Create rules to automate actions and alerts through the security center

14/11/2019

Agenda

What changed?

We've added a new kind of rule to security center sẽ giúp quản trị viên và nhà phân tích G Suite (Google Workspace customers) tự động hóa các nhiệm vụ quản lý bảo mật và cải thiện hành động bảo mật của tổ chức của họ. Cụ thể, với những cập nhật này, bây giờ bạn có thể:

Create Activity Rules, which are automated rules based on log events in the security center's investigation tool.
Configure Activity Rules to generate alerts or take corrective actions
See specific log entries showing when Activity Rules were fired, what actions were taken, which entities were affected, and more.
Put Activity Rules in monitor mode to test setup and performance before implementation.
See Activity Rules in the list of rules at Admin console > Security > Security rules.
Receive notifications and investigate rule triggers through alert center alerts.

See below for more details

Who is affected?

Admins only

Tại sao nên sử dụng

Security Center is a powerful tool to help administrators and analysts identify, investigate, and remediate security issues. However, we've also heard that it's important to be able to automate detection and remediation to reduce the time it takes to resolve issues after they occur.

This launch will make it easier to set up alerts, automate remedial actions, and understand the function and impact of rules, while reducing manual work for administrators.

How to get started

Admins:
- Use our Help Center to learn more about security center and how to use survey tool
- Use our Help Center to learn more about how to create a rule that works with the survey tool and view and manage privacy rules
End users: There is no action.

Additional information

Create and configure rules in the security center investigation tool.

We've added the ability to create and configure Activity Rules in the security center investigation tool. Activity Rules can be based on any log event query in the investigation tool and can automatically run and take corrective actions. It will work in a similar way to how you can create a rule today to do it ngăn ngừa mất dữ liệu (DLP) cho Gmail và Drive. We also added the ability to enable or disable rules when searching for rules or audit logs from rules in the investigation tool.

View specific log entries with details of rule trigger events

Once the Activity Rule is created, we will record and display more specific log entries. Items will include when the rule is triggered, what actions are taken when the rule is triggered, which entities are affected, and the results of those actions. For example, when a rule marks an email as spam, we'll log an audit event that shows you exactly what happened and under what conditions in the rule triggered. These logs improve investigation, help administrators create effective rules, and make it easier to identify outdated rules.

Test Activity Rules with monitor mode before doing so.

You can also put Activity Rules in desktop mode. While in monitor mode, triggered actions will not actually be executed and alerts will not be sent to the alert center. Logs, however, will still be logged about what the rule will do if it is active. This can help you effectively evaluate your rule without worrying about potential negative effects. When you're ready, simply switch the rule to active mode.

View and manage rules in the rule list.

Rules set up in the security center will also show up along with other rules in the Admin Console security rules list at Admin console > Security > Security Rules.