View and edit system-defined rules

Set up admin email alerts based on default rules

As your organization's administrator, you can use system-defined rules to be notified of specific activity within your domain, such as a suspicious sign-in attempt, a compromised mobile device, or when another administrator changes settings.

You don't create system-defined rules—they are default rules supplied by Google. From the Rules page, you can view and edit system-defined rules—for example, to turn alerts on or off, send email notifications, send alerts to the alert center, or change the severity level (Low, Medium, or High).

Each system-defined rule includes a default set of conditions, and you specify what actions to perform when the conditions are met. A rule is simply a way of saying, if x happens, automatically do y.

View and edit system-defined rules & email alerts

  1. In the Google Admin console, go to Menu and then Rules.

    Requires having the View Trust Rules administrator privilege.

  2. Click Add a filter, and then select Type.
  3. Check the System defined box.
  4. Click Apply.

    A list of system-defined rules is displayed.

  5. Select one of the rules from the list by clicking the table row for that rule—for example, the Device compromised rule.

    From the Rule details page, you can view the conditions and actions for the rule—for example, to confirm if email notifications are turned on, and to confirm the recipients for those email notifications.

  6. Click Edit Rule.

  7. Click Next: View Conditions.

  8. Click Next: Add Actions.

    From the Actions page, you can change the severity for the alert to Low, Medium, or High, send an alert to the alert center if the rule's conditions are met, set up admin email notifications, and specify recipients for those notifications.

  9. Click Next: Review.

  10. Review the updated rule details, and then click Update Rule.

Note:

  • On the Rules page, a system-defined rule is listed as Inactive if you have turned off alerts for that rule.
  • When you turn on an alert for a rule, you'll receive an email each time the conditions for that rule are met, up to 25 emails in 2 hours.
  • Some alerts are limited or unavailable if you're using an external SSO IdP.
  • System-defined rules can only be configured to send email to internal domain users. However, administrators can still configure external email alerts via Google Groups.

Types of admin alerts based on system-defined rules

User activity alerts

  • Approaching Gemini usage limit—User is approaching a Gemini for Workspace usage limit.
  • Apps outage alert—New, updated, or resolved outage on the Status Dashboard (Google Workspace only).
  • Gmail potential employee spoofing—Incoming messages were received where a sender's name is in your Google Workspace directory, but the mail is not from your company's domains or domain aliases.
  • Leaked password—Google detected compromised credentials requiring a reset of a user's password.
  • New user added—A new user was added to the domain.
  • Suspended user made active—An admin restored a suspended user.
  • Suspicious login—Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location.
  • Suspicious message reported—Users at your domain received messages that they've classified as spam.
  • Suspicious programmatic login—Google detected suspicious login attempts from applications or computer programs.
  • User deleted—A user was deleted from the domain.
  • User granted Admin privilege—A user was granted an admin privilege.
  • User-reported phishing—Users at your domain received messages that they've classified as phishing.
  • User suspended (by admin)—An admin suspended a user.
  • User suspended due to suspicious activity—Google suspended a user's account due to detection of a potential compromise.
  • User suspended for spamming—Google detected suspicious activity, such as spamming, and suspended the account.
  • User suspended for spamming through relay—Google detected suspicious activity, such as spamming through an SMTP relay service, and suspended the account.
  • User suspended (Google identity alert)—Google detected suspicious activity and suspended the account.
  • User's Admin privilege revoked—A user's admin privilege was revoked.
  • User's password changed—An admin changed a user's password.

Note: Changes made to the following rules can take up to 24 hours to take effect: New user added, Suspended user made active, User deleted, User granted Admin privilege, User suspended (by admin), User's Admin privilege revoked, and User's password changed.

Mobile device activity alerts

  • Device compromised—Provides details about devices in your domain that have entered a compromised state.
  • Suspicious device activity—Provides details if device properties, such as device ID, serial number, type of device, or device manufacturer, are updated.

Email activity alerts (Google Workspace only)

  • Exchange journaling failure—Failures with Exchange journaling, which ensures email traffic generated by Microsoft Exchange server users is properly archived in Google Vault.
  • Malware message detected post-delivery—Messages detected as malware post-delivery that were automatically reclassified.
  • Phishing in inboxes due to bad whitelist—Messages classified as spam by Gmail filters delivered to user inboxes due to allowlist settings in the Google Admin console that override the spam filters.
  • Phishing message detected post-delivery—Messages detected as phishing post-delivery that are automatically reclassified.
  • Rate limited recipient—A high rate of incoming email indicating a potential malicious attack or misconfigured setting.
  • Smarthost failure—If you set up a smart host for incoming or outgoing mail, this alert informs you if a large number of messages can't be delivered to one of your smart host servers.
  • Spike in user-reported spam—An unusually high volume of messages from a sender that users have marked as spam.
  • TLS failure—Messages requiring Transport Layer Security (TLS) can't be delivered.

Alerts for setting changes by other administrators

  • Calendar settings changed (Google Workspace only)—An admin has changed Google Workspace Calendar settings.
  • Domain data export initiated—A super administrator for your Google account has started exporting data from your domain.
  • Drive settings changed (Google Workspace only)—An admin has changed Google Workspace Drive settings.
  • Email settings changed (Google Workspace only)—An admin has changed Google Workspace Gmail settings.
  • Mobile settings changed—An admin has changed mobile management settings.

Note: Changes made to the following rules can take up to 24 hours to take effect: Calendar settings changed, Drive settings changed, Email settings changed, and Mobile settings changed.

General alerts

  • Access Approvals—A Google staff member has requested access to your organization's Google Workspace data.
  • Google mandatory service announcement—Email communication to primary admins that's necessary for the continued use of a product or service, or that's considered a necessary legal update.
  • Google Operations—Provides details about security and privacy issues that affect your Google Workspace services.
  • Government-backed attacks—Warnings about potential government-backed attacks.

Note: When editing the Google Operations rule, you can't remove the primary super administrator from the recipient list for email notifications.

Default states for system-defined rules

| Number | System-defined rule | Default state |
|---|---|---|
| 1 | Access Approvals request | Active |
| 2 | Account suspension warning | Active |
| 3 | APNS certificate has expired | Active |
| 4 | APNS certificate is expiring soon | Active |
| 5 | App Maker Cloud SQL setup | Active |
| 6 | Apps outage alert | Inactive |
| 7 | Calendar settings changed | Inactive |
| 8 | Client-side encryption service unavailable | Active |
| 9 | Customer abuse detected | Active |
| 10 | Device compromised | Active |
| 11 | Directory sync canceled due to safeguard threshold exceeded | Active |
| 12 | Domain data export initiated | Active |
| 13 | Drive settings changed | Inactive |
| 14 | Email settings changed | Inactive |
| 15 | Exchange journaling failure | Inactive |
| 16 | Gmail potential employee spoofing | Active |
| 17 | Google Mandatory Service Announcement - Billing | Active |
| 18 | Google Mandatory Service Announcement - Legal | Active |
| 19 | Google Mandatory Service Announcement - Product | Active |
| 20 | Google Mandatory Service Announcement - Security | Active |
| 21 | Google Operations | Active |
| 22 | Google Voice configuration problem | Active |
| 23 | Government-backed attacks | Active |
| 24 | Leaked password | Active |
| 25 | Malware message detected post-delivery | Active |
| 26 | Mobile settings changed | Inactive |
| 27 | New user added | Inactive |
| 28 | Phishing in inboxes due to bad whitelist | Active |
| 29 | Phishing message detected post-delivery | Active |
| 30 | Primary admin changed | Active |
| 31 | Rate limited recipient | Inactive |
| 32 | Smarthost failure | Inactive |
| 33 | Spike in user-reported spam | Active |
| 34 | SSO profile added | Active |
| 35 | SSO profile deleted | Active |
| 36 | SSO profile updated | Active |
| 37 | Super admin password reset | Active |
| 38 | Suspended user made active | Inactive |
| 39 | Suspicious device activity | Active |
| 40 | Suspicious login | Active |
| 41 | Suspicious message reported | Active |
| 42 | Suspicious programmatic login | Active |
| 43 | TLS failure | Inactive |
| 44 | User deleted | Inactive |
| 45 | User granted Admin privilege | Inactive |
| 46 | User suspended (Administrator email alert) | Inactive |
| 47 | User suspended (Google identity alert) | Active |
| 48 | User suspended due to suspicious activity | Active |
| 49 | User suspended for spamming | Active |
| 50 | User suspended for spamming through relay | Active |
| 51 | User-reported phishing | Active |
| 52 | User's Admin privilege revoked | Inactive |
| 53 | User's password changed | Inactive |
| 54 | Vault accelerated deletion initiated | Active |
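
The following is an added example, not part of the original page and not Google tooling. It checks a desired alerting baseline against the default states in the table, flags rules whose changes the notes say can take up to 24 hours to apply, and reports baseline names that do not appear in the table instead of guessing a match. The `BASELINE` list and all function names are assumptions chosen for illustration.

```python
import re

# Subset of rows copied from this page's default-state table: number, name, state.
DEFAULT_STATES = """\
30 Primary admin changed Active
37 Super admin password reset Active
43 TLS failure Inactive
45 User granted Admin privilege Inactive
46 User suspended (Administrator email alert) Inactive
52 User's Admin privilege revoked Inactive
53 User's password changed Inactive
"""

# Rules the page's notes say can take up to 24 hours to reflect a change.
SLOW_TO_APPLY = {
    "New user added", "Suspended user made active", "User deleted",
    "User granted Admin privilege", "User suspended (by admin)",
    "User's Admin privilege revoked", "User's password changed",
    "Calendar settings changed", "Drive settings changed",
    "Email settings changed", "Mobile settings changed",
}

ROW = re.compile(r"^(\d+)\s+(.+?)\s+(Active|Inactive)$")

def parse_states(text):
    """Return {rule name: 'Active' | 'Inactive'} from table rows."""
    states = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            states[m.group(2)] = m.group(3)
    return states

def plan_changes(states, baseline):
    """Split a desired-active baseline into rules to turn on (with a flag
    for the up-to-24-hour delay) and names absent from the table."""
    to_enable, unknown = [], []
    for rule in baseline:
        if rule not in states:
            unknown.append(rule)  # name differs from the table: resolve by hand
        elif states[rule] == "Inactive":
            to_enable.append((rule, rule in SLOW_TO_APPLY))
    return to_enable, unknown

# Hypothetical baseline an organization might choose (an assumption).
BASELINE = ["User granted Admin privilege", "User's password changed",
            "TLS failure", "Super admin password reset", "User suspended (by admin)"]

if __name__ == "__main__":
    print(plan_changes(parse_states(DEFAULT_STATES), BASELINE))
```

The alert list on this page names a rule "User suspended (by admin)", while the table has "User suspended (Administrator email alert)"; the script reports the unmatched name so that it is checked against the Rules page before any change is made.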

