Create and manage rules from the Rules page

Use rules to set up alerts and actions

As an administrator, you can set up rules in the Google Admin console. To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.

For example:

  • Set up rules to be notified of specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.
  • Set up rules using the security investigation tool to automate actions that happen in response to activity within your domain.
  • Create custom alerts based on your organization’s log event data (previous called audit logs).

Multiple rule types are viewable and configurable from the Rules page, including activity rulesreporting rules, data protection rules, Chrome action rulessystem defined rules, and trust rules. For more details and instructions, go to the sections below.

Types of rules & required admin privileges

Reporting rules

Reporting rules are custom rules created by administrators from the Rules page. Previously called Custom reporting alerts, you can use these rules to create and manage custom alerts based on your organization’s log event data (previously called audit logs).

Your ability to create and view reporting rules depends on your Google Workspace edition and your administrative privileges. To create or view reporting rules, you need the Reports privilege. For details, go to Admin access to reporting rules & activity rules.

Activity rules

Activity rules are custom rules created by administrators from the security investigation tool or from the Rules page. With these rules, you can automate actions that happen in response to activity within your domain.

Your ability to create and view activity rules depends on your Google Workspace edition, your administrative privileges, and the data source. To create or view activity rules, you need the following privileges:

  • Security Center > Activity Rules > View
  • Security Center > Activity Rules > Manage

For details, go to Admin access to reporting rules & activity rules.

Chrome action rules

Chrome action rules are custom rules that are created by an administrator from the Rules page. You can use these rules to restrict users from defined ChromeOS actions, such as copying or pasting content from specific URLs, or blocking screen capture or screen sharing from endpoints in your domain using Chrome.

Your ability to create and view Chrome action rules depends on your Google Workspace edition, your administrative privileges, and the data source. To create or view Chrome action rules, you need the following privileges:

  • Services > Chrome Management > Settings > Manage User Settings
Data protection rules

Data protection rules are custom rules that are created by an administrator from the Rules page. You can use these rules to be notified of specific activity related to the use of Drive files within your domain.

To create or view data protection rules, you need the following privileges:

  • DLP > View DLP rule
  • DLP > Manage DLP rule
System defined rules

System defined rules are default rules supplied by Google. You can use these rules to be notified of specific activity within your domain.

To create or view system defined rules, you need the Reports privilege.

Trust rules

Trust rules give you more control over who your users collaborate with. You can control who users can share Drive files with, who they can receive Drive files from, who can be invited to a document, and who can add items to shared drives.

To understand which admin privileges you need to manage trust rules, see Create and manage trust rules for Drive sharing.

Create rules

To access the Rules page, go to the Admin console Home page, and click Rules. From there, you'll see a list of the different rules that have been set up for your organization. You can change what's viewable on this page by clicking Add a filter, and then filtering by various criteria such as Rule type, Rule name, Rule status, and more.

For more details and step-by-step instructions, go to these articles:

Note: When creating a rule, you can also use one of several rule cards at the top of the page. The cards enable you to create new rules based on common use-case examples. You can also use the cards to review existing rules. From one of the rule cards, click View list to view a list of existing rules, or click Create rule to create a new rule.

Manage rules

View the Rules page & rule details

To access the Rules page, go to the Admin console Home page at admin.google.com, and then click Rules. From there, you'll see a list of the different rules that have been set up for your organization. You can change what's viewable on this page by clicking Add a filter, and then filtering by various criteria such as Rule type, Rule name, Rule status, and more.

Note: To find the rules that you're looking for more easily, you can sort columns on the Rules page. The Rules page includes the following details for each rule:

  • Name—Name and description for the rule
  • Status—Whether a rule is Active or Inactive
  • Actions—Specifies the actions that are triggered if the conditions of a rule are met; for example, to quarantine a message, mark it as spam, delete the message, or send an email notification
  • Alerts—Specifies whether an alert is on or off
  • Rule type—Specifies the rule type; such as Activity rule, Data protection rule, Reporting rule, System defined rule, or Trust rule (see the section below for more details)
  • Last modified—Date and time when the rules was created, or when changes were last made to the rule

Rule details

You can view information about a specific rule from the Rule details page, which you can access by clicking any row on the Rules page. The Rule details page includes the name and description for the rule, the scope (for example, Entire domain), the conditions for the rule, and the actions (for example, to email all super administrators if the rule conditions are met).

Edit rules

You can edit a rule from the Rule details page, which you can access by clicking any row on the Rules page. On the left side of the page, click Edit Rule, and then follow the instructions in the Edit rule wizard.

Note: You can't edit the filters for a rule. You can only edit the recipients of the alert. To use different filters, you need to create a new rule.

Download rules from the Rules page

From the Rules page, you can download the rule details into a txt file. The txt file will include all of the rules related to a specific rule type.

  1. Click Download.
  2. From the Rule details window, choose the rule type—for example, Data protection rule or Activity rule.
  3. Click Download.

Start an investigation from the Rules page 

If you have access to the security investigation tool, you can start an investigation to analyze the results of the rules you have created. From the Rules page, click Investigate to start an investigation based on the Rule log events data source. You can also start the same investigation from the investigation tool. For details and instructions, see Rules log events: Security investigation tool.

Related articles

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
10533924794620614703
true
Search Help Center
true
true
true
false
false