InspectConfig

Configuration description of the scanning process. When used with redactContent only infoTypes and minLikelihood are currently used.

JSON representation
{
  "infoTypes": [
    {
      object(InfoType)
    }
  ],
  "minLikelihood": enum(Likelihood),
  "limits": {
    object(FindingLimits)
  },
  "includeQuote": boolean,
  "excludeInfoTypes": boolean,
  "customInfoTypes": [
    {
      object(CustomInfoType)
    }
  ],
  "contentOptions": [
    enum(ContentOption)
  ],
  "ruleSet": [
    {
      object(InspectionRuleSet)
    }
  ]
}
Fields
infoTypes[]

object(InfoType)

Restricts what infoTypes to look for. The values must correspond to InfoType values returned by infoTypes.list or listed at https://cloud.google.com/dlp/docs/infotypes-reference.

When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

The special InfoType name "ALL_BASIC" can be used to trigger all detectors, but may change over time as new InfoTypes are added. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference.

minLikelihood

enum(Likelihood)

Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

limits

object(FindingLimits)

includeQuote

boolean

When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

excludeInfoTypes

boolean

When true, excludes type information of the findings.

customInfoTypes[]

object(CustomInfoType)

CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

contentOptions[]

enum(ContentOption)

List of options defining data content to scan. If empty, text, images, and other content will be included.

ruleSet[]

object(InspectionRuleSet)

Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

Likelihood

Categorization of results based on how likely they are to represent a match, based on the number of elements they contain which imply a match.

Enums
LIKELIHOOD_UNSPECIFIED Default value; same as POSSIBLE.
VERY_UNLIKELY Few matching elements.
UNLIKELY
POSSIBLE Some matching elements.
LIKELY
VERY_LIKELY Many matching elements.

FindingLimits

JSON representation
{
  "maxFindingsPerItem": number,
  "maxFindingsPerRequest": number,
  "maxFindingsPerInfoType": [
    {
      object(InfoTypeLimit)
    }
  ]
}
Fields
maxFindingsPerItem

number

Max number of findings that will be returned for each item scanned. When set within InspectDataSourceRequest, the maximum returned is 1000 regardless if this is set higher. When set within InspectContentRequest, this field is ignored.

maxFindingsPerRequest

number

Max number of findings that will be returned per request/job. When set within InspectContentRequest, the maximum returned is 1000 regardless if this is set higher.

maxFindingsPerInfoType[]

object(InfoTypeLimit)

Configuration of findings limit given for specified infoTypes.

InfoTypeLimit

Max findings configuration per infoType, per content item or long running DlpJob.

JSON representation
{
  "infoType": {
    object(InfoType)
  },
  "maxFindings": number
}
Fields
infoType

object(InfoType)

Type of information the findings limit applies to. Only one limit per infoType should be provided. If InfoTypeLimit does not have an infoType, the DLP API applies the limit against all infoTypes that are found but not specified in another InfoTypeLimit.

maxFindings

number

Max findings limit for the given infoType.

CustomInfoType

Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

JSON representation
{
  "infoType": {
    object(InfoType)
  },
  "likelihood": enum(Likelihood),
  "detectionRules": [
    {
      object(DetectionRule)
    }
  ],
  "exclusionType": enum(ExclusionType),

  // Union field type can be only one of the following:
  "dictionary": {
    object(Dictionary)
  },
  "regex": {
    object(Regex)
  },
  "surrogateType": {
    object(SurrogateType)
  },
  "storedType": {
    object(StoredType)
  }
  // End of list of possible types for union field type.
}
Fields
infoType

object(InfoType)

CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in content.inspect.info_types field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in content.inspect.info_types list then the name is treated as a custom info type.

likelihood

enum(Likelihood)

Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to VERY_LIKELY if not specified.

detectionRules[]

object(DetectionRule)

Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the surrogateType CustomInfoType.

exclusionType

enum(ExclusionType)

If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

Union field type.

type can be only one of the following:

dictionary

object(Dictionary)

A list of phrases to detect as a CustomInfoType.

regex

object(Regex)

Regular expression based CustomInfoType.

surrogateType

object(SurrogateType)

Message for detecting output from deidentification transformations that support reversing.

storedType

object(StoredType)

Load an existing StoredInfoType resource for use in InspectDataSource. Not currently supported in content.inspect.

Dictionary

Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles.

Dictionary words are case-insensitive and all characters other than letters and digits in the unicode Basic Multilingual Plane will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer".

Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The limits page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using LargeCustomDictionaryConfig in the StoredInfoType API.

JSON representation
{

  // Union field source can be only one of the following:
  "wordList": {
    object(WordList)
  },
  "cloudStoragePath": {
    object(CloudStoragePath)
  }
  // End of list of possible types for union field source.
}
Fields

Union field source.

source can be only one of the following:

wordList

object(WordList)

List of words or phrases to search for.

cloudStoragePath

object(CloudStoragePath)

Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

WordList

Message defining a list of words or phrases to search for in the data.

JSON representation
{
  "words": [
    string
  ]
}
Fields
words[]

string

Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

Regex

Message defining a custom regular expression.

JSON representation
{
  "pattern": string
}
Fields
pattern

string

Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

SurrogateType

Message for detecting output from deidentification transformations such as CryptoReplaceFfxFpeConfig. These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as surrogateInfoType. This CustomInfoType does not support the use of detectionRules.

StoredType

A reference to a StoredInfoType to use with scanning.

JSON representation
{
  "name": string,
  "createTime": string
}
Fields
name

string

Resource name of the requested StoredInfoType, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

createTime

string (Timestamp format)

Timestamp indicating when the version of the StoredInfoType used for inspection was created. Output-only field, populated by the system.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

DetectionRule

Rule for modifying a CustomInfoType to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the surrogateType custom info type.

JSON representation
{
  "hotwordRule": {
    object(HotwordRule)
  }
}
Fields
hotwordRule

object(HotwordRule)

Hotword-based detection rule.

HotwordRule

The rule that adjusts the likelihood of findings within a certain proximity of hotwords.

JSON representation
{
  "hotwordRegex": {
    object(Regex)
  },
  "proximity": {
    object(Proximity)
  },
  "likelihoodAdjustment": {
    object(LikelihoodAdjustment)
  }
}
Fields
hotwordRegex

object(Regex)

Regular expression pattern defining what qualifies as a hotword.

proximity

object(Proximity)

Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "(\d{3}) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "(xxx)", where "xxx" is the area code in question.

likelihoodAdjustment

object(LikelihoodAdjustment)

Likelihood adjustment to apply to all matching findings.

Proximity

Message for specifying a window around a finding to apply a detection rule.

JSON representation
{
  "windowBefore": number,
  "windowAfter": number
}
Fields
windowBefore

number

Number of characters before the finding to consider.

windowAfter

number

Number of characters after the finding to consider.

LikelihoodAdjustment

Message for specifying an adjustment to the likelihood of a finding as part of a detection rule.

JSON representation
{

  // Union field adjustment can be only one of the following:
  "fixedLikelihood": enum(Likelihood),
  "relativeLikelihood": number
  // End of list of possible types for union field adjustment.
}
Fields

Union field adjustment.

adjustment can be only one of the following:

fixedLikelihood

enum(Likelihood)

Set the likelihood of a finding to a fixed value.

relativeLikelihood

number

Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be POSSIBLE without the detection rule and relativeLikelihood is 1, then it is upgraded to LIKELY, while a value of -1 would downgrade it to UNLIKELY. Likelihood may never drop below VERY_UNLIKELY or exceed VERY_LIKELY, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is VERY_LIKELY will result in a final likelihood of LIKELY.

ExclusionType

Enums
EXCLUSION_TYPE_UNSPECIFIED A finding of this custom info type will not be excluded from results.
EXCLUSION_TYPE_EXCLUDE A finding of this custom info type will be excluded from final results, but can still affect rule execution.

ContentOption

Options describing which parts of the provided content should be scanned.

Enums
CONTENT_UNSPECIFIED Includes entire content of a file or a data stream.
CONTENT_TEXT Text content within the data, excluding any metadata.
CONTENT_IMAGE Images found in the data.

InspectionRuleSet

Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

JSON representation
{
  "infoTypes": [
    {
      object(InfoType)
    }
  ],
  "rules": [
    {
      object(InspectionRule)
    }
  ]
}
Fields
infoTypes[]

object(InfoType)

List of infoTypes this rule set is applied to.

rules[]

object(InspectionRule)

Set of rules to be applied to infoTypes. The rules are applied in order.

InspectionRule

A single inspection rule to be applied to infoTypes, specified in InspectionRuleSet.

JSON representation
{

  // Union field type can be only one of the following:
  "hotwordRule": {
    object(HotwordRule)
  },
  "exclusionRule": {
    object(ExclusionRule)
  }
  // End of list of possible types for union field type.
}
Fields

Union field type.

type can be only one of the following:

hotwordRule

object(HotwordRule)

Hotword-based detection rule.

exclusionRule

object(ExclusionRule)

Exclusion rule.

ExclusionRule

The rule that specifies conditions when findings of infoTypes specified in InspectionRuleSet are removed from results.

JSON representation
{
  "matchingType": enum(MatchingType),

  // Union field type can be only one of the following:
  "dictionary": {
    object(Dictionary)
  },
  "regex": {
    object(Regex)
  },
  "excludeInfoTypes": {
    object(ExcludeInfoTypes)
  }
  // End of list of possible types for union field type.
}
Fields
matchingType

enum(MatchingType)

How the rule is applied, see MatchingType documentation for details.

Union field type.

type can be only one of the following:

dictionary

object(Dictionary)

Dictionary which defines the rule.

regex

object(Regex)

Regular expression which defines the rule.

excludeInfoTypes

object(ExcludeInfoTypes)

Set of infoTypes for which findings would affect this rule.

ExcludeInfoTypes

List of exclude infoTypes.

JSON representation
{
  "infoTypes": [
    {
      object(InfoType)
    }
  ]
}
Fields
infoTypes[]

object(InfoType)

InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for InspectionRuleSet.info_types containing "PHONE_NUMBER"and exclusionRulecontainingexcludeInfoTypes.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

MatchingType

Type of the match which can be applied to different ways of matching, like Dictionary, regular expression and intersecting with findings of another info type.

Enums
MATCHING_TYPE_UNSPECIFIED Invalid.
MATCHING_TYPE_FULL_MATCH

Full match.

  • Dictionary: join of Dictionary results matched complete finding quote
  • Regex: all regex matches fill a finding quote start to end
  • Exclude info type: completely inside affecting info types findings
MATCHING_TYPE_PARTIAL_MATCH

Partial match.

  • Dictionary: at least one of the tokens in the finding matches
  • Regex: substring of the finding matches
  • Exclude info type: intersects with affecting info types findings
MATCHING_TYPE_INVERSE_MATCH

Inverse match.

  • Dictionary: no tokens in the finding match the dictionary
  • Regex: finding doesn't match the regex
  • Exclude info type: no intersection with affecting info types findings
Was this page helpful? Let us know how we did:

Send feedback about...

Data Loss Prevention API