All editions
Google Workspace’s Data Loss Prevention (DLP) is a security feature within the Google Admin Console that helps organizations prevent sensitive information from being accidentally or maliciously shared via Gmail or Drive. DLP rules are configured by administrators to automatically detect and act on such content, helping to enforce compliance and protect data integrity.
With this update, Gmail DLP now includes sensitive content snippets—small, targeted portions of email content that triggered a DLP rule. These snippets are displayed in audit logs, the investigation tool, and the security center, giving administrators clearer visibility into what specific content caused a rule to fire. This enhancement is especially valuable during security investigations, as it allows admins to quickly assess whether a rule was triggered appropriately or if it resulted in a false positive. By surfacing the exact matched content, admins can fine-tune DLP policies, respond to incidents more effectively, and improve overall data protection strategies.
Caution: Google's support article, "Use the investigation tool to view sensitive content", describes this process for Standard and Plus customers using the Security Investigation Tool. Fundamentals and Teaching and Learning customers can still accomplish this through the Audit and Investigation Tool.
What You Will Learn
Requirements and Configuration
How It Works
Additional Resources from Google
Requirements and Configuration
There are two requirements for this:
- Admins who need to review the snippets must have the View sensitive content privilege.
- Sensitive content storage must be ON.
Edit View Sensitive Content Privilege
Users > [Select User] > User details > Admin roles and privileges > Privileges > [Security Center - This user has full administrative rights for Security Center - View sensitive content]
- Go to the Admin roles and privileges page.
- Verify that the user has the View sensitive content privilege checked. Otherwise, add a role for the user that has that privilege.
Turn on Sensitive Content Storage
Security > Access & Data Control > Data Protection > Data Protection Settings
- Go to the Security data protection page.
- Click anywhere on the setting to edit it.
- Set the Sensitive content storage toggle to ON.
- Click Save.
How It Works
When a DLP rule is triggered by an email, Gmail now captures a snippet, a small portion of the email that contains the sensitive content. This snippet is shown to admins to help them understand what triggered the rule and whether it was appropriate. This visibility improves the ability to fine-tune DLP rules and respond to potential data leaks more effectively.
Additional notes:
- DLP rule names should be descriptive to clarify why a rule was triggered.
- Only super admins can hide/unhide sensitive data in logs.
- Admins must provide a justification to view sensitive content; this is logged.
- Admins can remove or restore sensitive content from logs (not from the original email).
- Snippets remain in logs for 180 days, even if the original email is edited or deleted.
Example: Here we run a rule log event investigation where:
- The data source is Gmail
- Rule type is DLP
- Has sensitive content is True
The search yields these results:
To view sensitive content:
- Click on an action in the list.
- In the panel that opens, click Show sensitive content.
- Enter the Reason for viewing the content.
- Click Confirm.
- In the panel, scroll down to Sensitive content snippets and expand the section.
- If warranted, click Remove sensitive content to remove that content from logs (not from the original email).
Links to Support Articles and References
https://support.google.com/a/answer/10045845
https://support.google.com/a/answer/10045845#view-snippets
https://support.google.com/a/answer/10060795
https://support.google.com/a/answer/10060795#sensitive-content