Can Google Workspace Alert Center be used with Email Log Search?


Is there a way to create an Alert Center notification based on criteria returned in the Google Workspace Email Log Search?

For example, if an email address sends a message to 1000+ recipients or sends 1000 messages to 1000 recipients... We already see the System Defined alert center actions if, say, someone flags a message as phishing, but we want to create a triggered alert rule based on the count of messages.

Thanks in advance.


Yancy Godoy (best answer)

This can be done using the Investigation tool found at ‘Security’ > ‘Investigation Tool’. Be advised this is a feature available for these editions: Enterprise, Education Standard and Plus, as documented here.

Basically what you are looking to do is build a query like this:

Data Source = Gmail Log Events With Conditions Below:

Event Is User spam classification AND Spam classification Is Phishing


Then:

  1. Click on the three dots at the top right, next to the bin icon.
  2. Click on ‘Create activity rule’.
  3. Add a name + description. Click on ‘Next: View conditions’.
  4. Click on ‘Next: Add Actions’.
  5. Select the time window: 24hrs or 1hr.
  6. Scroll down and set the desired threshold and configure it (basically after how many incidents this will be triggered).
  7. Add a desired action, e.g. Send to quarantine, etc.
  8. Select the severity of this rule.
  9. Check the box to ‘Send to alert center’.
  10. Configure Email Notifications.
  11. Click on ‘Next: Review’ and make sure it is set to ‘Active’.
  12. Finally, click on ‘Create Rule’.

Keep in mind this may take propagation time of up to 48hrs. For more information on the Investigation Tool, see here.
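As an added illustration that is not part of the answer above or of any Google tooling: the time-window and threshold logic that an activity rule applies (steps 5 and 6), written as a standalone Python check over constructed records shaped like simplified Gmail log events. The field names `sender`, `ts` and `recipients` are assumptions for illustration, not the real Gmail log schema, and the thresholds are set low so the sample data triggers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified shape; field names are an
# assumption for illustration, not the real Gmail log event schema.
SAMPLE_EVENTS = [
    {"sender": "alice@example.com", "ts": "2024-01-01T09:00:00", "recipients": 3},
    {"sender": "bob@example.com",   "ts": "2024-01-01T09:05:00", "recipients": 400},
    {"sender": "bob@example.com",   "ts": "2024-01-01T09:20:00", "recipients": 700},
    {"sender": "alice@example.com", "ts": "2024-01-01T10:30:00", "recipients": 2},
    {"sender": "bob@example.com",   "ts": "2024-01-02T12:00:00", "recipients": 50},
]


def evaluate_rule(events, window_hours=1, threshold=1000, metric="recipients"):
    """Return (sender, iso_timestamp, total) for each point where a sender's
    running total within a sliding window first reaches the threshold.

    metric="recipients" sums recipient counts (the "1000+ recipients" case);
    metric="messages" counts one per event (the "1000 messages" case).
    A sender is alerted once per breach and re-armed once the total drops
    below the threshold as old events roll out of the window.
    """
    window = timedelta(hours=window_hours)
    state = defaultdict(lambda: {"q": deque(), "total": 0, "alerted": False})
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        weight = e["recipients"] if metric == "recipients" else 1
        s = state[e["sender"]]
        s["q"].append((ts, weight))
        s["total"] += weight
        # Expire records older than the window relative to this event.
        while s["q"] and ts - s["q"][0][0] > window:
            _, old = s["q"].popleft()
            s["total"] -= old
        if s["total"] >= threshold and not s["alerted"]:
            alerts.append((e["sender"], e["ts"], s["total"]))
            s["alerted"] = True
        elif s["total"] < threshold:
            s["alerted"] = False
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS):
        print("ALERT sender=%s at=%s recipients_in_window=%d" % alert)
```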

Ricardo Jose Velasquez Cruz

Unfortunately, the way the Alert Center works would not allow an integration with the Email log search.

They both work in a different way: the Alert Center has its own set of parameters to determine the severity, while the Email log search works like a direct tool to audit the data manually.

I believe the best available option to create rules and get notifications and alerts while using the Alert Center data is the Investigation tool, which is only available with certain versions, check it!