As your organization's administrator, you can use system-defined rules to be notified of specific activity within your domain, such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.
You don't create system-defined rules; they are default rules supplied by Google. From the Rules page, you can view and edit system-defined rules, for example, to turn alerts on or off, send email notifications, send alerts to the alert center, or change the severity level (Low, Medium, or High).
Each system-defined rule includes a default set of conditions, and you specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.
View and edit system-defined rules & email alerts
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Rules.
- Click Add a filter, and then select Type.
- Check the System defined box.
- Click Apply.
  A list of system defined rules is displayed.
- Select one of the rules from the list by clicking the table row for that rule, for example, the Device compromised rule.
  From the Rule details page, you can view the conditions and actions for the rule, for example, to confirm if email notifications are turned on, and to confirm the recipients for those email notifications.
- Click Edit Rule.
- Click Next: View Conditions.
- Click Next: Add Actions.
  From the Actions page, you can change the severity for the alert to Low, Medium, or High, send an alert to the alert center if the rule's conditions are met, set up admin email notifications, and specify recipients for those notifications.
- Click Next: Review.
- Review the updated rule details, and then click Update Rule.
Note:
- On the Rules page, a system-defined rule is listed as Inactive if you have turned off alerts for that rule.
- When you turn on an alert for a rule, you'll receive an email each time the conditions for that rule are met, up to 25 emails in 2 hours.
- Some alerts are limited or unavailable if you're using an external SSO IdP.
- System-defined rules can only be configured to send email to internal domain users. However, administrators can still configure external email alerts via Google Groups.
Types of admin alerts based on system-defined rules
User activity alerts
- Approaching Gemini usage limit: User is approaching a Gemini for Workspace usage limit.
- Apps outage alert: New, updated, or resolved outage on the Status Dashboard (Google Workspace only).
- Gmail potential employee spoofing: Incoming messages were received where a sender's name is in your Google Workspace directory, but the mail is not from your company's domains or domain aliases.
- Leaked password: Google detected compromised credentials requiring a reset of a user's password.
- New user added: A new user was added to the domain.
- Suspended user made active: An admin restored a suspended user.
- Suspicious login: Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location.
- Suspicious message reported: Users at your domain received messages that they've classified as spam.
- Suspicious programmatic login: Google detected suspicious login attempts from applications or computer programs.
- User deleted: A user was deleted from the domain.
- User granted Admin privilege: A user was granted an admin privilege.
- User-reported phishing: Users at your domain received messages that they've classified as phishing.
- User suspended (by admin): An admin suspended a user.
- User suspended due to suspicious activity: Google suspended a user's account due to detection of a potential compromise.
- User suspended for spamming: Google detected suspicious activity, such as spamming, and suspended the account.
- User suspended for spamming through relay: Google detected suspicious activity, such as spamming through an SMTP relay service, and suspended the account.
- User suspended (Google identity alert): Google detected suspicious activity and suspended the account.
- User's Admin privilege revoked: A user's admin privilege was revoked.
- User's password changed: An admin changed a user's password.
Note: Changes made to the following rules can take up to 24 hours to take effect: New user added, Suspended user made active, User deleted, User granted Admin privilege, User suspended (by admin), User's Admin privilege revoked, and User's password changed.
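The condition behind the Gmail potential employee spoofing alert in the list above, sketched as an added Python example for triaging such alerts. This is not Google's code: the function names, directory names and domains are constructed, and exact matching on display name and domain is an assumption.

```python
from email.utils import parseaddr


def normalize_name(name):
    """Lower-case and collapse whitespace so 'Dana  LOPEZ' equals 'dana lopez'."""
    return " ".join(name.lower().split())


def is_potential_employee_spoof(from_header, directory_names, org_domains):
    """True when the display name is a directory name but the sending
    domain is not one of the organization's domains or domain aliases."""
    display, addr = parseaddr(from_header)
    if not display or "@" not in addr:
        return False  # no display name to impersonate, or unparseable address
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    names = {normalize_name(n) for n in directory_names}
    domains = {d.lower() for d in org_domains}
    return normalize_name(display) in names and domain not in domains


def flag_spoofs(from_headers, directory_names, org_domains):
    """Return the From headers that meet the spoofing condition."""
    return [h for h in from_headers
            if is_potential_employee_spoof(h, directory_names, org_domains)]


# Constructed sample data (not taken from any real tenant).
DIRECTORY = ["Dana Lopez", "Sam Okafor"]
ORG_DOMAINS = {"example.com", "example.org"}  # primary domain plus one alias
SAMPLE_FROM_HEADERS = [
    '"Dana Lopez" <dana.lopez@example.com>',  # real employee, primary domain
    'Dana  LOPEZ <dana.lopez@examp1e.net>',   # directory name, outside domain
    'Sam Okafor <sam@example.org>',           # directory name, domain alias
    'Newsletter <news@vendor.test>',          # outside sender, unknown name
    'dana.lopez@examp1e.net',                 # no display name at all
]

if __name__ == "__main__":
    for header in flag_spoofs(SAMPLE_FROM_HEADERS, DIRECTORY, ORG_DOMAINS):
        print("potential employee spoofing:", header)
```

Only the second sample header is flagged; mail from the alias domain is treated as internal, which is why keeping the alias list complete matters when reviewing these alerts.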
- Device compromised: Provides details about devices in your domain that have entered a compromised state.
- Suspicious device activity: Provides details if device properties, such as device ID, serial number, type of device, or device manufacturer, are updated.
- Exchange journaling failure: Failures with Exchange journaling, which ensures email traffic generated by Microsoft Exchange server users is properly archived in Google Vault.
- Malware message detected post-delivery: Messages detected as malware post-delivery that were automatically reclassified.
- Phishing in inboxes due to bad whitelist: Messages classified as spam by Gmail filters delivered to user inboxes due to allowlist settings in the Google Admin console that override the spam filters.
- Phishing message detected post-delivery: Messages detected as phishing post-delivery that are automatically reclassified.
- Rate limited recipient: A high rate of incoming email indicating a potential malicious attack or misconfigured setting.
- Smarthost failure: If you set up a smart host for incoming or outgoing mail, this alert informs you if a large number of messages can't be delivered to one of your smart host servers.
- Spike in user-reported spam: An unusually high volume of messages from a sender that users have marked as spam.
- TLS failure: Messages requiring Transport Layer Security (TLS) can't be delivered.
- Calendar settings changed (Google Workspace only): An admin has changed Google Workspace Calendar settings.
- Domain data export initiated: A super administrator for your Google account has started exporting data from your domain.
- Drive settings changed (Google Workspace only): An admin has changed Google Workspace Drive settings.
- Email settings changed (Google Workspace only): An admin has changed Google Workspace Gmail settings.
- Mobile settings changed: An admin has changed mobile management settings.
Note: Changes made to the following rules can take up to 24 hours to take effect: Calendar settings changed, Drive settings changed, Email settings changed, and Mobile settings changed.
- Access Approvals: A Google staff member has requested access to your organization's Google Workspace data.
- Google mandatory service announcement: Email communication to primary admins that's necessary for the continued use of a product or service, or that's considered a necessary legal update.
- Google Operations: Provides details about security and privacy issues that affect your Google Workspace services.
- Government-backed attacks: Warnings about potential government-backed attacks.
Note: When editing the Google Operations rule, you can't remove the primary super administrator from the recipient list for email notifications.