google-workspace, google-alerts

Can Google Workspace Alert Center be used with Email Log Search?


Is there a way to create an Alert Center notification based on criteria returned in the Google Workspace Email Log Search?

For example: if an email address sends a message to 1000+ recipients or sends 1000 messages to 1000 recipients. We already see the system-defined Alert Center actions if, say, someone flags a message as phishing, but we want to create a triggered alert rule based on the count of messages.

Thanks in advance.


Solution

  • This can be done using the Investigation tool found at ‘Security’ > ‘Investigation Tool’. Be advised this is a feature available for these editions: Enterprise, Education Standard and Plus, as documented here.

    Basically what you are looking to do is build a query like this:

    Data Source = Gmail Log Events With Conditions Below:

    Event Is User spam classification AND Spam classification Is Phishing

    Then:

    1. Click on the three dots at the top right, next to the bin icon.
    2. Click on ‘Create activity rule’
    3. Add a name + description. Click on ‘Next: View conditions’
    4. Click on ‘Next: Add Actions’
    5. Select the time window: 24hrs or 1hr
    6. Scroll down and set the threshold desired and configure it (basically after how many incidents this will be triggered)
    7. Add a desired action, eg. Send to quarantine, etc.
    8. Select the severity of this rule
    9. Check the box to ‘Send to alert center’
    10. Configure Email Notifications.
    11. Click on ‘Next: Review’ and make sure it is set to ‘Active’
    12. Finally click on ‘Create Rule’

    Keep in mind this may take some propagation time of up to 48hrs. For more information on the Investigation Tool see here
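As an added illustration (not part of the original answer, and not code from Google's Investigation tool or Alert Center), the activity rule described above reduces to a trailing time window plus a per-sender threshold. The Python below applies exactly that logic to a few constructed log records in a simplified, hypothetical shape (sender, ISO timestamp, recipient count; this is not the real Gmail log event schema), so you can see offline how the window choice (24hrs vs 1hr) and the metric (recipients vs messages, the two cases in the question) change what gets flagged.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical shape (NOT the real
# Gmail log event schema): sender, ISO timestamp and number of recipients.
SAMPLE_EVENTS = [
    {"sender": "alice@example.com", "time": "2024-01-10T09:00:00", "recipients": 400},
    {"sender": "alice@example.com", "time": "2024-01-10T09:30:00", "recipients": 700},
    {"sender": "bob@example.com",   "time": "2024-01-10T10:00:00", "recipients": 5},
    {"sender": "bob@example.com",   "time": "2024-01-11T12:00:00", "recipients": 3},
    {"sender": "carol@example.com", "time": "2024-01-10T08:00:00", "recipients": 900},
    {"sender": "carol@example.com", "time": "2024-01-11T09:00:00", "recipients": 900},
]


def evaluate_rule(events, threshold, window_hours, metric="recipients"):
    """Emit (sender, time, value) whenever a sender's total within the trailing
    window reaches the threshold.

    metric="recipients" sums recipient counts (the '1000+ recipients' case);
    metric="messages" counts sent messages (the '1000 messages' case).
    This mirrors the 'time window' and 'threshold' fields of an activity rule;
    it is an illustration, not how the Investigation tool evaluates them.
    """
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(deque)   # sender -> deque of (timestamp, weight)
    running = defaultdict(int)    # sender -> sum of weights still inside the window
    alerts = []
    for ev in ordered:
        sender = ev["sender"]
        now = datetime.fromisoformat(ev["time"])
        weight = ev["recipients"] if metric == "recipients" else 1
        recent[sender].append((now, weight))
        running[sender] += weight
        # Expire events that fell out of the trailing window; the newest event
        # is always inside it, so the loop terminates.
        while now - recent[sender][0][0] >= window:
            _, old = recent[sender].popleft()
            running[sender] -= old
        if running[sender] >= threshold:
            alerts.append((sender, ev["time"], running[sender]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS, threshold=1000, window_hours=24):
        print("ALERT sender=%s at=%s total=%d" % alert)
```

With the 24hr window only alice trips the 1000-recipient threshold (400 + 700 inside 30 minutes); carol's two 900-recipient sends are 25 hours apart, so they never overlap in a 24hr window but would be flagged with a 48hr one. Counting messages instead of recipients, with a threshold of 2, flags alice alone for the same reason: bob's and carol's second sends fall outside the window of their first.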