Recommended actions: Take action in response to alerts

Supported editions for this feature: Enterprise Plus; Education Standard and Plus.

As a Google Workspace administrator, you can keep your domain more secure by quickly taking action in response to many of the alerts in the alert center. You can do this from the Recommended actions section on the alert details page.

For example, if you receive a Gmail potential employee spoofing alert, you can go to the Recommended actions section, and then click Mark as phishing to move messages to your users' spam folders, or you can block a device when you receive a Compromised device alert. 

Use recommended actions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. On the Admin console Home page, go to Security and then Alert center.
  3. Click one of the items on the page to open the Alert details page.
  4. From the Recommended actions section, click the recommended action (for example, Delete message or Mark as phishing).
  5. Enter an explanation or reason for the action, and then click the action to confirm—for example, click Delete message or Mark as phishing.

    For the complete list of recommended actions that are available in the alert center, and for the required privileges, see the section below.

Alerts, recommended actions, and required privileges

The following recommended actions are available for some alerts in the alert center:

  • Mark as phishing—Mark the message that triggered the alert as phishing.
  • Delete message—Delete the message that triggered the alert.
  • Appeal suspension—Appeal an account suspension specified in the Account suspension warning alert.
  • Suspend user—Suspend users specified in the alert.
  • Restore user—Restore users specified in the alert.
  • Block device—Block the device that triggered the alert. This blocks access to Google Workspace data on the device. The user can still access their Gmail, Calendar, and contacts from a desktop computer or mobile browser.

To use recommended actions in the alert center, you need privileges for the investigation tool. Super administrators have these privileges by default, or you can add them to a custom administrator role. For instructions on setting privileges, see Admin privileges for the investigation tool.

For a list of alerts that include recommended actions, and for the required privileges for each alert, see the table below.

| Alert name | Action | Required privileges |
| --- | --- | --- |
| Gmail potential employee spoofing | Mark as phishing | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Malware message detected post-delivery | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Phishing message detected post-delivery | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| User-reported phishing | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Phishing in inboxes due to bad whitelist | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Spike in user reported spam | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Suspicious message reported | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Account suspension warning | Appeal suspension | Available to all administrators who access the alert center |
| Leaked password | Suspend user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| Suspicious login | Suspend user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| Suspicious programmatic login | Suspend user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended | Restore user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended due to suspicious activity | Restore user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended for spamming | Restore user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended for spamming through relay | Block device | Investigation Tool > Device > Update or Delete; Investigation Tool > Device > View Metadata and Attributes |
| Device compromised | Block device | Investigation Tool > Device > Update or Delete; Investigation Tool > Device > View Metadata and Attributes |
| Suspicious device activity | Block device | Investigation Tool > Device > Update or Delete; Investigation Tool > Device > View Metadata and Attributes |
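
When you scope a custom administrator role for alert response, the table above can be turned into a least-privilege check. The following is an added example, not Google's code: it reports which recommended actions a role can take for the alert types it is expected to handle, which privileges are missing, and which are granted but not needed. The privilege strings are the display names from the table (not Admin SDK identifiers); `audit_role`, `MAIL_TRIAGE` and the sample role are hypothetical and constructed for illustration.

```python
def _pair(resource):
    # Display names as shown in the table, not Admin SDK privilege identifiers.
    prefix = f"Investigation Tool > {resource} > "
    return frozenset({prefix + "Update or Delete",
                      prefix + "View Metadata and Attributes"})

GMAIL, USER, DEVICE = _pair("Gmail"), _pair("User"), _pair("Device")

# Alert name -> (recommended action, required privileges), transcribed from the table.
ALERTS = {
    "Gmail potential employee spoofing": ("Mark as phishing", GMAIL),
    "Malware message detected post-delivery": ("Delete message", GMAIL),
    "Phishing message detected post-delivery": ("Delete message", GMAIL),
    "User-reported phishing": ("Delete message", GMAIL),
    "Phishing in inboxes due to bad whitelist": ("Delete message", GMAIL),
    "Spike in user reported spam": ("Delete message", GMAIL),
    "Suspicious message reported": ("Delete message", GMAIL),
    "Account suspension warning": ("Appeal suspension", frozenset()),
    "Leaked password": ("Suspend user", USER),
    "Suspicious login": ("Suspend user", USER),
    "Suspicious programmatic login": ("Suspend user", USER),
    "User suspended": ("Restore user", USER),
    "User suspended due to suspicious activity": ("Restore user", USER),
    "User suspended for spamming": ("Restore user", USER),
    "User suspended for spamming through relay": ("Block device", DEVICE),
    "Device compromised": ("Block device", DEVICE),
    "Suspicious device activity": ("Block device", DEVICE),
}

def audit_role(granted, duty_alerts):
    """Compare a role's privileges with what its assigned alert types require."""
    granted = frozenset(granted)
    known = [a for a in duty_alerts if a in ALERTS]
    needed = frozenset().union(*(ALERTS[a][1] for a in known))
    gaps = {a: sorted(ALERTS[a][1] - granted) for a in known}
    return {
        "unknown_alerts": sorted(set(duty_alerts) - set(known)),  # not in the table
        "actions": {a: ALERTS[a][0] for a in known if not gaps[a]},
        "blocked": {a: g for a, g in gaps.items() if g},  # alert -> missing privileges
        "excess": sorted(granted - needed),  # granted but not needed for these alerts
    }

# Constructed sample: a mail-triage role that was also given one device privilege.
MAIL_TRIAGE = GMAIL | {"Investigation Tool > Device > Update or Delete"}
REPORT = audit_role(MAIL_TRIAGE, ["User-reported phishing", "Leaked password"])
```
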
