Create and manage rules from the Rules page
As an administrator, you can set up rules in the Google Admin console. To configure a rule, you set up conditions for the rule, and specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.
- Set up rules to be notified of specific activity within your domain—such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.
- Set up rules using the security investigation tool to automate actions that happen in response to activity within your domain.
- Create custom alerts based on your organization's log event data (previously called audit logs).
Multiple rule types are viewable and configurable from the Rules page, including activity rules, reporting rules, data protection rules, system defined rules, and trust rules. For more details and instructions, go to the sections below.
Types of rules & required admin privileges
Reporting rules
Reporting rules are custom rules created by administrators from the Rules page. These rules were previously called Custom reporting alerts. You can use them to create and manage custom alerts based on your organization's log event data (previously called audit logs).
Your ability to create and view reporting rules depends on your Google Workspace edition and your administrative privileges. To create or view reporting rules, you need the Reports privilege. For details, go to Admin access to reporting rules & activity rules.
Activity rules are custom rules created by administrators from the security investigation tool or from the Rules page. With these rules, you can automate actions that happen in response to activity within your domain.
Your ability to create and view activity rules depends on your Google Workspace edition, your administrative privileges, and the data source. To create or view activity rules, you need the following privileges:
- Security Center > Activity Rules > View
- Security Center > Activity Rules > Manage
For details, go to Admin access to reporting rules & activity rules.
Data protection rules are custom rules that are created by an administrator from the Rules page. You can use these rules to be notified of specific activity related to the use of Drive files within your domain.
To create or view data protection rules, you need the following privileges:
- DLP > View DLP rule
- DLP > Manage DLP rule
System defined rules are default rules supplied by Google. You can use these rules to be notified of specific activity within your domain.
To create or view system defined rules, you need the Reports privilege.
Trust rules give you more control over who your users collaborate with. You can control who users can share Drive files with, who they can receive Drive files from, who can be invited to a document, and who can add items to shared drives.
To understand which admin privileges you need to manage trust rules, see Create and manage trust rules for Drive sharing.
To access the Rules page, go to the Admin console Home page, and click Rules. From there, you'll see a list of the different rules that have been set up for your organization. You can change what's viewable on this page by clicking Add a filter, and then filtering by various criteria such as Rule type, Rule name, Rule status, and more.
For more details and step-by-step instructions, go to these articles:
- Create and manage reporting rules
- Create and manage activity rules
- Admin access to reporting rules & activity rules
- Create data protection rules
- View and edit system-defined rules
- Create and manage trust rules for Drive sharing
Note: When creating a rule, you can also use one of several rule cards at the top of the page. The cards enable you to create new rules based on common use-case examples. You can also use the cards to review existing rules. From one of the rule cards, click View list to view a list of existing rules, or click Create rule to create a new rule.
Manage rules
View the Rules page & rule details
To access the Rules page, go to the Admin console Home page at admin.google.com, and then click Rules. From there, you'll see a list of the different rules that have been set up for your organization. You can change what's viewable on this page by clicking Add a filter, and then filtering by various criteria such as Rule type, Rule name, Rule status, and more.
Note: To find the rules that you're looking for more easily, you can sort columns on the Rules page.
The Rules page includes the following details for each rule:
- Name—Name and description for the rule
- Status—Whether a rule is Active or Inactive
- Actions—Specifies the actions that are triggered if the conditions of a rule are met; for example, to quarantine a message, mark it as spam, delete the message, or send an email notification
- Alerts—Specifies whether an alert is on or off
- Rule type—Specifies the rule type, such as Activity rule, Data protection rule, Reporting rule, System defined rule, or Trust rule (see the section below for more details)
- Last modified—Date and time when the rule was created, or when changes were last made to the rule
You can view information about a specific rule from the Rule details page, which you can access by clicking any row on the Rules page. The Rule details page includes the name and description for the rule, the scope (for example, Entire domain), the conditions for the rule, and the actions (for example, to email all super administrators if the rule conditions are met).
You can edit a rule from the Rule details page, which you can access by clicking any row on the Rules page. On the left side of the page, click Edit Rule, and then follow the instructions in the Edit rule wizard.
Note: You can't edit the filters for a rule. You can only edit the recipients of the alert. To use different filters, you need to create a new rule.
From the Rules page, you can download the rule details into a txt file. The txt file will include all of the rules related to a specific rule type.
- Click Download.
- From the Rule details window, choose the rule type—for example, Data protection rule or Activity rule.
- Click Download.
Start an investigation from the Rules page
If you have access to the security investigation tool, you can start an investigation to analyze the results of the rules you have created. From the Rules page, click Investigate to start an investigation based on the Rule log events data source. You can also start the same investigation from the investigation tool. For details and instructions, see Rules log events: Security investigation tool.