Supported editions for this feature: Enterprise Plus; Education Standard and Plus.
As a Google Workspace administrator, you can keep your domain more secure by quickly taking action in response to many of the alerts in the alert center. You can do this from the Recommended actions section on the alert details page.
For example, if you receive a Gmail potential employee spoofing alert, you can go to the Recommended actions section, and then click Mark as phishing to move messages to your users' spam folders, or you can block a device when you receive a Compromised device alert.
Use recommended actions
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Alert center.
- Click one of the items on the page to open the Alert details page.
- From the Recommended action section, click the recommended action—for example, Delete message or Mark as phishing.
- Enter an explanation or reason for the action, and then click the action to confirm—for example, click Delete message or Mark as phishing.
For the complete list of recommended actions that are available in the alert center, and for the required privileges, see the section below.
If details are missing for Gmail alerts, the most common reasons are:
- The alert was generated due to spam classification by a user. For example, Actor email might be absent for the User-reported phishing alert. When alert details are missing, recommended actions for that alert might fail, and an error message might be displayed that reads, Something went wrong.
- You created a data regions policy to store your covered data in a specific geographic location. In this case, personally identifiable information (PII) is removed from Gmail log events, which are used to generate Gmail alerts.
Alerts, recommended actions, and required privileges
The following recommended actions are available for some alerts in the alert center:
- Mark as phishing—Mark the message that triggered the alert as phishing.
- Delete message—Delete the message that triggered the alert.
- Quarantine message—Send the message that triggered the alert to quarantine.
- Restore message—Restore wrongly classified emails (marked as spam or quarantined) to their folder of origin.
- Appeal suspension—Appeal an account suspension specified in the Account suspension warning alert.
- Suspend user—Suspend users specified in the alert.
- Restore user—Restore users specified in the alert.
- Block device—Block the device that triggered the alert. This blocks access to Google Workspace data on the device until you can confirm the device is safe. The user can still access their Gmail, Calendar, and contacts from a desktop computer or mobile browser.
- Wipe account—The user's account and Google Workspace data are deleted from the device.
Note: If you have set up offline access to Google accounts for devices in your organization, those accounts can't be wiped from offline devices. For more details about wiping accounts from devices, go to Remove corporate data from a device.
To use recommended actions in the alert center, you need privileges for the investigation tool. Super administrators have these privileges by default, or you can add them to a custom administrator role. For instructions on setting privileges, see Admin privileges for the investigation tool.
For a list of alerts that include recommended actions, and for the required privileges for each alert, see the table below.
| Alert name | Recommended actions | Required privileges |
|---|---|---|
| Gmail potential employee spoofing | Mark as phishing | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Malware message detected post-delivery | | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Phishing message detected post-delivery | | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| User-reported phishing | | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Phishing in inboxes due to bad whitelist | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Spike in user reported spam | Delete message | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Suspicious message reported | | Investigation Tool > Gmail > Update or Delete; Investigation Tool > Gmail > View Metadata and Attributes |
| Account suspension warning | Appeal suspension | Available to all administrators who access the alert center |
| Leaked password | Suspend user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| Suspicious login | Suspend user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| Suspicious programmatic login | Suspend user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended | Restore user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended due to suspicious activity | Restore user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended for spamming | Restore user | Investigation Tool > User > Update or Delete; Investigation Tool > User > View Metadata and Attributes |
| User suspended for spamming through relay | Restore user | Investigation Tool > Device > Update or Delete; Investigation Tool > Device > View Metadata and Attributes |
| Device compromised | Block device | Investigation Tool > Device > Update or Delete; Investigation Tool > Device > View Metadata and Attributes |
| Suspicious device activity | | Investigation Tool > Device > Update or Delete; Investigation Tool > Device > View Metadata and Attributes |
How long recommended actions are available
Recommended actions are available for a limited amount of time after an event is logged. The table below displays the duration for which specific recommended actions are available. For example, you won't be able to use the Delete message action if the event that triggered the alert happened more than 30 days ago.
| Action | Active for |
|---|---|
| Mark as phishing | 30 days |
| Delete message | 30 days |
| Restore message | 30 days |
| Account suspension warning | 3 days |
| Suspend user | 6 months |
| Appeal suspension | 6 months |
| Restore user | 6 months |
| Block device | 6 months |