To help prevent, detect, and remediate security issues more quickly and efficiently, you can set up alerts and automate actions in the investigation tool by creating activity rules.
To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.
As an administrator, you can create an activity rule that alerts you or takes action based on any search that you configure in the investigation tool. After you configure the activity rule, Google will continuously perform a search that you have specified in the rule. If the number of results returned by that search exceeds the threshold that you have set up, then Google will perform the actions that you specify. For example, you can set up a rule to send email notifications to certain administrators if Drive documents are shared outside the company.
Admin access to activity rules
Your ability to create and view activity rules depends on your Google Workspace edition, your administrative privileges, and the data source. For details, go to Admin access to reporting rules & activity rules.
Important guidelines for creating activity rules
- You can only create activity rules based on log event data sources—for example, Gmail log events or Device log events. You can't create activity rules based on live-state data sources such as Chrome browsers, Devices, Gmail messages, and Users.
- Available data sources will vary depending on your Google Workspace edition. For more details, go to Customize searches with the investigation tool.
- You must add at least one event attribute to the search.
- You can include an OR operator at the top level only if you include an Event condition along every conditional path.
- You can only add a single value for the attribute. For example, Actor can only include one user. To include multiple values, use the Condition Builder to add an OR operator, and then add the same attribute with additional value.
- You can't use date filters for activity rules (since the rules are evaluated continuously).
- You must add at least one action or alert to the rule.
- Because activity rules are based on log events, they trigger after the event happens. Therefore, activity rules aren't suitable for things like blocking or sharing a document or sending emails.
How rule thresholds work
When you set a threshold for a rule, it's applied cumulatively across user actions, not on a per-user basis. For example, let's say you create a rule to suspend users after 5 failed login attempts within 1 hour. The threshold is reached when there are 5 failed login attempts for one or more users within 1 hour. In this case, all users with at least one failed login attempt would be suspended.
Create an activity rule
You can create an activity rule either from the security investigation tool or from the Rules page.
Follow these steps:
From the Admin console Home page, go to Security > Investigation tool, and click Create activity rule.
From the Admin console Home page, go to Rules, and then click Create rule > Activity.
- Enter a Rule name—for example, External data sharing.
- Enter a Description—for example, Notify if documents are shared outside the company.
- Click Next: View conditions.
- Choose a Data source for the rule—for example, Admin log events.
Note: The availability of data sources varies depending on your Google Workspace edition and your admin privileges. For details, go to Admin access to reporting rules & activity rules and Data sources & conditions in the investigation tool.
- Set up one or more conditions for the rule. For each condition, choose an attribute, an operator, and a value.
For example, to set up a condition that specifies that the event is a transfer of document ownership, choose Event as the attribute, choose Is as the operator, and Doc Settings > Transfer document ownership as the value.
Note: Event is a required condition. For details about conditions that are available for each data source, see Data sources & conditions in the investigation tool.
- Click Next: Add actions.
Note: When creating an activity rule, you can't add actions for Drive log events.
- Define a time period and a threshold for the rule. For example, you can configure a threshold of Every 24 hours when the count is greater than 100. This means for any given period of 24 hours, if your search returns more than 100 results, you want this rule to trigger.
- Select an Action for the rule—for example, to suspend users or force a password change.
- Choose whether or not you want this rule to trigger an alert in the alert center.
- Choose a severity of High, Medium, or Low.
- If you choose to trigger an alert to the alert center, you can also choose to send email notifications by checking the All super administrators box, and/or by clicking Add email recipients to send emails to select administrators when the rule is triggered.
- Click Next: Review.
Use this page to review all of the details of the rule and to make any changes, if needed, before creating the rule.
- Review the Rule status.
When creating an activity rule, the rule status is Active by default, which means the system will begin collecting logs, and the rule will be enforced. You also have the option to set the rule status to Monitor, which enables you review logs before enforcing the rule. Later, you can also set the rule to Inactive, which means the system is no longer collecting logs, and the rule isn't enforced.
- Click Create rule.
Note: When setting up an activity rule, you can use the Condition builder tab, where filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
Rules page: View and edit your activity rules
After you create an activity rule, you can go to the Rules page to view the rule’s details and scope, the conditions for the rule, and the actions that are triggered when thresholds are met.
From the Rules page, you can also see a list of all rules that have been created by administrators in your domain. Go to the Google Admin console home page, and click Rules.
From the Rules page, administrators within your domain are able to view rules created by other administrators, depending on the data source for the rule and the privileges of each administrator. For example, an administrator might have view privileges for Drive log events, but not for Gmail log events, and therefore they’re unable to view any rules that are based on Gmail log events.
You can use the Rules page to take the following actions:
- Filter the list of rules by clicking Add a filter.
- View and edit rule details by clicking one of the rules listed on the Rules page.
- Delete rules.
- Create new rules.
- Click Investigate to open the investigation tool to view data from Rules log events.
If you set up email notifications for your rule, emails are sent to specified recipients when the rule is triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, the threshold details, source data, and more. Administrators who receive the email notification can click View Alert to be taken to the Alert details page in the alert center.
Note: Multiple events that trigger the same rule within the alert threshold time window are aggregated into one email.