Rules Audit Activity Events

This document lists the events and parameters for various types of Rules Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=rules.

Action complete type

Audit event type which indicates action complete events. Events of this type are returned with type=action_complete_type.

Action complete

Audit event indicating action complete event.

Event details
Event name action_complete
Parameters
access_level

string

Label for a list of access levels.

actor_ip_address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_id

string

The unique identifier of a Google Meet conference.

data_source

string

Source of the data. Possible values:

  • ADMIN
    Enum value of Admin data source.
  • CALENDAR
    Enum value of Calendar data source.
  • CHAT
    Enum value of Chat data source.
  • CHROME
    Enum value of Chrome data source.
  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • GROUPS
    Enum value of Groups data source.
  • MEET
    Enum value of Hangouts Meet data source.
  • RULE
    Enum value of Rule data source.
  • USER
    Enum value of User data source.
  • VOICE
    Enum value of Voice data source.
device_id

string

ID of the device on which the action was triggered.

device_type

string

Type of device referred to by device ID. Possible values:

  • CHROME_BROWSER
    Device type label when the device is a managed Chrome browser.
  • CHROME_OS
    Device type label when the device is a managed Chrome OS device.
  • CHROME_PROFILE
    Device type label when the device is a managed Chrome profile.
evaluation_context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_alert

boolean

Whether or not the triggered rule has alert enabled.

matched_detectors

message

A list of detectors that matched against the resource.

matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

  • CALENDAR_EVENTS
    Event label when the rule triggered because of a Calendar event.
  • CHAT_ATTACHMENT_UPLOADED
    Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
  • CHAT_MESSAGE_SENT
    Event label when the rule triggered because a Chat message containing sensitive info was sent.
  • CHROME_EVENTS
    Event label when the rule triggered because of a Chrome event.
  • CHROME_FILE_DOWNLOAD
    Event label when the rule triggered because a file was downloaded.
  • CHROME_FILE_UPLOAD
    Event label when the rule triggered because a file was uploaded.
  • CHROME_WEB_CONTENT_UPLOAD
    Event label when the rule triggered because web content was uploaded.
  • DEVICE_EVENTS
    Event label when the rule triggered because of a Device event.
  • DRIVE_EVENTS
    Event label when the rule triggered because of a Drive event.
  • DRIVE_SHARE
    Event label when the rule triggered because a file was shared.
  • GMAIL_EVENTS
    Event label when the rule triggered because of a Gmail event.
  • GROUPS_EVENTS
    Event label when the rule triggered because of a Groups event.
  • MAIL_BEING_RECEIVED
    Event label when the rule triggered because a message was received.
  • MAIL_BEING_SENT
    Event label when the rule triggered because a message was sent.
  • MEET_EVENTS
    Event label when the rule triggered because of a Meet event.
  • OAUTH_EVENTS
    Event label when the rule triggered because of an OAuth event.
  • USER_EVENTS
    Event label when the rule triggered because of a User event.
  • VOICE_EVENTS
    Event label when the rule triggered because of a Voice event.
resource_id

string

Identifier of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

resource_recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_recipients_omitted_count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_title

string

Title of the resource which matched the rule: email subject, or document title.

resource_type

string

Type of the resource which matched the rule. Possible values:

  • CHAT_ATTACHMENT
    Chat attachment resource type.
  • CHAT_MESSAGE
    Chat message resource type.
  • DEVICE
    Device resource type.
  • DOCUMENT
    Document resource type.
  • EMAIL
    Email resource type.
  • USER
    User resource type.
rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY_RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
scan_type

string

Scan mode for the rule evaluation. Possible values:

  • CHAT_SCAN_CONTENT_BEFORE_SEND
    Scan type that stands for scanning Chat content before sending it out.
  • DRIVE_OFFLINE_SCAN
    Scan type that stands for evaluating rules that were updated on all Drive items.
  • DRIVE_ONLINE_SCAN
    Scan type that stands for evaluating rules on a single Drive item that was changed.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
space_id

string

ID of the space where the rule was triggered.

space_type

string

Type of space referred to by the space ID. Possible values:

  • CHAT_DIRECT_MESSAGE
    Space type label when the space is a Chat direct message.
  • CHAT_EXTERNALLY_OWNED
    Space type label when the conversation is owned by an external organization.
  • CHAT_GROUP
    Space type label when the space is a Chat group.
  • CHAT_ROOM
    Space type label when the space is a Chat room.
suppressed_actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=action_complete&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Action completed
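
An added example, not part of the original reference: it flattens the `parameters` array of `action_complete` events in an Activities.list response and flags records worth an analyst's review, using the parameters described above. The sample response is constructed, and the nested `action_type` field inside `triggered_actions` and `suppressed_actions` is an assumption, since this page does not document the contents of those messages.

```python
import json

# Constructed sample shaped like an Activities.list response for
# applicationName=rules. All values, and the nested "action_type" field
# name, are invented for illustration.
SAMPLE_RESPONSE = json.loads("""
{"items": [
  {"id": {"time": "2024-01-01T10:00:00.000Z", "applicationName": "rules"},
   "actor": {"email": "alice@example.com"},
   "events": [{"type": "action_complete_type", "name": "action_complete",
     "parameters": [
       {"name": "rule_name", "value": "Block external PII sharing"},
       {"name": "rule_type", "value": "DLP"},
       {"name": "severity", "value": "HIGH"},
       {"name": "has_alert", "boolValue": false},
       {"name": "matched_trigger", "value": "DRIVE_SHARE"},
       {"name": "resource_title", "value": "payroll.xlsx"},
       {"name": "resource_recipients", "multiValue": ["bob@example.org"]},
       {"name": "resource_recipients_omitted_count", "intValue": "12"},
       {"name": "triggered_actions", "multiMessageValue": [
         {"parameter": [{"name": "action_type", "value": "BLOCK"}]}]},
       {"name": "suppressed_actions", "multiMessageValue": [
         {"parameter": [{"name": "action_type", "value": "WARN"}]}]}
     ]}]},
  {"id": {"time": "2024-01-01T10:05:00.000Z", "applicationName": "rules"},
   "actor": {"email": "carol@example.com"},
   "events": [{"type": "action_complete_type", "name": "action_complete",
     "parameters": [
       {"name": "rule_name", "value": "Audit chat uploads"},
       {"name": "rule_type", "value": "DLP"},
       {"name": "severity", "value": "LOW"},
       {"name": "has_alert", "boolValue": true},
       {"name": "matched_trigger", "value": "CHAT_ATTACHMENT_UPLOADED"}
     ]}]}
]}
""")


def _scalar(param):
    """Return the typed value of one parameter entry, whichever field holds it."""
    if "boolValue" in param:
        return param["boolValue"]
    if "intValue" in param:
        return int(param["intValue"])  # int64 values arrive as JSON strings
    if "multiValue" in param:
        return list(param["multiValue"])
    return param.get("value")


def _message(msg):
    """Turn one nested message ({"parameter": [...]}) into a plain dict."""
    return {q["name"]: _scalar(q) for q in msg.get("parameter", [])}


def flatten_parameters(event):
    """Collapse an event's parameter list into a dict keyed by parameter name."""
    flat = {}
    for param in event.get("parameters", []):
        if "multiMessageValue" in param:
            flat[param["name"]] = [_message(m) for m in param["multiMessageValue"]]
        elif "messageValue" in param:
            flat[param["name"]] = _message(param["messageValue"])
        else:
            flat[param["name"]] = _scalar(param)
    return flat


def triage(response):
    """Return one finding per action_complete event, with review notes."""
    findings = []
    for item in response.get("items", []):
        for event in item.get("events", []):
            if event.get("name") != "action_complete":
                continue
            p = flatten_parameters(event)
            notes = []
            if p.get("severity") == "HIGH" and not p.get("has_alert", False):
                notes.append("high severity without alert")
            if p.get("suppressed_actions"):
                notes.append("actions suppressed")
            if p.get("resource_recipients_omitted_count", 0) > 0:
                notes.append("recipient list truncated")
            if not p.get("triggered_actions"):
                notes.append("no triggered_actions reported")
            findings.append({
                "time": item.get("id", {}).get("time"),
                "actor": item.get("actor", {}).get("email"),
                "rule_name": p.get("rule_name"),
                "severity": p.get("severity"),
                "notes": notes,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RESPONSE):
        print(finding)
```

A non-zero `resource_recipients_omitted_count` means `resource_recipients` is incomplete, so the listed recipients should not be treated as the full sharing scope.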

Label applied type

Audit event type which indicates label applied events. Events of this type are returned with type=label_applied_type.

Label applied

Audit event indicating label applied events.

Event details
Event name label_applied
Parameters
actor_ip_address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_id

string

The unique identifier of a Google Meet conference.

data_source

string

Source of the data. Possible values:

  • ADMIN
    Enum value of Admin data source.
  • CALENDAR
    Enum value of Calendar data source.
  • CHAT
    Enum value of Chat data source.
  • CHROME
    Enum value of Chrome data source.
  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • GROUPS
    Enum value of Groups data source.
  • MEET
    Enum value of Hangouts Meet data source.
  • RULE
    Enum value of Rule data source.
  • USER
    Enum value of User data source.
  • VOICE
    Enum value of Voice data source.
device_id

string

ID of the device on which the action was triggered.

device_type

string

Type of device referred to by device ID. Possible values:

  • CHROME_BROWSER
    Device type label when the device is a managed Chrome browser.
  • CHROME_OS
    Device type label when the device is a managed Chrome OS device.
  • CHROME_PROFILE
    Device type label when the device is a managed Chrome profile.
evaluation_context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_alert

boolean

Whether or not the triggered rule has alert enabled.

label_title

string

Title of the label to which the item belongs.

matched_detectors

message

A list of detectors that matched against the resource.

matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

  • CALENDAR_EVENTS
    Event label when the rule triggered because of a Calendar event.
  • CHAT_ATTACHMENT_UPLOADED
    Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
  • CHAT_MESSAGE_SENT
    Event label when the rule triggered because a Chat message containing sensitive info was sent.
  • CHROME_EVENTS
    Event label when the rule triggered because of a Chrome event.
  • CHROME_FILE_DOWNLOAD
    Event label when the rule triggered because a file was downloaded.
  • CHROME_FILE_UPLOAD
    Event label when the rule triggered because a file was uploaded.
  • CHROME_WEB_CONTENT_UPLOAD
    Event label when the rule triggered because web content was uploaded.
  • DEVICE_EVENTS
    Event label when the rule triggered because of a Device event.
  • DRIVE_EVENTS
    Event label when the rule triggered because of a Drive event.
  • DRIVE_SHARE
    Event label when the rule triggered because a file was shared.
  • GMAIL_EVENTS
    Event label when the rule triggered because of a Gmail event.
  • GROUPS_EVENTS
    Event label when the rule triggered because of a Groups event.
  • MAIL_BEING_RECEIVED
    Event label when the rule triggered because a message was received.
  • MAIL_BEING_SENT
    Event label when the rule triggered because a message was sent.
  • MEET_EVENTS
    Event label when the rule triggered because of a Meet event.
  • OAUTH_EVENTS
    Event label when the rule triggered because of an OAuth event.
  • USER_EVENTS
    Event label when the rule triggered because of a User event.
  • VOICE_EVENTS
    Event label when the rule triggered because of a Voice event.
resource_id

string

Identifier of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

resource_recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_recipients_omitted_count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_title

string

Title of the resource which matched the rule: email subject, or document title.

resource_type

string

Type of the resource which matched the rule. Possible values:

  • CHAT_ATTACHMENT
    Chat attachment resource type.
  • CHAT_MESSAGE
    Chat message resource type.
  • DEVICE
    Device resource type.
  • DOCUMENT
    Document resource type.
  • EMAIL
    Email resource type.
  • USER
    User resource type.
rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY_RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
scan_type

string

Scan mode for the rule evaluation. Possible values:

  • CHAT_SCAN_CONTENT_BEFORE_SEND
    Scan type that stands for scanning Chat content before sending it out.
  • DRIVE_OFFLINE_SCAN
    Scan type that stands for evaluating rules that were updated on all Drive items.
  • DRIVE_ONLINE_SCAN
    Scan type that stands for evaluating rules on a single Drive item that was changed.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
space_id

string

ID of the space where the rule was triggered.

space_type

string

Type of space referred to by the space ID. Possible values:

  • CHAT_DIRECT_MESSAGE
    Space type label when the space is a Chat direct message.
  • CHAT_EXTERNALLY_OWNED
    Space type label when the conversation is owned by an external organization.
  • CHAT_GROUP
    Space type label when the space is a Chat group.
  • CHAT_ROOM
    Space type label when the space is a Chat room.
suppressed_actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=label_applied&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
DLP Rule applied Label {label_title}.

Label field value changed type

Audit event type which indicates label field value changed events. Events of this type are returned with type=label_field_value_changed_type.

Label field value changed

Audit event indicating label field value changed event.

Event details
Event name label_field_value_changed
Parameters
actor_ip_address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_id

string

The unique identifier of a Google Meet conference.

data_source

string

Source of the data. Possible values:

  • ADMIN
    Enum value of Admin data source.
  • CALENDAR
    Enum value of Calendar data source.
  • CHAT
    Enum value of Chat data source.
  • CHROME
    Enum value of Chrome data source.
  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • GROUPS
    Enum value of Groups data source.
  • MEET
    Enum value of Hangouts Meet data source.
  • RULE
    Enum value of Rule data source.
  • USER
    Enum value of User data source.
  • VOICE
    Enum value of Voice data source.
device_id

string

ID of the device on which the action was triggered.

device_type

string

Type of device referred to by device ID. Possible values:

  • CHROME_BROWSER
    Device type label when the device is a managed Chrome browser.
  • CHROME_OS
    Device type label when the device is a managed Chrome OS device.
  • CHROME_PROFILE
    Device type label when the device is a managed Chrome profile.
evaluation_context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_alert

boolean

Whether or not the triggered rule has alert enabled.

label_field

string

Field of the label to which the item belongs.

label_title

string

Title of the label to which the item belongs.

matched_detectors

message

A list of detectors that matched against the resource.

matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

  • CALENDAR_EVENTS
    Event label when the rule triggered because of a Calendar event.
  • CHAT_ATTACHMENT_UPLOADED
    Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
  • CHAT_MESSAGE_SENT
    Event label when the rule triggered because a Chat message containing sensitive info was sent.
  • CHROME_EVENTS
    Event label when the rule triggered because of a Chrome event.
  • CHROME_FILE_DOWNLOAD
    Event label when the rule triggered because a file was downloaded.
  • CHROME_FILE_UPLOAD
    Event label when the rule triggered because a file was uploaded.
  • CHROME_WEB_CONTENT_UPLOAD
    Event label when the rule triggered because web content was uploaded.
  • DEVICE_EVENTS
    Event label when the rule triggered because of a Device event.
  • DRIVE_EVENTS
    Event label when the rule triggered because of a Drive event.
  • DRIVE_SHARE
    Event label when the rule triggered because a file was shared.
  • GMAIL_EVENTS
    Event label when the rule triggered because of a Gmail event.
  • GROUPS_EVENTS
    Event label when the rule triggered because of a Groups event.
  • MAIL_BEING_RECEIVED
    Event label when the rule triggered because a message was received.
  • MAIL_BEING_SENT
    Event label when the rule triggered because a message was sent.
  • MEET_EVENTS
    Event label when the rule triggered because of a Meet event.
  • OAUTH_EVENTS
    Event label when the rule triggered because of an OAuth event.
  • USER_EVENTS
    Event label when the rule triggered because of a User event.
  • VOICE_EVENTS
    Event label when the rule triggered because of a Voice event.
new_value

string

New value.

old_value

string

Old value.

resource_id

string

Identifier of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

resource_recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_recipients_omitted_count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_title

string

Title of the resource which matched the rule: email subject, or document title.

resource_type

string

Type of the resource which matched the rule. Possible values:

  • CHAT_ATTACHMENT
    Chat attachment resource type.
  • CHAT_MESSAGE
    Chat message resource type.
  • DEVICE
    Device resource type.
  • DOCUMENT
    Document resource type.
  • EMAIL
    Email resource type.
  • USER
    User resource type.
rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY_RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
scan_type

string

Scan mode for the rule evaluation. Possible values:

  • CHAT_SCAN_CONTENT_BEFORE_SEND
    Scan type that stands for scanning Chat content before sending it out.
  • DRIVE_OFFLINE_SCAN
    Scan type that stands for evaluating rules that were updated on all Drive items.
  • DRIVE_ONLINE_SCAN
    Scan type that stands for evaluating rules on a single Drive item that was changed.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
space_id

string

ID of the space where the rule was triggered.

space_type

string

Type of space referred to by the space ID. Possible values:

  • CHAT_DIRECT_MESSAGE
    Space type label when the space is a Chat direct message.
  • CHAT_EXTERNALLY_OWNED
    Space type label when the conversation is owned by an external organization.
  • CHAT_GROUP
    Space type label when the space is a Chat group.
  • CHAT_ROOM
    Space type label when the space is a Chat room.
suppressed_actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=label_field_value_changed&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
DLP Rule changed the value of field {label_field} (Label: {label_title}) from '{old_value}' to '{new_value}'.

Label removed type

Audit event type which indicates label removed events. Events of this type are returned with type=label_removed_type.

Label removed

Audit event indicating label removed event.

Event details
Event name label_removed
Parameters
actor_ip_address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_id

string

The unique identifier of a Google Meet conference.

data_source

string

Source of the data. Possible values:

  • ADMIN
    Enum value of Admin data source.
  • CALENDAR
    Enum value of Calendar data source.
  • CHAT
    Enum value of Chat data source.
  • CHROME
    Enum value of Chrome data source.
  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • GROUPS
    Enum value of Groups data source.
  • MEET
    Enum value of Hangouts Meet data source.
  • RULE
    Enum value of Rule data source.
  • USER
    Enum value of User data source.
  • VOICE
    Enum value of Voice data source.
device_id

string

ID of the device on which the action was triggered.

device_type

string

Type of device referred to by device ID. Possible values:

  • CHROME_BROWSER
    Device type label when the device is a managed Chrome browser.
  • CHROME_OS
    Device type label when the device is a managed Chrome OS device.
  • CHROME_PROFILE
    Device type label when the device is a managed Chrome profile.
evaluation_context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_alert

boolean

Whether or not the triggered rule has alert enabled.

label_title

string

Title of the label to which the item belongs.

matched_detectors

message

A list of detectors that matched against the resource.

matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

  • CALENDAR_EVENTS
    Event label when the rule triggered because of a Calendar event.
  • CHAT_ATTACHMENT_UPLOADED
    Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
  • CHAT_MESSAGE_SENT
    Event label when the rule triggered because a Chat message containing sensitive info was sent.
  • CHROME_EVENTS
    Event label when the rule triggered because of a Chrome event.
  • CHROME_FILE_DOWNLOAD
    Event label when the rule triggered because a file was downloaded.
  • CHROME_FILE_UPLOAD
    Event label when the rule triggered because a file was uploaded.
  • CHROME_WEB_CONTENT_UPLOAD
    Event label when the rule triggered because web content was uploaded.
  • DEVICE_EVENTS
    Event label when the rule triggered because of a Device event.
  • DRIVE_EVENTS
    Event label when the rule triggered because of a Drive event.
  • DRIVE_SHARE
    Event label when the rule triggered because a file was shared.
  • GMAIL_EVENTS
    Event label when the rule triggered because of a Gmail event.
  • GROUPS_EVENTS
    Event label when the rule triggered because of a Groups event.
  • MAIL_BEING_RECEIVED
    Event label when the rule triggered because a message was received.
  • MAIL_BEING_SENT
    Event label when the rule triggered because a message was sent.
  • MEET_EVENTS
    Event label when the rule triggered because of a Meet event.
  • OAUTH_EVENTS
    Event label when the rule triggered because of an OAuth event.
  • USER_EVENTS
    Event label when the rule triggered because of a User event.
  • VOICE_EVENTS
    Event label when the rule triggered because of a Voice event.
resource_id

string

Identifier of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

resource_recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_recipients_omitted_count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_title

string

Title of the resource which matched the rule: email subject, or document title.

resource_type

string

Type of the resource which matched the rule. Possible values:

  • CHAT_ATTACHMENT
    Chat attachment resource type.
  • CHAT_MESSAGE
    Chat message resource type.
  • DEVICE
    Device resource type.
  • DOCUMENT
    Document resource type.
  • EMAIL
    Email resource type.
  • USER
    User resource type.
rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY_RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
scan_type

string

Scan mode for the rule evaluation. Possible values:

  • CHAT_SCAN_CONTENT_BEFORE_SEND
    Scan type that stands for scanning Chat content before sending it out.
  • DRIVE_OFFLINE_SCAN
    Scan type that stands for evaluating rules that were updated on all Drive items.
  • DRIVE_ONLINE_SCAN
    Scan type that stands for evaluating rules on a single Drive item that was changed.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
space_id

string

ID of the space where the rule was triggered.

space_type

string

Type of space referred to by the space ID. Possible values:

  • CHAT_DIRECT_MESSAGE
    Space type label when the space is a Chat direct message.
  • CHAT_EXTERNALLY_OWNED
    Space type label when the conversation is owned by an external organization.
  • CHAT_GROUP
    Space type label when the space is a Chat group.
  • CHAT_ROOM
    Space type label when the space is a Chat room.
suppressed_actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=label_removed&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
DLP Rule removed Label {label_title}.

Rule Match Type

Audit event type which indicates rule matching events. Events of this type are returned with type=rule_match_type.

Rule Match

Audit event indicating rule match event.

Event details
Event name rule_match
Parameters
actions

string

List of actions taken. Possible values:

  • AccountWipeMobileDevice
    Account wipe mobile device action name.
  • ApproveMobileDevice
    Approve mobile device action name.
  • BlockMobileDevice
    Block mobile device action name.
  • FlagDocument
    Action which indicates that the item was flagged.
  • SendNotification
    Action which indicates that notification was sent.
  • UnflagDocument
    Action which indicates that the item was unflagged.
application

string

Name of the application to which the flagged item belongs. Possible values:

  • drive
    Application name for Google Drive.
  • mobile
    Device Management app.
drive_shared_drive_id

string

Shared drive ID to which the Drive item belongs, if applicable.

has_content_match

boolean

Whether the resource has content which matches the criteria in the rule. Possible values:

  • false
    Boolean whose value is false.
  • true
    Boolean whose value is true.
matched_templates

string

List of content detector templates that matched.

mobile_device_type

string

Type of device on which the rule was applied.

mobile_ios_vendor_id

string

iOS vendor ID of the device on which the rule was applied, if applicable.

resource_id

string

Identifier of the resource which matched the rule.

resource_name

string

Name of the resource which matched the rule.

resource_owner_email

string

Email address of the owner of the resource.

rule_id

integer

Unique identifier for a rule. Rules are created by admins in Google Workspace.

rule_name

string

Name of the rule.

rule_update_time_usec

integer

Update time (microseconds since epoch) indicating the version of the rule which is used.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=rule_match&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Rule matched

Rule trigger type

Audit event type which indicates rule triggered events. Events of this type are returned with type=rule_trigger_type.

Rule trigger

Audit event indicating rule triggered event.

Event details
Event name rule_trigger
Parameters
data_source

string

Source of the data. Possible values:

  • ADMIN
    Enum value of Admin data source.
  • CALENDAR
    Enum value of Calendar data source.
  • CHAT
    Enum value of Chat data source.
  • CHROME
    Enum value of Chrome data source.
  • DEVICE
    Enum value of Device data source.
  • DRIVE
    Enum value of Drive data source.
  • GMAIL
    Enum value of Gmail data source.
  • GROUPS
    Enum value of Groups data source.
  • MEET
    Enum value of Hangouts Meet data source.
  • RULE
    Enum value of Rule data source.
  • USER
    Enum value of User data source.
  • VOICE
    Enum value of Voice data source.
matched_threshold

string

Threshold that matched in the rule.

matched_trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

  • CALENDAR_EVENTS
    Event label when the rule triggered because of a Calendar event.
  • CHAT_ATTACHMENT_UPLOADED
    Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
  • CHAT_MESSAGE_SENT
    Event label when the rule triggered because a Chat message containing sensitive info was sent.
  • CHROME_EVENTS
    Event label when the rule triggered because of a Chrome event.
  • CHROME_FILE_DOWNLOAD
    Event label when the rule triggered because a file was downloaded.
  • CHROME_FILE_UPLOAD
    Event label when the rule triggered because a file was uploaded.
  • CHROME_WEB_CONTENT_UPLOAD
    Event label when the rule triggered because web content was uploaded.
  • DEVICE_EVENTS
    Event label when the rule triggered because of a Device event.
  • DRIVE_EVENTS
    Event label when the rule triggered because of a Drive event.
  • DRIVE_SHARE
    Event label when the rule triggered because a file was shared.
  • GMAIL_EVENTS
    Event label when the rule triggered because of a Gmail event.
  • GROUPS_EVENTS
    Event label when the rule triggered because of a Groups event.
  • MAIL_BEING_RECEIVED
    Event label when the rule triggered because a message was received.
  • MAIL_BEING_SENT
    Event label when the rule triggered because a message was sent.
  • MEET_EVENTS
    Event label when the rule triggered because of a Meet event.
  • OAUTH_EVENTS
    Event label when the rule triggered because of an OAuth event.
  • USER_EVENTS
    Event label when the rule triggered because of a User event.
  • VOICE_EVENTS
    Event label when the rule triggered because of a Voice event.
rule_name

string

Name of the rule.

rule_resource_name

string

Resource name that uniquely identifies a rule.

rule_type

string

Type of the rule. Possible values:

  • ACTIVITY_RULE
    Activity rule type.
  • DLP
    Data Loss Prevention (DLP) rule type.
severity

string

Severity of violating a rule. Possible values:

  • HIGH
    Severity of violating the rule is high.
  • LOW
    Severity of violating the rule is low.
  • MEDIUM
    Severity of violating the rule is medium.
triggered_actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=rule_trigger&maxResults=10&access_token=YOUR_ACCESS_TOKEN
Admin Console message format
Rule triggered