level.
- Enable the Cloud Resource Manager API for the project:
  - The Cloud Resource Manager API allows you to programmatically manage container resources, such as organizations and projects, in Google Cloud.
  - Go to Cloud Resource Manager API for the project_number.
- Create a bucket with a customer-managed encryption key (CMEK):
  - Enable the Cloud KMS API. See Use customer-managed encryption keys.
  - (Optional) To create a CMEK key ring and key, go to Security > Key Management > Create Keyring.
  - Create a bucket at Cloud Storage > Buckets. See Create buckets.
  - The GCS bucket must be owned by your organization and within the same domain.
  - The CMEK must be in the same region as the bucket. Learn more
- (Optional but recommended) Set a time to live (TTL) on the stored files with an object lifecycle rule, for example to delete them automatically after 30 days.
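The bucket requirements above can be scripted with the gcloud CLI. The following is an added example, not part of the help page and not Google's own tooling; the project, bucket, key ring, key and service account names are placeholders you must replace. It enables the two APIs, creates the key ring and key, authorizes the Cloud Storage service agent on the key, creates the bucket with that key as its default encryption key, applies a delete-after-TTL lifecycle rule, and grants the Evidence Locker service account the Storage Admin role on the project, which is what the page requires. The `same_location` check refuses to proceed when the key's location does not match the bucket's, which is the page's CMEK constraint. With `DRY_RUN=1` (the default) the gcloud commands are printed rather than executed, so you can review them first.

```shell
#!/bin/sh
# Added example (not from the Google Workspace help page): provisions an
# Evidence Locker bucket with gcloud. All names below are placeholders.
# DRY_RUN=1 (default) only prints the gcloud commands; DRY_RUN=0 runs them.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"            # assumption: your project
BUCKET_LOCATION="${BUCKET_LOCATION:-us-central1}"      # bucket region
KMS_LOCATION="${KMS_LOCATION:-$BUCKET_LOCATION}"       # must equal BUCKET_LOCATION
BUCKET="${BUCKET:-example-evidence-locker}"
KEYRING="${KEYRING:-evidence-locker-kr}"
KEY="${KEY:-evidence-locker-key}"
SA_EMAIL="${SA_EMAIL:-evidence-locker@example-project.iam.gserviceaccount.com}"
TTL_DAYS="${TTL_DAYS:-30}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Object lifecycle policy that deletes objects older than $1 days (the TTL).
lifecycle_json() {
  printf '{"rule":[{"action":{"type":"Delete"},"condition":{"age":%d}}]}\n' "$1"
}

# Extract the location from a Cloud KMS key resource name
# (projects/P/locations/L/keyRings/R/cryptoKeys/K -> L). Prints nothing if
# the name is malformed.
key_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/keyRings/.*#\1#p'
}

# The CMEK must be in the same location as the bucket; fails otherwise.
same_location() {
  [ -n "$(key_location "$1")" ] && [ "$(key_location "$1")" = "$2" ]
}

provision() {
  key_name="projects/$PROJECT_ID/locations/$KMS_LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY"
  if ! same_location "$key_name" "$BUCKET_LOCATION"; then
    echo "CMEK location ($KMS_LOCATION) must match bucket location ($BUCKET_LOCATION)" >&2
    return 1
  fi
  lifecycle_file="$(mktemp)"
  lifecycle_json "$TTL_DAYS" > "$lifecycle_file"

  # APIs the page asks you to enable: Cloud Resource Manager and Cloud KMS.
  run gcloud services enable cloudresourcemanager.googleapis.com cloudkms.googleapis.com \
    --project="$PROJECT_ID"
  # Key ring and symmetric encryption key for CMEK.
  run gcloud kms keyrings create "$KEYRING" --location="$KMS_LOCATION" --project="$PROJECT_ID"
  run gcloud kms keys create "$KEY" --keyring="$KEYRING" --location="$KMS_LOCATION" \
    --purpose=encryption --project="$PROJECT_ID"
  # Allow the Cloud Storage service agent to use the key, then create the bucket
  # with the key as its default encryption key and uniform bucket-level access.
  run gcloud storage service-agent --project="$PROJECT_ID" --authorize-cmek="$key_name"
  run gcloud storage buckets create "gs://$BUCKET" --project="$PROJECT_ID" \
    --location="$BUCKET_LOCATION" --default-encryption-key="$key_name" \
    --uniform-bucket-level-access
  # TTL: delete stored evidence after TTL_DAYS.
  run gcloud storage buckets update "gs://$BUCKET" --lifecycle-file="$lifecycle_file"
  # Storage Admin on the project for the Evidence Locker service account.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" --role="roles/storage.admin"
  rm -f "$lifecycle_file"
}

provision
```

Run it once with `DRY_RUN=1` to inspect the commands, then with `DRY_RUN=0` against a project you have Owner or equivalent rights on. Setting `KMS_LOCATION` to a region other than `BUCKET_LOCATION` makes the script stop before any resource is created.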
Step 2: Turn on Chrome Enterprise Security Services
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu > Apps > Additional Google Services. Requires having the Service Settings administrator privilege.
- Click Chrome Enterprise Security Services.
- Click On for everyone or Off for everyone and then click Save.
- (Optional) To turn a service on or off for an organizational unit:
  - At the left, select the organizational unit.
  - To change the Service status, select On or Off.
  - Choose one:
    - If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
    - If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
  Note: Learn more about organizational structure.
Step 3: Configure Evidence Locker settings
- Click Evidence Locker settings.
- Click Enter the Google Cloud Storage bucket name.
- If you do not have a service account, click Generate a service account. A service account is required to continue.
- Add the service account to your Google Cloud Storage (GCS) bucket. Important: The service account must have Storage Admin privileges in the GCP project that contains the bucket. See Create a Google Cloud Storage Bucket.
  - In the Google Cloud console, go to Menu > IAM & Admin > Manage resources.
  - Go to the GCS project that contains the bucket.
  - Click the Permissions tab.
  - Select the Evidence Locker service account.
  - Click Grant Access.
  - In New principals, enter the service account you just generated.
  - In Role, select Storage Admin.
  - (Optional) Non-super-admin users must also have Storage Admin privileges in the GCP project that contains the bucket. This is required to select a GCS bucket from the project.
  - Click Save.
- In the Google Workspace Admin console Evidence Locker settings, enter the Google Cloud bucket name.
- (Optional) To keep copies of files that are flagged as malware in the Evidence Locker, select Save content containing malware to Evidence Locker.
- Click Save.
Step 4: Save files flagged as malware to Evidence Locker
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu > Apps > Additional Google Services. Requires having the Service Settings administrator privilege.
- Click Chrome Enterprise Security Services.
- Click Evidence Locker settings.
- Click the button and wait for your organization's service account to display.
- Below the bucket name field, select Save content containing malware to Evidence Locker.
Step 5: Save files that violate Data Protection rules to Evidence Locker
You can copy files to the Evidence Locker bucket when a Data Protection rule violation occurs. Only files triggered by the following actions are copied:
- File uploaded
- File downloaded
Content that is flagged using "Content pasted" is not copied to Evidence Locker.
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- From the Admin console Home page, go to Security > Investigation tool and click Create activity rule.
  —OR—
  From the Admin console Home page, go to Rules, and then click Create rule > Activity.
- Click Chrome Enterprise Security Services.
- At the top, in Classify and protect sensitive content, click Create rule to create a new rule, or View list to modify an existing rule.
- In Actions, under Evidence Locker, select Save uploaded, downloaded, or printed content detected by this rule in Evidence Locker.
For more information, see Create and manage activity rules.
Monitor and download files from Evidence Locker
Important: Evidence Locker's Data Protection rules are highly configurable. Your organization is responsible for ensuring compliance with employee privacy policies and for all storage costs in the Google Cloud Storage bucket. Be mindful that extensive file storage from Data Protection rules can lead to substantial Google Cloud Storage fees.
In the Chrome log events
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu > Security > Security center > Investigation tool. Requires having the Security center administrator privilege. The following specific Security center administrator privileges are required (see Admin privileges of Security Investigation Tool):
  - To download and manage suspicious files: Manage > Chrome
  - To view the content of suspicious files: View sensitive Content > Chrome
- Click Data source and select Chrome log events.
- Locate the entries for your search and scroll to the right.
- Under the Evidence Locker Filepath column, click the link to the stored file. The file details are displayed in the side panel, for example the file's original name and path in the Google Cloud Storage bucket.
- At the bottom, click Download file.
- The downloaded zip file is password protected. The password is protected. Because the archive can contain live malware or sensitive data, extract it only in an isolated analysis environment, never on a production workstation.
In the Rule log events
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu > Security > Security center > Investigation tool. Requires having the Security center administrator privilege.
- Click Data source and select Rule log events. Click Search.
- Locate the Action complete row for the desired rule and scroll to the right to find the Evidence Locker Filepath column. This is the path where the file is stored.
- Click More to see additional actions.