Reporting rules are custom rules that enable you to set up alerts based on log event data (previously called "audit logs") that's displayed on the audit and investigation page.
To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y. For example, you can set up a reporting rule to alert you when a user makes a Drive file visible on the web. You can also set up the rule to receive email notifications and alert center alerts when the rule is triggered.
When creating reporting rules, keep the following in mind:
- Your ability to create and view reporting rules depends on your Google Workspace edition and your administrative privileges. Additionally, only admins with a domain can create reporting rules. For details, go to Admin access to reporting rules & activity rules.
- Rather than reporting rules, administrators with premium Google Workspace editions such as Enterprise Plus can create the more advanced activity rules from the security investigation tool. Some admins with premium editions can create reporting rules, but only for specific data sources. For more details, go to Admin access to reporting rules & activity rules and Create activity rules with the investigation tool.
- If you create a new reporting rule, alert center alerts for that rule are turned on by default. If you want to turn on or off an alert for an existing reporting rule, you can do so from the alert center. For instructions, go to Use rules to turn alerts on or off.
- When you create or update a reporting rule, it can take up to 24 hours for the rule to take effect.
Create a reporting rule
You can create reporting rules from the Rules page in the Google Admin console. You can set up a maximum of 50 alerts.
Follow these steps:
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Google Admin console Home page, click Rules > Create rule > Activity.
- Enter a Rule name (for example, External data sharing).
- Enter a Description (for example, Notify if documents are shared outside the company).
- Click Next: View conditions.
- Choose a data source (for example, Admin log events).
- Click Add a filter.
- Choose one of the attributes for the filter (for example, Actor, Device type, or Event).
  Note: For a complete list of attributes and attribute descriptions for each data source, go to Data sources for the audit and investigation page, and choose help articles from the list of data sources.
- Choose a value for the filter (for example, the type of event, such as transfer document ownership, or the Actor's email address).
- You can only add a single value for the attribute. For example, Actor can only include one user. To include multiple values, use the Condition Builder to add an OR operator, and then add the same attribute with an additional value.
- You can add multiple filters to the rule by clicking Add a filter again, choosing an attribute, and entering a value.
- Click Next: Add actions.
- Choose whether you want this rule to trigger an alert in the alert center.
  You can choose a severity of High, Medium, or Low. You can also choose to send email notifications by checking the All super administrators box, or by clicking Add email recipients to send emails to select administrators when the rule is triggered.
- To review or edit the rule details, click Next: Review.
- Click Create rule.
Note: Reporting rules don't support conditions joined with the OR operator. When setting up a reporting rule, you can use the Condition builder tab, where filters are represented as conditions with AND operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
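A local dry run of the rule logic described in the steps above, as an added example that is not part of the original page or Google's own code: it models filters joined with AND (one value each) and flags recipients outside the internal domain. The event field names, `example.com` and the sample events are constructed assumptions, not Google Workspace identifiers.

```python
from dataclasses import dataclass, field

# Hypothetical model of a reporting rule: all field names here are
# assumptions for this sketch, not Google Workspace identifiers.
@dataclass
class ReportingRule:
    name: str
    severity: str                                   # "High", "Medium" or "Low"
    filters: list = field(default_factory=list)     # (attribute, value) pairs
    recipients: list = field(default_factory=list)

    def add_filter(self, attribute, value):
        # Each filter carries a single value; filters are joined with AND.
        if not isinstance(value, str):
            raise ValueError("a filter takes a single value")
        self.filters.append((attribute, value))

    def matches(self, event):
        # AND semantics: every filter must match the event.
        return all(event.get(attr) == val for attr, val in self.filters)

def external_recipients(rule, domain):
    """Recipients outside the domain, which a rule cannot email directly."""
    suffix = "@" + domain.lower()
    return [r for r in rule.recipients if not r.lower().endswith(suffix)]

def dry_run(rule, events):
    """Alerts the rule would raise over a set of exported log events."""
    return [{"rule": rule.name, "severity": rule.severity, "event": e}
            for e in events if rule.matches(e)]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "event": "change_visibility", "visibility": "public_on_web"},
    {"actor": "bob@example.com", "event": "change_visibility", "visibility": "private"},
    {"actor": "alice@example.com", "event": "download", "visibility": "public_on_web"},
]

def build_example_rule():
    rule = ReportingRule("External data sharing", "High",
                         recipients=["secops@example.com", "soc@partner.example"])
    rule.add_filter("event", "change_visibility")
    rule.add_filter("visibility", "public_on_web")
    return rule

if __name__ == "__main__":
    rule = build_example_rule()
    for alert in dry_run(rule, SAMPLE_EVENTS):
        print(alert)
    print("external recipients:", external_recipients(rule, "example.com"))
```

Running the filter set against exported events this way shows which events a rule would alert on without waiting for a new or updated rule to take effect.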
View and edit your reporting rules
You can view or edit your rule's details on the Rules page. You can also see a list of all rules that have been created by administrators in your domain.
On the Rules page, you can take the following actions:
- Filter the list of rules by clicking Add a filter.
- View and edit a rule's details by clicking on the rule.
- Delete rules.
- Create new rules.
Note: To create, view, or edit a reporting rule, you need the Reporting privilege.
Email notifications
If you set up email notifications for your rule, emails are sent to specified recipients when the rule is triggered. The email notification contains a summary of the rule that triggered the alert, including the rule name, threshold details, source data, and more. Administrators who receive the email notification can click View Alert to be taken to the Alert details page in the alert center.
Note that reporting rules can only be configured to send email to internal domain users. However, admins can still configure external email alerts via Google Groups.