Stop data loss with DLP for Drive

Create DLP for Drive rules and custom content detectors

DLP for Drive rules and content detectors

Supported editions for this feature: Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus. Compare your edition.

DLP for Drive is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Drive audit log.

Using data loss prevention (DLP) for Drive, you can create complex rules that combine triggers and conditions. You can also specify an action that sends a message to the user telling them that their content has been blocked.

Create DLP for Drive rules and custom content detectors

Step 1: Plan your rules

Plan and then create rules

DLP allows you to create rules to protect sensitive content. Before creating these rules, decide on the conditions you will add to them. Go to DLP rule examples for example rules. Rule conditions can stand alone, or can nest in other conditions using AND, OR, or NOT operators. Go to DLP for Drive rule nested conditions operators examples for examples of nested conditions.

Rule conditions can use custom content detectors that you create, such as a content detector that contains a list of words or a regular expression. Creating these is described in Step 2. Create a custom detector. Alternatively, create conditions that use predefined content detectors, which scan for personal information such as a driver’s license number or taxpayer ID. Go to How to use predefined content detectors for descriptions of these predefined content detectors.

For suggestions on how to improve rules testing, including setting up a rules test environment, go to Best practices for faster rules testing.

Use audit-only rules to test rule results (optional, but recommended)

You can create an audit-only rule to test rules you create in DLP. This lets you test the potential impact of a rule for Google Drive. Like all rules, audit-only rules trigger, but they take no action other than writing results to the Rules audit log and the investigation tool.

To create and use an audit-only rule:

  1. Follow the rule creation steps in Step 3. Create rules.
  2. When you get to the Action section of rule creation, do not select an action. The actions are optional. The rule will trigger without an action associated with it, and all incidents are logged in the Rules audit log. In this case, the rule shows the designation Audit only in the Action section.
  3. Continue and complete rule configuration. Make sure the rule is Active.
  4. Test the functionality yourself, or wait for the users in your domain to naturally share data that might be affected by this rule.
  5. View the Rules audit log. Go to Rules audit log or Investigation tool for details. The audit log will list rules with no triggered action when you use an audit-only rule.
  6. When you are sure the rule is configured exactly as you want, change the rule to have an action apply (as described in Step 3. Create rules).

What are recommended rules?

Recommended rules are DLP rules recommended to you based on the results of the Data protection insights report. For example, if the report lists passport numbers as a shared data type in your organization, DLP recommends a rule to prevent the sharing of passport numbers.

You receive rule recommendations only if you have the Data protection insights report turned on. Go to Prevent data leaks with Data protection recommended rules for details.

Step 2: Create a custom detector (optional)

Create custom detector if needed

These are general instructions for creating a custom detector, if you need to use one in rule conditions.

Create a DLP detector to use with rules

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Data protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Detectors.
  4. Click Add detector. Add the name and description.

    You can select:

    • Regular expression—A regular expression, also called a regex, is a method for matching text with patterns. Click Test Expression to verify the regular expression. See Examples of regular expressions.
    • Word list—A custom word list you create. This is a comma-separated list of words to detect. Capitalization is ignored. Only complete words are matched. You can add a pop-up message to appear when content is detected. Words in word list detectors must contain at least 2 characters that are letters or digits. 
  5. Click Create. Later, use the custom detector when you add conditions to a rule.

Step 3: Create rules

These are general instructions for creating rules.

Create a DLP rule

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Data protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules. Then click Add rule > New rule, or click Add rule > New rule from template. For templates, select a template from the Templates page.
  4. In the Name section, add the name and description of the rule.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. The rule scans files owned by users in the selected organizations or groups. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.
  6. Click Continue. In the Triggers section, choose the trigger for Google Drive, File modified.
  7. In the Conditions section, click Add Condition and select a field type. Values for these field types let you create specific conditions that control scans of the Drive document content.

    Rules can scan these field types (which are various parts of documents):

    • Title: Document title
    • Body: Body of the document
    • Suggestions: Content added to the document while in Suggestions mode
    • All content: All of the document content, including the document title, body, and any suggestions

    This table lists the values and their attributes for each field type:

    Fields: All content, Body, Suggestions, Title, URL
    Value: Contains
    Attributes:
    • Enter contents to match—Enter a substring, number, or other characters to search on. Specify whether the content is case sensitive. For example, if the rule contains the substring key and the document contains the word key, there is a match.

    Fields: All content, Body, Suggestions, Title, URL
    Value: Matches default detector
    Attributes:
    • Default detector—Select a predefined classifier.
    • Likelihood Threshold—Select a likelihood threshold. Available thresholds are:
      • Very low confidence
      • Low confidence
      • Possible
      • Likely
      • Very likely
      These thresholds reflect the DLP system’s confidence in the match result. In general, the Very likely threshold matches less content with higher precision. Very low confidence is a wider net that is expected to match more files but with lower precision.
    • Minimum match count—The minimum number of times any matched results must appear in a document to trigger the action.
    • Minimum unique matches—The minimum number of times a matched result must uniquely occur in a document to trigger the action.

    How do Minimum match count and Minimum unique matches work? For example, think of two lists of Social Security Numbers: the first list has 50 copies of the exact same number, and the second list has 50 unique numbers.

    In this case, if the Minimum match count value equals 10, results will trigger on both lists, since there are at least 10 matches in both.

    Or, if the Minimum unique matches value equals 10 and the Minimum match count value equals 1, results will trigger only on the second list, since there are 10 matches and they're all matching unique values.

    Fields: All content, Body, Suggestions, Title, URL
    Value: Matches regex detector
    Attributes:
    • Regex detector—A regular expression custom detector.
    • Minimum times the pattern detected—The minimum number of times the pattern expressed by the regular expression must appear in a document to trigger the action.

    Fields: All content, Body, Suggestions, Title
    Value: Matches word list detector
    Attributes:
    • Word list—Select a custom word list.
    • Match mode—Select either Match any word or Match minimum number of unique words.
    • Minimum unique words detected—The least number of unique words that must be detected to trigger the action.
    • Minimum total times any word detected—The least number of times a word must be detected to trigger the action (for the Match minimum number of unique words option only).

    Field: Title
    Value: Contains word
    Attributes:
    • Enter contents to match—Enter the word, number, or other characters to search on. Specify whether the content is case sensitive.

    Fields: Title, URL
    Value: Ends with
    Attributes:
    • Enter contents to match—Enter the word, number, or other characters to search on. Specify whether the content is case sensitive.

    Field: Title
    Value: Starts with
    Attributes:
    • Enter contents to match—Enter the word, number, or other characters to search on. Specify whether the content is case sensitive.

    You can use AND, OR, or NOT operators with conditions. Go to DLP for Drive rule nested condition operator examples for details on using AND, OR, or NOT operators with conditions.

  8. Click Continue. In the Action section, you can optionally select the action to occur if sensitive data is detected in the scan:
    • Block external sharing—Prevents sharing of the document.
    • Warn on external sharing—Share the document, but warn of the violation.
    • Beta: Disable download, print, and copy for commenters and viewers—Prevents downloading, printing, and copying unless the user has editor privilege or greater. This feature is DLP Information Rights Management (IRM), and uses Drive sharing settings as policies, so users can’t download, print, or copy Google Drive docs, sheets, or slides on all platforms. Go to IRM FAQs for more details.

    Want to test a rule before adding an action to it?
    You can create an audit-only rule to test a rule that writes to the audit log without taking an action. Selecting an action is optional. Go to Use audit-only rules to test rule results (optional, but recommended) for details.

  9. In the Severity & Alerts section, choose a severity level (Low, Medium, High). The severity level affects how incidents are plotted in the DLP Incident dashboard (the number of incidents with High, Medium or Low severity) over time.
  10. Optionally, click the Alerts button to trigger notifications. Alerts are supported for Google Drive only. Go to View alert details for more information.

    Check the box to alert all super admins, or add the email addresses of additional recipients. Only recipients that belong to your organization can be added; external recipients are ignored. Recipients can be users or groups. Remember that you must set up access for selected groups so these groups can receive the email sent to them. Go to Configure alert center email notifications for details on setting group access for email notifications.

    Alerts are listed in the Alert Center. Note that there is a time lag between when an alert occurs and when it is logged, and between when an alert is shown in the Alert Center and when the Rules audit log and the DLP security dashboards are updated. You may receive an alert and view the alert summary, but the incident count on the dashboards or in the audit logs in the Investigation Tool needs time to update. There can be up to 50 alerts per rule per day; alerts occur until this threshold is met.

  11. Click Continue and review the rule details.
  12. Click Create and choose:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  13. Click Complete. It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.
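The condition attributes in step 7 above (word list detectors, regex detectors, and the Minimum match count and Minimum unique matches thresholds) are easier to reason about when written out as code. The following Python is an added example for this page, not Google's code and not how the DLP service is implemented: it models the word list rules the page states (capitalization ignored, only complete words matched, entries need at least two letters or digits), the two word list Match modes, a regex detector, and the two thresholds, then replays the page's two-list Social Security number scenario on constructed, fake values. The predefined detector is stood in for by an assumed regular expression; likelihood thresholds are not modeled.

```python
"""Model of DLP for Drive detector and threshold semantics.

Added illustration only: not Google's code and not the DLP service's
implementation. The predefined "United States - Social Security Number"
detector is replaced by an ASSUMED regular expression (SSN_STAND_IN).
"""
from __future__ import annotations

import re

# Assumption: a simple pattern standing in for the predefined SSN classifier.
SSN_STAND_IN = r"\b\d{3}-\d{2}-\d{4}\b"


def word_list_matches(text: str, words: list[str]) -> list[str]:
    """Return each occurrence of a word-list entry found in text (lowercased).

    Capitalization is ignored and only complete words match, so the entry
    'bad' does not match 'badminton'. Entries with fewer than two letters or
    digits are rejected, as the detector editor rejects them.
    """
    hits: list[str] = []
    for entry in (w.strip() for w in words):
        if sum(ch.isalnum() for ch in entry) < 2:
            raise ValueError(f"word list entry {entry!r} needs at least 2 letters or digits")
        pattern = r"(?<!\w)" + re.escape(entry) + r"(?!\w)"
        hits.extend(m.group(0).lower() for m in re.finditer(pattern, text, re.IGNORECASE))
    return hits


def word_list_triggers(text: str, words: list[str], match_mode: str = "any",
                       min_unique_words: int = 1, min_total: int = 1) -> bool:
    """Apply the two Match mode options of a word list condition.

    'any'    (Match any word): any single occurrence of any listed word triggers.
    'unique' (Match minimum number of unique words): at least min_unique_words
             distinct words AND at least min_total occurrences overall.
    """
    hits = word_list_matches(text, words)
    if match_mode == "any":
        return len(hits) >= 1
    if match_mode == "unique":
        return len(set(hits)) >= min_unique_words and len(hits) >= min_total
    raise ValueError(f"unknown match mode {match_mode!r}")


def regex_matches(text: str, pattern: str) -> list[str]:
    """Return every match of a regex detector (also used for the SSN stand-in)."""
    return [m.group(0) for m in re.finditer(pattern, text)]


def thresholds_met(matches: list[str], min_match_count: int = 1,
                   min_unique_matches: int = 1) -> bool:
    """Minimum match count counts every occurrence; Minimum unique matches counts
    distinct values. Both must be satisfied for the condition to trigger."""
    return len(matches) >= min_match_count and len(set(matches)) >= min_unique_matches


def ssn_list_demo() -> dict[str, dict[str, bool]]:
    """Replay the page's two-list example with constructed, fake numbers."""
    same_number = " ".join(["123-45-6789"] * 50)                              # 50 copies of one value
    unique_numbers = " ".join(f"{100 + i:03d}-45-6789" for i in range(50))    # 50 distinct values
    results: dict[str, dict[str, bool]] = {}
    for name, doc in {"same": same_number, "unique": unique_numbers}.items():
        found = regex_matches(doc, SSN_STAND_IN)
        results[name] = {
            # Minimum match count 10: both lists hold at least 10 occurrences.
            "count>=10": thresholds_met(found, min_match_count=10, min_unique_matches=1),
            # Minimum unique matches 10 with count 1: only the distinct list qualifies.
            "unique>=10": thresholds_met(found, min_match_count=1, min_unique_matches=10),
        }
    return results


if __name__ == "__main__":
    # Constructed sample text for the word list detector.
    sample = "Bluebird status: BLUEBIRD pilot on track; badminton tonight. bluebird."
    print(word_list_matches(sample, ["bluebird", "bad"]))                          # three hits, none for 'bad'
    print(word_list_triggers(sample, ["bluebird", "bad"], "unique", min_unique_words=2))  # False
    print(ssn_list_demo())
```

Run it as-is to see the thresholds decide differently on the two lists: the same-number list passes a match count of 10 but fails a unique-match count of 10, exactly as the text above describes, while the whole-word rule keeps `badminton` from counting as `bad`.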

Step 4: Tell users about the new rule

Set user expectations about new rules

Set user expectations as to the behavior and consequences of the new rule. For example, you might choose to block external sharing when sensitive data is detected. In that case, tell users that they sometimes might not be able to share docs, and let them know why this could occur.

DLP rule examples

Examples of using a predefined classifier, a custom detector, and a rule template.

Example 1: Protect Social Security numbers using a predefined classifier

This example shows how to use a predefined classifier to prevent users in specific organizations and groups from sharing sensitive data. You can use predefined classifiers to specify commonly entered data. In this example, that data is Social Security numbers.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Data protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules. Then click Add rule > New rule.
  4. Add the name and description for the rule.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.
  6. Click Continue. Under Triggers, for Google Drive select File modified.
  7. In the Conditions section, click Add Condition and select the following values:
    • Field—All content.
    • Value—Matches default detector.
    • Default detector—United States - Social Security Number.
    • Likelihood Threshold—Very likely. An extra measure used to determine whether documents trigger the action.
    • Minimum unique matches—1. The minimum number of times a unique match must occur in a document to trigger the action.
    • Minimum match count—1. The number of times the content must appear in a document to trigger the action. For example, if you select 2, content must appear at least twice in a document to trigger the action.
  8. Click Continue. Under Google Drive, select Block external sharing.
  9. Under Severity & Alerts, choose the severity level High. Activate an alert and enter recipients.

    There is a time lag between when an alert occurs and when it is logged. Admins can receive up to 50 alerts per rule per day, receiving alerts until this threshold is met.

  10. Click Continue to review the rule details.
  11. Click Create and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  12. Click Complete.

    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Example 2: Protect internal names using a custom detector

This example shows how to set up a custom detector. You can list words to be detected in a custom detector. Use trigger settings in rules to prevent users from sharing documents with external recipients when those documents mention sensitive data, such as internal project names.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Data protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Detectors. Then click Add detector > Word list.
  4. Provide a name and a description for the detector.
  5. Enter words to detect, separated by commas. In custom word lists:
    • Capitalization is ignored. For example, BAD matches bad, Bad, and BAD.
    • Only complete words are matched. For example, if you add bad to the custom word list, badminton isn't matched.
  6. Click Create.
  7. Click Manage Rules. Then click Add Rule > New rule.
  8. In the Rule name section, enter the name and, optionally, a description of the rule.
  9. In the Scope section, search for and select the organizational units or groups the rule applies to.
  10. Click Continue. In the Triggers section, under Google Drive check the File modified box.
  11. In the Conditions section, click Add Condition and select the following values:
    • Field—All content
    • Value—Matches word list detector
    • Word list—Scroll to find the detector you created above.
    • Match mode—Select a Match mode:
      • Match any word—Counts matches of any word in the word list
      • Match minimum number of unique words—Specify the minimum number of distinct words detected and the minimum total times any word is detected (counting only words in the word list)
    • Minimum total times any word detected—1
  12. Click Continue. Under Google Drive, select the Block external sharing action.
  13. Under Severity & Alerts, choose the severity level High. Activate an alert, and specify recipients. Note that there is a time lag between when an alert occurs and when it is logged. Admins can receive up to 50 alerts per rule per day, receiving alerts until this threshold is met.
  14. Click Continue to review the rule details.
  15. Click Create and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  16. Click Complete. It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Example 3: Protect personally identifiable information using a rule template

A rule template provides a set of conditions that cover many typical data protection scenarios. Use a rule template to set up policies for common data protection situations.

This example uses a rule template to block sending or sharing of a Drive document or email containing US personally identifiable information (PII).

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Data protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules
  4. Click Add Rule > New rule from template.
  5. On the Templates page, click Prevent PII information sharing (US).
  6. In the Name section, accept the default name and description of the rule or enter new values.
  7. In the Scope section, search for and select the organizational units or groups the rule applies to.
  8. Click Continue. Under Trigger, for Google Drive, the File modified box is checked. Conditions are preselected for the rule template. Review them if you want to see the specific conditions that apply to the rule. Severity is set to Low, and alerts are disabled.
  9. For Google Drive, Block external sharing is selected. Blocking sharing keeps users from sharing files that meet the conditions with users outside your organization.
  10. Click Continue to review the rule details.
  11. Click Create and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  12. Click Complete. It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Maintain DLP rules and custom content detectors

After you create DLP rules or custom detectors, you can view, edit, activate or inactivate, and otherwise maintain them. 

View existing rules and custom detectors

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Data protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules or Manage Detectors. The rules page is under Security > Data protection > Rules. The detectors page is under Security > Data protection > Detectors.

Work with DLP rules

Sort rules

You can sort rules by Name or Last modified columns in ascending or descending order. 

  1. On the rules page, click the Name or Last Modified column name.
  2. Click the up or down arrow to sort the column.

Activate or deactivate rules

If you activate a rule, DLP runs a scan on the documents covered by that rule.

  1. On the rules page, under the Status column for a rule, select Active or Inactive.
  2. Confirm that you want to activate or deactivate the rule. 

Delete a rule

Deleting rules is permanent.

  1. On the rules page, point to a row to show the trash can icon at the end of the row.
  2. Click the trash can icon.
  3. Verify that you want to delete the rule.

Export rules

You can export rules to a .txt file.

  1. On the rules page, click Export rules.
  2. The rules list downloads into a text file. Click the .txt file in the lower left corner to see the downloaded rules.

Edit rule details

When you edit rules, this triggers a new scan of the documents affected by those rules.

  1. In the rules list, click the rule that you want to edit.
  2. Click Edit rule.
  3. Edit the rule as needed. The flow is the same as rule creation. 
  4. When complete, click Update and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  5. Click Complete. It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Investigate a rule with the Security investigation tool

Supported editions for this feature: Enterprise; Education Standard and Plus. Compare your edition.

DLP uses the security investigation tool to show how often a rule is triggered. The tool lists the results of a search on the rule, and shows the triggered actions for each incident.

To use the investigation tool, you must have View Metadata and Attributes privileges, located at Security Center > Investigation Tool > Rule > View Metadata and Attributes.

To investigate a rule:

  1. In the rules list, click the rule to investigate.
  2. Click Investigate rule.
  3. You see search results for the rule. Note that there is a time lag between when a rule triggers and when the audit log is updated. Go to Investigation tool for details.

Tip: You can activate or deactivate a rule from the investigation tool. In the table of results, point to the column heading Rule ID. Click it, and then select Actions > Activate rule or Actions > Deactivate rule.

Tip: To see results for all DLP rules, click the X to delete the specific rule search criteria and click Search.

Work with custom detectors

Filter custom detectors

You can filter the list of custom detectors by detector name and detector type.

  1. On the custom detector page, click Add a filter.
  2. Filter by detector name or type:
    • Detector name—Enter a string to search on
    • Detector type—Select a detector type
  3. Click Apply. The filter persists until you dismiss it.

Export detectors

You can export detectors to a .txt file.

  1. On the detectors page, click Export detectors
  2. The detectors list downloads into a text file. Click the .txt file in the lower left corner to see the downloaded detectors.

Edit word list custom detector 

When you edit custom detectors that are used in rules, this triggers a new scan of the documents affected by the rules that contain the modified detectors.

To edit a custom detector name and description:

  1. Click a word list custom detector in the list.
  2. Click Edit info.
  3. Edit the title and description.
  4. Click Save.

To add words to the list:

  1. Click a word list custom detector in the list.
  2. Click Add words.
  3. Add words to the list of words. 
  4. Click Save.

To edit words in the list:

  1. Click a word list custom detector in the list.
  2. Click Edit words.
  3. Edit the words in the list.
  4. Click Save.

Edit Regular Expression custom detector

When you edit custom detectors that are used in rules, this triggers a new scan of the documents affected by the rules that contain the modified detectors.

To edit the regular expression custom detector name, description, or regular expression:

  1. On the custom detector page, click a regular expression custom detector.
  2. In the pop-up, edit the title, description, or regular expression.
  3. If you edited the regular expression, click Test Expression. Enter test data to verify.
  4. Click Save.

Delete a custom detector

Deleting detectors is permanent.

  1. On the custom detector page, point to a row to show the trash can icon at the end of the row.
  2. Click the trash can icon.
  3. Verify that you want to delete the detector.
