Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus; BeyondCorp Enterprise.
Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.
As an administrator, you can use data loss prevention (DLP) snippets to investigate whether a DLP rule violation is a real incident or a false positive. DLP snippets capture the content that violates a rule. You can review the snippets in the security investigation tool and on the audit and investigation page.
On this page
- Access to snippets in investigation tool
- Before you begin
- About DLP snippets
- DLP snippet limitations
- Step 1: Start your investigation
- Step 2: Show sensitive content
- Step 3: View sensitive content
- Export sensitive content using BigQuery
- Remove sensitive content from logs
- Restore sensitive content
- Admin Data Action log events
Access to snippets in investigation tool
To access snippets in the investigation tool:
- Admins must have the View sensitive content privilege. For details, go to Admin privileges for the investigation tool.
- To allow admins to view sensitive content, the Sensitive content storage setting must be turned on (see Before you begin). Without it, no snippets are stored and there is nothing to show.
- To remove and restore sensitive content from logs, you must be a super administrator.
Before you begin
Turn sensitive content storage on:
- Sign in to your Google Admin console using an administrator account (one that does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Access and data control > Data protection.
- For Sensitive content storage, change the state to On.
- Click Save.
About DLP snippets
DLP snippets contain any content flagged by a DLP rule that matches a DLP rule's content conditions, such as:
- Contents of scanned files
- Reusable content detectors
- Keywords and word lists
- Regular expressions
- Predefined content detectors
Snippets are retained in the logs for 180 days. Deleting or changing the source content during that time does not delete the snippets. A snippet holds the content that matched the DLP rule plus up to 100 Unicode characters of surrounding text on each side, which gives you context for judging whether the match is a real incident.
DLP snippet limitations
- Snippet content larger than 500 Unicode characters is truncated.
- For DLP rule log event data, the total size of the snippets parameter is limited to 50 KB. Snippet instances are removed until the overall size is less than 50 KB.
- In Google Chat, snippets are not collected for off-the-record messages (chat history turned off) or conversations sent to a space owned by someone outside of your organization.
- DLP-scanned content and snippets extracted from Google Drive might differ from the original source content in the document.
Step 1: Start your investigation
Option 1: View sensitive content snippets in the investigation tool
- Sign in to your Google Admin console using an administrator account (one that does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Security center > Investigation tool.
- Click Data source and select Rule log events.
- Click Add Condition.
- From the Attribute menu, select Rule type and make sure the operator is set to Is (the default option).
- From the Rule type menu, select DLP.
- Click Search.
Option 2: View sensitive content snippets on the audit & investigation page
- Sign in to your Google Admin console using an administrator account (one that does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > Audit and investigation > Rule log events.
- Click Add a filter > Rule type.
- In the Rule type box, select Is > DLP and click Apply.
- Click Search.
Step 2: Show sensitive content
- From the search results, in the Has sensitive content column, look for True.
- In the Description column, click the text to open the Log details panel.
- Click Show sensitive content.
- If prompted, enter the reason you need to view the sensitive content and click Confirm. The reason is recorded with the access (see Admin Data Action log events).
The panel will refresh and the Sensitive content snippets row will update with the snippets triggered by the rule that you're investigating.
Step 3: View sensitive content
In the Log details panel, next to Sensitive content snippets, click the Right arrow to expand the rows containing sensitive content.
You can review the following attributes:
Attribute | Description
--- | ---
Content | The content that matched a DLP rule, including the surrounding text kept for context
Matched content starting character | Offset of the match within Content (zero-based, as in the example below)
Matched content length | Length of the match, in characters
Matched detector ID | Detector that matched, if any
Row index | (Chat files in CSV format) Zero-based index of the row containing the content, if any
Field name | (Chat files in CSV format) Column name of the content, if any
Example: DLP rule scans for Social Security numbers
In this example, if a spreadsheet contains a Social Security number, the attributes populate as follows:
- Content: SSN 123-45-6789
- Matched content starting character: 4
- Matched content length: 11
- Matched detector ID: US_SOCIAL_SECURITY_NUMBER
- Row index: 2
- Field name: header2
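As an added example (not Google's code and not the Workspace implementation), the following Python models the snippet behaviour described under About DLP snippets, DLP snippet limitations and the Step 3 attribute table: context of 100 Unicode characters on each side of a match, truncation above 500 characters, a 50 KB cap on the snippets parameter enforced by dropping instances, and zero-based offsets relative to the snippet's own content. It then shows how a reviewer can recover the exact match from a snippet row and flag hits that are structurally impossible. The JSON key names, the regex stand-in for the US_SOCIAL_SECURITY_NUMBER detector, and dropping instances from the end of the list are assumptions made for illustration.

```python
"""Model of how DLP snippets are built and how a reviewer triages them.

Added example, not Google's code. The constants encode the limits this page
documents; the key names mirror the Log details panel attributes. The JSON
layout, the regex detector and the drop-from-the-end cap policy are assumptions.
"""
import json
import re

CONTEXT_CHARS = 100          # surrounding text kept on each side of a match
MAX_SNIPPET_CHARS = 500      # longer snippet content is truncated
MAX_PARAM_BYTES = 50 * 1024  # size limit of the snippets parameter per event

# Constructed stand-in for the predefined US_SOCIAL_SECURITY_NUMBER detector.
DETECTORS = {
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def build_snippets(text, row_index=None, field_name=None):
    """Return one snippet dict per detector match, in document order.

    matched_content_starting_character is zero-based and relative to the
    snippet's own content, not to the source document.
    """
    snippets = []
    for detector_id, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            lo = max(0, m.start() - CONTEXT_CHARS)
            hi = min(len(text), m.end() + CONTEXT_CHARS)
            # Assumption: truncation keeps the first 500 characters.
            content = text[lo:hi][:MAX_SNIPPET_CHARS]
            snippet = {
                "content": content,
                "matched_content_starting_character": m.start() - lo,
                "matched_content_length": m.end() - m.start(),
                "matched_detector_id": detector_id,
            }
            if row_index is not None:  # CSV-style sources carry cell position
                snippet["row_index"] = row_index
                snippet["field_name"] = field_name
            snippets.append(snippet)
    return snippets


def serialized_size(snippets):
    """UTF-8 byte length of the snippets parameter as serialized here."""
    return len(json.dumps(snippets).encode("utf-8"))


def cap_snippets_parameter(snippets, max_bytes=MAX_PARAM_BYTES):
    """Drop snippet instances until the serialized parameter fits.

    The page says instances are removed until the total is under the limit,
    but not which ones; dropping from the end is an assumption. Either way,
    expect evidence to be missing from events with many matches.
    """
    kept = list(snippets)
    while kept and serialized_size(kept) > max_bytes:
        kept.pop()
    return kept


def matched_text(snippet):
    """Recover the exact matched substring from a snippet row."""
    start = snippet["matched_content_starting_character"]
    return snippet["content"][start:start + snippet["matched_content_length"]]


def ssn_is_structurally_valid(ssn):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    A hit that breaks these rules is a likely false positive."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def triage(snippets):
    """Attach a verdict to each snippet so a reviewer can decide real
    incident vs false positive from the snippet alone."""
    report = []
    for s in snippets:
        hit = matched_text(s)
        plausible = True
        if s["matched_detector_id"] == "US_SOCIAL_SECURITY_NUMBER":
            plausible = ssn_is_structurally_valid(hit)
        report.append({"detector": s["matched_detector_id"], "match": hit,
                       "where": (s.get("row_index"), s.get("field_name")),
                       "verdict": "review" if plausible else "likely false positive"})
    return report


if __name__ == "__main__":
    # Constructed sample mirroring the page's spreadsheet example.
    for row in triage(build_snippets("SSN 123-45-6789", row_index=2, field_name="header2")):
        print(row)
```

Running the sample reproduces the page's example row (start 4, length 11, detector US_SOCIAL_SECURITY_NUMBER, row index 2, field header2). The structural SSN check is one cheap signal a reviewer can apply before deciding to open the source file; it does not replace looking at the surrounding context the snippet carries.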
Export sensitive content using BigQuery
You can export sensitive content snippets to custom tables for further investigation. For details, go to Set up a BigQuery Export configuration.
Remove sensitive content from logs
After investigating an incident, you can remove sensitive content from the logs so you don’t unnecessarily expose the data. Removing the content from the logs doesn’t remove it from the actual file or resource where the content was found or from custom BigQuery tables. If you remove the content, it’s no longer available in the investigation tool or the audit and investigation page and can’t be exported to BigQuery.
You must be signed in as a super administrator for this task.
- Follow Steps 1 to 3 above to view the sensitive content.
- Click Remove sensitive content.
- In the Remove sensitive content box, click Remove to confirm.
Restore sensitive content
If needed, you can restore sensitive content to the log within the 180-day retention period.
You must be signed in as a super administrator for this task.
- Follow Steps 1 to 3 above to open the Log details panel for the event.
- At the top of the Log details panel, click Restore.
- Click Show sensitive content.
- In the Log details panel, next to Sensitive content snippets, click the Right arrow to expand the rows containing sensitive content.
After the original 180-day retention period, the DLP snippets are deleted, regardless of whether you restore them.
Admin Data Action log events
You can search the Admin Data Action log events to keep track of admins who accessed, removed, or restored sensitive content. For details, go to Admin Data Action log events.