Use the alert center

The alert center includes two types of pages:

  • A list of alerts affecting your domain—This page is displayed after you sign in to the Google Admin console and navigate to the alert center. This list can span several pages, depending on the number of alerts that are active.
  • A details page that provides more information about each alert—You can access the details by clicking any item on the list of alerts. 

To access the alert center:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAlert center.

Access the alert center from anywhere in the Admin console

From anywhere in the Google Admin console, you can view the Alerts widget to get a quick view of alerts affecting your domain. The Alerts widget includes a list of alerts, a short description for each alert, and the severity level (High, Medium, or Low). 

To open the Alerts widget, click the bell iconat the top of any page in the Admin console. To access the alert details for a specific alert, click one of the line items in the widget. To access the complete list of alerts in the alert center, click View all.

View your list of alerts

After opening the alert center, a list is displayed that specifies the various alerts that are affecting your domain. Using this list, you can quickly determine how many alerts are currently active. Items in this list include a short description for each alert, the alert type, and the date for the alert.

See the sections below for more information.

Use filters to narrow your list of alerts

The alert center provides an overview of the different types of alerts that are affecting your domain. You can narrow the list that's displayed in the Alert Center by filtering for certain types of alerts or by filtering for a range of dates, or both. You can also create filters based on other alert criteria—for example, status, severity, assignee, or user email.

Display specific alert types:

  1. From the list view in the alert center, click Add a filter.
  2. Choose your criteria for the filter from the list—for example, click Alert type.
  3. From the Alert type window, check the boxes for the relevant alert types.
  4. Click APPLY.

    After applying your filter, a list is displayed that corresponds to the relevant alert types. You can then click any item in the list to view details about an alert.

Display alerts in specific date ranges: 

  1. From the list view in the alert center, click Add a filter.
  2. Choose your criteria for the filter from the list—for example, click Date range.
  3. From the Date range window, select a date range for the alert.
  4. Click APPLY.

    After applying your filter, a list is displayed that corresponds to the alerts in the date range that you specified. You can then click any item in the list to view details about an alert.

Save a set of alert filters

If you need to use a set of filters in the alert center more than once, you can save that set of filters, and then return to them later as needed. To save a set of alert filters:

  1. From the list view in the alert center, click Add a filter.
  2. Choose your criteria for the filter from the list—for example, click Status.
  3. From the Status window, check Not started, In progress, or Closed.
  4. Click APPLY.
  5. Click Saved Filters.
  6. Click SAVE CURRENT FILTER.
  7. Type a name for the filter—for example, type Status not started.
  8. Click SAVE.

Note:

  • You can later access your saved filters by clicking Saved Filters and clicking a previously saved filter name.
  • You can delete a saved filter by clicking Saved Filters, highlighting one of the filters, and clicking the delete icon.
  • You can save up to 20 filters at one time.

Another option for saving filters: When you apply a filter on the alert center's list page, a query parameter is added to the URL on your browser. You can save this URL and enter it in a separate session to display your previously applied filters.

Start an investigation

If you're an Enterprise administrator, you can start an investigation based on an alert. Click one of the magnifying glass icons on the far-right side of the Alert center page. Or, from the details page, click INVESTIGATE ALERT. You can then use the investigation tool to take action—for example, to wipe a device or suspend a user. For instructions, see Start an investigation from the alert center.

View alert details

To view more details about any alert, click any item on the page to open the alert-details page. For more information, see View alert details.

Provide feedback on alerts

Alerts are generated based on a machine-learning system so that billions of signals can be taken into consideration to discover threats. For these alerts, you can tell us if this alert was correct or useful—which improves the accuracy of the alerts over time. This feedback is only used to improve signals for your domain, and is not shared outside of your organization.

Any administrator in your domain with full access to the alert center can provide feedback.

For more details, see Provide feedback on alerts.

View alert history

You can view an alert's history on the Alert details page by going to the Alert history section. This enables you to view changes administrators make to an alert, capture other historical details, and keep an audit history of alerts that have been resolved.

For example, if an administrator changes the alert status from Not started to Closed, or if there's a change to the alert assignee or the alert severity, the Alert history section provides a record of that change, including the email address of the administrator, and the date and time the change was made. 

Add comments to alerts

As an administrator, you can add comments to the Alert history section of the Alert details page.

Adding comments enables you to keep a more detailed record—for audit/historical reasons—of any actions you take in relation to an alert. For example, you might want to type a reminder that you performed a password reset on a certain date and notified the user. By adding a note to the comments section, you can more easily remember what happened at a later time.

Adding comments also enables you to share the history of an alert with colleagues, and discuss the next steps. You can also provide more details when you change an alert's status—for example, if you change it from In progress to Closed. You can also add a comment when you're reassigning an alert, or to provide links to related resources.

From the Alert history section of the Alert details page, type your comment, and click SAVE. Your username is then displayed next to the comment, as well as the date and time. If needed, you can later delete a comment that you added to this page.

View related alerts

From the alert details page, you can view a list of related alerts. This list enables you to quickly scan for alerts that have similar details, such as the same user email address.

Similar to the main alert center page, you can use the list of related alerts to give alert quality feedback or start an investigation related to that alert. You can click any alert in the list to open the details page for that alert.

About the 'Last updated' column on the list page

The list page in the alert center includes a Last updated column, which provides the date and time that each alert was last updated.

An alert is considered updated if new data from the alert’s source has been added. For example, a Gmail alert involving 10 emails one day may involve 20 the next day, and such a change is considered an update on the list page. However, user-driven changes—such as edits to assigneestatus, or severity—are not considered alert updates.

Admin privileges for rule-based alerts

As a Google Workspace administrator, you can only view and manage rule-based alerts if you have admin privileges for those specific rules:

  • To view and manage the Data loss prevention (DLP) alert, you'll need the DLP > View DLP rule privilege, and the DLP > Manage DLP rule privilege.
  • To view and manage the Activity rule alert, you'll need the Security Center > Activity Rules > View privilege, and the Security Center > Activity Rules > Manage privilege.
  • To view and manage all other alert types, you'll need the Reports privilege.

For details, go to Grant access to the alert center and About administrator roles.

For details about rules, go to Create and manage rules from the Rules page.

Related articles

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
3802186535447455432
true
Search Help Center
true
true
true
true
true
73010
false
false