This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
@chrismc could you re-check? Based on my test, the audit log record was
generated the moment user attempted to share a file and got blocked by
the rule. In the Audit Log row you can find a column 'Triggering User'.
@chrismc I'd suggest to run a query in the Security Investigation Tool
for:Source: Rules Log Events Data range if needed (maximum of 180 days
back) Triggered Action = Drive Block External Sharing Rule ID if
required to investigate a specific data pro...
Hello @chrismc ! You should be able to do what you describe using the
Beta functionality released in December 2023.
https://workspaceupdates.googleblog.com/2023/12/data-loss-prevention-rule-violation-snippets.html