Scan and protect Drive files using DLP rules

This feature is only available with G Suite Enterprise and G Suite for Education. Compare editions

As a G Suite administrator, you can prevent users from sharing sensitive content in Google Drive or Team Drives with people outside of your organization. You use Data Loss Prevention (DLP) rules to scan files for sensitive content. For example, if a user shares a file with bank account or tax ID numbers, you can send an email to super admins to let them know. You could also warn users when they try to share a file or completely block anyone outside of your organization from accessing the file. 

Tip: To see examples of sensitive content or test your own content, try the Data Loss Prevention Demo.

How rules work

You can work with a predefined template or create your own. You assign a rule to your whole domain, an organizational unit, or a group in Google Groups. For rules to apply to Team Drive files, you have to apply the rule to all users in your organization. If a sensitive item is detected, you determine what action to take. For details, see How to define a rule.

Create and edit rules

You must be signed in as a super administrator for this task.

Create rules using the predefined templates
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. Click Add or, at the top, click Templates to open the list of templates.
  4. Under Data Loss Prevention, select one of the templates from the predefined list.
  5. (Optional) Edit the rule title and rule description.
  6. (Optional) Under Triggers, Conditions, and Actions change or add any settings and click Done. See How to define a rule for details.
  7. Click Create And Activate.
Create rules using the blank template
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. Click Add or, at the top, click Templates to open the list of templates.
  4. Under Data Loss Prevention, click Blank Template.
  5. In the title field, enter your rule name and add a rule description below.
  6. Add Triggers, Conditions, and Actions and click Done. See How to define a rule for details.
  7. Click Create And Activate.
Edit rules
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Manage to see the list of DLP rules.
  4. Click the rule you want to modify.
  5. Under Triggers, Conditions, and Actions, edit any settings and click Done. See How to define a rule for details.
  6. Click Save And Activate.
How to define a rule

Triggers

The application files that the rule scans—currently only available for Drive, which includes Team Drives. 

Conditions

Customize how you apply the rule to users and content. 

  • Users—You can apply the rule to an organizational unit, a group in Google Groups, or both. To scan Team Drive files, you have to apply the rule to all users in your organization (top-level organization). The rule scans files owned by users in the selected organizations or groups. You can exempt groups, too. Add and exempt as many groups and organizations as you want. If you don't specify anything, the rule will apply to your top-level organization.
  • Content—You can have the rule trigger if it matches content from a predefined list of content detectors. You can also have the rule trigger if it matches a custom word list or regex (regular expression) that you select or add. Add as many types of content, word lists, and regular expressions as you want. Learn more about predefined content selectors and regular expressions.

    If you choose to match sensitive content, you need to set the confidence threshold. The threshold indicates how likely it is that the detected content meets your criteria. A medium threshold means that more files trigger the action. A high threshold can result in fewer files being shared that should have triggered the action, but possibly more files triggering the action that don't require it.

Actions

What the rule does when it finds an issue. Even if you don't choose an action, matching files are always flagged and listed in the report data. 

  • Block external access—Ensures that any files with sensitive content are blocked from anyone outside of your organization, even if they're added to a Team Drive.
  • Warn on external sharing—Informs a user that they're sharing a file with sensitive content.
  • Send email to super administrators—Sends an email to super admins when a user creates, edits, or uploads a file with sensitive content. An email is sent whenever the type of sensitive content in the file changes. The maximum number of emails sent is 25 emails in 2 hours.

Tip: If you notice a high number of false positives, create a pair of rules. In the first rule, add a strong action, such as Block external access, with the confidence threshold set to high. Next, create a second rule with a medium confidence threshold. For this rule, add the Warn on external sharing action.
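The detection model described under Content and in the FAQ (a predefined template becomes a regex, additional content parameters raise or lower the probability of a match, and each rule fires only when that confidence reaches its threshold), together with the two-rule pairing from the Tip, as an added Python example. This is illustration code, not Google's detector or any part of the Admin console: the Social Security number pattern, the context words, the 40-character context window and the three-level confidence scoring are all assumptions chosen to show how a high threshold trades false negatives for fewer false positives.

```python
import re
from dataclasses import dataclass

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed stand-in for one predefined detector (assumption, not Google's
# implementation). The regex finds candidates; two extra "content parameters"
# (a structural check and nearby context words) raise the confidence.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CONTEXT_WORDS = ("ssn", "social security", "tax id")
CONTEXT_WINDOW = 40  # characters of surrounding text to inspect (assumption)


def _structurally_valid(area: str, group: str, serial: str) -> bool:
    """Reject shapes a real SSN never uses: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def detect_confidence(text: str) -> str:
    """Return the highest confidence level reached by any candidate in the text."""
    best = "none"
    lowered = text.lower()
    for m in SSN_RE.finditer(text):
        level = "low"  # bare regex hit: many false positives (order refs, part numbers)
        if _structurally_valid(*m.groups()):
            level = "medium"
            window = lowered[max(0, m.start() - CONTEXT_WINDOW): m.end() + CONTEXT_WINDOW]
            if any(word in window for word in CONTEXT_WORDS):
                level = "high"  # plausible number labelled as such in the surrounding text
        if LEVELS[level] > LEVELS[best]:
            best = level
    return best


@dataclass(frozen=True)
class Rule:
    name: str
    threshold: str  # "medium" or "high"
    action: str     # "Block external access" or "Warn on external sharing"


# The pairing from the Tip: a strong action at high confidence, a warning at medium.
PAIRED_RULES = (
    Rule("PII - block", "high", "Block external access"),
    Rule("PII - warn", "medium", "Warn on external sharing"),
)


def evaluate(text: str, rules=PAIRED_RULES) -> dict:
    """Run every rule against the text. A rule fires when the detected confidence
    reaches its threshold. The confidence is always returned because a matching
    file is flagged in the report even when no action fires."""
    confidence = detect_confidence(text)
    actions = [r.action for r in rules if LEVELS[confidence] >= LEVELS[r.threshold]]
    return {"confidence": confidence, "actions": actions}


if __name__ == "__main__":
    # Constructed sample documents.
    for doc in ("Employee SSN: 123-45-6789 on file",
                "Order ref 123-45-6789 shipped",
                "Part number 000-12-3456",
                "Nothing sensitive here"):
        print(f"{doc!r}: {evaluate(doc)}")
```

With the pair of rules, a labelled number is blocked, an unlabelled but plausible number only produces a warning, and a regex hit that fails the structural check is flagged in the report without any action, which is the false-positive reduction the Tip is after.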

Monitor a rule or change

You can track rules that are added, edited, or deleted through the DLP scan. When a scan starts, you can find details about it and any changes in Tasks in the Admin console. For details, see Check the status of large tasks.

  • If you add, edit or delete a rule—A new DLP scan (and task) is triggered. 
  • If you modify a rule while a DLP scan is in progress—The scan restarts. The task associated with the scan is updated to show what was modified.
  • If another admin changes a rule when a DLP scan is in progress—The scan restarts and a new task is created for the other admin. The original task no longer tracks the scan.

Use rule audit data and templates

You must be signed in as a super administrator for this task.

View or export data about flagged items
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Audit to see the DLP rule audit report data.
  4. (Optional) To change the criteria that’s displayed, click Select columns. Any changes are saved and available the next time you sign in.
  5. To configure the table to only show certain elements, in the Filters section, enter the names or select the element in the following fields:
    1. Rule name—The rule that the flagged item has broken.
    2. Flagged item name—The name of the file that the rule flagged.
    3. Flagged item identifier—The name of the identifier in the file that the rule flagged.
    4. Item owner—The email of the file owner that the rule flagged.
    5. Team Drive ID—The number of the Team Drive where the file that the rule flagged resides.
    6. Matched content detectors—Select one of the custom or predefined matched content detectors.
    7. Date and time range—A start and end date and time for listing events.
      Each entry in the log is associated with a single event.
  6. To export the report data to a Google Sheets file in Drive or to download a CSV file with the report data, click Download. The file can contain a maximum of 200,000 cells. The maximum number of rows depends on the number of selected columns.
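Working with a downloaded audit CSV, as an added Python example that is not part of this article or of the Admin console. The column names follow the filter fields listed above; the rows are constructed sample data, and it is an assumption that the export's 200,000-cell limit counts the header row. The script applies the same filters the console offers (rule name, owner, detector, date range) and then deduplicates by Flagged item identifier, because each entry is a single event and one file matched by two rules appears twice.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export; column names follow the audit report's filter fields.
SAMPLE_CSV = """Rule name,Flagged item name,Flagged item identifier,Item owner,Team Drive ID,Matched content detectors,Date and time
PII - block,payroll-2019.xlsx,doc-001,alice@example.com,,US Social Security Number,2019-05-01T10:02:00Z
PII - warn,payroll-2019.xlsx,doc-001,alice@example.com,,US Social Security Number,2019-05-01T10:02:00Z
Finance,wire-instructions.docx,doc-002,bob@example.com,0ABcDeFgH,Bank account number,2019-05-01T11:15:00Z
PII - warn,intake-form.pdf,doc-003,alice@example.com,,US Social Security Number,2019-05-02T09:30:00Z
"""

MAX_CELLS = 200_000  # export limit stated in the article
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp layout of the constructed sample (assumption)


def max_export_rows(selected_columns: int) -> int:
    """Rows (including the header, an assumption) that fit in one export for a column selection."""
    if selected_columns <= 0:
        raise ValueError("select at least one column")
    return MAX_CELLS // selected_columns


def load_report(csv_text: str) -> list:
    """Parse an export into one dict per event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_report(rows, equals=None, start=None, end=None) -> list:
    """Keep rows whose columns equal the given values and whose timestamp lies in [start, end]."""
    equals = equals or {}
    kept = []
    for row in rows:
        if any(row.get(col) != val for col, val in equals.items()):
            continue
        ts = datetime.strptime(row["Date and time"], TS_FORMAT)
        if start and ts < datetime.strptime(start, TS_FORMAT):
            continue
        if end and ts > datetime.strptime(end, TS_FORMAT):
            continue
        kept.append(row)
    return kept


def summarize(rows) -> dict:
    """Count events, distinct flagged files, and events per owner, detector and Team Drive."""
    return {
        "events": len(rows),
        "unique_items": len({r["Flagged item identifier"] for r in rows}),
        "by_owner": Counter(r["Item owner"] for r in rows),
        "by_detector": Counter(r["Matched content detectors"] for r in rows),
        "team_drive_events": sum(1 for r in rows if r["Team Drive ID"]),
    }


if __name__ == "__main__":
    rows = load_report(SAMPLE_CSV)
    print("all events:", summarize(rows))
    print("alice only:", summarize(filter_report(rows, {"Item owner": "alice@example.com"})))
    print("from 2 May:", summarize(filter_report(rows, start="2019-05-02T00:00:00Z")))
    print("rows that fit with all 7 columns selected:", max_export_rows(7))
```

Counting distinct Flagged item identifiers rather than rows is what tells you how many files actually need attention; the per-owner and per-detector counters are the first thing to look at when deciding whether a rule's threshold is producing too many false positives.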
View or filter DLP templates
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Templates.
  4. (Optional) To change the criteria that’s displayed, click Select columns. Any changes are saved and available the next time you sign in.
  5. (Optional) To configure the table to only show certain elements, in the Filters section, enter the names or select the element in the following fields:
    1. Template name—The name of the previously defined template.
    2. Template description—The description of the previously defined template.
    3. Category—Currently, Data Loss Prevention is the only category type supported.
    4. App—The application files that the rule scans. Currently, DLP rules are only available for Drive files.

FAQ

Which predefined content detectors are supported?

DLP for Drive supports a large number of predefined detectors. More will be added as the DLP platform evolves.

Is detection 100% guaranteed?

No. We can't guarantee that all sensitive data will get caught and flagged. The DLP-detection system translates predefined templates into regexes (regular expressions) and uses additional content parameters to determine the probability of a match. There might be false positives and negatives, which are triggered by many factors.

Do users find out why they can't share a file?

Users get a DLP-specific message to let them know why sharing is blocked. If there are multiple violations, the message specifies the first detector that's matched.

When rules are modified or added, does the system scan previously created files?

Yes. All files are scanned anytime a rule is added or modified. Scanning the files can take a few hours, a day, or longer depending on a variety of factors, including the number of files in the domain.

Could a file be scanned more than once?

Yes. To help ensure sensitive content is detected, the scanning process sometimes scans documents twice. So, the number of files affected by a rule change can vary between scans.
