Are there logs when a document cannot be shared because of a DLP rule?

Hello!

Our organization recently implemented DLP for Drive. We are blocking external sharing of documents with sensitive data. I've been asked to provide data on how often DLP is blocking this kind of sharing. Any suggestions? Thank you.

 


You can use the Rule Log Events 
https://support.google.com/a/answer/11480493?hl=en

With Rule type is DLP and things like Event is action complete

This will tell me when a DLP rule is turned on for a document, which is helpful to identify documents that have sensitive content.

What I want to know is when someone is prevented from sharing because this is in place...

You can do that with the same query

Here is an example (here I also created an alert when creating the DLP policy)

This is the alert that is generated (blurred out some details)
Screenshot 2024-02-07 at 9.58.30 AM.png

Then when you Investigate Alert (or just use the query for the RuleID) you find this info, and see which user triggered it, and if it was by sharing on Drive, and which doc, when, what content, which source.
Screenshot 2024-02-07 at 10.03.31 AM.png

I may not be explaining what I'm looking for well.

When Google finds a document with sensitive data, it applies the rule of "prevent external sharing" and there is an alert generated. This is not what I am looking for.

Once the rule is in place on the document, is it possible to see when a person is prevented from sharing the document? See image below. Are there logs for this?

Screenshot 2024-02-07 at 11.24.11 AM.png

 

Hello @chrismc! You should be able to do what you describe using the Beta functionality released in December 2023. https://workspaceupdates.googleblog.com/2023/12/data-loss-prevention-rule-violation-snippets.html

This will not help.

I still don't think we have a shared understanding of my question. 

Can you point me to logs that are created when a user receives the message I pasted into this conversation earlier? The logs are not the same as when DLP turns on a DLP rule for a file.

Thank you.

@chrismc I'd suggest running a query in the Security Investigation Tool for:

Source: Rules Log Events

Date range if needed (maximum of 180 days back)

Triggered Action = Drive Block External Sharing

Rule ID if required to investigate a specific data protection rule

I would expect it to give you what you are looking for

Based on my testing, what you have described will return logs for when Google finds a document with sensitive data and applies the rule. It does not return logs for when a person is prevented from sharing the document.

Please test for yourself. Or, I'm happy to get on a quick Meet and show you my experience.

@chrismc could you re-check? Based on my test, the audit log record was generated the moment the user attempted to share a file and got blocked by the rule. In the Audit Log row you can find a column 'Triggering User'.

I just tested. I tried to share a document protected by DLP rules to prevent sharing of documents with sensitive information externally. I was prevented from doing so by this message:

Screenshot 2024-02-09 at 3.14.54 PM.png

I then waited 10 minutes and ran this search:

Screenshot 2024-02-09 at 3.27.32 PM.png

No logs appear because of my action and Google DLP blocking the external share.

Just ran the search again after about 35 minutes--still no logs.

@evgenymeer and I have been chatting privately. This behavior (not logging blocked share attempts) is apparently as-designed. I've got a ticket open with Google support.

I got this from Google support this morning. What I have reported is expected behavior and there is a feature request to add logs when someone tries to share a file that is blocked from sharing.

Screenshot 2024-02-27 at 8.58.51 AM.png