Create and manage reporting rules

Set up alerts based on log event data

Reporting rules are custom rules that enable you to set up alerts based on log event data (previously called audit logs) that's displayed on the audit and investigation page.

To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y. For example, you can set up a reporting rule to alert you when a user makes a Drive file visible on the web. You can also set up the rule to receive email notifications and/or an alert center alerts when the rule is triggered.

Note:

Create a reporting rule

You can create reporting rules from the Rules page, where you can set up a maximum of 50 alerts.

Follow these steps:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules, and then click Create rule > Reporting.
  3. Enter a Rule name—for example, External data sharing.
  4. Enter a Description—for example, Notify if documents are shared outside the company.
  5. Click Next: View conditions.
  6. Choose a data source—for example, Admin log events.
  7. Click Add a filter.
  8. Choose one of the attributes for the filter—for example, Actor, Device type, or Event.

    Note: For a complete list of attributes and attribute descriptions for each data source, go to Data sources for the audit and investigation page, and choose help articles from the list of data sources.
     
  9. Choose a value for the filter—for example, the type of event such as transfer document ownership, or the email address for the actor.
    You can add multiple filters to the rule by clicking Add a filter again, choosing an attribute, and entering a value.
  10. Click Next: Add actions.
  11. Choose whether or not you want this rule to trigger an alert in the alert center.
    You can choose a severity of High, Medium, or Low. You can also choose to send email notifications by checking the All super administrators box, and/or by clicking Add email recipients to send emails to select administrators when the rule is triggered.
  12. To review or edit the rule details, click Next: Review.
  13. Click Create rule.

Note: When setting up a reporting rule, you can use the Condition builder tab, where filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.

Rules page: View and edit your reporting rules

After you create a reporting rule, you can go to the Rules page to view the rule’s details.

From the Rules page, you can also see a list of all rules that have been created by administrators in your domain. Go to the Google Admin console home page, and click Rules.

You can use the Rules page to take the following actions:

  • Filter the list of rules by clicking Add a filter.
  • View and edit rule details by clicking one of the rules listed on the Rules page.
  • Delete rules.
  • Create new rules.

Note: To create, view, or edit a reporting rule, you need the Reporting privilege.

Email alerts

If you set up email notifications for your rule, emails are sent to specified recipients when the rule is triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, the threshold details, source data, and more. Administrators who receive the email notification can click View Alert to be taken to the Alert details page in the alert center.

Related articles

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false
false