Administrators with the Reports privilege were automatically assigned the Audit and Investigation View, Activity Rules View, and Activity Rules Manage privileges.
As an administrator, you can set up activity rules in the Google Admin console to send notifications or take action in response to activity within your domain. Use activity rules to help prevent, detect, and remediate security issues more quickly and efficiently. Activity rules can be created from the security investigation tool or from the Rules page.
To configure a rule, you set up conditions for the rule, and specify what notifications or actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.
Google will continuously perform the search specified in the activity rule. If the number of results returned by that search exceeds the threshold that you have set up, then Google will perform the notifications and actions that you specify. For example, you can set up a rule to send email notifications to certain administrators if Drive documents are shared outside the company.
Guidelines for creating activity rules
Access to activity rules and features
Admin access to activity rules
Your ability to create and view activity rules depends on your administrative privileges, and the data source. For details, go to Admin access to activity rules.
Features for all Google Workspace editions
All Google Workspace editions can create and edit activity rules that send notifications. Notifications include alerts and emails. Administrators can access activity rules from the Rules page or from Reporting > Audit and investigation > data source.
Non-premium Google Workspace editions support:
- AND filters only, with up to 5 conditions
- No nested conditions
Features for premium Google Workspace editions
Google Workspace premium editions (for example, Enterprise Plus) can also use the security investigation tool to create activity rules that automatically take action when activity occurs.
Premium Google Workspace editions also support:
- OR filters
- Setting actions in the triggers
- Setting thresholds for the triggers
- More than 5 conditions in the rule
- The rule can have more than one level of conditions
Note: Administrators with premium Workspace editions can edit activity rules created by administrators of non-premium editions. Administrators with non-premium Workspace editions cannot edit rules that use premium features.
Important guidelines for creating activity rules
- You can only create activity rules based on log event data sources—for example, Gmail log events or Device log events. You can't create activity rules based on live-state data sources such as Chrome browsers, Devices, Gmail messages, and Users.
- Available data sources will vary depending on your Google Workspace edition. For more details, go to Customize searches with the investigation tool.
- You must add at least one event attribute to the search.
- You can include an OR operator at the top level only if you include an Event condition along every conditional path.
- You can only add a single value for each attribute. For example, Actor can only include one user. To include multiple values, use the Condition Builder to add an OR operator, and then add the same attribute again with an additional value.
- You can't use date filters for activity rules (since the rules are evaluated continuously).
- You must add at least one action or alert to the rule.
- Because activity rules are based on log events, they trigger after the event has already happened. Activity rules are therefore not suitable as preventive controls, such as blocking a document from being shared or an email from being sent; they can only notify or remediate afterwards.
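The guidelines above can be checked before you build a rule in the console. The following Python checker is an added example written for this page, not Google's code and not an API the Admin console exposes: the condition-tree shape (a leaf is an attribute, operator and value; a group is AND or OR over children), the attribute names and the edition flag are assumptions made so the guidelines can be applied to data. It encodes only the constraints stated in the list, and extends the "OR at the top level" guideline to an OR at any level, which is what "along every conditional path" implies.

```python
"""Added example: checker for the activity-rule condition guidelines.

Not Google code and not a Google API. The tree shape is an assumption:
a leaf is (attribute, operator, value); a group is ("AND", [children])
or ("OR", [children]).
"""

GROUPS = ("AND", "OR")


def _nodes(node):
    """Yield node and every node below it."""
    yield node
    if node[0] in GROUPS:
        for child in node[1]:
            yield from _nodes(child)


def _event_on_every_path(node):
    """True if an Event condition lies on every root-to-leaf path."""
    if node[0] == "AND":
        return any(_event_on_every_path(c) for c in node[1])
    if node[0] == "OR":
        return all(_event_on_every_path(c) for c in node[1])
    return node[0] == "Event"


def _depth(node):
    """Nesting depth of groups (a flat AND group has depth 1)."""
    if node[0] in GROUPS:
        return 1 + max((_depth(c) for c in node[1]), default=0)
    return 0


def validate_conditions(tree, premium):
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    leaves = [n for n in _nodes(tree) if n[0] not in GROUPS]
    if not any(leaf[0] == "Event" for leaf in leaves):
        problems.append("at least one Event condition is required")
    elif not _event_on_every_path(tree):
        problems.append("an OR requires an Event condition on every path")
    for attr, _op, value in leaves:
        if attr == "Date":
            problems.append("date filters are not allowed; rules run continuously")
        if isinstance(value, (list, tuple, set)):
            problems.append(f"{attr}: one value per condition; use OR for several")
    if not premium:
        if any(n[0] == "OR" for n in _nodes(tree)):
            problems.append("OR filters need a premium edition")
        if len(leaves) > 5:
            problems.append("more than 5 conditions needs a premium edition")
        if _depth(tree) > 1:
            problems.append("nested conditions need a premium edition")
    return problems


# Constructed examples using the Drive ownership-transfer event from the text.
OWNERSHIP = ("Event", "Is", "Transfer document ownership")
# Two Actor values expressed the permitted way: OR over two AND groups.
VALID = ("OR", [
    ("AND", [OWNERSHIP, ("Actor", "Is", "alice@example.com")]),
    ("AND", [OWNERSHIP, ("Actor", "Is", "bob@example.com")]),
])
# The right-hand OR branch has no Event condition, so this is rejected.
INVALID = ("OR", [OWNERSHIP, ("Actor", "Is", "bob@example.com")])

if __name__ == "__main__":
    print(validate_conditions(VALID, premium=True))
    print(validate_conditions(INVALID, premium=True))
    print(validate_conditions(VALID, premium=False))
```

The same VALID tree passes for a premium edition and fails twice for a non-premium one (it uses OR and it nests groups), which is the distinction the feature lists above draw.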
Email notifications
If you set up email notifications for your rule, the activity rule will only send one notification email per threshold window when the rule is first triggered and won't send notifications for the other times it's triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, the threshold details, source data, and more. Administrators who receive the email notification can click View Alert to be taken to the Alert details page in the alert center.
To minimize notifications, organizations with a premium Workspace edition can create rules with thresholds that trigger notifications only when the event occurs more than a specific number of times over a given timeframe. For example, the first time an event triggers a rule, a new alert is added in the Alert Center and an email is sent (if configured for the rule). If the rule has a 1-hour threshold, additional events within that time are added to the same alert. Additional email notifications are not sent until the threshold time is passed.
Notes:
- Emails and alerts triggered by a rule with a threshold do not include an event description.
- Activity rules can only be configured to send email to internal domain users. However, admins can still configure external email alerts using Google Groups.
How rule thresholds work
When you set a threshold for a rule, it's applied cumulatively across user actions, not on a per-user basis. For example, let's say you create a rule to suspend users after 5 failed login attempts within 1 hour. The threshold is reached when there are 5 failed login attempts for one or more users within 1 hour. In this case, all users with at least one failed login attempt would be suspended.
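The cumulative counting described in the two sections above is easy to misread, so here is a small replay of it. This is an added example written for this page, not Google code, and it calls no Google API: the event dictionaries, timestamps and rule field names are constructed assumptions. It shows the two behaviours the text states: the threshold is met by failures from any mix of users, and once the rule fires, one email goes out and further matching events inside the threshold window are folded into the same alert.

```python
"""Added example: replay sample log events against a threshold rule.

Illustrative model only, not Google code or a Google API. Event shape,
rule fields and timestamps are constructed assumptions.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed login events, not real audit data. Nobody fails 5 times alone.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event": "login_failure", "actor": "alice@example.com"},
    {"time": "2024-05-01T09:05:00", "event": "login_failure", "actor": "alice@example.com"},
    {"time": "2024-05-01T09:10:00", "event": "login_success", "actor": "carol@example.com"},
    {"time": "2024-05-01T09:12:00", "event": "login_failure", "actor": "alice@example.com"},
    {"time": "2024-05-01T09:20:00", "event": "login_failure", "actor": "alice@example.com"},
    {"time": "2024-05-01T09:30:00", "event": "login_failure", "actor": "bob@example.com"},
    {"time": "2024-05-01T09:45:00", "event": "login_failure", "actor": "dave@example.com"},
    {"time": "2024-05-01T11:00:00", "event": "login_failure", "actor": "erin@example.com"},
]

# "Suspend users after 5 failed login attempts within 1 hour" (field names assumed).
RULE = {
    "event": "login_failure",
    "threshold_count": 5,
    "window": timedelta(hours=1),
    "action": "SUSPEND_USER",
    "email": True,
}


def per_user_counts(events, rule):
    """What an admin might expect the rule to count: failures per actor."""
    return Counter(e["actor"] for e in events if e["event"] == rule["event"])


def evaluate(events, rule):
    """Replay events in time order and return (alerts, emails_sent, actions).

    The count is cumulative across all actors inside a sliding window. When
    it reaches the threshold, every actor with at least one matching event
    in the window is actioned, one alert is opened and one email is sent.
    Later matches inside that window are appended to the open alert with no
    new email. Whether those later events also trigger actions is not stated
    on the page and is not modelled here.
    """
    recent = deque()            # (timestamp, event) pairs inside the window
    alerts, actions, emails = [], [], 0
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] != rule["event"]:
            continue
        now = datetime.fromisoformat(ev["time"])
        recent.append((now, ev))
        while now - recent[0][0] > rule["window"]:
            recent.popleft()
        if alerts and alerts[-1]["expires"] > now:
            alerts[-1]["events"].append(ev)   # same alert, no new email
            continue
        if len(recent) >= rule["threshold_count"]:
            for actor in sorted({e["actor"] for _, e in recent}):
                actions.append((rule["action"], actor))
            alerts.append({"opened": now, "expires": now + rule["window"],
                           "events": [e for _, e in recent]})
            if rule["email"]:
                emails += 1
    return alerts, emails, actions


if __name__ == "__main__":
    print("per-user failures:", dict(per_user_counts(SAMPLE_EVENTS, RULE)))
    alerts, emails, actions = evaluate(SAMPLE_EVENTS, RULE)
    print("alerts:", len(alerts), "emails:", emails, "actions:", actions)
```

In the sample, no single account reaches 5 failures, yet the rule fires at bob's first failure and suspends both alice and bob; dave's later failure joins the open alert without a second email, and erin's failure after the window starts a fresh count. Before attaching a suspend or password-reset action to a threshold rule, consider that failed logins spread across several accounts will action all of them, including accounts with a single failure.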
Create an activity rule
You can create an activity rule either from the security investigation tool or from the Rules page.
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Create a rule (all Google Workspace editions): from the Admin console Home page, go to Rules, and then click Create activity rule.
—OR—
Go to Reporting > Audit and investigation > select a data source > Create activity rule.
Note: Premium Google Workspace editions can also go to Security > Security Center > Investigation tool, and click Create activity rule.
- Enter the rule details and click Continue:
- Rule name—for example, External data sharing.
- Description—for example, Notify if documents are shared outside the company.
- In the Conditions page, define when the rule will trigger:
- Choose a Data source for the rule—for example, Admin log events.
Note: The availability of data sources varies depending on your Google Workspace edition and your admin privileges. You can't add actions for Drive log events. For details, go to Admin access to activity rules and Data sources for the security investigation tool.
- Click the Filter tab to filter the search results using simple parameters such as Contains, Does not contain, Is or Is not.
- Click the Condition builder tab to filter the search results using AND/OR operators. For each condition, choose an attribute, an operator, and a value.
For example, to set up a condition that specifies that the event is a transfer of document ownership, choose Event as the attribute, choose Is as the operator, and Doc Settings > Transfer document ownership as the value.
Note: Event is a required condition. For details about conditions that are available for each data source, see Data sources for the security investigation tool.
- Click Add Condition to add additional conditions, or click Continue.
- (Premium editions only) Select an option:
- Every time the event occurs—Send notifications and/or take actions every time the event occurs.
- If the event frequency meets a specific threshold—Select the options to trigger notifications and/or actions when the event occurs more than a specific number of times over a given timeframe. For example, If the event happens more than 10 times in 1 hour.
- (Premium editions only) Click Add Action to perform an action when the event occurs or the threshold is passed.
- For example, suspend users or force a password change when the event occurs.
- Click Add Action to create additional actions.
- Under Notification, select the options:
- Alert center—(Recommended) Send an alert to the Alert Center. Alerts include in-depth details so you can take action against issues and support collaborative resolution with other administrators in your organization.
- Email—Send email notifications to:
- All super admins—Send emails to all super administrators.
- Add email recipients—Send emails to select administrators.
- Notification frequency—The maximum number of alerts and/or emails that will be sent in a given time. Use this setting to prevent excessive alerts and emails for the same event.
- All Workspace editions—Enter a threshold. The default is Up to 5 an hour.
- Premium Workspace editions—Can also select Every time the event occurs.
- Severity—The severity level that is displayed for the event.
- Select the Rule status.
- Active (default)—The system collects logs and the rules are enforced.
- Monitor—The system collects logs, but the rules are not enforced. Use this option to review logs before enforcing the rule.
- Inactive—Logs are not collected and the rule isn't enforced.
- Click Continue.
- Review the rule details. Click Back to make changes, if needed.
- Click Create rule.
View and edit your activity rules
After you create an activity rule, you can go to the Rules page to view the rule’s details and scope, the conditions for the rule, and the actions that are triggered when thresholds are met.
From the Rules page, you can also see a list of all rules that have been created by administrators in your domain. Go to the Google Admin console home page, and click Rules.
From the Rules page, administrators within your domain are able to view rules created by other administrators, depending on the data source for the rule and the privileges of each administrator. For example, an administrator might have view privileges for Drive log events, but not for Gmail log events, and therefore they’re unable to view any rules that are based on Gmail log events.
You can use the Rules page to take the following actions:
- Filter the list of rules by clicking Add a filter.
- View and edit rule details by clicking one of the rules.
- Delete rules.
- Create new rules.
- Click Investigate to open the investigation tool to view data from Rules log events.