Create rules to automate actions and alerts through the security center
We’re adding a new rule type to the security center that will help G Suite admins and analysts automate security management tasks and improve their organization’s security posture. Specifically, with these updates you can now:
- Create Activity Rules, which are automated rules based on log events within the security center investigation tool.
- Configure Activity Rules to create alerts or perform remediation actions.
- See specific log entries showing when Activity Rules got triggered, what actions were taken, what entities were affected, and more.
- Put Activity Rules in monitor mode to test setup and effectiveness before implementation.
- See Activity Rules in the rules list at Admin console > Security > Security rules.
- Get informed of and investigate rule triggers through alert center alerts.
Read below for more information.
Why you’d use it
The security center is a powerful tool to help admins and analysts identify, investigate, and remediate security issues. However, we’ve also heard that it is important to be able to automate detection and remediation in order to decrease the time it takes to address issues after they occur.
This launch will make it easier to set up alerts, automate remediation actions, and understand the function and impact of rules, all while reducing the manual effort needed from admins.
How to get started
- Use our Help Center to learn more about the security center and how to use the investigation tool.
- Use our Help Center to learn more about creating activity rules with the investigation tool and viewing and managing security rules.
- End users: No action needed.
Create and configure rules within the security center investigation tool.
We’ve added the ability to create and configure Activity Rules within the security center investigation tool. Activity Rules can be based on any log event query in the investigation tool, and can run and perform remediation actions automatically. This works in a similar way to how you may create rules today to perform data loss prevention (DLP) for Gmail and Drive. We’ve also added the ability to turn rules on or off when searching for a rule, or for the audit logs from a rule, in the investigation tool.
See specific log entries with details on rule trigger events.
After an Activity Rule is created, we’ll record and show more specific log entries. The entries will include when the rule got triggered, what actions were taken when the rule was triggered, what entities were affected, and the result of those actions. For example, when a rule marks an email as spam, we will record an audit event that shows you exactly what happened and which condition within the rule was triggered. These logs will improve investigation capabilities, help admins to create effective rules, and make it easier to identify outdated rules.
Test Activity Rules with monitor mode before real implementation.
You can also put Activity Rules in monitor mode. While in monitor mode, triggered actions will not actually be executed, and alerts won’t be sent to the alert center. Logs, however, will still be recorded about what the rule would have done if it were in active mode. This can help you assess rule effectiveness without worrying about potential negative impacts. When you’re ready, you can simply switch the rule to active mode.
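The following is an added illustrative model (not Google's code or API) of how an Activity Rule built from a log event query behaves in monitor mode versus active mode, and of the kind of audit entry the text above describes (which condition matched, which entity was affected, what action was taken, and the result). The event shape, field names and the rule structure are assumptions; the log events are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: list   # [(log field, expected value)]; all must match (assumed shape)
    action: str        # remediation action to take, e.g. "mark_as_spam"
    monitor: bool      # True = monitor mode: record only, no action, no alert

# Constructed Gmail log events in a simplified, assumed shape.
EVENTS = [
    {"id": "e1", "event": "message_received", "attachment_ext": ".exe", "entity": "msg-1"},
    {"id": "e2", "event": "message_received", "attachment_ext": ".pdf", "entity": "msg-2"},
    {"id": "e3", "event": "message_received", "attachment_ext": ".exe", "entity": "msg-3"},
]

def matched_conditions(rule, event):
    """Return the conditions the event satisfied, or [] if any condition fails."""
    hits = []
    for key, expected in rule.conditions:
        if event.get(key) != expected:
            return []
        hits.append(f"{key}={expected}")
    return hits

def run_rule(rule, events):
    """Evaluate a rule over events; return (audit_log, executed_actions, alerts)."""
    audit, executed, alerts = [], [], []
    for ev in events:
        hits = matched_conditions(rule, ev)
        if not hits:
            continue
        # Audit entry: when it triggered, which conditions, which entity, what action.
        entry = {"rule": rule.name, "event_id": ev["id"], "entity": ev["entity"],
                 "conditions": hits, "action": rule.action,
                 "mode": "monitor" if rule.monitor else "active"}
        if rule.monitor:
            # Monitor mode: record what would have happened, execute nothing, no alert.
            entry["result"] = "would_have_executed"
        else:
            executed.append((rule.action, ev["entity"]))
            alerts.append(f"{rule.name} triggered on {ev['entity']}")
            entry["result"] = "executed"
        audit.append(entry)
    return audit, executed, alerts

EXE_RULE = Rule("exe-attachment", [("event", "message_received"),
                                   ("attachment_ext", ".exe")], "mark_as_spam", monitor=True)

if __name__ == "__main__":
    for mode in (True, False):   # compare monitor mode, then active mode
        rule = Rule(EXE_RULE.name, EXE_RULE.conditions, EXE_RULE.action, monitor=mode)
        audit, executed, alerts = run_rule(rule, EVENTS)
        print("monitor" if mode else "active", len(audit), executed, alerts)
```

Running the same rule in both modes yields identical audit entries, but only active mode produces executed actions and alert center alerts, which is what lets you judge a rule's effectiveness before switching it on.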
See and manage rules in the rules list.
Rules set up in the security center will also show alongside other rules in the Admin console security rules list at Admin console > Security > Security rules.
See rule triggers in the alert center.
You’ll be able to see and investigate these rule-based alerts in the alert center.