Rules Audit Activity Events

This document lists the events and parameters for various types of Rules Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=rules.

Action complete type

Audit event type which indicates action complete events. Events of this type are returned with type=action_complete_type.

Action complete

Audit event indicating action complete event.

Event details
Event name action_complete
Parameters
actor_ip_address

string

IP of the entity who was responsible for the original event which triggered the rule.

data_source

string

Source of the data. Possible values:

  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • USER
    Enum value of User data source.
matched_detectors

message

A list of detectors that matched against the resource.

matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared.

resource_id

string

Identifier of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

resource_title

string

Title of the resource which matched the rule: email subject, or document title.

resource_type

string

Type of the resource which matched the rule. Possible values:

  • DEVICE
    Device resource type.
  • DOCUMENT
    Document resource type.
  • EMAIL
    Email resource type.
  • USER
    User resource type.
rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
scan_type

string

Scan mode for the rule evaluation. Possible values:

  • DRIVE_OFFLINE_SCAN
    Scan type that stands for evaluating rules that were updated on all Drive items.
  • DRIVE_ONLINE_SCAN
    Scan type that stands for evaluating rules on a single Drive item that was changed.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=action_complete&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Action completed

Rule Match Type

Audit event type which indicates rule matching events. Events of this type are returned with type=rule_match_type.

Rule Match

Audit event indicating rule match event.

Event details
Event name rule_match
Parameters
actions

string

List of actions taken. Possible values:

  • AccountWipeMobileDevice
    Account wipe mobile device action name.
  • ApproveMobileDevice
    Approve mobile device action name.
  • BlockMobileDevice
    Block mobile device action name.
  • FlagDocument
    Action which indicates that the item was flagged.
  • SendNotification
    Action which indicates that notification was sent.
  • UnflagDocument
    Action which indicates that the item was unflagged.
application

string

Name of the application to which the flagged item belongs. Possible values:

  • drive
    Application name for Google Drive.
  • mobile
    Device Management app.
drive_shared_drive_id

string

Shared drive Id to which the drive item belongs, if applicable.

has_content_match

boolean

Whether the resource has content which matches the criteria in the rule. Possible values:

  • false
    Boolean whose value is false.
  • true
    Boolean whose value is true.
matched_templates

string

List of content detector templates that matched.

mobile_device_type

string

Type of device on which rule was applied.

mobile_ios_vendor_id

string

iOS Vendor Id of device on which rule was applied, if applicable.

resource_id

string

Identifier of the resource which matched the rule.

resource_name

string

Name of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

rule_id

integer

Unique identifier for a rule. Rules are created by admins in G Suite.

rule_name

string

Name of the rule.

rule_update_time_usec

integer

Update time (microseconds since epoch) indicating the version of rule which is used.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=rule_match&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Rule matched

Rule trigger type

Audit event type which indicates rule triggered events. Events of this type are returned with type=rule_trigger_type.

Rule trigger

Audit event indicating rule triggered event.

Event details
Event name rule_trigger
Parameters
data_source

string

Source of the data. Possible values:

  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • USER
    Enum value of User data source.
matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared.

rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=rule_trigger&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Rule triggered
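Added example (not part of the original reference, and not Google's code): flattening the three event types documented above into one row per event for triage. The response below is constructed sample data. Its field names (items, events, parameters, value/intValue/boolValue/multiValue) follow the Reports API activity resource. The triage policy itself is an assumption.

```python
# Constructed sample in the shape of an Activities.list response (applicationName=rules).
SAMPLE = {"items": [
    {"id": {"time": "2024-01-01T10:00:00.000Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"type": "action_complete_type", "name": "action_complete", "parameters": [
         {"name": "rule_name", "value": "Block SSN sharing"},
         {"name": "rule_type", "value": "DLP"},
         {"name": "severity", "value": "HIGH"},
         {"name": "data_source", "value": "DRIVE"},
         {"name": "resource_owner_email", "value": "alice@example.com"}]}]},
    {"id": {"time": "2024-01-01T10:05:00.000Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"type": "rule_match_type", "name": "rule_match", "parameters": [
         {"name": "rule_id", "intValue": "4242"},
         {"name": "has_content_match", "boolValue": True},
         {"name": "actions", "multiValue": ["FlagDocument", "SendNotification"]}]}]},
    {"id": {"time": "2024-01-01T10:09:00.000Z"}, "actor": {"email": "carol@example.com"},
     "events": [{"type": "rule_trigger_type", "name": "rule_trigger", "parameters": [
         {"name": "rule_type", "value": "DLP"},
         {"name": "severity", "value": "LOW"}]}]},
]}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def param_value(p):
    """Return a parameter's typed value; intValue arrives as a decimal string."""
    if "intValue" in p:
        return int(p["intValue"])
    for key in ("value", "boolValue", "multiValue"):
        if key in p:
            return p[key]
    return None  # message-typed parameters are not unpacked in this example

def flatten(response):
    """One flat dict per event: timestamp, actor, event name, then its parameters."""
    rows = []
    for item in response.get("items", []):
        for ev in item.get("events", []):
            row = {"time": item["id"]["time"],
                   "actor": item.get("actor", {}).get("email"),
                   "event": ev["name"]}
            row.update({p["name"]: param_value(p) for p in ev.get("parameters", [])})
            rows.append(row)
    return rows

def triage(rows, min_severity="MEDIUM"):
    """Keep events at or above the severity floor, plus content-matching rule_match events."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in rows
            if SEVERITY_RANK.get(r.get("severity"), 0) >= floor
            or (r["event"] == "rule_match" and r.get("has_content_match") is True)]
```

rule_match events carry no severity parameter in the list above, so the filter keeps them on has_content_match instead of ranking them.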
