View alert details

From your list of alerts in the alert center, you can drill down to view more details about individual alerts.

To view alert details:

  1. Sign in to your Google Admin console at admin.google.com with your administrator account.
  2. From the main menu in the upper-left corner of the Admin console, click Security and then Alert center.
    This opens a page that contains a list of the alerts in the alert center.
  3. To view more details, click any item on the page to open the alert-details page.

Each alert type has different details and provides you with different options when responding to an alert. For more information about the alert details for each alert type, see the sections below. See also Understand alert types.

Start an investigation

If you're a G Suite Enterprise administrator, you can start an investigation based on an alert. Click one of the magnifying glass icons on the far-right side of the Alert center page. Or, from the details page, click INVESTIGATE ALERT. You can then use the investigation tool to take action—for example, to wipe a device or suspend a user. For instructions, see Start an investigation.

Device compromised

The Device compromised alert provides details about devices in your domain that have entered a compromised state. A device is considered compromised if it's rooted (for Android devices), if it's jailbroken (for iOS devices), or if it experiences an unusual state change.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the type of device and the device ID.
  • Date—Date and time of the event
  • Device owner—Username of the device owner
  • Device impacted—This section includes device details, such as the device ID, serial number, device type, device model name, and resource ID name.

Suspicious device activity

If a device property is updated—for example, the device ID, serial number, type of device, or device manufacturer—it's considered suspicious device activity. The Suspicious device activity alert provides details about such a security event.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of device properties that were updated, and the device ID.
  • Date—Date and time of the event
  • Device owner—Username of the device owner
  • Device impacted—This section includes details such as the device ID, serial number, device type, model name, and the resource ID name.
  • Received by—Lists the number of recipients and the usernames of the recipients.

The details page also includes a list of device-property updates. This list is included in a table at the bottom of the page. The old value and the new value are displayed for each device property that was updated.

User-reported phishing

A spike in user-reported phishing emails could mean that your domain is experiencing a phishing attack. The User-reported phishing alert provides details about such a security event.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total user reports—Number of user reports
  • Received by—Lists the number of recipients and the usernames of the recipients.

The details page also includes a list of samples of user reports. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject, subject hash, a snippet from the message, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Attacks caused by bad whitelists

Messages classified as spam by Gmail filters might be delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters. As a result, users in your organization might receive phishing messages. The Attacks caused by bad whitelists alert provides details about such a security event.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Source IP—IP address of the sender's domain
  • Whitelist type—Setting in the Google Admin console that overrode the spam filters
  • Message delivery events—Number of events
  • Received by—Lists the number of recipients and the usernames of the recipients.

The details page also includes a list of samples of message delivery events. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Google Operations

The Google Operations alert provides details about security and privacy issues affecting your organization's G Suite services.

The Alert details page includes the following information:

  • Summary—In this section, Google provides a message that includes specific details about the issue or incident. This section varies in size from a few sentences to several paragraphs.
  • Start date—Date and time the incident began
  • End date—Date and time the incident was resolved
  • Users impacted—This section summarizes the number of users that were affected by the incident, and also provides a list of those users. If the list is too large to fit into this section, click View all to view the complete list.
  • Attachments—If available, you can download attachments with any additional details about the incident or issue.

Spike in user reported spam

With this alert, an unusually high volume of messages from an external sender has been marked as spam by users in your domain.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total user reports
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of user reports. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Suspicious message reported

With this alert, an external sender has sent messages to your domain that users have classified as spam.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of suspicious messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total user reports
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of user reports. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Phishing message detected post-delivery

Unopened messages that are detected as phishing post-delivery are automatically reclassified and removed from the user's inbox. However, if a recipient has opened or otherwise interacted with such a message, it will remain in their inbox until manually removed. It is strongly recommended that all opened phishing messages be removed from user inboxes as soon as possible.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total message delivery events
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of message delivery events. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, recipient, attachment hashes, and your primary domain name.

Malware message detected post-delivery

Unopened messages that are detected as malware post-delivery are automatically reclassified and removed from the user's inbox. However, if a recipient has opened or otherwise interacted with such a message, it will remain in their inbox until manually removed. It is strongly recommended that all opened malware messages be removed from user inboxes as soon as possible.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of malware messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total message delivery events
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of message delivery events. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, recipient, attachment hashes, and your primary domain name.
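The two post-delivery alerts above share the same sample-table columns, and both say that opened messages stay in the inbox until an admin removes them. The following added example (not code from the Admin console or from Google) turns constructed sample rows from a phishing alert and a malware alert into a per-recipient removal worklist and flags attachment hashes that appear in both alerts; the dict keys, addresses and hash strings are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample rows, modelled on the columns of the alert-details table
# (date, message ID, subject hash, body hash, recipient, attachment hashes).
# Dict keys, addresses and hash strings are assumptions made up for this example.
SAMPLE_ALERTS = [
    {"type": "Phishing message detected post-delivery",
     "sender": "billing@example.net", "primary_domain": "example.com",
     "messages": [
         {"date": "2020-03-02T09:12:00Z", "message_id": "<m1@example.net>",
          "subject_hash": "subj-aaa", "body_hash": "body-111",
          "recipient": "alice@example.com", "attachment_hashes": ["att-9f1"]},
         {"date": "2020-03-02T09:12:04Z", "message_id": "<m2@example.net>",
          "subject_hash": "subj-aaa", "body_hash": "body-111",
          "recipient": "bob@example.com", "attachment_hashes": ["att-9f1"]},
     ]},
    {"type": "Malware message detected post-delivery",
     "sender": "hr@example.org", "primary_domain": "example.com",
     "messages": [
         {"date": "2020-03-03T14:40:00Z", "message_id": "<m3@example.org>",
          "subject_hash": "subj-bbb", "body_hash": "body-222",
          "recipient": "alice@example.com",
          "attachment_hashes": ["att-9f1", "att-c44"]},
     ]},
]


def removal_worklist(alerts):
    """Map each recipient to the sampled message IDs to remove by hand.

    An opened message stays in the inbox until an admin removes it, so every
    sampled recipient becomes a follow-up item. Output is sorted for stability.
    """
    work = defaultdict(set)
    for alert in alerts:
        for msg in alert["messages"]:
            work[msg["recipient"]].add(msg["message_id"])
    return {user: sorted(ids) for user, ids in sorted(work.items())}


def shared_attachments(alerts):
    """Return attachment hashes that show up in more than one alert type.

    One attachment appearing in both a phishing and a malware alert suggests
    the two alerts belong to a single campaign and should be handled together.
    """
    seen = defaultdict(set)
    for alert in alerts:
        for msg in alert["messages"]:
            for h in msg["attachment_hashes"]:
                seen[h].add(alert["type"])
    return sorted(h for h, types in seen.items() if len(types) > 1)
```

Feed the functions rows copied from the real sample tables and the worklist tells you which inboxes still need a manual cleanup, while a non-empty shared-attachments list is a cue to treat the alerts as one incident.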

Government-backed attack warning

With this alert, administrators receive warnings about potential government-backed attacks. For example, in rare instances, government-backed attackers may try to steal a user's password within your organization.

To further improve the security in your organization, we highly recommend that you reset the passwords of affected users, enforce 2-step verification for the domain, and enforce security keys for your users.

The Alert details page includes the following information:

  • Summary—Description of the alert
  • Date—Date and time of the event
  • Actor

Suspicious login

Google considers login activity suspicious if there's a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location, or if an unauthorized person may have attempted to access a user's account.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details
  • Date login was marked as suspicious
  • Date of login attempt
  • User impacted—Username affected by the suspicious login
  • IP from which the login was detected

Suspicious programmatic login

Like conventional web logins, programmatic logins (through apps) are subject to risk analysis. To help keep Google accounts (through work, school, or other groups) more secure, Google blocks suspicious programmatic logins from accessing Google accounts.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details
  • Date login was marked as suspicious
  • Date of login attempt
  • User impacted—Username affected by the suspicious login
  • IP from which the login was detected

User suspended

When Google detects suspicious activity that suggests an account has been compromised, we proactively suspend the affected user's account.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details
  • Date of login
  • User impacted—Username affected by the suspicious activity

Leaked password

When Google detects compromised credentials, we require a reset of the user's password before the user can sign in again.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date of login
  • User impacted—Username with compromised credentials

User suspended due to suspicious activity

This alert is a generic alert that lets you know that a user has been suspended due to suspicious activity. You can follow up with the user or contact Google support to get more information.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date login was marked as suspicious
  • Date of login attempt
  • User impacted—Username affected by suspicious activity
  • IP address from which the login was detected

User suspended for spamming

When Google detects suspicious activity that suggests an account compromise, such as evidence that a user is sending spam, we proactively suspend the affected user's account.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date
  • User impacted—Username affected by suspicious activity

User suspended for spamming through relay

When Google detects suspicious activity that suggests an account compromise, such as evidence that a user is sending spam through the SMTP relay service, we proactively suspend the affected user's account.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date
  • User impacted—Username affected by suspicious activity

Domain data export initiated

The Domain data export initiated alert provides details about a super administrator for your Google account who has started exporting data from your domain. Once initiated, there is a 48-hour window in which a domain data export may be cancelled before the export process actually begins. If you think this export wasn't intentional, contact G Suite Support.

Data export typically takes 72 hours or more, depending on the size of your domain. You can see the status of the export in the Data Export tool. For more information about the Data Export tool, see Export your organization’s data.

The Alert details page includes the following information:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date
  • Actor—User who initiated the data export

Activity rule

An activity rule is a set of conditions and actions defined by an administrator. If the rule's conditions are met, the rule is triggered, and the corresponding actions are executed automatically. Activity rules automate processes that would otherwise need to be done manually, and can be customized to serve your domain's specific business needs.

As an administrator, you can create a rule that alerts you or takes action based on any search that you configure in the investigation tool. If you configure this rule to trigger an alert, the alert is displayed as an Activity rule in the alert center (for more details, see Create rules with the investigation tool).
