Data loss prevention (DLP) for Drive detects incidents through scans, and incidents trigger actions and alerts.
The reports described in this article apply to DLP for Drive only.
DLP Security Dashboard incidents
View logged DLP incidents detected during DLP scans in Security > Dashboard. From the Security Dashboard, you can see these incident dashboards (with incidents logged over time):
- DLP Incidents
- Top Policy Incidents
You can triage daily incidents and examine trends to see how well your implemented DLP policies are working. Details on single or aggregated incidents are available to help you respond quickly to events and measure policy success over time. Go to About the security dashboard for details.
If you configure alerts for rules, you receive a DLP alert in the alert center when a DLP rule is triggered. From the Admin console Home page, go to Security > Alert center. Go to View alert details for more information.
Under the alert Key details, the system records only recipients that were matched before a DLP rule flags the content. Re-sharing a document after it is flagged by DLP does not automatically update the recipient information on the alert.
Note that there is a time lag between when an alert is created in the Alert center and when the corresponding incident or log event is shown in the DLP Security Dashboard and the investigation tool.
Each rule can generate up to 50 alerts per day. You receive alerts until this threshold is met. All incidents for each rule are recorded and shown in the investigation tool and the Rules audit log. Click the Investigate Alert link in the Alert Details page in the Alert Center to access the investigation tool page showing incidents that occurred for a particular rule within a two-day window.
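As an added example (not part of the original article or of Google's tooling), the script below counts incidents per rule per day from rule log events held as CSV and lists the rule-days that exceeded the 50-alert threshold, where the Alert center alone under-reports. The CSV column names, the sample rows, the UTC day boundary and the reading that one alert covers one incident are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

ALERT_CAP = 50  # alerts per rule per day, as stated in this article


def build_sample_csv():
    """Constructed sample data; the column names are hypothetical, not a real export schema."""
    rows = ["timestamp,rule_name,actor,document_id"]
    for i in range(63):  # one rule fires 63 times on the same day
        rows.append(f"2024-03-04T09:{i % 60:02d}:00Z,Block SSN sharing,user{i}@example.com,doc-a{i}")
    for i in range(4):  # a quiet rule on the same day
        rows.append(f"2024-03-04T10:0{i}:00Z,Warn on licence numbers,user{i}@example.com,doc-b{i}")
    for i in range(50):  # exactly at the threshold: every incident can still alert
        rows.append(f"2024-03-05T11:{i:02d}:00Z,Block SSN sharing,user{i}@example.com,doc-c{i}")
    return "\n".join(rows) + "\n"


def incidents_per_rule_day(csv_text):
    """Count incidents keyed by (rule name, UTC date). The UTC day boundary is an assumption."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        day = ts.astimezone(timezone.utc).date().isoformat()
        counts[(row["rule_name"], day)] += 1
    return counts


def rule_days_over_cap(counts, cap=ALERT_CAP):
    """Return rule-days with more incidents than the cap.

    min_without_alert assumes one alert covers one incident, so at least
    (incidents - cap) incidents appear only in the logs, not in the Alert center.
    """
    over = []
    for (rule, day), n in sorted(counts.items()):
        if n > cap:
            over.append({"rule": rule, "day": day, "incidents": n,
                         "min_without_alert": n - cap})
    return over


if __name__ == "__main__":
    for hit in rule_days_over_cap(incidents_per_rule_day(build_sample_csv())):
        print(hit)
```

Rule-days it reports are the ones to review in the investigation tool or the Rules audit log rather than from alerts alone.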
DLP audit events
The Rules audit log shows a record of DLP incidents recorded in your Google Admin console. For example, you can see when a user has tried to share sensitive data such as a driver’s license number. Go to Rules audit log for details. Audit events are also shown in the investigation tool, where individual DLP incidents are shown under Rule log events. Both the Rules audit log and the investigation tool surface the audit logs for triggered DLP rules.