View and edit system-defined rules

Set up admin email alerts based on default rules

As your organization's administrator, you can use system-defined rules to be notified of specific activity within your domain, such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.

You don't create system-defined rules—they are default rules supplied by Google. From the Rules page, you can view and edit system-defined rules—for example, to turn alerts on or off, send email notifications, send alerts to the alert center, or change the severity level (Low, Medium, or High). 

Each system-defined rule includes a default set of conditions, and you specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.

View and edit system-defined rules & email alerts

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in

  2. In the Admin console, go to Menu and then Rules.
  3. Click Add a filter, and then select Type.
  4. Check the System defined box.
  5. Click Apply.
    A list of system defined rules is displayed.
  6. Select one of the rules from the list by clicking the table row for that rule—for example, the Device compromised rule.
    From the Rule details page, you can view the conditions and actions for the rule—for example, to confirm if email notifications are turned on, and to confirm the recipients for those email notifications.
  7. Click Edit Rule.
  8. Click Next: View Conditions.
  9. Click Next: Add Actions.
    From the Actions page, you can change the severity for the alert to Low, Medium, or High, send an alert to the alert center if the rule's conditions are met, set up admin email notifications, and specify recipients for those notifications.
  10. Click Next: Review.
  11. Review the updated rule details, and then click Update Rule.


  • On the Rules page, a system-defined rule is listed as Inactive if you have turned off alerts for that rule.
  • When you turn on an alert for a rule, you'll receive an email each time the conditions for that rule are met, up to 25 emails in 2 hours.
  • Some alerts are limited or unavailable if you’re using an external SSO ldP.
  • System-defined rules can only be configured to send email to internal domain users.

Types of admin alerts based on system-defined rules

User activity alerts
  • Approaching Gemini usage limit—User is approaching a Gemini for Workspace usage limit.
  • Apps outage alert—New, updated, or resolved outage on the Status Dashboard (Google Workspace only).
  • Gmail potential employee spoofing—Incoming messages were received where a sender’s name is in your Google Workspace directory, but the mail is not from your company’s domains or domain aliases.
  • Leaked password—Google detected compromised credentials requiring a reset of a user's password.
  • New user added—A new user was added to the domain.
  • Suspended user made active—An admin restored a suspended user.
  • Suspicious login—Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location.
  • Suspicious message reported—Users at your domain received messages that they've classified as spam.
  • Suspicious programmatic login—Google detected suspicious login attempts from applications or computer programs.
  • User deleted—A user was deleted from the domain.
  • User granted Admin privilege—A user was granted an admin privilege.
  • User-reported phishing—Users at your domain received messages that they've classified as phishing.
  • User suspended (by admin)—An admin suspended a user.
  • User suspended due to suspicious activity—Google suspended a user's account due to detection of a potential compromise.
  • User suspended for spamming—Google detected suspicious activity, such as spamming, and suspended the account.
  • User suspended for spamming through relay—Google detected suspicious activity, such as spamming through an SMTP relay service, and suspended the account.
  • User suspended (Google identity alert)—Google detected suspicious activity and suspended the account.
  • User's Admin privilege revoked—A user's admin privilege was revoked.
  • User’s password changed—An admin changed a user's password.

Note: Changes made to the following rules can take up to 24 hours to take effect: New user added, Suspended user made active, User deleted, User granted Admin privilege, User suspended (by admin), User's Admin privilege revoked, and User’s password changed.

Mobile device activity alerts
  • Device compromised—Provides details about devices in your domain that have entered a compromised state.
  • Suspicious device activity—Provides details if device properties, such as device ID, serial number, type of device, or device manufacturer, are updated.
Email activity alerts (Google Workspace only)
  • Exchange journaling failure—Failures with Exchange journaling, which ensures email traffic generated by Microsoft Exchange server users is properly archived in Google Vault.
  • Malware message detected post-delivery—Messages detected as malware post-delivery that were automatically reclassified.
  • Phishing in inboxes due to bad whitelist—Messages classified as spam by Gmail filters delivered to user inboxes due to allowlist settings in the Google Admin console that override the spam filters.
  • Phishing message detected post-delivery—Messages detected as phishing post-delivery that are automatically reclassified.
  • Rate limited recipient—A high rate of incoming email indicating a potential malicious attack or misconfigured setting.
  • Smarthost failure—If you set up a smart host for incoming or outgoing mail, this alert informs you if a large number of messages can’t be delivered to one of your smart host servers.
  • Spike in user-reported spam—An unusually high volume of messages from a sender that users have marked as spam.
  • TLS failure—Messages requiring Transport Layer Security (TLS) can't be delivered.
Alerts for setting changes by other administrators
  • Calendar settings changed (Google Workspace only)—An admin has changed Google Workspace Calendar settings.
  • Domain data export initiated—A super administrator for your Google account has started exporting data from your domain.
  • Drive settings changed (Google Workspace only)—An admin has changed Google Workspace Drive settings.
  • Email settings changed (Google Workspace only)—An admin has changed Google Workspace Gmail settings.
  • Mobile settings changed—An admin has changed mobile management settings.

Note: Changes made to the following rules can take up to 24 hours to take effect: Calendar settings changed, Drive settings changed, Email settings changed, and Mobile settings changed.

General alerts
  • Access Approvals—A Google staff member has requested access to your organization's Google Workspace data.
  • Google mandatory service announcement—Email communication to primary admins that's necessary for the continued use of a product or service, or that's considered a necessary legal update.
  • Google Operations—Provides details about security and privacy issues that affect your Google Workspace services.
  • Government-backed attacks—Warnings about potential government-backed attacks.

Note: When editing the Google Operations rule, you can't remove the primary super administrator from the recipient list for email notifications.

Related articles

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu