DLP incidents report

Security dashboard

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

As an administrator, you can use data loss prevention (DLP) to control what sensitive information users can share. A DLP incident occurs when a DLP rule is broken. For example, a document that contains a personal identification number gets shared externally.

You can use the DLP incidents report to see the number of DLP incidents in a specified date range. The report breaks incidents into 3 levels of severity—high, medium, and low. 

View the DLP incidents report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenDashboard.
  3. In the lower-right corner of the DLP incidents panel, click View Report.
  4. (Optional) To download a spreadsheet fo the data to My Drive, click Export Sheet.

Note: You can hide lines in the graph by clicking the legend. For example, click Low Severity to hide this line in the graph. Hiding lines is useful if one line overlaps another.

Customize your report

At the top of the report, use the date range filter to customize data in the report. Customize the report to view data from today, yesterday, this week, last week, this month, last month, or days ago (up to 180 days). Or, you can enter a start date and end date. Click Apply after you set the date range. 

View DLP incidents 

Under the DLP incidents chart, you see a table that lists the daily DLP incident count for each level of severity by data source (for example, Google Drive).

The table lists these details: 

  • Date the incident occurred
  • Data source 
  • Number of high, medium, and low-severity incidents 

Tip: To narrow down the incidents in the table, use the filters above the list.

View DLP actions 

You can see a table of the actions that were triggered as a result of DLP incidents. To see the table, under the DLP incidents graph, click Actions.

The table lists these details: 

  • Action that was triggered
  • Data source
  • Number of high, medium, and low-severity incidents that triggered the action

By default, the table displays data for the time range specified at the top of the page. To view the top incidents for just one date, click the date in the DLP incidents graph.

Tip: To narrow down the actions in the table, use the filters above the list.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
12725013337407669782
true
Search Help Center
true
true
true
true
true
73010
false
false