Reporting rules are custom rules that enable you to set up alerts based on log event data (previously called audit logs) that's displayed on the audit and investigation page.
To configure a rule, you set up conditions for the rule and specify what actions to perform when the conditions are met. A rule is simply a way of saying: if x happens, automatically do y. For example, you can set up a reporting rule to alert you when a user makes a Drive file visible on the web. You can also set up the rule so that you receive email notifications and/or alert center alerts when the rule is triggered.
Your ability to create and view reporting rules depends on your Google Workspace edition and your administrative privileges. For details, go to Admin access to reporting rules & activity rules.
Rather than reporting rules, administrators with premium Google Workspace editions such as Enterprise Plus can create the more advanced activity rules from the security investigation tool. Some admins with premium editions can create reporting rules, but only for specific data sources. For more details, go to Admin access to reporting rules & activity rules and Create activity rules with the investigation tool.
- If you create a new reporting rule, alert center alerts for that rule are turned on by default. If you want to turn on or off an alert for an existing reporting rule, you can do so from the alert center. For instructions, go to Use rules to turn alerts on or off.
Create a reporting rule
You can create reporting rules from the Rules page, where you can set up a maximum of 50 alerts.
Follow these steps:
- From the Admin console Home page, go to Rules, and then click Create rule > Reporting.
- Enter a Rule name—for example, External data sharing.
- Enter a Description—for example, Notify if documents are shared outside the company.
- Click Next: View conditions.
- Choose a data source—for example, Admin log events.
- Click Add a filter.
- Choose one of the attributes for the filter—for example, Actor, Device type, or Event.
Note: For a complete list of attributes and attribute descriptions for each data source, go to Data sources for the audit and investigation page, and choose help articles from the list of data sources.
- Choose a value for the filter—for example, the type of event such as transfer document ownership, or the email address for the actor.
You can add multiple filters to the rule by clicking Add a filter again, choosing an attribute, and entering a value.
- Click Next: Add actions.
- Choose whether or not you want this rule to trigger an alert in the alert center.
You can choose a severity of High, Medium, or Low. You can also choose to send email notifications by checking the All super administrators box, and/or by clicking Add email recipients to send emails to select administrators when the rule is triggered.
- To review or edit the rule details, click Next: Review.
- Click Create rule.
Note: When setting up a reporting rule, you can use the Condition builder tab, where filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
Rules page: View and edit your reporting rules
After you create a reporting rule, you can go to the Rules page to view the rule’s details.
From the Rules page, you can also see a list of all rules that have been created by administrators in your domain. Go to the Google Admin console home page, and click Rules.
You can use the Rules page to take the following actions:
- Filter the list of rules by clicking Add a filter.
- View and edit rule details by clicking one of the rules listed on the Rules page.
- Delete rules.
- Create new rules.
Note: To create, view, or edit a reporting rule, you need the Reporting privilege.
If you set up email notifications for your rule, emails are sent to specified recipients when the rule is triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, the threshold details, source data, and more. Administrators who receive the email notification can click View Alert to be taken to the Alert details page in the alert center.
Note: Multiple events that trigger the same rule within a threshold time window are aggregated into one email alert.
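The following added example (not Google's code and not part of the Admin console) models a rule's AND/OR conditions and the aggregation of repeated triggers into one alert, so you can dry-run a planned rule against sample log events and estimate alert volume before creating it. The event names, the visibility attribute, the sample events, and the one-hour window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log events. "actor" and "event" mirror attributes named
# on this page; "visibility" and all values are made up for illustration.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "actor": "alice@example.com",
     "event": "change_visibility", "visibility": "public_on_the_web"},
    {"time": "2024-05-01T09:10:00", "actor": "bob@example.com",
     "event": "change_visibility", "visibility": "anyone_with_link"},
    {"time": "2024-05-01T09:20:00", "actor": "carol@example.com",
     "event": "change_visibility", "visibility": "private"},
    {"time": "2024-05-01T09:30:00", "actor": "dave@example.com",
     "event": "transfer_ownership"},
    {"time": "2024-05-01T11:00:00", "actor": "alice@example.com",
     "event": "change_visibility", "visibility": "public_on_the_web"},
]

# Condition tree in the spirit of the Condition builder tab:
# ("AND" | "OR", [children]) for operators, (attribute, value) for a filter.
RULE = {
    "name": "External data sharing",
    "severity": "High",
    "condition": ("AND", [
        ("event", "change_visibility"),
        ("OR", [("visibility", "public_on_the_web"),
                ("visibility", "anyone_with_link")]),
    ]),
}

def matches(cond, event):
    """Return True if the event satisfies the condition tree."""
    head, rest = cond
    if head == "AND":
        return all(matches(c, event) for c in rest)
    if head == "OR":
        return any(matches(c, event) for c in rest)
    return event.get(head) == rest  # a missing attribute never matches

def aggregate_alerts(rule, events, window=timedelta(hours=1)):
    """Fold matching events inside one window (assumed length) into one alert."""
    alerts = []
    hits = [e for e in events if matches(rule["condition"], e)]
    for e in sorted(hits, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if alerts and t - alerts[-1]["start"] < window:
            alerts[-1]["events"].append(e)  # same window: no new alert
        else:
            alerts.append({"rule": rule["name"], "severity": rule["severity"],
                           "start": t, "events": [e]})
    return alerts
```

With the sample events, three events match the rule but only two alerts result, because the 09:00 and 09:10 events fall in the same window.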