View alert details - Google Workspace Admin Help (2024)

From your list of alerts in the alert center, you can drill down to view more details about individual alerts. Each alert type has different details and provides you with different options when responding to an alert.

To view alert details:

  1. Sign in to your GoogleAdminconsole.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to MenuView alert details - Google Workspace Admin Help (1)View alert details - Google Workspace Admin Help (2)View alert details - Google Workspace Admin Help (3)SecurityView alert details - Google Workspace Admin Help (4)Alert center.

  3. To view more details, click any item on the page to open the alert details page.

    From the alert details page, you can view details about an alert, delete analert, access detailsabout therule that generatedthe alert,andtake other actions.

Note:The alert center doesn’t display timezone details. Times in the alert center are formatted to your Google Admin console timezone preference.

Access the alert centerfrom anywherein the Admin console

From anywhere in theGoogleAdmin console, you can view the Alerts widget to get a quick view of alerts affecting your organization. The Alerts widget includes a list of alerts, a short descriptionfor each alert, and the severity level(High, Medium, or Low).

To open the Alerts widget, click the bell iconView alert details - Google Workspace Admin Help (5)at the top of any page in the Admin console. To access the alert details for a specific alert, click one of the line items in the widget. To access the complete list of alerts in the alert center, click View all.

Gmail alerts

Note: Gmail alert notifications may arrive up to 4 hours after an alert rule is triggered.

Open all | Close all

Gmail potential employee spoofing

This alert informs you when an external sender may be spoofing users with a similar name in your organization by using a display name that matches a user in your global address book. The external sender may have a history of sending spam or has limited/no history of sending emails to your organization.

Note: This alert is triggered only if the spoofing and authentication protection option for employee name spoofing is disabled. For instructions onenabling or disablingthis feature, seeTurn on spoofing and authentication protectioninAdvanced phishing and malware protection.

To view which messages users have interacted with, and toremove those messages from user inboxes, go to the investigation tool. For instructions, seeTake action based on search results. To block the sender, see Block specific senders based on email address or domain.

From the Alert details page, you can view important details about this alert:

  • Summary—Includes a summary of the alert—for example, the number of potential spoofing messages, the display name used, and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total user reports
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a table with message details including the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name to help with your investigation. The investigation tool can provide additional details to continue your investigation.

Note: To control the volume of alerts, an alert isn't created if there'san existing, open alert from the same external sender.

Malware message detected post-delivery

Unopened messages that are detected as malwarepost-delivery are automatically reclassified and removed from the user's inbox. However, if a recipient has opened or otherwise interacted with such a message, it will remain in their inbox until manually removed. It is strongly recommended that all opened malware messages be removed from user inboxes as soon as possible.

TheAlert details page includes the following information:

  • Summary—This section includes a summary of the alert—for example, the number of malware messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total message delivery events
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of message delivery events. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, recipient, attachment hashes, and your primary domain name.

To view which messages users have interacted with and remove them from user inboxes, go to the investigation tool (see Take action based on search results). To block the sender, seeBlock specific senders based on email or domain.

Phishing in inboxes due to bad whitelist

Messages classified as spam by Gmail filters might be delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters. As a result, users in your organizationmight receive phishing messages. The Phishing in inboxes due to bad whitelist alert provides details about such a security event.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Source IP—IP address of the sender's domain
  • Whitelist type—Setting in the Google Admin console that overrode the spam filters
  • Message delivery events—Number of events
  • Received by—Lists the number of recipients and the usernames of the recipients.

The details page also includes a list of samples of message delivery events. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Using the details from this alert, you can take action to block the sender.

Phishing message detected post-delivery

Unopened messages that are detected as phishing post-delivery are automatically reclassified and removed from the user's inbox. However, if a recipient has opened or otherwise interacted with such a message, it will remain in their inbox until manually removed. It is strongly recommended that all opened phishing messages be removed from user inboxes as soon as possible.

To view which messages users have interacted with and remove them from user inboxes, go to the investigation tool (see Take action based on search results). To block the sender, seeBlock specific senders based on email or domain.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total message delivery events
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of message delivery events. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, recipient, attachment hashes, and your primary domain name.

Spike in user reported spam

With this alert, an unusually high volume of messages have been marked as spam by users in your organization.

For instructions on blocking this sender, see Block specific senders based on email or domain. To find similar messages that users may not have reported, to reclassify messages, and to remove these messages from user inboxes, go to the investigation tool (for instructions, see Take action based on search results).

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the number of spam messages and the number of recipients.
  • Date—Date and time of the event (this isusually the date of the first message that's reported within the spike grouping)
  • Total user reports
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of user reports. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Suspicious message reported

With this alert, an external sender has sent messages to your organization that users have classified as spam.

Messages may be classified as suspicious if they meet certain characteristics typical of spam messages, but when Google does not have a strong enough signal to mark them as spam. This alert is generated when a user marks such messages as spam, thus confirming Google's suspicions.

For instructions on blocking this sender, see Block specific senders based on email or domain. To find similar messages that users may not have reported, to reclassify messages, and to remove these messages from user inboxes, go to the investigation tool (for instructions, see Take action based on search results).

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the number of suspicious messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total user reports
  • Received by—Lists the number of recipients and the usernames of the recipients

The details page also includes a list of samples of user reports. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

User-reported phishing

A spike in user-reported phishing emails could mean that your organization is experiencing a phishing attack. The User-reported phishing alert provides details about such a security event.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the number of phishing messages and the number of recipients.
  • Date—Date and time of the event
  • Sender—Username of the sender
  • Total user reports—Number of user reports
  • Received by—Lists the number of recipients and the usernames of the recipients.

The details page also includes a list of samples of user reports. This list is included in a table at the bottom of the page. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

Using the details from this alert, you can take action to block the sender.

User alerts

Open all | Close all

Leaked password

When Google detects compromised credentials, we require a reset of the user's password before the user can sign in again.

Common causes of password theft are viruses, user responses to phishing emails, or the use of the same password on many different websites, of which one or more have been compromised by attackers.

We recommend resetting the user's password, and checking to see if their account has been compromised. We also recommend having the user go through the Gmail security checklist.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date of login
  • Userimpacted—Username with compromised credentials

For more information on how Google detects compromised credentials, seeChange unsafe passwords in your Google Account >Learn about compromised passwords.

New user added

TheNew user added alertinforms you that a new user has been added to your organization.

From the Alert details page, you can view important details about the New user addedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—User that was added to your organization
  • Changed by—User that added the new user to your organization

Suspicious login blocked

Important:Suspicious login blocked alerts are hidden from the default alert center list view. They can be viewed by selecting the alert type filter for Suspicious login. Even though the alerts are hidden from the list view, new alerts will still trigger email notifications if enabled.

Google considers login activity suspicious if there's a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location, or if an unauthorized personmay have attempted to access a user's account.

In most cases, before we send you an alert, we'll show the user a login challenge. If the user fails or abandons the challenge, we'll send you a suspicious login alert.

We recommend suspending this user until you've gone through these security steps. You can suspend the user from their settings page, or by using the investigation tool.

You can restore the user and reset their password once you've determined it's safe to do so. We recommend having the user go through the Gmail security checklist.Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details
  • Date login was marked as suspicious
  • Date of login attempt
  • Userimpacted—Username affected by the suspicious login
  • IP from which the login was detected

Suspicious login from a less secure app

Google considers login activity suspicious if there's a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location, or if an unauthorized personmay have attempted to access a user's account.

Apps that are less secure don't use modern security standards, such as OAuth. Using apps and devices that don’t use modern security standards increases the risk of accounts being compromised.

Examples of apps that don’t support modern security standards include:

  • ​Native mail, contacts, and calendar sync applications on older versions of iOS and OSX​
  • ​Some computer mail clients, such as older versions of Microsoft Outlook

From the Alert details page, you can view important details about the Suspicious login from a less secure appalert,including a summary of the alert, and the date and time of the event.

For more information, see Control access to less secure apps.

Suspicious programmatic login

Google considers login activity suspicious if there's a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location, or if an unauthorized personmay have attempted to access a user's account.

Like conventional web logins, programmatic logins (through apps) are subject to risk analysis. To help keep Google accounts (through work, school, or other groups) more secure, Google blocks suspicious programmatic logins from accessing Google accounts.

We strongly recommend using OAuth for any connection to your users’ data. If a user tries to sign in with a programmatic login, we recommend contacting the user to identify the app they’re using and make sure they were the user attempting to access their account. Subsequently, upgrade the user to an app that uses OAuth and to turn off access to less secure apps for this user and as many others as possible.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details
  • Date login was marked as suspicious
  • Date of login attempt
  • Userimpacted—Username affected by the suspicious login
  • IP from which the login was detected

Suspended user made active

The Suspended user made active alertinforms you that a suspended user in your organization has been made active.

From the Alert details page, you can view important details about the Suspended user made activealert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—Suspended user that was made active
  • Changed by—User that changed a suspended user to active

User deleted

The Userdeleted alertinforms you that a user has been deleted from your organization.

From the Alert details page, you can view important details about the User deletedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—User that was deleted from your organization
  • Changed by—User that deleted the user from your organization

User granted Admin privilege

The User granted Admin privilege alertinforms you that a user in your organization has been granted an admin privilege.

From the Alert details page, you can view important details about the User granted Admin privilegealert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—User that was granted an admin privilege
  • Changed by—User that granted an admin privilege to a user

User suspended

When Google detects suspicious activity that suggests an account has been compromised, we proactively suspend the affected user's account.

As anadministrator, you can also suspend users from their settings page, or by using the investigation tool.

You can restore the user and reset their password once you've determined it's safe to do so. Before restoring a user, we recommend that you follow these security steps.

We also recommend having the user go through the Gmail security checklist. Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details
  • Date of login
  • Userimpacted—Username affected by the suspicious activity

User suspended (by admin)

The User suspended (by admin) alertinforms you that a user in your organization has been suspended byan administrator.

From the Alert details page, you can view important details about the User suspended (by admin)alert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—User that was suspended
  • Changed by—Admin that suspended the user

User suspended due to suspicious activity

This alert is a generic alert that lets you know that a user has been suspended due to suspicious activity. As a response to this alert, you can follow up with the user, or—if needed—you can contact Google support to see if they can provide more information.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date login was marked as suspicious
  • Date of login attempt
  • Userimpacted—Username affected by suspicious activity
  • IP address from which the login was detected

User suspended for spamming

When Google detects suspicious activity that suggests an account compromise, such as evidence that a user is sending spam, we proactively suspend the affected user's account.

You can restore the user and reset their password once you've determined it's safe to do so. We recommend having the user go through the Gmail security checklist. Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date
  • Userimpacted—Username affected by suspicious activity

User suspended for spamming through relay

When Google detects suspicious activity that suggests an account compromise, such as evidence that a user is sending spam through the SMTP relay service, we proactively suspend the affected user's account.

You can restore the account once you have resolved the issue with relay spam. During the suspension period, the user won't be able to sign in to Google services, or send email via this account, but we will continue to deliver incoming email as normal.

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date
  • Userimpacted—Username affected by suspicious activity

User's Admin privilege revoked

The User's Admin privilege revoked alertinforms you that an admin has revoked the admin privileges of auser in your organization.

From the Alert details page, you can view important details about the User's Admin privilege revokedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—User that had the admin privilegerevoked
  • Changed by—Admin that revoked the admin privilege

User's password changed

The User's password changed alertinforms you that a user's password was changedin your organization.

From the Alert details page, you can view important details about the User's password changedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • User—User that had their password changed

Device alerts

Open all | Close all

APNS certificate has expired

Your Apple Push Notification Service (APNS) certificate expired. The certificate establishes a trusted connection between iOS devices and your organization's domain. You need it to use advanced mobile management with iOS devices. For details, go to Renew an Apple push certificate.

From the Alert details page, you can view important details about this alert:

  • Summary—Summary of the alert.
  • APNS certificate expiration date—Date and time the certificate expired.
  • Apple ID used to create the APNS certificate—ID that was used to create the APNS certificate. Use the same Apple ID to renew the certificate.
  • APNS certificate UID—Identifier for the APNS certificate. Make sure you renew the certificate with the same UID.
  • Next steps—Steps you need to take to fix the problem.

APNS certificate is expiring soon

Your Apple Push Notification Service (APNS) certificate expires soon. The certificate establishes a trusted connection between iOS devices and your organization's domain. You need it to use advanced mobile management with iOS devices. You have 30 days to renew the certificate after it expires. For details, go to Renew an Apple push certificate.

From the Alert details page, you can view important details about this alert:

  • Summary—Summary of the alert.
  • APNS certificate expiration date—Date and time the certificate expires.
  • Apple ID used to create the APNS certificate—ID that was used to create the APNS certificate. Use the same Apple ID to renew the certificate.
  • APNS certificate UID—Identifier for the APNS certificate. Make sure you renew the certificate with the same UID.
  • Next steps—Steps you need to take to fix the problem.

Device compromised

The Device compromisedalert provides details about devices in your organization that have entered a compromised state. A device is considered compromised if it'srooted (for Android devices), if it's jailbroken (for iOS devices), or if it experiencesan unusual state change.

From theAlert detailspage, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the type of device andthe device ID.
  • Date—Date and time of the event
  • Device owner—Username of the device owner
  • Device impacted—This section includes device details, such as the device ID, serial number, device type, device model name, and resource ID name.

Suspicious device activity

If a device property is updated—for example, the device ID, serial number, type of device, or device manufacturer—it'sconsidered suspicious device activity. The Suspicious device activity alert provides details about such a security event.

From theAlert detailspage, you can view important details about this alert:

  • Summary—This section includes a summary of the alert—for example, the number of device properties that were updated, and the device ID.
  • Date—Date and time of the event
  • Device owner—Username of the device owner
  • Device impacted—This section includes details such as the device ID, serial number, device type, model name, and the resource ID name.
  • Received by—Lists the number of recipients and the usernames of the recipients.

The details page also includes a list of device-property updates. This list is included in a table at the bottom of the page. The old value and the new value are displayed for each device property that was updated.

Administrative alerts

Open all | Close all

Google Voice configuration problem

When there's a problem with a Google Voice configuration, auto attendants and ring groups can potentially hang up the call at unexpected times. For example, if an auto attendant is configured to send the caller to voicemail, but all voicemail recipients were deleted because the recipientsleft the company, then the auto attendant cannot send voicemail and will hang up instead.

When this happens, Google Workspace administratorsreceiveaGoogle Voice configuration problemalert in the alert center. Thisalert lets you know about theproblematic state and provides instructions to help you resolve the issue. This helps you ensurethat callers are successful in reaching the intended party when calling Google Voice phone numbers.

Thisalert is Onby default, and email notifications tosuper admins are also On by default.

Here are some typical Google Voice configurations that cause this alert:

  • There are no voicemail recipients.
  • The quota is full for the voicemail recipients.
  • The target for a transfer is invalid—for example, the transfer target was deleted or suspended.
  • There are novalid ring group members—for example, all members were deleted or suspended.

From the Alert details page, you can view the following important details about the Google Voice configuration problemalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Mitigation—Description of the actions that are requiredto resolve the issue
  • Start date—Date and time of the event
  • Users impacted—Usersaffected by the event

Calendar settings changed

The Calendar settings changedalertinforms you when anadmin has changed Google Workspace Calendar settings.

From the Alert details page, you can view important details about the Calendar settings changedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • Settings—Setting that was changed by the admin
  • New value—New value for the setting
  • Old value—Old value for the setting
  • By—Admin that changed the setting

Click Search in audit logsto view more details about the event that triggered the alert.

Client-side encryption service unavailable

If there’s an error with a third-party service, such as a misconfiguration or an outage with the identity provider (IdP) or key access control list service (KACLS), you get a client-side encryption (CSE) alert. You might also see this alert if a user in your organization tries to access client-side encrypted content outside of your organization and their IdP or key service is not working.

There are 2 types of CSE alerts:

  • KACLS alert—There's a problem with your external key service. To confirm it's configured correctly, test the connection.
  • IdP alert—There's a problem with your IdP configuration. To test for outages, check your IdP settings and try reconnecting.

On the Alert details page, you can review important details, such as:

  • Problem—Description of the error
  • Date—Date and timestamp of the issue
  • Endpoint—Endpoint URL that had the error (if known)
  • HTTP status code—HTTP status (if the endpoint returned an error)
  • Problem occurrences—Number of times the error occurred since the date timestamp

You can inspect the service logs to determine the cause of the error.

For more information on setting up third-party services, go to:

  • About client-side encryption
  • Build a custom key service for client-side encryption

Domain data export initiated

The Domain data export initiated alert provides details about asuper administrator foryour Google account who has started exporting data from your organization. Once initiated, there is a 48 hour window in which a domain data export may be cancelled before the export process actually begins. If you think this export wasn't intentional, contact Google Workspace Support.

Data export typically takes 72 hours or more, depending on the size of your organization. You can see the status of the export in the Data Export tool. For more information about the Data Export tool, see Export your organization’s data.

From the Alert details page, you can view important details about this alert:

  • Summary—Includes a summary of the alert with an overview of the details.
  • Date
  • Actor—User who initiated the data export

Drive settings changed

The Drive settings changedalertinforms you when anadmin has changed Google Workspace Drive settings.

From the Alert details page, you can view important details about the Drive settings changedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • Settings—Setting that was changed by the admin
  • New value—New value for the setting
  • Old value—Old value for the setting
  • By—Admin that changed the setting

Click Search in audit logsto view more details about the event that triggered the alert.

Email settings changed

The Email settings changedalertinforms you when anadmin has changed Google Workspace Gmailsettings.

From the Alert details page, you can view important details about the Email settings changedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • Settings—Setting that was changed by the admin
  • New value—New value for the setting
  • Old value—Old value for the setting
  • By—Admin that changed the setting

Click Search in audit logsto view more details about the event that triggered the alert.

Mobile settings changed

The Mobile settings changedalertinforms you when anadmin has changed mobile management settings.

From the Alert details page, you can view important details about the Mobile settings changedalert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • Settings—Setting that was changed by the admin
  • New value—New value for the setting
  • Old value—Old value for the setting
  • By—Admin that changed the setting

Click Search in audit logsto view more details about the event that triggered the alert.

Primary adminchanged

The Primary admin changedalertinforms you when your primary admin account has been changed.

This is important becauseyour primary admin account has access to sensitive information: They receivebilling and other important account notifications from Google.

From the Alert details page, you can view details about the Primary admin changedalert:

  • Summary—Summary of the alert with an overview of the changes, including the email addresses of the old and new primary admin accounts
  • Date—Date and time of the event
  • Actor—Email address of the admin who made the change

Super admin password reset

The Super admin password resetalertinforms you when a password was reset fora super admin account.

This is important because a super admin has access to sensitive information: They can manage all features in your Admin console and Admin APIs.

From the Alert details page, you can view details about the Super admin password resetalert:

  • Summary—Summary of the alert with an overview of the changes and details, including the email address of the super admin
  • Date—Date and time of the event
  • Actor—Email address of the admin who made the change

SSO profile added

The SSO profile addedalertinforms you when a third-party SSO profile has been added and enabled for your organization.

This is an important change: Adding and enablingathird-party SSO profile enables all users in your organization to sign in to Google services through your third-party identity provider.

From the Alert details page, you can view details about the SSO profile addedalert:

  • Summary—Includes a summary of the alert with an overview of the changes
  • Date—Date and time of the event
  • Actor—Email address of the adminwho made thechange
  • SSO profile ID—Name of the SSO profile that was added

SSO profile updated

The SSO profile updatedalertinforms you when a third-party SSO profile has been updated for your organization.

A third-party SSO profile enables all users in your organizationto sign in to Google services through your third-party identity provider, so updating the SSO profile is an important change.

From the Alert details page, you can view details about the SSO profile updatedalert:

  • Summary—Includes a summary of the alert with an overview of the changes
  • Date—Date and time of the event
  • Actor—Email address of the adminwho made thechange
  • SSO profile ID—Name of the SSO profile that was updated

SSO profile deleted

The SSO profile deletedalertinforms you when a third-party SSO profile has been deleted for your organization.

This is an important change: If athird-party SSO profile is deleted for your organization, all users in your organization will lose the ability to sign in to Google services via your third-party identity provider.

From the Alert details page, you can view details about the SSO profile deletedalert:

  • Summary—Includes a summary of the alert with an overview of the changes
  • Date—Date and time of the event
  • Actor—Email address of the adminwho made thechange
  • SSO profile ID—Name of the SSO profile that was deleted

Customer abuse alerts

The Customer abuse detected alert notifies you about user activities that might violate Google terms of service:

  • Google Workspace Terms of Service
  • Google Workspace for Education Terms of Service
  • Google Cloud Platform Terms of Service
  • Cloud Identity Terms of Service

Depending on the type, severity, or frequency of abuse, Workspace might proactively suspend user accounts or your organization's account.

From the Alert details page, you can view important details about this alert:

  • Summary—A description of the alert details.
  • Date—Date and time the alert was published.
  • Additional details—Notification details based on the alert type or subtype. Some types might not have details, while others might have details such as the content type, or the name of the content owner.

Google Drive content

This alert informs you when Google Drive content owned by users in your organization might put your users at risk by violating the Google Workspace Terms of Service or the Google Workspace for Education Terms of Service.

In the alert, the “Additional details” table lists the users that triggered this alert, along with information on the contents’ file name, file URL, document ID, and abuse violation type. If you have Enterprise Plus or Education Plus, you can use the security investigation tool for further analysis. Contact the end user for questions about the content or actions they have taken.

Note: For most abuse violation types, the file owner can continue to access the file and

request a review

of the violation.

Users with restricted access to services or features

This alert informs you when users in your organization have had their access to services or features restricted due to violating the Google Workspace Terms of Service or the Google Workspace for Education Terms of Service.

In the alert, the “Additional details” table lists the users involved in this alert, along with information about the abuse violation type and the services or features that were restricted. Notify users about their restricted access and let them know they can submit an appeal at account.google.com. Most requests take 2 business days to review, but some might take longer.

This alert may appear in the alert center up to 24 hours after a user's access to a service or feature was restricted.

Custom rule alerts

Open all | Close all

Activity rule

An activity rule is a set of conditions and actions defined by an administrator. If a policy’s conditions are met, the rule is triggered, and corresponding actions are executed automatically. Activity rules automate processes that would otherwise need to be done manually, and can be customized to serve your organization's specific business needs.

As an administrator, you can create a rule that alerts you or takes action based on any search that you configure in the investigation tool. If you configure this rule to trigger an alert, the alert is displayed as an Activity rule in the alert center (for more details, see Create rules with the investigation tool).

From the Alert details page, you can view important details about this alert:

  • Summary—This section includes a summary of the alert with an overview of the details.
  • Date
  • Threshold
  • Alert status
  • Alert severity—Low, Medium, or High
  • Rulethat triggered the alert

Data Loss Prevention (DLP)

You receiveaData Loss Prevention (DLP)alert in the alert center when a DriveDLP rule is triggered.

As an administrator, you can prevent users from sharing sensitive content in Google Drive or shared drives with people outside of your organization. DLPrules enable youto scan files for sensitive content. For example, if a user shares a file with bank account or tax ID numbers, you can send an email to super admins to let them know. You can also warn users when they try to share a file or completely block anyone outside of your organization from accessing the file.

From the Alert details page, you can view important details about the Data Loss Prevention (DLP)alert:

  • Summary—Includes a summary of the alert with an overview of the details
  • Date—Date and time of the event
  • Triggering user—User that modified a file by addingsensitive content to it
  • Recipients—ForDrive files, the userthe file was shared with; for Chat content, the user to whom Chat content was sent. (The Recipients field doesn't appear for Chrome content.)
  • Document ID—Unique identifier for the Drive document
  • Document title—Title of the Drive document
  • Detector names—Namesof user-defined content detectors, or predefined content detectors—for example, Social Security number or driver's license number.
  • Triggered actions—Actions that were triggered from theDLP rule; for example, Block external sharing or Alert.
  • Suppressed actions—Actions that were suppressed due to conflicts with actions configured in other rules

Note: When a rule isn't configured correctly, admins are potentially overwhelmed with a very large number of DLP alerts. To prevent this, DLP alerts are limited to50 alerts per rule per day.

Reporting rule

The Reporting rulealertinforms you when a custom reporting rule related to audit-log events is triggered by a specific activity.

In addition to triggering an alert in the alert center, custom reporting rules also trigger an email notification (for more details about reporting rules, see ).

From the Alert details page, you can view important details about the Reporting rulealert,including a summary of the alert, date and time of the event, event description, and the name of the related audit log.

Click Search in audit logsto view more details about the event that triggered the alert.

General alerts

Open all | Close all

Google Operations

The Google Operationsalert provides details aboutsecurity and privacy issuesaffecting your organization's Google Workspace services.

From the Alert details page, you can view important details about this alert:

  • Summary—In this section, Google provides a message that includes specific details about the issue or incident.This section variesin size from a few sentences to several paragraphs.
  • Attachments—If available, you can downloadattachments with any additional details about the incident or issue.

Note: When editing the Google Operations rule, you cannot remove the primary super administrator from the recipient list for email notifications.

Apps outage

The Apps outage alert provides details about an outage of one or more Google Workspace services that might affect your organization.

From the Alert details page, you can view important details about this alert:

  • Summary—In this section, Google provides a message that includes specific details about the issue or incident.
  • Date—Date and time of the event
  • Status—Current status of theoutage(new, ongoingor resolved)
  • Details—Details of the outage, which usually includes a link to theGoogle Workspace Status Dashboard
  • Affected services—List of affected services
  • Next update by—Promised date and time by which the next update will arrive (subject to unintentionaldelays)
  • Intended resolutionby—Date and time by which the outage should be—or has been—resolved (if known)

Government-backed attacks

With this alert, administrators receive warnings about potential government-backed attacks. For example, in rare instances, government-backed attackers may try to steal a user's password within your organization.

To further improve the security in your organization, we highly recommend that you reset the passwords of affected users,enforce 2-step verification for the domain, andenforce security keys for your users.

For more details about government-backed attacks, see Government-backed attack alerts.

From the Alert details page, you can view important details about this alert:

  • Summary—Description of the alert
  • Date—Date and time of the event
  • Actor

Account suspension warning

The Account suspension warning alert provides a warning about suspicious activities that have been detected on your Google Workspace (or user) account.

Important: If this alert is not acted on within the timeframe specified via the Appeal option in the alert, then your Google Workspace account will be suspended.

From the Alert details page, you can view important details about this alert:

  • Summary—In this section, Google provides a message that includes specific details about the issue or incident.
  • Date—Date and time of the event
  • Abuse reason—The type of suspicious activity detected
  • Product—The product from which this alert originated
  • Recommended action—Information about what action is recommended

Note: Depending on the status of the warning, some of these fields might not be present.

Google mandatory service announcement

TheGoogle mandatory service announcement(MSA) alert is a communication that's necessary for the continued use of a product or service, or that's considered a necessary legal update. An MSA is a contractually obligated notification about existing Google Workspace products or features. The announcement is available for primary administrators. Admins can't opt-out from receiving MSAs.

Four types of MSA alerts are available in the alert center:

  • Google mandatory service announcement - Product—Details about important productchanges to your Google Workspace product or account.
  • Google mandatory service announcement - Security—Details about important security changes to your Google Workspace product or account.
  • Google mandatory service announcement - Billing—Details about important billing changes to your Google Workspace product or account.
  • Google mandatory service announcement - Legal—Details about important legal changes to your Google Workspace product or account.

From the Alert details page, you can view details about the Google mandatory service announcementalert:

  • Summary—Includes the textof the alert message
  • Date—Date and time of the mandatory service announcement

Access Approvals

Access Approvals for Google Workspace requires Google staff (who can take support actions related to your organization's data) to request approval before viewing data necessary for support.

TheAccess Approvalsalert is a communication that a Google staff member has requested access to your organization's Google Workspace data. As an administrator, you can then approve or decline the request when viewing the alert in the alert center.

Note: To set up Access Approvals alerts, and to manage Access Approvals requests, see Set up Access Approvals.

From the Alert details page, you can view details about the Access Approvalsalert:

  • Summary—Includes a summaryof the alert.
  • Scope—Notes the username of the user who owns the resources that the Google staff memberis trying to access.
  • Justification—Text entered by the Google staff member who has requested access.
  • Access region—Region of the user who's requesting access.
  • Access duration—Length of time that access is requested for—for example, 5 days.
  • Status—Whether the request is pending,approved, or declined.
  • Request expiration date—Date when the request expires.
  • Request ID—Text stringthat uniquely identifies the request.

In the Recommended action section of the Alert details page, you can approve or decline the request.

Configure alert center email notifications

In addition to viewing alert center alerts in the Google Admin console, you can set up alert center email notifications. For details and instructions, see Configure alert center email notifications.

Important: When addingrecipients to email notifications, you have the option to add groups. To make sure users outside of your organization are able to send email notifications to the group, you'll need to correctly configure access settings for that group. For instructions, see View or edit group access settings for email notifications.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companieswith which they are associated.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members Contact us Tell us more and we’ll help you get there

Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

View alert details - Google Workspace Admin Help (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Duncan Muller

Last Updated:

Views: 5738

Rating: 4.9 / 5 (79 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Duncan Muller

Birthday: 1997-01-13

Address: Apt. 505 914 Phillip Crossroad, O'Konborough, NV 62411

Phone: +8555305800947

Job: Construction Agent

Hobby: Shopping, Table tennis, Snowboarding, Rafting, Motor sports, Homebrewing, Taxidermy

Introduction: My name is Duncan Muller, I am a enchanting, good, gentle, modern, tasty, nice, elegant person who loves writing and wants to share my knowledge and understanding with you.