Create, edit, and view security rules

As an administrator, you can set up security rules in the Google Admin console. To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.

For example:

  • Set up rules to be notified of specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.
  • Set up rules using the security investigation tool to automate actions that happen in response to activity within your domain.
  • Create custom alerts based on your organization’s audit logs.

Multiple rule types are viewable and configurable from the security rules page, including activity rules, data protection rules, reporting rules, and system defined rules.

For details on how security rules work and how to access the security rules page, see the sections below.

View the security rules page

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. At the top, do one of the following:
     • Click Menu and select Security, and then Security rules.
     • Click Menu and select Rules, and then Security rules.

The security rules page includes the following details for each rule:

  • Name—Name and description for the rule
  • Status—Whether a rule is Active or Inactive
  • Actions—Specifies the actions that are triggered if the conditions of a rule are met; for example, to quarantine a message, mark it as spam, delete the message, or send an email notification
  • Alerts—Specifies whether an alert is on or off
  • Rule type—Specifies the rule type; for example, an Activity rule, Data protection rule, Reporting rule, or System defined rule (see the section below for more details)
  • Last modified—Date and time when the rule was created, or when changes were last made to the rule

Note: From the security rules page, you'll see a list of the different rules that have been set up for your organization. You can change what's viewable on this page by clicking Add a filter, and then filtering by various criteria such as Rule type, Rule name, Rule status, and more.

Types of security rules

Administrators can create and view the following types of rules from the security rules page:

  • Activity rules—These are custom rules created by a domain administrator from the security investigation tool or from the Security Rules page. With these rules, you can automate actions that happen in response to activity within your domain.
  • Data protection rules—These are custom rules that are created by a domain administrator from the security rules page. You can use these rules to be notified of specific activity related to the use of Drive files within your domain.
  • Reporting rules—These are custom rules created by a domain administrator. Previously called Custom reporting alerts, you can use these rules to create and manage custom alerts based on your organization’s audit logs.
  • System defined rules—These are default rules supplied by Google. You can use these rules to be notified of specific activity within your domain.

Create and edit rules from the security rules page

You can create new rules from the security rules page by clicking NEW RULE in the upper-right corner of the page, and then selecting the type of rule that you want to create: Activity, Data protection, or Reporting.

For more details and instructions, see the sections below.

Create activity rules

Activity rules are custom rules that are created by a domain administrator from the security investigation tool or from the security rules page. With these rules, you can automate actions that happen in response to activity within your domain.

To create an activity rule:

  1. From the Security Rules page, click NEW RULE in the upper-right corner of the page.
  2. From the drop-down menu, select Activity.
  3. Type a name and description for the rule.
  4. Click NEXT: VIEW CONDITIONS.
  5. Choose from one of the data sources: Device log events, Drive log events, Gmail log events, or User log events.
  6. Create or modify the conditions for the rule (Event is a required condition).
  7. Click NEXT: ADD ACTIONS.
  8. Specify which automated actions the rule should perform and how often. You can add multiple thresholds and multiple actions per threshold.
  9. Select the timeframe—for example, every 1 hour or every 24 hours.
  10. Click ADD ACTION, and select an action. For example, if you're creating a rule for Gmail log events, you could add an action such as Mark as spam or Send to quarantine.
  11. (Optional) Turn alerting to On and select the severity: High, Medium, or Low.
    All alerts are stored in the Alert Center in the Google Admin console. If you want to receive email notifications, add recipients during this step.
  12. Click NEXT: REVIEW to review the criteria for your rule, and then click CREATE RULE.

Note: You can also create an Activity rule from the security investigation tool. For details and instructions, see Create activity rules with the investigation tool.

Important: The creation of activity rules is limited by the following factors:

  • You can only create rules on log data sources.
  • You must add an event attribute to the query.
  • You must base the query on an AND condition at the top level (not OR).
  • You can't use date filters for activity rules (since the rules are evaluated continuously).
  • You must add at least one action or alert to the rule.

Because activity rules are based on log events, they trigger only after the event has already happened. Therefore, activity rules aren't suitable for preventing an action, such as blocking a document from being shared or an email from being sent.
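The following is an added example, not code from the Admin console or from Google: it models how an activity rule of the kind described above behaves, using a hypothetical rule shape (AND-ed conditions that must include an event, a trailing time window, and per-threshold actions) over constructed Gmail log events, and it checks the same limits the page lists before evaluating.

```python
from datetime import datetime, timedelta

# Constructed Gmail log events (sample data, not Admin console output).
EVENTS = [
    {"event": "Message received", "recipient": "alice@example.com",
     "sender_domain": "bad.example", "time": "2024-05-01T10:05:00"},
    {"event": "Message received", "recipient": "bob@example.com",
     "sender_domain": "bad.example", "time": "2024-05-01T10:20:00"},
    {"event": "Message received", "recipient": "carol@example.com",
     "sender_domain": "bad.example", "time": "2024-05-01T10:40:00"},
    {"event": "Message received", "recipient": "dave@example.com",
     "sender_domain": "partner.example", "time": "2024-05-01T10:45:00"},
    {"event": "Message received", "recipient": "erin@example.com",
     "sender_domain": "bad.example", "time": "2024-05-01T06:00:00"},
]

# Hypothetical rule shape: "conditions" are AND-ed attribute/value pairs and
# must include "event"; "thresholds" map a match count to the actions to run.
RULE = {
    "name": "Quarantine burst from bad.example",
    "conditions": {"event": "Message received", "sender_domain": "bad.example"},
    "window": timedelta(hours=1),
    "thresholds": {1: ["Send alert (Medium)"],
                   3: ["Send to quarantine", "Send alert (High)"]},
}

def validate_rule(rule):
    """Return the problems that mirror the page's activity-rule limits."""
    problems = []
    if "event" not in rule["conditions"]:
        problems.append("an event attribute is required")
    if any(k.lower() in ("date", "time") for k in rule["conditions"]):
        problems.append("date filters are not allowed; rules run continuously")
    if not rule["thresholds"] or not any(rule["thresholds"].values()):
        problems.append("at least one action or alert is required")
    return problems

def matches(rule, ev):
    # Top-level AND: every condition must hold for the event.
    return all(ev.get(k) == v for k, v in rule["conditions"].items())

def evaluate(rule, events, now):
    """Count matching events in the trailing window and return
    (count, actions for the highest threshold reached)."""
    start = now - rule["window"]
    hits = [ev for ev in events if matches(rule, ev)
            and start < datetime.fromisoformat(ev["time"]) <= now]
    reached = [t for t in rule["thresholds"] if len(hits) >= t]
    return len(hits), (rule["thresholds"][max(reached)] if reached else [])

def run_example():
    return evaluate(RULE, EVENTS, datetime.fromisoformat("2024-05-01T11:00:00"))
```

Note that the 06:00 event is excluded by the one-hour window and the partner.example event by the AND condition, so only three events count and the higher threshold fires.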

Create data protection rules

Data protection rules are custom rules that are created by a domain administrator from the Security Rules page. You can use these rules to be notified of specific activity related to the use of Drive files within your domain.

To create a Data protection rule:

  1. From the Security Rules page, click NEW RULE in the upper-right corner of the page.
  2. From the drop-down menu, select Data protection.
  3. Type a name and description for the rule.
  4. Click CONTINUE.
  5. Select the events that will trigger your rule. For example, under Google Drive, check the File modified box.
  6. Set the conditions for your rule. For example, specify whether the rule applies to all content within the file, the body, suggestions, or to the title.
    (You can add more than one condition by clicking ADD CONDITION.)
  7. Enter a value for the condition—Contains, Matches default detector, Matches regex detector, or Matches word list detector—and enter the criteria for the condition.
    For additional information, see Examples of regular expressions.
  8. Click CONTINUE.
  9. Select the actions to take when conditions find matches—for example, Block external sharing or Warn on external sharing.
  10. Select the severity: High, Medium, or Low.
  11. (Optional) Check the Send to alert center box. If you want to receive email notifications, add recipients during this step.
  12. Click CONTINUE.
  13. Review the criteria for your rule, and then click CREATE.

Create reporting rules
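As an added example (not the Admin console's own logic), the block below models a data protection rule of the kind built in steps 5 to 10: a triggering event, a content scope (title, body, or all content), one of the condition types listed in step 7, and an action with a severity. The file contents and the regex are constructed for the example.

```python
import re

# Constructed Drive file (sample data, not Admin console output).
FILE = {
    "title": "Q3 payroll export",
    "body": "Employee SSN list: 123-45-6789, 987-65-4321. Do not forward.",
}

# Hypothetical rule shape mirroring the wizard's steps.
RULE = {
    "event": "File modified",
    "scope": "body",                     # "title", "body" or "all content"
    "condition": {"type": "Matches regex detector",
                  "value": r"\b\d{3}-\d{2}-\d{4}\b"},
    "action": "Block external sharing",  # or "Warn on external sharing"
    "severity": "High",
}

def scoped_text(file, scope):
    """Return the part of the file the condition is evaluated against."""
    if scope == "all content":
        return file["title"] + "\n" + file["body"]
    return file[scope]

def condition_matches(cond, text):
    """Evaluate one condition of the types the wizard offers."""
    kind, value = cond["type"], cond["value"]
    if kind == "Contains":
        return value.lower() in text.lower()
    if kind == "Matches regex detector":
        return re.search(value, text) is not None
    if kind == "Matches word list detector":
        words = {w.lower() for w in value}
        return any(w.lower().strip(".,:;") in words for w in text.split())
    raise ValueError(f"unknown condition type {kind!r}")

def evaluate(rule, file, event):
    """Return the action and severity to apply to external sharing of the
    file, or None when the event or the content does not match the rule."""
    if event != rule["event"]:
        return None
    if not condition_matches(rule["condition"], scoped_text(file, rule["scope"])):
        return None
    return {"action": rule["action"], "severity": rule["severity"]}
```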

Reporting rules enable you to create custom alerts based on your organization’s audit logs.

To create a Reporting rule:

  1. From the Security Rules page, click NEW RULE in the upper-right corner of the page.
  2. From the drop-down menu, select Reporting.
    The Audit log page is displayed.
  3. From the drop-down menu on the upper-left corner of the page, choose the type of audit log for which you want to create a rule. (By default, the Admin audit log is selected. See the section below for a complete list of the different audit logs.)
  4. Click Add a filter, and select from the filter options.
    For example, for the Drive audit log, click Visibility, click Public on the web, and click APPLY.
  5. Click the bell-shaped icon, Create reporting rule, on the upper-right corner of the page.
  6. Type a name for the rule, and add recipients.
  7. Click CREATE.

You can view or edit the rule by returning to the Security rules page, and scanning the list for it.

From the Reports section of the Google Admin console, you can create and manage the following custom alerts based on your organization’s audit logs.

Note: Exactly which alerts you see depends on your Google services.

For more details and instructions about Reporting rules, see Create and view reporting rules & set up alerts.

View and edit system defined rules

System defined rules are default rules supplied by Google—they are not rules you create yourself. You can use these rules to be notified of specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings. From the security rules page, you can view and edit system defined rules.

For more details about system defined rules, see Admin email alerts & system defined rules.

To view and edit system defined rules:

  1. From the Security Rules page, click Add a filter.
  2. From the drop-down menu, select Rule type.
  3. Check the System defined box.
  4. Click APPLY.
    A list of system defined rules is displayed.
  5. Select one of the rules from the list by clicking the table row for that rule—for example, the Device compromised rule.
    From the Rule details page, you can view the conditions and actions for the rule—for example, to confirm if email notifications are turned on, and to confirm the recipients for those email notifications.
  6. Click EDIT RULE.
  7. Click NEXT: VIEW CONDITIONS.
  8. Click NEXT: ADD ACTIONS.
    From the Actions page, you can change the severity for the alert to High, Medium, or Low, send an alert to the alert center if the rule's conditions are met, set up admin email notifications, and specify recipients for those notifications.
  9. Click NEXT: REVIEW.
  10. Review the updated rule details, and then click UPDATE RULE.

Note: On the security rules page, a system-defined rule is listed as Inactive if you have turned off alerts for that rule.

View rule details

You can view information about a rule from the Rule details page, which you can access by clicking any row on the Security rules page. The Rule details page includes the name and description for the rule, the scope (for example, Entire domain), the conditions for the rule, and the actions (for example, to email all super administrators if the rule conditions are met).

Note: To find the rules that you're looking for more easily, you can sort columns on the Security rules page.

Edit rules

You can edit a rule from the Rule details page, which you can access by clicking any row on the Security rules page. On the left side of the page, click EDIT RULE, and then follow the instructions in the Edit rule wizard.

Note: You can't edit the filters for a rule. You can only edit the recipients of the alert. To use different filters, you need to create a new rule.
