Investigate Chat messages to moderate content and protect your data

Security investigation tool

As an administrator, you can use the security investigation tool to monitor Chat activity in your organization—including messages and files that are sent outside your domain. You can review reports of inappropriate content such as harassment, spam, or sensitive information, and create data protection rules to prevent harassment and sensitive content leaks.

Review reported Chat messages

Supported editions:

  • Reviewing Chat messages: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. 
  • Content reporting in Chat: Enterprise Plus; Education Standard and Education Plus. 

If you enable content reporting in Chat, users can report messages which are inappropriate or violate organization guidelines. You can use the security investigation tool to review reported Chat messages.

Note: As an administrator, you can proactively monitor Chat messages for inappropriate content by creating an activity rule that alerts you to Message reported events. For instructions, see Create and manage activity rules.

If a reported message was posted in a Chat space, you can contact a space manager who has permissions to delete a message or assign a new space manager with appropriate access to carry out the task. You can't take action from the security investigation tool.

To investigate reported Chat messages:

  1. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  2. Click Data source and select Chat log events.
  3. Click Add Condition.
  4. Click Attributeand thenand select Event.
  5. Select Message reported from the third drop-down list.
  6. Click Search.
    From the search results at the bottom of the page, you can view a list of reported messages.
  7. To drill down and view additional details, click the Message ID for any line in the search results.
  8. If prompted, enter text to justify the business need for viewing Chat content, and click Confirm.
    A side panel is displayed with additional details about your investigation:

Message details tab—This tab displays the content of the Chat message. Other important details include the sender of the message, date the message was sent, the message ID, and all all associated reports and attachments. Content in attachments is downloadable.

Conversation info tab—This tab includes information about the Chat conversation. Details include the type of conversation—for example, 1:1 Chat or Space. Note: For Space, up to 5 space manager emails are displayed, and you can contact space managers to take action if needed.

Chat transcript tab—This tab provides context about the Chat conversation—including text from some messages and details about message status such as whether they have been edited or deleted; messages are tagged as "reported" only when the current revision of the message was reported. Content in attachments is not included or downloadable from this tab.

Note: The security investigation tool does not include any quoted content within a Chat reply. 

Create a data protection rule for Chat messages

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Cloud Identity Premium. Compare your edition

To use the security investigation tool to monitor and prevent Chat data leaks, you need to set up a data protection rule for Chat. This is a custom rule that you create from the rules page. You can use this rule to be notified of specific activity related to the use of Chat messages within your domain.

Once you set up the data protection rule, you can then use the security investigation tool to investigate Chat messages in your organization.

Note: An administrator might have already set up a data protection rule for Chat messages. If not, you'll need to do this yourself. For instructions, see Create data protection rules.

Run a search for Rule log events

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

To run a search in the security investigation tool, first choose a data source. Optionally, you can then choose one or more conditions for your search. For each condition, choose an attribute, an operator, and a value

Note: The steps in the instructions below are presented as an example search for investigating Chat messages. You have the option to use other conditions in your search, or you can run a search using no conditions at all.

To run a search in the security investigation tool for Rule log events:

  1. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  2. Click Data source and select Rule log events.
  3. Click Add Conditionand thenAttributeand thenDate.
    Choose a date range for your search.
  4. Click Add Conditionand thenAttributeand thenRule type.
    Choose DLP.
  5. Click Search.
    Search results are displayed at the bottom of the page.
  6.  To save your investigation, click Saveand thenenter a title and descriptionand thenclick Save.
    Note: By saving the search results for future use, you can conduct the same investigation on multiple occasions.

Investigate Chat messages that trigger data protection rules

After you create a data protection rule for Chat messages, and then run a search for Rule log events, you can then investigate Chat messages in the search results of your investigation.

To investigate Chat messages:

  1. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  2. From the right menu, click View investigations.
  3. Click the investigation from the list. (Choose an investigation that you created using the instructions in the section above.) 
  4. Click Search.
    From the search results at the bottom of the page, you can view a list of events, with details about each event. These details include the triggered action, the rule name, the container type (for example, 1:1 Chat or Chat Space), and the rule name.
  5. To drill down and view additional details, click the Resource ID for any line in the search results.
  6. If prompted, enter text to justify the business need for viewing Chat content, and click Confirm.
    A side panel is displayed with additional details about your investigation:

Incident details tab—This tab specifies the name of the rule that was triggered, and also displays the content within the Chat message that triggered the rule. Other important details include the sender of the message, date the message was sent, and message ID.

Conversation info tab—This tab includes information about the Chat conversation. Details include the type of conversation—for example, 1:1 Chat or Space. Note: For Space, up to 5 space manager emails are displayed, and you can contact space managers to take action if needed.

Chat transcript tab—This tab provides context about the Chat conversation—including text from some messages and details about message status such as whether they have been edited or deleted; messages are tagged as "reported" only when the current revision of the message was reported. Content in attachments is not included or downloadable from this tab.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
1672183479627951016
true
Search Help Center
true
true
true
true
true
73010
false
false