Stop data loss with DLP

Create DLP for Drive rules and custom content detectors

DLP for Drive rules and content detectors

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus.

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

Using data loss prevention (DLP) for Drive, you can create complex rules that combine triggers and conditions. You can also specify an action that sends a message to the user that their content has been blocked.

Create DLP for Drive rules and custom content detectors

Step 1: Plan your rules

Decide on rule conditions

The DLP rule conditions determine what kind of sensitive content the rule will detect. See DLP rule examples below for basic examples. A rule might need only a single condition, or it can combine multiple conditions, using AND, OR or NOT operators. Go to DLP for Drive rule nested conditions operators examples for examples of nested conditions.

  • To detect standard personal information such as a driver’s license number or taxpayer ID, your rule can use predefined content detectors. Go to How to use predefined content detectors for a complete list of available detectors.
  • Your rule conditions can also use custom content detectors that you create, such as a content detector that contains a list of words or a regular expression. For instructions see Step 2. Create a custom detector.

For suggestions on how to improve rules testing, including setting up a rules test environment, go to Best practices for faster rules testing.

Use audit-only rules to test rule results (optional, but recommended)

You can create an audit-only rule to test rules you create in DLP. This allows you to test the potential impact of a rule for Google Drive. Like all rules, these rules trigger, but in this case take no action but to write results to the Rule audit log and the investigation tool.

For suggestions on how to improve rules testing, including setting up a rules test environment, go to Best practices for faster rules testing.

To create and use an audit-only rule:

  1. Follow the rule creation steps in Step 3. Create rules.
  2. When you get to the Action section of rule creation, do not select an action. The actions are optional. The rule will trigger without an action associated with it, and all incidents are logged in the Rules audit log. In this case, the rule shows the designation Audit only in the Action section.
  3. Continue and complete rule configuration. Make sure the rule is Active.
  4. Test the functionality yourself, or wait for the users in your domain to naturally share data that might be affected by this rule.
  5. View the Rules audit log. Go to Rules audit log or Investigation tool for details. The audit log will list rules with no triggered action when you use an audit-only rule.
  6. When you are sure the rule is configured exactly as you want, change the rule to have an action apply (as described in Step 3. Create rules).

What are recommended rules?

Recommended rules are DLP rules recommended to you based on the results of the Data protection insights report. For example, if the report lists passport numbers as a shared data type in your organization, DLP recommends a rule to prevent the sharing of passport numbers.

You receive rule recommendations only if you have the Data protection insights report turned on. Go to Prevent data leaks with Data protection recommended rules for details.

Which types of groups can I select for a rule's scope?

You can choose admin- or user-created groups in your Groups list in the Admin console. Group addresses must end with your organization's domain—you can't choose external groups for a rule's scope.

Here are some types of groups to consider for DLP rules:

  • Dynamic groups—Manage memberships automatically when users join, move within, or leave your organization. Available in the Admin console or with the Cloud Identity API, dynamic groups help you reduce time spent managing group membership manually. To use a dynamic group for a DLP rule, make sure it's also a security group (which has the Security label). Learn more about dynamic groups.

  • Security groups—Convert a standard or dynamic group to a security group, which helps you regulate, audit, and monitor the group for permission and access control. You can create security groups in the Admin console or with the Cloud Identity Groups API, by adding the Security label to them. Learn more about security groups.

  • Migrated groups—Use Google Cloud Directory Sync (GCDS) to sync groups you create in Microsoft Active Directory or other tools with Google Workspace. Then, you use those synced groups in DLP rules. Learn more about GCDS.

Step 2: Create a custom detector (optional)

Create a custom detector if needed

These are general instructions for creating a custom detector, if you need to use one in rule conditions.

Create a DLP detector to use with rules

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Detectors.
  4. Click Add detector. Add the name and description.

    You can select:

    • Regular expression—A regular expression, also called a regex, is a method for matching text with patterns. Click Test Expression to verify the regular expression. See Examples of regular expressions.
    • Word list—A custom word list you create. This is a comma-separated list of words to detect. Capitalization and symbols are ignored. Only complete words are matched. You can add a pop-up message to appear when content is detected. Words in word list detectors must contain at least 2 characters that are letters or digits. 
  5. Click Create. Later, use the custom detector when you add conditions to a rule.

Step 3: Create rules

These are general instructions for creating rules.

Create a DLP rule

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Rules. Then click Add rule > New rule or click Add rule > New rule from template. For templates, select a template from the Templates page.
  4. Add the name and description of the rule.
  5. In the Scope section, choose All in <domain.name> or choose to apply this rule only to users in selected organizational units or groups. If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

    Note: If you want to apply the rule to a dynamic group, the group must also have the Security label. For more information see What types of groups can I select for a rule's scope?.

  6. Click Continue.
  7. In the Apps section, choose Drive files.
  8. Click Continue.
  9. In the Conditions section, click Add Condition.
  10. Choose the Content type to scan:
    • All content: All of the document, including the document title, body, and any suggested edits
    • Body: Body of the document
    • Drive label: Any labels applied to the document. For details, see Get started as a Drive labels admin.
    • Suggested edits: Content added to the document while in Suggestions mode
    • Title: Document title
  11. Choose What to scan for, then fill out the needed attributes for that type of scan, listed in the table below. 

    Note that the What to scan for options vary according to the Content type to scan you chose in the previous step. For example, if you choose 'Title' as the content type to scan, the What to scan for options will include Ends with and Starts with.

    The What to scan for options and their attributes:

    Matches predefined data type

    • Data type—Select a predefined data type. Get more information on predefined data types here.
    • Likelihood Threshold—Select a likelihood threshold. Available thresholds are Very low, Low, Medium, High, and Very high. These thresholds reflect the DLP system’s confidence in the match result. In general, the Very high threshold will match less content and will be more precise. The Very low threshold is a wider net expected to match more files but will have lower precision.
    • Minimum unique matches—The minimum number of times a matched result must uniquely occur in a document to trigger the action.
    • Minimum match count—The minimum number of times any matched results must appear in a document to trigger the action.

    How do Minimum match count and Minimum unique matches work? For example, think of two lists of Social Security Numbers: the first list has 50 copies of the exact same number, and the second list has 50 unique numbers.

    In this case, if the Minimum match count value equals 10, results will trigger on both lists since there are at least 10 matches in both.

    Or, if the Minimum unique matches value equals 10, and the Minimum match count value equals 1, results will trigger only on the second list, since there are 10 matches and they're all matching unique values.

    Contains text string

    • Enter contents to match—Enter a substring, number, or other characters to search on. Specify if the content is case sensitive. In the case of the substring, the rule can contain the word key, and if the document contains the word key, there is a match.

    Contains word

    • Enter contents to match—Enter the word, number, or other characters to search on.

    Matches regular expression

    • Regular expression name—a regular expression custom detector.
    • Minimum times the pattern detected—The minimum number of times the pattern expressed by the regular expression appears in a document to trigger the action.

    Matches words from word list

    • Word list name—Select a custom word list.
    • Match mode—Select either Match any word or Match minimum number of unique words.
    • Minimum total times any word detected—The least number of times a word can be detected to trigger the action.
    • Minimum unique words detected—The least number of unique words that must be detected to trigger the action (available for the Match minimum number of unique words option only).

    Ends with

    • Enter contents to match—Enter the word, number, or other characters to search on. Specify if the content is case sensitive.

    Starts with

    • Enter contents to match—Enter the word, number, or other characters to search on. Specify if the content is case sensitive.

    Is (Drive label content type only)

    • Drive label—Choose an available Drive label from the dropdown list.
    • Label field—Choose an available label field for the selected Drive label.
    • Field option—Choose an available field option for the selected field.

    You can use AND, OR, or NOT operators with conditions. Go to DLP for Drive rule nested condition operator examples for details on using AND, OR, or NOT operators with conditions.

    Note: If you create a DLP rule with no condition, the rule applies the specified action to all Drive files.

  12. Click Continue.
  13. In the Actions section, you can optionally select the action to occur if sensitive data is detected in the scan:

    Want to test a rule before adding an action to it?
    You can create an audit-only rule to test a rule that writes to the audit log without taking an action. Selecting an action is optional. Go to Use audit-only rules to test rule results (optional, but recommended) for details.

    • Block external sharing—Prevents sharing of the document.
    • Warn on external sharing—If a user attempts to share the file, they are warned that the file contains sensitive content. They can cancel or 'Share anyway'.

      Note: If you enable alerts for this action, they're triggered when sensitive content is detected, whether or not the file was shared at that time. Detection usually occurs after a file is created or updated, or after rules applied to the file change—for example, a rule is created or updated. It can also occur when a system upgrade improves detection ability. Detection events are recorded in the Rule log.

    • Disable download, print, and copy for commenters and viewers—Prevents downloading, printing, and copying unless the user has editor privilege or greater. This feature is DLP Information Rights Management (IRM), and uses Drive sharing settings as policies, so users can’t download, print, or copy Google Drive docs, sheets, or slides on all platforms. Go to IRM FAQs for more details.
    • Apply Drive labels—Applies an existing Drive label to matching files. Follow these steps to configure:
      1. Choose an available label from the Drive label dropdown list, then select an available Field and Field option for the label. Only badged labels and standard labels with Options list field type are supported. For details, see Get started as a Drive labels admin.
      2. (Optional) Click Add label to add additional labels. 
      3. Choose whether to allow users to change labels and field values applied to their files.
  14. In the Alerting section, choose a severity level (Low, Medium, High). The severity level affects how incidents are plotted in the DLP Incident dashboard (the number of incidents with High, Medium or Low severity) over time.
  15. Optionally, check Send to alert center to trigger notifications. Alerts are supported for Google Drive only. Go to View alert details for more information.

    Check the box to alert all super admins, or add the email addresses of additional recipients. Only recipients that belong to the user can be added. External recipients are ignored. Recipients can be users or groups. Remember that you must set up access for selected groups so these groups can receive the email sent to them. Go to Configure alert center email notifications for details on setting group access for email notifications.

    Alerts are listed in the Alert Center. Note that there is a time lag between when an alert occurs and when it is logged. There is also a lag between the time when an alert is shown in the Alert Center and when the Rules audit log and the DLP security dashboards are updated. You may receive an alert and view the alert summary; however, the incident count on the dashboards or audit logs in the Investigation Tool need time to update. There can be up to 50 alerts per rule per day. Alerts occur until this threshold is met.

  16. Click Continue and review the rule details.
  17. In Rule status, choose an initial status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  18. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Step 4: Tell users about the new rule

Set user expectations about new rules

Set user expectations as to behavior and consequences of the new rule. For example, you might choose to block external sharing if sensitive data is shared. In that case, tell users that it’s possible that sometimes they might not be able to share docs, and let them know why this could occur.

DLP rule examples

Examples of using a predefined classifier, a custom detector, and a rule template.

Example 1: Protect Social Security numbers using a predefined classifier

This example shows how to use a predefined classifier to prevent users in specific organizations and groups from sharing sensitive data. You can use predefined classifiers to specify commonly entered data. In this example, that data is Social Security numbers.

Before you begin, make sure you're signed in to your super administrator account or a delegated admin account with the privileges listed in Create a DLP rule, above. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Rules. Then click Add rule > New rule.
  4. Add the name and description for the rule.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.
  6. Click Continue
  7. In the Conditions section, click Add Condition and select the following values:
    • Field—All content.
    • Value—Matches default detector.
    • Default detector—United States - Social Security Number.
    • Likelihood Threshold—Very likely. An extra measure used to determine whether messages trigger the action.
    • Minimum unique matches—1. The minimum number of times a unique match must occur in a document to trigger the action.
    • Minimum match count—1. The number of times the content must appear in a message to trigger the action. For example, if you select 2, content must appear at least twice in a message to trigger the action. 
  8. Click Continue. Under Google Drive, select Block external sharing.
  9. Under Severity & Alerts, choose the severity level High. Activate an alert and enter recipients.

    There is a time lag between when an alert occurs and when it is logged. Admins can receive up to 50 alerts per rule per day, receiving alerts until this threshold is met.

  10. Click Continue to review the rule details.
  11. Click Create and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  12. Click Complete.

Changes can take up to 24 hours but typically happen more quickly.

Example 2: Protect internal names using a custom detector

This example shows how to set up a custom detector. You can list words to be detected in a custom detector. Use trigger settings in rules to prevent users from sharing documents that mention sensitive data, such as internal project names, with external recipients.

Before you begin, make sure you're signed in to your super administrator account or a delegated admin account with the privileges listed in Create a DLP rule, above. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Detectors. Then click Add detector > Word list.
  4. Enter a name and a description for the detector.
  5. Enter words to detect, separated by commas. In custom word lists:
    • Capitalization is ignored. For example, BAD matches bad, Bad, and BAD.
    • Only complete words are matched. For example, if you add bad to the custom word list, badminton isn't matched.
  6. Click Create.
  7. Click Manage Rules. Then click Add Rule > New rule.
  8. In the Rule name section, enter the name and, optionally, a description of the rule.
  9. In the Scope section, search for and select the organizational units or groups the rule applies to.
  10. Click Continue.
  11. In the Conditions section, click Add Condition and select the following values:
    • Field—All content
    • Value—Matches word list detector
    • Word list—Scroll to find the detector you created above.
    • Match mode—Select a Match mode:
      • Match any word—Counts matches of any words in the predefined word list
      • Match minimum number of unique words—Specify the minimum distinct words detected and the minimum total times any word is detected (of words in the predefined word list)
    • Minimum total times any word detected—1
  12. Click Continue. Under Google Drive, select the Block external sharing action.
  13. Under Severity & Alerts, choose the severity level High. Activate an alert, and specify recipients. Note that there is a time lag between when an alert occurs and when it is logged. Admins can receive up to 50 alerts per rule per day, receiving alerts until this threshold is met.
  14. Click Continue to review the rule details.
  15. Click Create and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  16. Click Complete.

Changes can take up to 24 hours but typically happen more quickly.
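
The following is an added example, not part of the original help page and not Google's implementation. It models the Minimum match count and Minimum unique matches thresholds described in Step 3 and the word list matching rules from Example 2, so a planned detector can be checked against sample text before an audit-only rule is created. The SSN-shaped regex, the sample numbers, the project name Nightjar, the whitespace tokenization, and the assumption that both minimums must be met are constructed for illustration; Python's regex engine is not the Admin console's, so Test Expression remains the authoritative check.

```python
import re
from collections import Counter

# Constructed pattern for SSN-shaped strings (illustration only; the
# predefined detector's real logic is not described on the page).
SSN_SHAPED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample documents mirroring the page's two lists:
# 50 copies of one number versus 50 different numbers.
SAME_LIST = "\n".join(["000-00-0001"] * 50)
UNIQUE_LIST = "\n".join(f"000-00-{i:04d}" for i in range(1, 51))


def match_counts(text, pattern):
    """Return (total matches, number of distinct matched values)."""
    hits = pattern.findall(text)
    return len(hits), len(set(hits))


def pattern_rule_triggers(text, pattern, min_match_count=1, min_unique_matches=1):
    """Assumed semantics: the rule triggers only if both minimums are met."""
    total, unique = match_counts(text, pattern)
    return total >= min_match_count and unique >= min_unique_matches


def _normalize(token):
    """Lowercase and drop symbols, keeping only letters and digits."""
    return "".join(ch for ch in token.lower() if ch.isalnum())


def parse_word_list(raw):
    """Split a comma-separated word list into (accepted, rejected).

    Entries with fewer than 2 letters or digits are rejected, matching the
    page's requirement for word list detectors.
    """
    accepted, rejected = [], []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        word = _normalize(entry)
        if len(word) >= 2:
            accepted.append(word)
        else:
            rejected.append(entry)
    return accepted, rejected


def word_hits(text, words):
    """Count complete-word hits per list word, ignoring case and symbols.

    Tokens are split on whitespace (an assumption of this sketch), so
    'badminton' never counts as a hit for 'bad'.
    """
    wanted = set(words)
    tokens = (_normalize(t) for t in text.split())
    return Counter(t for t in tokens if t in wanted)


def word_list_rule_triggers(text, words, mode="any", min_total=1, min_unique=1):
    """Evaluate the two Match modes described for word list conditions."""
    hits = word_hits(text, words)
    total = sum(hits.values())
    if mode == "any":        # Match any word
        return total >= min_total
    if mode == "unique":     # Match minimum number of unique words
        return total >= min_total and len(hits) >= min_unique
    raise ValueError("mode must be 'any' or 'unique'")


if __name__ == "__main__":
    for name, doc in (("same", SAME_LIST), ("unique", UNIQUE_LIST)):
        print(name, match_counts(doc, SSN_SHAPED),
              "count>=10:", pattern_rule_triggers(doc, SSN_SHAPED, 10, 1),
              "unique>=10:", pattern_rule_triggers(doc, SSN_SHAPED, 1, 10))
    words, rejected = parse_word_list("BAD, Nightjar, x, !!a")
    sample = "Bad day for badminton. (BAD!)"
    print(words, rejected, dict(word_hits(sample, words)))
```
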

Example 3: Protect personally identifiable information using a rule template

A rule template provides a set of conditions that cover many typical data protection scenarios. Use a rule template to set up policies for common data protection situations.

This example uses a rule template to block sending or sharing of a Drive document or email containing US personally identifiable information (PII).

Before you begin, make sure you're signed in to your super administrator account or a delegated admin account with the privileges listed in Create a DLP rule, above. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Rules.
  4. Click Add Rule > New rule from template.
  5. On the Templates page, click Prevent PII information sharing (US).
  6. Accept the default name and description of the rule or enter new values.
  7. In the Scope section, search for and select the organizational units or groups the rule applies to.
  8. Click Continue. Conditions are preselected for the rule template. Review them if you want to see the specific conditions that apply to the rule. Security is set to Low, and alerts are disabled.
  9. For Google Drive, Block external sharing is selected. Blocking sharing keeps users from sharing files that meet the conditions with users outside your organization.
  10. Click Continue to review the rule details.
  11. Click Create and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  12. Click Complete.

Changes can take up to 24 hours but typically happen more quickly.

Example 4: Block download of sensitive content on iOS or Android devices

This example combines a DLP rule with a Context-Aware Access condition. When you combine a DLP rule with a context condition, the rule is only applied when the condition is met.

In this example, the DLP rule blocks Google doc users with comment or view access from downloading, printing, or copying sensitive content. The context condition is that users are accessing content from iOS or Android devices.

Important: To apply device or device OS-based context conditions to mobile devices, basic or advanced device management must be enabled. 

Before you begin, make sure you're signed in to your super administrator account or a delegated admin account with the privileges listed in Create a DLP rule, above.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Rules. Then click Add rule > New rule.
  4. Add a name and description for the rule.
  5. In the Scope section, search for and select the organizational units or groups the rule applies to.
  6. Click Continue.
  7. In Apps, under Google Drive, check Drive files.
  8. Click Continue.
  9. In the Conditions section, click Add condition.
  10. For Content type to scan, choose All content.
  11. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
  12. In the Context conditions section, click Select an access level to display your existing Access levels.
  13. Click Create new access level.
  14. Enter a name and description for the new access level.
  15. In Context conditions, click Add condition.
  16. Select Meets all attributes.
  17. Click Select attribute > Device OS, then click Select OS and select iOS from the dropdown list.
  18. For Minimum version, leave the default choice of Any version, or select a specific version.
  19. Click Add condition, then repeat steps 17-18, selecting Android as the device OS.
  20. Set the Join multiple conditions with toggle (located above Conditions) to OR. This means the DLP rule will be applied if users are accessing sensitive content with either iOS or Android devices.
  21. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
  22. Click Continue.
  23. On the Actions page, for Google Drive action, choose Disable download, print, and copy for commenters and viewers.

    Note: The action is only applied when both content conditions and context conditions are met.

  24. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
  25. Click Continue to review the rule details.
  26. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Access and data control > Data Protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  27. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

For more examples, see Combine DLP rules with Context-Aware Access conditions.

Maintain DLP rules and custom content detectors

After you create DLP rules or custom detectors, you can view, edit, activate or inactivate, and otherwise maintain them. 

View existing rules and custom detectors

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Data protection.
  3. Click Manage Rules or Manage Detectors. The rules page is under Security > Data protection > Rules. The detectors page is under Security > Data protection > Detectors.

Work with DLP rules

Sort rules

You can sort rules by Name or Last modified columns in ascending or descending order. 

  1. On the rules page, click the Name or Last Modified column name.
  2. Click the up or down arrow to sort the column.

Activate or deactivate rules

If you activate a rule, DLP runs a scan on the documents that use that rule.

  1. On the rules page, under the Status column for a rule, select Active or Inactive.
  2. Confirm that you want to activate or deactivate the rule. 

Delete a rule

Deleting rules is permanent.

  1. On the rules page, point to a row to show the trash can at the end of the row. 
  2. Click the trash can.
  3. Verify that you want to delete the rule. 

Export rules

You can export rules to a .txt file.

  1. On the rules page, click Export rules.
  2. The rules list downloads into a text file. Click the .txt file in the lower left corner to see the downloaded rules.

Edit rule details

When you edit rules, this triggers a new scan of the documents affected by those rules.

  1. In the rules list, click the rule that you want to edit.
  2. Click Edit rule.
  3. Edit the rule as needed. The flow is the same as rule creation. 
  4. When complete, click Update and choose:
    • Active—Your rule runs immediately
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  5. Click Complete.

Changes can take up to 24 hours but typically happen more quickly.

Investigate a rule with the Security investigation tool

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.

DLP uses the security investigation tool to show how often a rule is triggered. The tool lists the results of a search on the rule, and shows the triggered actions for each incident.

To use the investigation tool, you must have View Metadata and Attributes privileges, located at Security Center > Investigation Tool > Rule > View Metadata and Attributes.

To investigate a rule:

  1. In the rules list, click the rule to investigate.
  2. Click Investigate rule.
  3. You see search results for the rule. Note that there is a time lag between when a rule triggers and when the audit log is updated. Go to Investigation tool for details.

Tip: You can activate or deactivate a rule from the investigation tool. In the table of results, point to the column heading Rule ID. Click and then select Actions > Activate rule or Actions > Deactivate rule.

Tip: To see results for all DLP rules, click the X to delete the specific rule search criteria and click Search.

Work with custom detectors

Filter custom detectors

You can filter the list of custom detectors by detector name and detector type.

  1. On the custom detector page, click Add a filter.
  2. Filter by detector name or type:
    • Detector name—Enter a string to search on
    • Detector type—Select a detector type
  3. Click Apply. The filter persists until you dismiss it.

Export detectors

You can export detectors to a .txt file.

  1. On the detectors page, click Export detectors.
  2. The detectors list downloads into a text file. Click the .txt file in the lower left corner to see the downloaded detectors.

Edit word list custom detector 

When you edit custom detectors that are used in rules, this triggers a new scan of the documents affected by the rules that contain the modified detectors.

To edit a custom detector name and description:

  1. Click a word list custom detector in the list.
  2. Click Edit info.
  3. Edit the title and description.
  4. Click Save.

To add words to the list:

  1. Click a word list custom detector in the list.
  2. Click Add words.
  3. Add words to the list of words. 
  4. Click Save.

To edit words in the list:

  1. Click a custom words custom detector in the list.
  2. Click Edit words.
  3. Edit the words in the list.
  4. Click Save.

Edit Regular Expression custom detector

When you edit custom detectors that are used in rules, this triggers a new scan of the documents affected by the rules that contain the modified detectors.

To edit the regular expression custom detector name, description, or regular expression:

  1. On the custom detector page, click a regular expression custom detector.
  2. In the pop-up, edit the title, description, or regular expression.
  3. If you edited the regular expression, click Test Expression. Enter test data to verify.
  4. Click Save.

Delete a custom detector

Deleting detectors is permanent.

  1. On the custom detector page, point to a row to show the trash can at the end of the row.
  2. Select the trash can.
  3. Verify that you want to delete the detector.
