As your organization's administrator, you can use system-defined rules to be notified of specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.
You don't create system defined rules—they are default rules supplied by Google. From the Rules page, you can view and edit system-defined rules—for example, to turn alerts on or off, send email notifications, send alerts to the alert center, or change the severity level (Low, Medium, or High).
Each system-defined rule includes a default set of conditions, and you specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.
View and edit system-defined rules & email alerts
In the Admin console, go to Menu Rules.
- From the Rules page, click Add a filter.
- From the drop-down menu, select Rule type.
- Check the System defined box.
- Click Apply.
A list of system defined rules is displayed.
- Select one of the rules from the list by clicking the table row for that rule—for example, the Device compromised rule.
From the Rule details page, you can view the conditions and actions for the rule—for example, to confirm if email notifications are turned on, and to confirm the recipients for those email notifications.
- Click Edit Rule.
- Click Next: View Conditions.
- Click Next: Add Actions.
From the Actions page, you can change the severity for the alert to High, Medium, or Low, send an alert to the alert center if the rule's conditions are met, set up admin email notifications, and specify recipients for those notifications.
- Click Next: Review.
- Review the updated rule details, and then click Update Rule.
- On the Rules page, a system-defined rule is listed as Inactive if you have turned off alerts for that rule.
- When you turn on an alert for a rule, you'll receive an email each time the conditions for that rule are met, up to 25 emails in 2 hours.
- Some alerts are limited or unavailable if you’re using an external SSO ldP.
Types of admin alerts based on system-defined rulesUser activity alerts
- Apps outage alert—New, updated, or resolved outage on the Status Dashboard (Google Workspace only)
- Gmail potential employee spoofing—Incoming messages were received where a sender’s name is in your Google Workspace directory, but the mail is not from your company’s domains or domain aliases.
- Leaked password—Google detected compromised credentials requiring a reset of a user's password.
- Suspicious message reported—Users at your domain received messages that they've classified as spam.
- Suspicious programmatic login—Google detected suspicious login attempts from applications or computer programs.
- Suspicious login—Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location.
- User’s password changed—An admin changed a user's password.
- New user added—A new user was added to the domain.
- User deleted—A user was deleted from the domain.
- User suspended (by admin)—An admin suspended a user.
- User suspended (Google identity alert)—Google detected suspicious activity and suspended the account.
- User suspended due to suspicious activity—Google suspended a user's account due to a potential compromise detected.
- User suspended for spamming—Google detected suspicious activity such as spamming and suspended the account.
- User suspended for spamming through relay—Google detected suspicious activity such as spamming through an SMTP relay service and suspended the account.
- User granted Admin privilege—A user was granted an admin privilege.
- User's Admin privilege revoked—A user's admin privilege was revoked.
- Suspended user made active—An admin restored a suspended user.
- User-reported phishing—Users at your domain received messages that they've classified as phishing.
- Device compromised—Provides details about devices in your domain that have entered a compromised state.
- Suspicious device activity—Provides details if device properties such as device ID, serial number, type of device, or device manufacturer are updated.
- Exchange journaling failure—Failures with Exchange journaling, which ensures email traffic generated by Microsoft Exchange server users is properly archived in Google Vault.
- Malware message detected post-delivery—Messages detected as malware post-delivery that were automatically reclassified.
- Phishing in inboxes due to bad whitelist—Messages classified as spam by Gmail filters delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters.
- Phishing message detected post-delivery—Messages detected as phishing post-delivery that are automatically reclassified.
- Rate limited recipient—A high rate of incoming email indicating a potential malicious attack or misconfigured setting.
- Smarthost failure—If you set up a smart host for incoming or outgoing mail, this alert informs you if a large number of messages can’t be delivered to one of your smart host servers.
- Spike in user-reported spam—An unusually high volume of messages from a sender that users have marked as spam.
- TLS failure—Messages requiring Transport Layer Security (TLS) can't be delivered.
- Calendar settings changed (Google Workspace only)—An admin has changed Google Workspace Calendar settings.
- Domain data export initiated—A super administrator for your Google account has started exporting data from your domain.
- Drive settings changed (Google Workspace only)—An admin has changed Google Workspace Drive settings.
- Email settings changed (Google Workspace only)—An admin has changed Google Workspace Gmail settings.
- Mobile settings changed—An admin has changed mobile management settings.
- Access Approvals—A Google staff member has requested access to your organization's Google Workspace data.
- Google mandatory service announcement—Email communication to primary admins that's necessary for the continued use of a product or service, or that's considered a necessary legal update.
- Google Operations—Provides details about security and privacy issues that affect your Google Workspace services.
- Government-backed attacks—Warnings about potential government-backed attacks.
Note: When editing the Google Operations rule, you cannot remove the primary super administrator from the recipient list for email notifications.
- Create and manage rules from the Rules page
- Create activity rules with the investigation tool
- Admin access to reporting rules & activity rules
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.