Use the alert center

The alert center includes two types of pages:

  • A list of alerts affecting your domain—This page is displayed after you sign in to the Google Admin console and navigate to the alert center. This list can span several pages, depending on the number of alerts that are active.
  • A details page that provides more information about each alert—You can access the details by clicking any item on the list of alerts. 

To get started with the alert center:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Menu and then Security and then Alert center.

 

View your list of alerts

After opening the alert center, a list is displayed that specifies the various alerts that are affecting your domain. Using this list, you can quickly determine how many alerts are currently active. Items in this list include a short description for each alert, the alert type, and the date for the alert.

See the sections below for more information.

Use filters to narrow your list of alerts

The alert center provides an overview of the different types of alerts that are affecting your domain. You can narrow the list that's displayed in the Alert Center by filtering for certain types of alerts or by filtering for a range of dates, or both. You can also create filters based on other alert criteria—for example, status, severity, assignee, or user email.

Display specific alert types:

  1. From the list view in the alert center, click Add a filter.
  2. Choose your criteria for the filter from the list—for example, click Alert type.
  3. From the Alert type window, check the boxes for the relevant alert types.
  4. Click APPLY.

    After applying your filter, a list is displayed that corresponds to the relevant alert types. You can then click any item in the list to view details about an alert.

Display alerts in specific date ranges: 

  1. From the list view in the alert center, click Add a filter.
  2. Choose your criteria for the filter from the list—for example, click Date range.
  3. From the Date range window, select a date range for the alert.
  4. Click APPLY.

    After applying your filter, a list is displayed that corresponds to the alerts in the date range that you specified. You can then click any item in the list to view details about an alert.

Save a set of alert filters

If you need to use a set of filters in the alert center more than once, you can save that set of filters, and then return to them later as needed. To save a set of alert filters:

  1. From the list view in the alert center, click Add a filter.
  2. Choose your criteria for the filter from the list—for example, click Status.
  3. From the Status window, check Not started, In progress, or Closed.
  4. Click APPLY.
  5. Click Saved Filters.
  6. Click SAVE CURRENT FILTER.
  7. Type a name for the filter—for example, type Status not started.
  8. Click SAVE.

Note:

  • You can later access your saved filters by clicking Saved Filters and clicking a previously saved filter name.
  • You can delete a saved filter by clicking Saved Filters, highlighting one of the filters, and clicking the delete icon.
  • You can save up to 20 filters at one time.

Another option for saving filters: When you apply a filter on the alert center's list page, a query parameter is added to the URL on your browser. You can save this URL and enter it in a separate session to display your previously applied filters.

Start an investigation

If you're a G Suite Enterprise administrator, you can start an investigation based on an alert. Click one of the magnifying glass icons on the far-right side of the Alert center page. Or, from the details page, click INVESTIGATE ALERT. You can then use the investigation tool to take action—for example, to wipe a device or suspend a user. For instructions, see Start an investigation.

View alert details

To view more details about any alert, click any item on the page to open the alert-details page. For more information, see View alert details.

Provide feedback on alerts

Alerts are generated based on a machine-learning system so that billions of signals can be taken into consideration to discover threats. For these alerts, you can tell us if this alert was correct or useful—which improves the accuracy of the alerts over time. This feedback is only used to improve signals for your domain, and is not shared outside of your organization.

Any administrator in your domain with full access to the alert center can provide feedback.

For more details, see Provide feedback on alerts.

View alert history

You can view an alert's history on the Alert details page by going to the Alert history section. This enables you to view changes administrators make to an alert, capture other historical details, and keep an audit history of alerts that have been resolved.

For example, if an administrator changes the alert status from Not started to Closed, or if there's a change to the alert assignee or the alert severity, the Alert history section provides a record of that change, including the email address of the administrator, and the date and time the change was made. 

Add comments to alerts

As an administrator, you can add comments to the Alert history section of the Alert details page.

Adding comments enables you to keep a more detailed record—for audit/historical reasons—of any actions you take in relation to an alert. For example, you might want to type a reminder that you performed a password reset on a certain date and notified the user. By adding a note to the comments section, you can more easily remember what happened at a later time.

Adding comments also enables you to share the history of an alert with colleagues, and discuss the next steps. You can also provide more details when you change an alert's status—for example, if you change it from In progress to Closed. You can also add a comment when you're reassigning an alert, or to provide links to related resources.

From the Alert history section of the Alert details page, type your comment, and click SAVE. Your username is then displayed next to the comment, as well as the date and time. If needed, you can later delete a comment that you added to this page.

View related alerts

From the alert details page, you can view a list of related alerts. This list enables you to quickly scan for alerts that have similar details, such as the same user email address.

Similar to the main alert center page, you can use the list of related alerts to give alert quality feedback or start an investigation related to that alert. You can click any alert in the list to open the details page for that alert.

About the 'Last updated' column on the list page

The list page in the alert center includes a Last updated column, which provides the date and time that each alert was last updated.

An alert is considered updated if new data from the alert’s source has been added. For example, a Gmail alert involving 10 emails one day may involve 20 the next day, and such a change is considered an update on the list page. However, user-driven changes—such as edits to assigneestatus, or severity—are not considered alert updates.

Related articles

Was this helpful?
How can we improve it?