DLP Log
The DLP Log page lets you view and analyze all sensitive data detection events that occurred within your organization. Tracking sensitive information detected in real time in user input data and LLM response data helps you strengthen data security.
DLP Log Overview
DLP logs provide the following information:
- Detection Event Tracking: Records all events where sensitive data was detected in chronological order.
- Detailed Analysis: Provides detailed information including detected data types, categories, and confidence levels.
- Filtering and Search: Filter logs by various conditions and quickly find specific events.
Log Viewing and Filtering
Basic Filters
The DLP log page provides several filters to help you find the events you need efficiently.
1. Date Range Filter
View only events that occurred during a specific period.
- Click the date range button to select start and end dates.
- By default, it is set to today’s date.
- Click the Apply Filter button to apply the filter.
2. User Search
Search for specific user events by name or email.
- Enter a user name or email in the search box.
- Autocomplete suggestions appear as you type.
- You can also search by the username part or domain part of an email.
3. Actions Filter
Filter by the type of action taken on detected sensitive data.
Action Types:
- Sensitive Data Sent: Sensitive data was detected but transmission was allowed
- Sensitive Data Blocked: Sensitive data was detected and transmission was blocked
How to use the filter:
- Click the Actions dropdown.
- Use Select All / Deselect All to select or clear all action types at once.
- Check/uncheck individual action types.
4. Categories / Types Filter
Filter detected data using a tree structure of categories and types. Data types are nested under their parent categories, displayed in a hierarchical structure.
Main Categories and Sub-types:
Credential
- Auth Token, AWS Credentials, Basic Auth Header, Encryption Key, GCP API Key, HTTP Cookie, JSON Web Token, OAuth Client Secret, Password, Security Data, SSL Certificate, Storage Signed URL, Tink Keyset
Government ID
- Driver’s licenses, passports, and national ID numbers from various countries (e.g., Korea RRN, US Social Security Number, Japan Individual Number)
Financial ID
- Credit Card Number, CVV Number, IBAN Code, Japan Bank Account, etc.
Medical ID
- Medical ID, Medical Record Number, etc.
PII (Personally Identifiable Information)
- Email Address, Phone Number, Person Name, IP Address, Street Address, etc.
SPII (Sensitive Personally Identifiable Information)
- Other highly sensitive personally identifiable information
Technical ID
- IP Address, MAC Address, etc.
How to use the filter:
- Click the Categories / Types dropdown.
- Use the search box to quickly find categories or data types by name.
- Category Selection: Checking a category automatically selects all sub-types under that category.
- Individual Type Selection: Click the arrow icon next to a category to expand the tree, then check/uncheck specific types individually.
- Use the tree structure to filter by entire categories or specific types selectively.
5. Likelihood Filter
Filter by the confidence level of sensitive data detection.
Confidence Levels:
- HIGH: High confidence (95% or higher) - Red indicator
- MEDIUM: Medium confidence (70-95%) - Orange indicator
- LOW: Low confidence (below 70%) - Green indicator
How to use the filter:
- Click the Likelihood dropdown.
- Check/uncheck desired confidence levels.
Filter Management
Clear Button
The Clear button appears when filters are active.
- Clicking the Clear button resets all filters to their default state.
- Search terms, selected filters, and date range are all reset.
Log Table
Table Columns
The log table consists of the following columns:
| Column | Description |
|---|---|
| Timestamp | Event occurrence time |
| User | User who triggered the event |
| Action | Action taken (Sent/Blocked) |
| Reason | Reason for action (False Positive, Business Requirement, etc.) |
| Data Types | Detected data types (shows up to 3, rest shown as +N) |
| Categories | Data categories (shows up to 3, rest shown as +N) |
| Max Likelihood | Highest confidence level among detected data |
| Details | Button to expand/collapse details |
Viewing Details
Click on any log row to expand detailed information.
Detail Information Table:
- Data Type: Specific data type detected
- Category: Categories the data type belongs to
- Likelihood: Confidence level for individual data type
Multiple types of sensitive data can be detected in a single event, and you can check the confidence level and category information for each.
Result Display
The number of currently displayed events and total events are shown at the top of the table.
- Example: “Showing 8 of 8 events” - Total events before filtering
- Example: “Showing 3 of 8 events” - Matched events after filtering
Log Event Examples
Sensitive Data Sent Events
Cases where sensitive data was detected but transmission was allowed for legitimate reasons.
Example 1: GCP API Key Detection
- User: user@email.com
- Action: Sensitive Data Sent
- Reason: False Positive
- Detected Data Types: GCP_API_KEY, EMAIL_ADDRESS
- Categories: CREDENTIAL, PII
- Max Likelihood: HIGH (95%)
Example 2: Phone Number Detection
- User: mike.chen@company.com
- Action: Sensitive Data Sent
- Reason: Business Requirement
- Detected Data Types: PHONE_NUMBER
- Categories: PII
- Max Likelihood: MEDIUM (89%)
Sensitive Data Blocked Events
Cases where sensitive data was detected and transmission was blocked.
Example 1: Credit Card Number Detection
- User: user@email.com
- Action: Sensitive Data Blocked
- Reason: - (Blocked)
- Detected Data Types: CREDIT_CARD_NUMBER
- Categories: FINANCIAL_ID
- Max Likelihood: HIGH (87%)
Example 2: External Email Address Detection
- User: jane.smith@company.com
- Action: Sensitive Data Blocked
- Reason: - (Blocked)
- Detected Data Types: EMAIL_ADDRESS
- Categories: PII
- Max Likelihood: MEDIUM (92%)
References
For detailed information about data types detected by the DLP system, please refer to the Google Cloud DLP InfoTypes Reference.
Usage Tips
Security Auditing
- Regularly review DLP logs to monitor sensitive data leakage attempts.
- Focus on Action: Sensitive Data Blocked events to identify security threats.
- Prioritize Max Likelihood: HIGH events as they are more likely to be actual sensitive data.
False Positive Management
- If Reason: False Positive events occur frequently, you may need to adjust DLP settings.
- Visit the DLP Management page to disable unnecessary data types or modify custom patterns.
User Training
- If a specific user frequently attempts to transmit sensitive data, security training may be needed.
- Use the user search feature to track individual user event history.
Compliance
- Use the date range filter to extract logs for a specific period and create compliance reports.
- Use the Categories filter to understand the handling status of specific types of sensitive data (e.g., MEDICAL_ID, FINANCIAL_ID).
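The review steps in these tips, worked through on a handful of events as an added example (not the product's own code). The record layout, timestamps, the `PASSWORD` type name and the `min_count` / `min_events` thresholds are assumptions; the page does not describe an export format, so the field names simply mirror the log table columns.

```python
from collections import Counter

RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # sort order for Max Likelihood
BLOCKED, SENT = "Sensitive Data Blocked", "Sensitive Data Sent"

def ev(ts, user, action, reason, types, cats, likelihood):
    return {"timestamp": ts, "user": user, "action": action, "reason": reason,
            "data_types": types, "categories": cats, "max_likelihood": likelihood}

# Constructed sample events (assumed layout, not a product export format).
EVENTS = [
    ev("2025-01-06T09:12:00", "user@email.com", SENT, "False Positive", ["GCP_API_KEY", "EMAIL_ADDRESS"], ["CREDENTIAL", "PII"], "HIGH"),
    ev("2025-01-06T09:40:00", "mike.chen@company.com", SENT, "Business Requirement", ["PHONE_NUMBER"], ["PII"], "MEDIUM"),
    ev("2025-01-06T10:05:00", "user@email.com", BLOCKED, "-", ["CREDIT_CARD_NUMBER"], ["FINANCIAL_ID"], "HIGH"),
    ev("2025-01-06T11:30:00", "jane.smith@company.com", BLOCKED, "-", ["EMAIL_ADDRESS"], ["PII"], "MEDIUM"),
    ev("2025-01-07T08:15:00", "user@email.com", SENT, "False Positive", ["EMAIL_ADDRESS"], ["PII"], "LOW"),
    ev("2025-01-07T14:02:00", "jane.smith@company.com", BLOCKED, "-", ["PASSWORD"], ["CREDENTIAL"], "HIGH"),
]

def audit_queue(events):
    """Security auditing: blocked events, HIGH likelihood first, then oldest first."""
    blocked = [e for e in events if e["action"] == BLOCKED]
    return sorted(blocked, key=lambda e: (RANK[e["max_likelihood"]], e["timestamp"]))

def false_positive_types(events, min_count=2):
    """False positive management: data types that recur in 'False Positive' events."""
    counts = Counter(t for e in events if e["reason"] == "False Positive"
                     for t in e["data_types"])
    return {t: n for t, n in counts.items() if n >= min_count}

def repeat_users(events, min_events=2):
    """User training: users with repeated detections as (total, blocked) counts."""
    total = Counter(e["user"] for e in events)
    blocked = Counter(e["user"] for e in events if e["action"] == BLOCKED)
    return {u: (n, blocked[u]) for u, n in total.items() if n >= min_events}

def category_report(events, category):
    """Compliance: sent vs. blocked counts for one category."""
    return Counter(e["action"] for e in events if category in e["categories"])

if __name__ == "__main__":
    for e in audit_queue(EVENTS):
        print(e["timestamp"], e["user"], e["data_types"], e["max_likelihood"])
    print("Tuning candidates:", false_positive_types(EVENTS))
    print("Repeat users:", repeat_users(EVENTS))
    print("PII handling:", dict(category_report(EVENTS, "PII")))
```

A data type that keeps appearing with Reason: False Positive, such as `EMAIL_ADDRESS` in this sample, is the kind of candidate to review on the DLP Management page.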