Manage rules to set up alerts and actions

As an administrator, you can set up rules in the Google Admin console. To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.

From the rules page, you can do the following:

  • Manage alerts for System defined rules—Use the rules page to manage alert notifications for Google-provided out-of-box system defined rules. Some of these rules are ON by default—providing alerts in the Alert center and email notifications to super admins. We recommend that you review the available list to enable any notifications that are helpful for your domain. You can also use system defined rules to control alerting and email notifications for several predefined activities.
  • Create custom rules—Depending on the type of Google Workspace account you're signed up for, you can create different types of custom rules. Most Google Workspace customers can create reporting rules, while specific licenses enable you to create data protection rules. To create activity rules, you need an Enterprise Plus license.

Here are some common uses for the rules page:

  • Set up email notifications about specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.
  • Set up activity rules (Enterprise Plus only) using the security investigation tool. Activity rules automate actions that happen in response to activity within your domain.
  • Create custom alerts based on your organization’s audit logs.

For details on how rules work and how to access the rules page, see the sections below.

Types of rules

Administrators can create and view the following types of rules from the rules page:

  • System defined—These are Google supplied default rules that provide notifications when important events occur in your domain, like phishing, malware, suspicious activities, and more.
  • Reporting—These are custom rules created by a domain administrator. Previously called Custom reporting alerts, you can use these rules to create and manage custom alerts based on your organization’s audit logs.
  • Data protection—These are custom rules that are created by a domain administrator from the rules page. You can use these rules to be notified of specific activity related to the use of Drive files within your domain.
  • Activity—These are custom rules created by a domain administrator from the security investigation tool or from the rules page. With these rules, you can automate actions that happen in response to activity within your domain.

View the rules page

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. At the top, do one of the following:
    • Click Menu and select Rules.
    • Click Menu and select Security and then Security rules.

The rules page includes the following details for each rule:

  • Name—Name and description for the rule
  • Status—Whether a rule is Active or Inactive
  • Actions—Specifies the actions that are triggered if the conditions of a rule are met; for example, to quarantine a message, mark it as spam, delete the message, or send an email notification
  • Alerts—Specifies whether an alert is on or off
  • Rule type—Specifies the rule type; for example, an Activity rule, Data protection rule, Reporting rule, or System defined rule (see the section below for more details)
  • Last modified—Date and time when the rule was created, or when changes were last made to the rule

Note: From the rules page, you'll see a list of the different rules that have been set up for your organization. You can change what's viewable on this page by clicking Add a filter, and then filtering by various criteria such as Rule type, Rule name, Rule status, and more.

View rule details

You can view information about a rule from the Rule details page, which you can access by clicking any row on the rules page. The Rule details page includes the name and description for the rule, the scope (for example, Entire domain), the conditions for the rule, and the actions (for example, to email all super administrators if the rule conditions are met).

Note: To find the rules that you're looking for more easily, you can sort columns on the rules page.

Edit rules

You can edit a rule from the Rule details page, which you can access by clicking any row on the rules page. On the left side of the page, click EDIT RULE, and then follow the instructions in the Edit rule wizard.

Investigate and troubleshoot rules

You can analyze the results of data protection and activity rules you have created using the investigation tool. From the rules page, click Investigate to start an investigation based on the Rule log events data source.

You can also hover over a specific rule in the list to see the Investigate option. Click Investigate to start an investigation based on the results of the selected rule. This is available for Data protection and Activity rule types.

For details and instructions, see Customize searches within the investigation tool, and go to the Rule log events section.

Create rules using rule cards

When creating a rule, you can use one of several rule cards at the top of the page. The cards enable you to create new rules based on common use-case examples. You can also use the cards to quickly filter to view those rules.

The rule cards enable you to do the following:

  • Customize alert and email distribution list notifications for Google-provided system defined rules.
  • Create alerts from audit log events using reporting rules.
  • Protect your sensitive content using data protection rules.
  • Automate actions on specific activity using activity rules.
  • Manage devices to keep your devices secure using device management rules. These rules are managed in a separate section.

From the rule card, click View list to filter the list for existing rules, or click Create rule to start the new rule creation process.

Create or edit rules from the rules page

You can edit system defined rules to adjust alert and email notification settings, create new custom rules (reporting, data protection or activity), or edit existing custom rules.

For more details and instructions, see the sections below.

Edit system defined rules

System defined rules are default rules supplied by Google—they are not rules you create yourself. You can use these rules to be notified of specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings. From the rules page, you can view and edit system defined rules.

For more details about system defined rules, see Admin email alerts & system defined rules.

To edit system defined rules:

  1. From the Rules page, click Add a filter.
  2. From the drop-down menu, select Rule type.
  3. Check the System defined box.
  4. Click APPLY.
    A list of system defined rules is displayed.
  5. Select one of the rules from the list by clicking the table row for that rule—for example, the Device compromised rule.
    From the Rule details page, you can view the conditions and actions for the rule—for example, to confirm if email notifications are turned on, and to confirm the recipients for those email notifications.
  6. Click EDIT RULE.
  7. Click NEXT: VIEW CONDITIONS.
  8. Click NEXT: ADD ACTIONS.
    From the Actions page, you can change the severity for the alert to High, Medium, or Low, send an alert to the alert center, and customize the email distribution list for these notifications.
  9. Click NEXT: REVIEW.
  10. Review the updated rule details, and then click UPDATE RULE.

Note: On the rules page, a system defined rule is listed as Inactive if you have turned off alerts and email notifications for that rule.

Create reporting rules

Reporting rules enable you to create custom alerts based on your organization’s audit logs.

To create a Reporting rule:

  1. From the Rules page, click Create rule.
  2. From the drop-down menu, select Reporting.
    The Audit log page is displayed.
  3. From the drop-down menu on the upper-left corner of the page, choose the type of audit log for which you want to create a rule. (By default, the Admin audit log is selected. See the section below for a complete list of the different audit logs.)
  4. Click Add a filter, and select from the filter options.
    For example, for the Drive audit log, click Visibility, click Public on the web, and click APPLY.
  5. Click the bell-shaped icon, Create reporting rule, on the upper-right corner of the page.
  6. Type a name for the rule, and add recipients.
  7. Click CREATE.

You can view or edit the rule by returning to the rules page, and scanning the list for it.

From the Reports section of the Google Admin console, you can create and manage the following custom alerts based on your organization’s audit logs.

Note: Exactly which alerts you see depends on your Google services.

For more details and instructions about Reporting rules, see Create and view reporting rules & set up alerts.

Note: You can't edit the filters for a reporting rule. You can only edit the recipients of the alert. To use different filters, you need to create a new rule.

Create data protection rules

Data protection rules are custom rules that are created by a domain administrator from the rules page. You can use these rules to be notified of specific activity related to the use of Drive files within your domain.

To create a Data protection rule:

  1. From the Rules page, click Create rule.
  2. From the drop-down menu, select Data protection.
  3. Type a name and description for the rule.
  4. Click CONTINUE.
  5. Select the events that will trigger your rule. For example, under Google Drive, check the File modified box. 
  6. Set the conditions for your rule. For example, specify whether the rule applies to all content within the file, the body, suggestions, or to the title.
    (You can add more than one condition by clicking ADD CONDITION.)
  7. Enter a value for the condition—Contains, Matches default detector, Matches regex detector, or Matches word list detector—and enter the criteria for the condition.
    For additional information, see Examples of regular expressions.
  8. Click CONTINUE.
  9. Select the actions to take when conditions find matches—for example, Block external sharing or Warn on external sharing.
  10. Select the severity: High, Medium, or Low.
  11. (Optional) Check the Send to alert center box. If you want to receive email notifications, add recipients during this step.
  12. Click CONTINUE.
  13. Review the criteria for your rule, and then click CREATE.

Note: You can also create data protection rules based on predefined templates. For instructions, see Create data protection rules using predefined templates.

Create activity rules

Activity rules are custom rules that are created by a domain administrator from the security investigation tool or from the rules page. With these rules, you can automate actions that happen in response to activity within your domain.

To create an activity rule:

  1. From the Rules page, click Create rule.
  2. From the drop-down menu, select Activity.
  3. Type a name and description for the rule.
  4. Click NEXT: VIEW CONDITIONS.
  5. Choose from one of the data sources: Device log events, Drive log events, Gmail log events, or User log events.
  6. Create or modify the conditions for the rule (Event is a required condition).
  7. Click NEXT: ADD ACTIONS.
  8. Specify which automated actions the rule should perform and how often. You can add multiple thresholds and multiple actions per threshold.
  9. Select the timeframe—for example, every 1 hour or every 24 hours.
  10. Click ADD ACTION, and select an action. For example, if you're creating a rule for Gmail log events, you could add an action such as Mark as spam or Send to quarantine.
  11. (Optional) Turn alerting to On and select the severity: High, Medium, or Low.
    All alerts are stored in the Alert Center in the Google Admin console. If you want to receive email notifications, add recipients during this step.
  12. Click NEXT: REVIEW to review the criteria for your rule, and then click CREATE RULE.

Note: You can also create an Activity rule from the security investigation tool. For details and instructions, see Create activity rules with the investigation tool.

Important: The creation of activity rules is limited by the following factors:

  • You can only create rules on log data sources.
  • You must add an event attribute to the query.
  • You must base the query on an AND condition at the top level (not OR).
  • You can't use date filters for activity rules (since the rules are evaluated continuously).
  • You must add at least one action or alert to the rule.

Because activity rules are based on log events, they trigger after the event happens. Therefore, activity rules aren't suitable for preventing an action in the first place, such as blocking the sharing of a document or the sending of an email.

Create rules using predefined templates

You can quickly set up and create rules using predefined templates.

Templates enable you to choose from a list of recommended rules that are based on common use cases and best practices. For example, there are rule templates to prevent the sharing of financial information, health information, and personally identifiable information. 

You can create a rule based on the default settings of a template, or you can customize the template to change the scope, conditions, actions, or alerts.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.
  3. Click Templates.
  4. Click one of the templates in the list—for example, Prevent financial information sharing (International) or Prevent health information sharing (US).
  5. (Optional) Edit the rule name and rule description.
  6. Choose your rule's scope. You can apply to all in your domain (the default setting), or you can apply to specific organizational units or groups.
  7. Click Continue.
  8. (Optional) Under Triggers, Conditions, and Actions, change or add any settings and click Done. For details, see How to define a rule.
  9. Click Create and activate.

Download rules from the rules page

From the rules page, you can download the rule details into a txt file. The txt file will include all of the rules related to a specific rule type.

  1. Click Download.
  2. From the Rule details window, choose the rule type—for example, Data protection rule or Activity rule.
  3. Click Download.