Rules audit log

Track your users' attempts to share sensitive data

You can track your user’s attempts to share sensitive data in the Rules audit log. For example, you can review events triggered by data loss prevention (DLP) rule violation events. Entries usually appear within an hour of the user action.

The Rules audit log also lists data types for BeyondCorp Threat and Data Protection.

Open the Rules audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit log, click Rules.
  4. (Optional) To customize what data you see, on the right, click Manage columns "". Select the columns that you want to see or hideand thenclick Save.

Data you can view

The Rules audit log provides the following information:

Data Type Description
Event name The name of the event that was logged. For DLP rules, the value is Action Complete
Event description The description of the event. The value Is Action Completed for DLP rules
User User that performed the action that triggered the event. The value can be Anonymous user if the events are the results of a rescan.
Rule name Rule name provided by the admin when they created the rule
Rule type DLP is the value for DLP rules
Rule resource name The system-generated unique identifier for the rule
Resource ID The object modified. For DLP, a Drive document.
Resource title The title of the resource that was modified. For DLP, a document title.
Resource type For DLP, the resource is Document
Resource owner User that owns the resource that was scanned and had an action applied to it
Recipients Those who received the shared resource
Data source The application originating the resource
Actor IP address The IP address of the user that triggered the action
Severity The severity assigned to the rule when it was triggered
Scan type Values are Drive continuous scan (when a rule change occurs) or Online scan (occurring as a document is changing)
Matched trigger Matches the trigger assigned in the rule
Matched detectors Matches the detector set in the rule condition
Triggered actions Lists the action taken. This is blank if an audit-only rule was triggered.
Suppressed actions Actions configured on the rule, but suppressed. An action is suppressed if a higher priority action occurs at the same time and is triggered.
Date Date and time the event occurred
Device ID The ID of the device on which the action was triggered. This data type applies to BeyondCorp Threat and Data Protection.
Device type Type of device referred to by the Device ID. This data type applies to BeyondCorp Threat and Data Protection.

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. Event names are self-explanatory.

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue