To help prevent, detect, and remediate security issues more quickly and efficiently, you can automate actions in the investigation tool by creating activity rules.
As an administrator, you can create an activity rule that alerts you or takes action based on any search that you configure in the investigation tool. After you configure the activity rule, Google will continuously perform a search that you have specified in the rule. If the number of results returned by that search exceeds the threshold that you have set up, then Google will perform the actions that you specify. For example, you can set up a rule to send email notifications to certain administrators if Drive documents are shared outside the company.
You can also create an activity rule from the Security rules page. For details and instructions, see Create, edit, and view Security rules.
Important:
When creating activity rules, follow these guidelines:
- You can only create activity rules based on log data sources (for example, Gmail log events or Device log events).
- Available data sources will vary depending on your Google Workspace edition. You can check availability in Data sources & conditions in the investigation tool.
- You must add at least one event attribute to the query.
- You can include an OR operator at the top level only if you include an Event condition along every conditional path.
- You can't use date filters for activity rules (since the rules are evaluated continuously).
- You must add at least one action or alert to the rule.
- Because activity rules are based on log events, they trigger after the event happens. Therefore, activity rules aren't suitable for things like blocking or sharing a document or sending emails.
Privileges for creating rules in the investigation tool
- To create and edit rules for a specific data source (for example, Gmail or Drive) you need the manage rules privilege and the update and delete privilege for that data source.
- To view rules for a specific data source (for example, Gmail or Drive), you need the view rules privilege and the view metadata and attributes privilege for that data source.
Create a rule from a search in the investigation tool
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
On the Admin console Home page, go to Security
Investigation tool.
- Choose a data source for your search; for example, Device log events, Drive log events, or Gmail log events.
Note: Available data sources will vary depending on your Google Workspace edition. You can check availability in Data sources & conditions in the investigation tool.
- Click ADD CONDITION.
You can include one or more conditions in your search. For details about conditions that are available for each data source, see Data sources & conditions in the investigation tool. - From the
menu in the upper-right, select Create activity rule.
- Type a Rule name—for example, External data sharing—and type a Rule description—for example, Notify if documents are shared outside the company.
- Click NEXT: VIEW CONDITIONS.
You can view the search that you configured earlier, or you can continue making changes to your search. You can also click SEARCH to get a preview of your search results before continuing with the process of creating your rule. - Click NEXT: ADD ACTIONS.
- Define a time period and a threshold for the rule. For example, you can configure a threshold of Every 24 hours when the count is greater than 100. This means for any given period of 24 hours, if your search returns more than 100 results, you want this rule to trigger.
- Choose whether or not you want this rule to trigger an alert in the alert center.
If you choose to turn on alerts for this rule, you can choose a severity of High, Medium, or Low. You can also choose to send email notifications by checking the All super administrators box, and/or by clicking ADD RECIPIENTS to send emails to select administrators when the rule is triggered. - Click NEXT: REVIEW.
Use this page to review all of the details of the rule and to make any changes, if needed, before creating the rule. - Review the Rule status.
When creating an activity rule, the rule status is Active by default, which means the system will begin collecting logs, and the rule will be enforced. You also have the option to set the rule status to Monitor, which enables you review logs before enforcing the rule. Later, you can also set the rule to Inactive, which means the system is no longer collecting logs, and the rule isn't enforced. - Click CREATE RULE.
View the list of rules and rule details
After you have created a rule using the investigation tool, you’re directed to the Rule details page, where you can review the rule’s details and scope, the conditions for the rule, and the actions that are triggered when thresholds are met.
The Rule details page also includes breadcrumbs in the upper-left corner:
Security > Rules > Rule details
Click Rules to see a list of all rules that have been created by all administrators in your domain.
From the Rules page, administrators within your domain are able to view rules created by other administrators, depending on the data source for the rule and the privileges of each administrator. For example, an administrator might have view privileges for Drive log events, but not for Gmail log events, and therefore they’re unable to view any rules that are based on Gmail log events.
You can use the Rules page to take the following actions:
- Delete rules.
- Filter the list of rules by clicking Add a filter.
- Click ADD NEW RULE to create new rules. This takes you through the same process described above, which enables you to create a rule based on a search in the investigation tool.
Email alerts
If you set up email notifications for your rule, emails are sent to specified recipients when the rule is triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, the threshold details, source data, and more. Administrators who receive the email notification can click VIEW ALERT to be taken to the Alert details page in the alert center.
