Create and manage activity rules (original) (raw)

Set up alerts and take action

As an administrator, you can set up activity rules in the Google Admin console to send notifications or take action in response to activity within your domain. Use activity rules to help prevent, detect, and remediate security issues more quickly and efficiently.

To configure a rule, you set up conditions for the rule, and specify what notifications or actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.

Google will continuously perform the search specified in the activity rule. If the number of results returned by that search exceeds the threshold that you have set up, then Google will perform the notifications and actions that you specify. For example, you can set up a rule to send email notifications to certain administrators if Google Drive documents are shared outside the company.

Before you begin

Your ability to create and view activity rules depends on your Google Workspace edition, administrative privileges, and the data source. For details, go toAdmin access to reporting rules & activity rules.

Features for all editions

• Access activity rules from the Rules page or the audit and investigation tool
• AND filters with up to 5 conditions (not including nested conditions)

Advanced features

Supported editions for this feature: Frontline Plus; Enterprise Standard and Enterprise Plus; Education Plus; Enterprise Essentials Plus; Cloud Identity Premium; Chrome Enterprise Premium. Compare your edition

• Access activity rules from the security investigation tool
• OR filters
• Set actions in triggers
• Set thresholds for triggers
• Set up more than 5 conditions in a rule
• Nested conditions
• Get a notification every time an event occurs

Important guidelines for creating activity rules

• You can only create activity rules based on log event data sources—for example, Gmail log events or Device log events. You can't create activity rules based on live-state data sources such as Chrome browsers,Devices, Gmail messages, and Users.
• Available data sources will vary depending on your Google Workspace edition. For more details, go to Run a search in the security investigation tool.
• You must add at least one event attribute to the search.
• You can include an OR operator at the top level only if you include an Event condition along every conditional path.
• You can only add a single value for the attribute. For example, Actor can only include one user. To include multiple values, use the Condition Builder to add an OR operator, and then add the same attribute with additional value.
• You can't use date filters for activity rules (since the rules are evaluated continuously).
• You must add at least one action or alert to the rule.
• Because activity rules are based on log events, they trigger after the event happens. Therefore, activity rules aren't suitable for things like blocking or sharing a document or sending emails.

Email notifications

If you set up email notifications for your rule, the activity rule will send one notification email per threshold window when the rule is first triggered. The rule will not send notifications for the other times it's triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, the threshold details, source data, and more. Admins who receive the email notification can click View Alert to go to the Alert detailspage in the alert center.

Rule thresholds & notifications

To minimize notifications, you can create rules with thresholds that trigger notifications only when the event occurs more than a specific number of times over a given time frame. For example, the first time an event triggers a rule, a new alert is added in the Alert Center and an email is sent (if configured for the rule). If the rule has a one-hour threshold, additional events within that time are added to the same alert. Additional email notifications are not sent until the threshold time is passed.

When you set a threshold for a rule, it's applied cumulatively across user actions, not on a per-user basis. For example, if you create a rule to suspend users after 5 failed sign-in attempts within one hour, the threshold is reached when there are 5 failed sign-in attempts for one or more users within one hour. In this case, all users with at least one failed attempt would be suspended.

Notes:

• Emails and alerts triggered by a rule with a threshold do not include an event description.
• Activity rules can only be configured to send email to internal domain users. However, admins can still configure external email alerts using Google Groups.
• You can prevent excessive alerts by spacing them out over an hour.

Create an activity rule

1. Create a rule (all Google Workspace editions), using one of the following methods:
2. Enter the rule details and click Continue:
   • Rule name—for example, External data sharing.
   • Description—for example, Notify if documents are shared outside the company
3. On the Conditions page, define when the rule will trigger:
   1. Choose a Data source for the rule—for example, Admin log events.
      Note: The availability of data sources varies depending on your Google Workspace edition and your admin privileges. You can't add actions for Drive log events. For details, go to Admin access to activity rules andData sources for the security investigation tool.
   2. Click the Filter tab to filter the search results using simple parameters such as Contains, Does not contain, Is or Is not.
   3. Click the Condition builder tab to filter the search results using AND/OR operators. For each condition, choose an attribute, an_operator_, and a value.
      For example, to set up a condition that specifies that the event is a transfer of document ownership, choose Event as the attribute, choose Is as the operator, and Doc Settings > Transfer document ownership as the value.
      Note: Event is a required condition. For details about conditions that are available for each data source, see Data sources for the security investigation tool.
   4. Click Add Condition to add additional conditions, or clickContinue.
4. (Advanced feature) Select an option:
   • Every time the event occurs—Send notifications and/or take actions every time the event occurs.
   • If the event frequency meets a specific threshold— Select the options to trigger notifications and/or actions when the event occurs more than a specific number of times over a given time frame. For example, If the event happens more than 10 times in 1 hour.
5. (Advanced feature) Click Add Action to perform an action when the event occurs or the threshold is passed.
   • For example, suspend users or force a password change when the event occurs.
   • Click Add Action to create additional actions.
6. Under Notification, select the options:
   • Alert center—(Recommended) Send an alert to the Alert Center. Alerts include in-depth details so you can take action against issues and support collaborative resolution with other administrators in your organization.
   • Email—Send email notifications to:
   • All super admins—Send emails to all super administrators.
   • Add email recipients—Send emails to select administrators.
   • Notification frequency—The number of notifications (alerts and emails) sent each hour for the same event. You can space notifications over the hour or get a notification every time the event occurs. Use this setting to prevent excessive notifications for the same event. Choose an option:
   • Up to 5 an hour (Default)—Get a notification every 12 minutes each hour.
   • Up to 2 an hour—Get a notification every 30 minutes each hour.
   • Up to 10 an hour—Get a notification every 6 minutes each hour.
   • Every time the event occurs (if available with your edition).
   • Severity—The severity level that is displayed for the event.
7. Select the Rule status.
   • Active (default)—The system collects logs and the rules are enforced.
   • Monitor—The system collects logs, but the rules are not enforced. Use this option to review logs before enforcing the rule.
   • Inactive—Logs are not collected and the rule isn't enforced.
8. Click Continue. Review the rule details. Click Back to make changes, if needed.
9. Click Create rule.

View and edit your activity rules

After you create an activity rule, you can go to the Rules page to view the rule's details and scope, the conditions for the rule, and the actions that are triggered when thresholds are met.

From the Rules page, you can also see a list of all rules that have been created by administrators in your domain. Go to the Google Admin console home page, and click Rules.

From the Rules page, administrators within your domain are able to view rules created by other administrators, depending on the data source for the rule and the privileges of each administrator. For example, an administrator might have view privileges for Drive log events, but not for Gmail log events, and therefore they're unable to view any rules that are based on Gmail log events.

You can use the Rules page to take the following actions:

• Filter the list of rules by clicking Add a filter.
• View and edit rule details by clicking one of the rules.
• Delete rules.
• Create new rules.
• Click Investigate to open the investigation tool to view data from Rules log events.

Related articles

• Create and manage rules from the Rules page
• Create and manage reporting rules
• Admin access to activity rules