Recommended actions: Take action in response to alerts

Supported editions for this feature: Enterprise Plus; Education Standard and Plus. Compare your edition

As a Google Workspace administrator, you can keep your domain more secure by quickly taking action in response to many of the alerts in the alert center. You can do this from the Recommended actions section on the alert details page.

For example, if you receive a Gmail potential employee spoofing alert, you can go to the Recommended actions section, and then click Mark as phishing to move messages to your users' spam folders, or you can block a device when you receive a Compromised device alert. 

Use recommended actions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAlert center.
  3. Click one of the items on the page to open the Alert details page.
  4. From the Recommended action section, click the recommended action—for example, Delete message or Mark as phishing.
  5. Enter an explanation or reason for the action, and then click the action to confirm—for example, click Delete message or Mark as phishing.

    For the complete list of recommended actions that are available in the alert center, and for the required privileges, see the section below.

If details are missing for Gmail alerts, the most common reasons are:

  • The alert was generated due to spam classification by a user. For example, Actor email might be absent for the User-reported phishing alert. When alert details are missing, recommended actions for that alert might fail, and an error message might be displayed that reads, Something went wrong.
  • You created a data regions policy to store your covered data in a specific geographic location. In this case, personally identifiable information (PII) is removed from Gmail log events, which are used to generate Gmail alerts.

Alerts, recommended actions, and required privileges

The following recommended actions are available for some alerts in the alert center:

  • Mark as phishing—Mark the message as phishing that triggered the alert.
  • Delete message—Delete the message that triggered the alert.
  • Quarantine message—Send the message that triggered the alert to quarantine.
  • Restore message—Restore wrongly classified emails (marked as spam or quarantined) to their folder of origin.
  • Appeal suspension—Appeal an account suspension specified in the Account suspension warning alert.
  • Suspend user—Suspend users specified in the alert.
  • Restore user—Restore users specified in the alert.
  • Block device—​Block the device that triggered the alert. This blocks access to Google Workspace data on the device until you can confirm the device is safe. The user can still access their Gmail, Calendar, and contacts from a desktop computer or mobile browser.​
  • Wipe account—The user's account and Google Workspace data is deleted from the device.

    Note: If you have set up offline access to Google accounts for devices in your organization, those accounts can't be wiped from offline devices. For more details about wiping accounts from devices, go to Remove corporate data from a device.

To use recommended actions in the alert center, you need privileges for the investigation tool. Super administrators have these privileges by default, or you can add them to a custom administrator role. For instructions on setting privileges, see Admin privileges for the investigation tool.

For a list of alerts that include recommended actions, and for the required privileges for each alert, see the table below.

Alert name Recommended actions Required privileges
Gmail potential employee spoofing Mark as phishing

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

Malware message detected post-delivery
  • Delete message
  • Retore message

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

Phishing message detected post-delivery
  • Delete message
  • Restore message

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

User-reported phishing
  • Delete message
  • Restore message

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

Phishing in inboxes due to bad whitelist Delete message

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

Spike in user reported spam Delete message

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

Suspicious message reported
  • Delete message
  • Quarantine message
  • Restore message

Investigation Tool > Gmail > Update or Delete

Investigation Tool > Gmail > View Metadata and Attributes

Account suspension warning Appeal suspension Available to all administrators who access the alert center
Leaked password Suspend user

Investigation Tool > User > Update or Delete

Investigation Tool > User > View Metadata and Attributes

Suspicious login Suspend user

Investigation Tool > User > Update or Delete

Investigation Tool > User > View Metadata and Attributes

Suspicious programmatic login Suspend user

Investigation Tool > User > Update or Delete

Investigation Tool > User > View Metadata and Attributes

User suspended Restore user

Investigation Tool > User > Update or Delete

Investigation Tool > User > View Metadata and Attributes

User suspended due to suspicious activity Restore user

Investigation Tool > User > Update or Delete

Investigation Tool > User > View Metadata and Attributes

User suspended for spamming Restore user

Investigation Tool > User > Update or Delete

Investigation Tool > User > View Metadata and Attributes

User suspended for spamming through relay Restore user

Investigation Tool > Device > Update or Delete

Investigation Tool > Device > View Metadata and Attributes

Device compromised Block device

Investigation Tool > Device > Update or Delete

Investigation Tool > Device > View Metadata and Attributes

Suspicious device activity
  • Block device
  • Wipe account

Investigation Tool > Device > Update or Delete

Investigation Tool > Device > View Metadata and Attributes

How long recommended actions are available

Recommended actions are available for a limited amount of time after an event is logged. The table below displays the duration for which specific recommended actions are available. For example, you won't be able to use the Delete message action if the event that triggered the alert happened more than 30 days ago.

Action Active for
Mark as phishing     30 days
Delete message 30 days
Restore message 30 days
Account suspension warning 3 days
Suspend user 6 months
Appeal suspension 6 months
Restore user 6 months
Block device 6 months

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
11576098539709024181
true
Search Help Center
true
true
true
true
true
73010
false
false