DLP incidents report

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, and Drive Enterprise editions.

Available for beta customers only

As an administrator, you can use data loss prevention (DLP) to control what sensitive information users can share. A DLP incident occurs when a DLP rule is broken. For example, a document that contains a personal identification number gets shared externally.

You can use the DLP incidents report to see the number of DLP incidents in a specified date range. The report breaks incidents into 3 levels of severity—high, medium, and low. 

View the DLP incidents report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Dashboard.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. In the lower-right corner of the DLP incidents panel, click View Report.
  4. (Optional) To download a spreadsheet of the data to My Drive, click Export Sheet.

Note: You can hide lines in the graph by clicking the legend. For example, click Low Severity to hide this line in the graph. Hiding lines is useful if one line overlaps another.

Customize your report

At the top of the report, use the date range filter to customize data in the report. You can view data from today, yesterday, this week, last week, this month, last month, or a number of days ago (up to 180 days). Or, you can enter a start date and end date. Click Apply after you set the date range.

View DLP incidents 

Under the DLP incidents chart, you see a table that lists the daily DLP incident count for each level of severity by data source (Gmail or Google Drive).

The table lists these details: 

  • Date the incident occurred
  • Data source 
  • Number of high, medium, and low-severity incidents 

Tip: To narrow down the incidents in the table, use the filters above the list.

View DLP actions 

You can see a table of the actions that were triggered as a result of DLP incidents. To see the table, under the DLP incidents graph, click Actions.

The table lists these details: 

  • Action that was triggered
  • Data source (Gmail or Drive)
  • Number of high, medium, and low-severity incidents that triggered the action

By default, the table displays data for the time range specified at the top of the page. To view the top incidents for just one date, click the date in the DLP incidents graph.

Tip: To narrow down the actions in the table, use the filters above the list.
