You can use the Chrome audit log to see events related to managed Chrome browsers and Chrome OS devices. For example, you can see when there has been an unsafe site visit.
For other services and activities, such as Google Drive and user activity, go to the list of available audit logs.
Before you begin
To see all Chrome events:
- The browser must be managed by either Chrome Browser Cloud Management or a Chrome OS device that has been enrolled into a domain.
- For Chrome Threat and Chrome Data Protection events, you must set up BeyondCorp Enterprise. For more information, go to Protect Chrome users with BeyondCorp Threat and Data Protection.
From the Admin console Home page, go to Reports.
- On the left, click AuditChrome.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Chrome audit log provides the following information:
|Event name||The action that was logged, such as Content unscanned or Unsafe site visit|
|Date||Date and time of the event (displayed in your browser's default time zone)|
|Event reason||Details about the action, such as File is password protected|
|Device name||The name of the device|
|Device user||The user's name as reported by the OS|
|Profile user name||The Chrome browser profile username|
|URL||The URL that generated the event|
|Device platform||The OS that the browser is running on|
|Device ID||The ID of the device. The value is platform-specific.|
|Browser version||Number assigned to the version of Chrome browser, such as 69.0.3497.23|
|Triggered rules reason||The name of the DLP rule that was triggered as a result of the event|
|Event result||The result of the event based on the policies and rules set. Can be one of the following: Bypassed, Blocked, Warned, Allowed, or Detected.|
|Content name||The name of the content downloaded, could be a filename|
|Content size||The size of the downloaded content, in bytes|
|Content hash||The SHA256 hash of the content|
|Content type||The media (MIME) type of content downloaded, such as text/html|
|Trigger type||The user action that triggered the event, such as:
|Trigger user||The username relating to the event:
|User agent||The user agent string of the browser used to access the content. For example, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4140.0 Safari/537.36.|
At Add a filter, select an Event name to filter data for that event. The Chrome audit log shows various events related to Chrome.
Chrome Threat events
Chrome Threat events are available only for customers who have purchased BeyondCorp Enterprise. For more information about BeyondCorp and how to set it up, go to Protect Chrome users with BeyondCorp Threat and Data Protection.
|Malware transfer||The content uploaded or downloaded by the user is considered to be malicious, dangerous, or unwanted|
|Unsafe site visit||The URL visited by the user is considered to be deceptive or malicious|
|Password reuse||The user has entered a password into a URL that’s outside of the list of allowed enterprise login URLs|
|Password changed||The user resets their password for the first-signed-in user account|
Chrome Data Protection events
Chrome Data Protection events are available only for customers who have purchased BeyondCorp Enterprise. For more information about BeyondCorp and how to set it up, go to Protect Chrome users with BeyondCorp Threat and Data Protection.
|Sensitive data transfer||The content uploaded, downloaded, or pasted by the user is considered to contain sensitive data, as detected by the Data Protection rules|
|Content unscanned||There are multiple reasons why a file is unscanned, including
|Content transfer||Content was uploaded or downloaded from Chrome and sent for Malware or Sensitive data scanning|
When and how long is data available?
Go to Data retention and lag times.