Rules Audit Activity Events

This document lists the events and parameters for various types of Rules Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=rules.

Action complete type

Audit event type which indicates action complete events. Events of this type are returned with type=action_complete_type.

Action complete

Audit event indicating action complete event.

Event details

Event name action_complete

Parameters

`access_level`	`string` Label for a list of access levels.
`actor_ip_address`	`string` IP of the entity who was responsible for the original event which triggered the rule.
`conference_id`	`string` The unique identifier of a Google Meet conference.
`data_source`	`string` Source of the data. Possible values: `ADMIN` Enum value of Admin data source. `CALENDAR` Enum value of Calendar data source. `CHAT` Enum value of Chat data source. `CHROME` Enum value of Chrome data source. `DEVICE` Enum value of Device data source. `DRIVE` Enum value of Drive data source. `GMAIL` Enum value of Gmail data source. `GROUPS` Enum value of Groups data source. `MEET` Enum value of Hangouts Meet data source. `RULE` Enum value of Rule data source. `USER` Enum value of User data source. `VOICE` Enum value of Voice data source.
`device_id`	`string` ID of the device on which the action was triggered.
`device_type`	`string` Type of device referred to by device ID. Possible values: `CHROME_BROWSER` Device type label when the device is a managed Chrome browser. `CHROME_OS` Device type label when the device is a managed Chrome OS device. `CHROME_PROFILE` Device type label when the device is a managed Chrome profile.
`evaluation_context`	`message` Evaluation metadata, such as contextual messages used in a rule evaluation.
`has_alert`	`boolean` Whether or not the triggered rule has alert enabled.
`matched_detectors`	`message` A list of detectors that matched against the resource.
`matched_threshold`	`string` Threshold that matched in the rule.
`matched_trigger`	`string` Trigger of the rule evaluation: email sent or received, document shared. Possible values: `CALENDAR_EVENTS` Event label when the rule triggered because of a Calendar event. `CHAT_ATTACHMENT_UPLOADED` Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded. `CHAT_MESSAGE_SENT` Event label when the rule triggered because a Chat message containing sensitive info was sent. `CHROME_EVENTS` Event label when the rule triggered because of a Chrome event. `CHROME_FILE_DOWNLOAD` Event label when the rule triggered because a file was downloaded. `CHROME_FILE_UPLOAD` Event label when the rule triggered because a file was uploaded. `CHROME_WEB_CONTENT_UPLOAD` Event label when the rule triggered because web content was uploaded. `DEVICE_EVENTS` Event label when the rule triggered because of a Device event. `DRIVE_EVENTS` Event label when the rule triggered because of a Drive event. `DRIVE_SHARE` Event label when the rule triggered because a file was shared. `GMAIL_EVENTS` Event label when the rule triggered because of a Gmail event. `GROUPS_EVENTS` Event label when the rule triggered because of a Groups event. `MAIL_BEING_RECEIVED` Event label when the rule triggered because a message was received. `MAIL_BEING_SENT` Event label when the rule triggered because a message was sent. `MEET_EVENTS` Event label when the rule triggered because of a Meet event. `OAUTH_EVENTS` Event label when the rule triggered because of an OAuth event. `USER_EVENTS` Event label when the rule triggered because of a User event. `VOICE_EVENTS` Event label when the rule triggered because of a Voice event.
`resource_id`	`string` Identifier of the resource which matched the rule.
`resource_owner_email`	`string` Email address of the owner of the resource.
`resource_recipients`	`string` A list of users that a Drive document or an email message was shared with when the rule was triggered.
`resource_recipients_omitted_count`	`integer` The number of resource recipients omitted due to exceeding the size limit.
`resource_title`	`string` Title of the resource which matched the rule: email subject, or document title.
`resource_type`	`string` Type of the resource which matched the rule. Possible values: `CHAT_ATTACHMENT` Chat attachment resource type. `CHAT_MESSAGE` Chat message resource type. `DEVICE` Device resource type. `DOCUMENT` Document resource type. `EMAIL` Email resource type. `USER` User resource type.
`rule_name`	`string` Name of the rule.
`rule_resource_name`	`string` Resource name that uniquely identifies a rule.
`rule_type`	`string` Type of the rule. Possible values: `ACTIVITY_RULE` Activity rule type. `DLP` Data Loss Prevention (DLP) rule type.
`scan_type`	`string` Scan mode for the rule evaluation. Possible values: `CHAT_SCAN_CONTENT_BEFORE_SEND` Scan type that stands for scanning Chat content before sending it out. `DRIVE_OFFLINE_SCAN` Scan type that stands for evaluating rules that were updated on all Drive items. `DRIVE_ONLINE_SCAN` Scan type that stands for evaluating rules on a single Drive item that was changed.
`severity`	`string` Severity of violating a rule. Possible values: `HIGH` Severity of violating the rule is high. `LOW` Severity of violating the rule is low. `MEDIUM` Severity of violating the rule is medium.
`snippets`	`message` Heading title for a small piece of context that matched a rule.
`space_id`	`string` ID of the space where the rule was triggered.
`space_type`	`string` Type of space referred to by the space ID. Possible values: `CHAT_DIRECT_MESSAGE` Space type label when the space is a Chat direct message. `CHAT_EXTERNALLY_OWNED` Space type label when the conversation is owned by an external organization. `CHAT_GROUP` Space type label when the space is a Chat group. `CHAT_ROOM` Space type label when the space is a Chat room.
`suppressed_actions`	`message` A list of actions that were not taken due to other actions with higher priority.
`triggered_actions`	`message` A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=action_complete&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Action completed

Label applied type

Audit event type which indicates label applied events. Events of this type are returned with type=label_applied_type.

Label applied

Audit event indicating label applied events.

Event details

Event name label_applied

Parameters

`actor_ip_address`	`string` IP of the entity who was responsible for the original event which triggered the rule.
`conference_id`	`string` The unique identifier of a Google Meet conference.
`data_source`	`string` Source of the data. Possible values: `ADMIN` Enum value of Admin data source. `CALENDAR` Enum value of Calendar data source. `CHAT` Enum value of Chat data source. `CHROME` Enum value of Chrome data source. `DEVICE` Enum value of Device data source. `DRIVE` Enum value of Drive data source. `GMAIL` Enum value of Gmail data source. `GROUPS` Enum value of Groups data source. `MEET` Enum value of Hangouts Meet data source. `RULE` Enum value of Rule data source. `USER` Enum value of User data source. `VOICE` Enum value of Voice data source.
`device_id`	`string` ID of the device on which the action was triggered.
`device_type`	`string` Type of device referred to by device ID. Possible values: `CHROME_BROWSER` Device type label when the device is a managed Chrome browser. `CHROME_OS` Device type label when the device is a managed Chrome OS device. `CHROME_PROFILE` Device type label when the device is a managed Chrome profile.
`evaluation_context`	`message` Evaluation metadata, such as contextual messages used in a rule evaluation.
`has_alert`	`boolean` Whether or not the triggered rule has alert enabled.
`label_title`	`string` Title of the label to which the item belongs.
`matched_detectors`	`message` A list of detectors that matched against the resource.
`matched_threshold`	`string` Threshold that matched in the rule.
`matched_trigger`	`string` Trigger of the rule evaluation: email sent or received, document shared. Possible values: `CALENDAR_EVENTS` Event label when the rule triggered because of a Calendar event. `CHAT_ATTACHMENT_UPLOADED` Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded. `CHAT_MESSAGE_SENT` Event label when the rule triggered because a Chat message containing sensitive info was sent. `CHROME_EVENTS` Event label when the rule triggered because of a Chrome event. `CHROME_FILE_DOWNLOAD` Event label when the rule triggered because a file was downloaded. `CHROME_FILE_UPLOAD` Event label when the rule triggered because a file was uploaded. `CHROME_WEB_CONTENT_UPLOAD` Event label when the rule triggered because web content was uploaded. `DEVICE_EVENTS` Event label when the rule triggered because of a Device event. `DRIVE_EVENTS` Event label when the rule triggered because of a Drive event. `DRIVE_SHARE` Event label when the rule triggered because a file was shared. `GMAIL_EVENTS` Event label when the rule triggered because of a Gmail event. `GROUPS_EVENTS` Event label when the rule triggered because of a Groups event. `MAIL_BEING_RECEIVED` Event label when the rule triggered because a message was received. `MAIL_BEING_SENT` Event label when the rule triggered because a message was sent. `MEET_EVENTS` Event label when the rule triggered because of a Meet event. `OAUTH_EVENTS` Event label when the rule triggered because of an OAuth event. `USER_EVENTS` Event label when the rule triggered because of a User event. `VOICE_EVENTS` Event label when the rule triggered because of a Voice event.
`resource_id`	`string` Identifier of the resource which matched the rule.
`resource_owner_email`	`string` Email address of the owner of the resource.
`resource_recipients`	`string` A list of users that a Drive document or an email message was shared with when the rule was triggered.
`resource_recipients_omitted_count`	`integer` The number of resource recipients omitted due to exceeding the size limit.
`resource_title`	`string` Title of the resource which matched the rule: email subject, or document title.
`resource_type`	`string` Type of the resource which matched the rule. Possible values: `CHAT_ATTACHMENT` Chat attachment resource type. `CHAT_MESSAGE` Chat message resource type. `DEVICE` Device resource type. `DOCUMENT` Document resource type. `EMAIL` Email resource type. `USER` User resource type.
`rule_name`	`string` Name of the rule.
`rule_resource_name`	`string` Resource name that uniquely identifies a rule.
`rule_type`	`string` Type of the rule. Possible values: `ACTIVITY_RULE` Activity rule type. `DLP` Data Loss Prevention (DLP) rule type.
`scan_type`	`string` Scan mode for the rule evaluation. Possible values: `CHAT_SCAN_CONTENT_BEFORE_SEND` Scan type that stands for scanning Chat content before sending it out. `DRIVE_OFFLINE_SCAN` Scan type that stands for evaluating rules that were updated on all Drive items. `DRIVE_ONLINE_SCAN` Scan type that stands for evaluating rules on a single Drive item that was changed.
`severity`	`string` Severity of violating a rule. Possible values: `HIGH` Severity of violating the rule is high. `LOW` Severity of violating the rule is low. `MEDIUM` Severity of violating the rule is medium.
`space_id`	`string` ID of the space where the rule was triggered.
`space_type`	`string` Type of space referred to by the space ID. Possible values: `CHAT_DIRECT_MESSAGE` Space type label when the space is a Chat direct message. `CHAT_EXTERNALLY_OWNED` Space type label when the conversation is owned by an external organization. `CHAT_GROUP` Space type label when the space is a Chat group. `CHAT_ROOM` Space type label when the space is a Chat room.
`suppressed_actions`	`message` A list of actions that were not taken due to other actions with higher priority.
`triggered_actions`	`message` A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=label_applied&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

DLP Rule applied Label {label_title}.

Label field value changed type

Audit event type which indicates label field value changed events. Events of this type are returned with type=label_field_value_changed_type.

Label field value changed

Audit event indicating label field value changed event.

Event details

Event name label_field_value_changed

Parameters

`actor_ip_address`	`string` IP of the entity who was responsible for the original event which triggered the rule.
`conference_id`	`string` The unique identifier of a Google Meet conference.
`data_source`	`string` Source of the data. Possible values: `ADMIN` Enum value of Admin data source. `CALENDAR` Enum value of Calendar data source. `CHAT` Enum value of Chat data source. `CHROME` Enum value of Chrome data source. `DEVICE` Enum value of Device data source. `DRIVE` Enum value of Drive data source. `GMAIL` Enum value of Gmail data source. `GROUPS` Enum value of Groups data source. `MEET` Enum value of Hangouts Meet data source. `RULE` Enum value of Rule data source. `USER` Enum value of User data source. `VOICE` Enum value of Voice data source.
`device_id`	`string` ID of the device on which the action was triggered.
`device_type`	`string` Type of device referred to by device ID. Possible values: `CHROME_BROWSER` Device type label when the device is a managed Chrome browser. `CHROME_OS` Device type label when the device is a managed Chrome OS device. `CHROME_PROFILE` Device type label when the device is a managed Chrome profile.
`evaluation_context`	`message` Evaluation metadata, such as contextual messages used in a rule evaluation.
`has_alert`	`boolean` Whether or not the triggered rule has alert enabled.
`label_field`	`string` Field of the label to which the item belongs.
`label_title`	`string` Title of the label to which the item belongs.
`matched_detectors`	`message` A list of detectors that matched against the resource.
`matched_threshold`	`string` Threshold that matched in the rule.
`matched_trigger`	`string` Trigger of the rule evaluation: email sent or received, document shared. Possible values: `CALENDAR_EVENTS` Event label when the rule triggered because of a Calendar event. `CHAT_ATTACHMENT_UPLOADED` Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded. `CHAT_MESSAGE_SENT` Event label when the rule triggered because a Chat message containing sensitive info was sent. `CHROME_EVENTS` Event label when the rule triggered because of a Chrome event. `CHROME_FILE_DOWNLOAD` Event label when the rule triggered because a file was downloaded. `CHROME_FILE_UPLOAD` Event label when the rule triggered because a file was uploaded. `CHROME_WEB_CONTENT_UPLOAD` Event label when the rule triggered because web content was uploaded. `DEVICE_EVENTS` Event label when the rule triggered because of a Device event. `DRIVE_EVENTS` Event label when the rule triggered because of a Drive event. `DRIVE_SHARE` Event label when the rule triggered because a file was shared. `GMAIL_EVENTS` Event label when the rule triggered because of a Gmail event. `GROUPS_EVENTS` Event label when the rule triggered because of a Groups event. `MAIL_BEING_RECEIVED` Event label when the rule triggered because a message was received. `MAIL_BEING_SENT` Event label when the rule triggered because a message was sent. `MEET_EVENTS` Event label when the rule triggered because of a Meet event. `OAUTH_EVENTS` Event label when the rule triggered because of an OAuth event. `USER_EVENTS` Event label when the rule triggered because of a User event. `VOICE_EVENTS` Event label when the rule triggered because of a Voice event.
`new_value`	`string` New value.
`old_value`	`string` Old value.
`resource_id`	`string` Identifier of the resource which matched the rule.
`resource_owner_email`	`string` Email address of the owner of the resource.
`resource_recipients`	`string` A list of users that a Drive document or an email message was shared with when the rule was triggered.
`resource_recipients_omitted_count`	`integer` The number of resource recipients omitted due to exceeding the size limit.
`resource_title`	`string` Title of the resource which matched the rule: email subject, or document title.
`resource_type`	`string` Type of the resource which matched the rule. Possible values: `CHAT_ATTACHMENT` Chat attachment resource type. `CHAT_MESSAGE` Chat message resource type. `DEVICE` Device resource type. `DOCUMENT` Document resource type. `EMAIL` Email resource type. `USER` User resource type.
`rule_name`	`string` Name of the rule.
`rule_resource_name`	`string` Resource name that uniquely identifies a rule.
`rule_type`	`string` Type of the rule. Possible values: `ACTIVITY_RULE` Activity rule type. `DLP` Data Loss Prevention (DLP) rule type.
`scan_type`	`string` Scan mode for the rule evaluation. Possible values: `CHAT_SCAN_CONTENT_BEFORE_SEND` Scan type that stands for scanning Chat content before sending it out. `DRIVE_OFFLINE_SCAN` Scan type that stands for evaluating rules that were updated on all Drive items. `DRIVE_ONLINE_SCAN` Scan type that stands for evaluating rules on a single Drive item that was changed.
`severity`	`string` Severity of violating a rule. Possible values: `HIGH` Severity of violating the rule is high. `LOW` Severity of violating the rule is low. `MEDIUM` Severity of violating the rule is medium.
`space_id`	`string` ID of the space where the rule was triggered.
`space_type`	`string` Type of space referred to by the space ID. Possible values: `CHAT_DIRECT_MESSAGE` Space type label when the space is a Chat direct message. `CHAT_EXTERNALLY_OWNED` Space type label when the conversation is owned by an external organization. `CHAT_GROUP` Space type label when the space is a Chat group. `CHAT_ROOM` Space type label when the space is a Chat room.
`suppressed_actions`	`message` A list of actions that were not taken due to other actions with higher priority.
`triggered_actions`	`message` A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=label_field_value_changed&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

DLP Rule changed the value of field {label_field} (Label: {label_title}) from '{old_value}' to '{new_value}'.

Label removed type

Audit event type which indicates label removed events. Events of this type are returned with type=label_removed_type.

Label removed

Audit event indicating label removed event.

Event details

Event name label_removed

Parameters

`actor_ip_address`	`string` IP of the entity who was responsible for the original event which triggered the rule.
`conference_id`	`string` The unique identifier of a Google Meet conference.
`data_source`	`string` Source of the data. Possible values: `ADMIN` Enum value of Admin data source. `CALENDAR` Enum value of Calendar data source. `CHAT` Enum value of Chat data source. `CHROME` Enum value of Chrome data source. `DEVICE` Enum value of Device data source. `DRIVE` Enum value of Drive data source. `GMAIL` Enum value of Gmail data source. `GROUPS` Enum value of Groups data source. `MEET` Enum value of Hangouts Meet data source. `RULE` Enum value of Rule data source. `USER` Enum value of User data source. `VOICE` Enum value of Voice data source.
`device_id`	`string` ID of the device on which the action was triggered.
`device_type`	`string` Type of device referred to by device ID. Possible values: `CHROME_BROWSER` Device type label when the device is a managed Chrome browser. `CHROME_OS` Device type label when the device is a managed Chrome OS device. `CHROME_PROFILE` Device type label when the device is a managed Chrome profile.
`evaluation_context`	`message` Evaluation metadata, such as contextual messages used in a rule evaluation.
`has_alert`	`boolean` Whether or not the triggered rule has alert enabled.
`label_title`	`string` Title of the label to which the item belongs.
`matched_detectors`	`message` A list of detectors that matched against the resource.
`matched_threshold`	`string` Threshold that matched in the rule.
`matched_trigger`	`string` Trigger of the rule evaluation: email sent or received, document shared. Possible values: `CALENDAR_EVENTS` Event label when the rule triggered because of a Calendar event. `CHAT_ATTACHMENT_UPLOADED` Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded. `CHAT_MESSAGE_SENT` Event label when the rule triggered because a Chat message containing sensitive info was sent. `CHROME_EVENTS` Event label when the rule triggered because of a Chrome event. `CHROME_FILE_DOWNLOAD` Event label when the rule triggered because a file was downloaded. `CHROME_FILE_UPLOAD` Event label when the rule triggered because a file was uploaded. `CHROME_WEB_CONTENT_UPLOAD` Event label when the rule triggered because web content was uploaded. `DEVICE_EVENTS` Event label when the rule triggered because of a Device event. `DRIVE_EVENTS` Event label when the rule triggered because of a Drive event. `DRIVE_SHARE` Event label when the rule triggered because a file was shared. `GMAIL_EVENTS` Event label when the rule triggered because of a Gmail event. `GROUPS_EVENTS` Event label when the rule triggered because of a Groups event. `MAIL_BEING_RECEIVED` Event label when the rule triggered because a message was received. `MAIL_BEING_SENT` Event label when the rule triggered because a message was sent. `MEET_EVENTS` Event label when the rule triggered because of a Meet event. `OAUTH_EVENTS` Event label when the rule triggered because of an OAuth event. `USER_EVENTS` Event label when the rule triggered because of a User event. `VOICE_EVENTS` Event label when the rule triggered because of a Voice event.
`resource_id`	`string` Identifier of the resource which matched the rule.
`resource_owner_email`	`string` Email address of the owner of the resource.
`resource_recipients`	`string` A list of users that a Drive document or an email message was shared with when the rule was triggered.
`resource_recipients_omitted_count`	`integer` The number of resource recipients omitted due to exceeding the size limit.
`resource_title`	`string` Title of the resource which matched the rule: email subject, or document title.
`resource_type`	`string` Type of the resource which matched the rule. Possible values: `CHAT_ATTACHMENT` Chat attachment resource type. `CHAT_MESSAGE` Chat message resource type. `DEVICE` Device resource type. `DOCUMENT` Document resource type. `EMAIL` Email resource type. `USER` User resource type.
`rule_name`	`string` Name of the rule.
`rule_resource_name`	`string` Resource name that uniquely identifies a rule.
`rule_type`	`string` Type of the rule. Possible values: `ACTIVITY_RULE` Activity rule type. `DLP` Data Loss Prevention (DLP) rule type.
`scan_type`	`string` Scan mode for the rule evaluation. Possible values: `CHAT_SCAN_CONTENT_BEFORE_SEND` Scan type that stands for scanning Chat content before sending it out. `DRIVE_OFFLINE_SCAN` Scan type that stands for evaluating rules that were updated on all Drive items. `DRIVE_ONLINE_SCAN` Scan type that stands for evaluating rules on a single Drive item that was changed.
`severity`	`string` Severity of violating a rule. Possible values: `HIGH` Severity of violating the rule is high. `LOW` Severity of violating the rule is low. `MEDIUM` Severity of violating the rule is medium.
`space_id`	`string` ID of the space where the rule was triggered.
`space_type`	`string` Type of space referred to by the space ID. Possible values: `CHAT_DIRECT_MESSAGE` Space type label when the space is a Chat direct message. `CHAT_EXTERNALLY_OWNED` Space type label when the conversation is owned by an external organization. `CHAT_GROUP` Space type label when the space is a Chat group. `CHAT_ROOM` Space type label when the space is a Chat room.
`suppressed_actions`	`message` A list of actions that were not taken due to other actions with higher priority.
`triggered_actions`	`message` A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=label_removed&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

DLP Rule removed Label {label_title}.

Rule Match Type

Audit event type which inidicates rule matching events. Events of this type are returned with type=rule_match_type.

Rule Match

Audit event indicating rule match event.

Event details

Event name rule_match

Parameters

`actions`	`string` List of actions taken. Possible values: `AccountWipeMobileDevice` Account wipe mobile device action name. `ApproveMobileDevice` Approve mobile device action name. `BlockMobileDevice` Block mobile device action name. `FlagDocument` Action which indicates that the item was flagged. `SendNotification` Action which indicates that notification was sent. `UnflagDocument` Action which indicates that the item was unflagged.
`application`	`string` Name of the application to which the flagged item belongs. Possible values: `drive` Application name for Google Drive. `mobile` Device Management app.
`drive_shared_drive_id`	`string` Shared drive Id to which the drive item belongs, if applicable.
`has_content_match`	`boolean` Whether the resource has content which matches the criteria in the rule. Possible values: `false` Boolean whose value is false. `true` Boolean whose value is true.
`matched_templates`	`string` List of content detector templates that matched.
`mobile_device_type`	`string` Type of device on which rule was applied.
`mobile_ios_vendor_id`	`string` iOS Vendor Id of device on which rule was applied, if applicable.
`resource_id`	`string` Identifier of the resource which matched the rule.
`resource_name`	`string` Name of the resource which matched the rule.
`resource_owner_email`	`string` Email address of the owner of the resource.
`rule_id`	`integer` Unique identifier for a rule. Rules are created by admins in Google Workspace.
`rule_name`	`string` Name of the rule.
`rule_update_time_usec`	`integer` Update time (microseconds since epoch) indicating the version of rule which is used.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=rule_match&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Rule matched

Rule trigger type

Audit event type which indicates rule triggered events. Events of this type are returned with type=rule_trigger_type.

Rule trigger

Audit event indicating rule triggered event.

Event details

Event name rule_trigger

Parameters

`data_source`	`string` Source of the data. Possible values: `ADMIN` Enum value of Admin data source. `CALENDAR` Enum value of Calendar data source. `CHAT` Enum value of Chat data source. `CHROME` Enum value of Chrome data source. `DEVICE` Enum value of Device data source. `DRIVE` Enum value of Drive data source. `GMAIL` Enum value of Gmail data source. `GROUPS` Enum value of Groups data source. `MEET` Enum value of Hangouts Meet data source. `RULE` Enum value of Rule data source. `USER` Enum value of User data source. `VOICE` Enum value of Voice data source.
`matched_threshold`	`string` Threshold that matched in the rule.
`matched_trigger`	`string` Trigger of the rule evaluation: email sent or received, document shared. Possible values: `CALENDAR_EVENTS` Event label when the rule triggered because of a Calendar event. `CHAT_ATTACHMENT_UPLOADED` Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded. `CHAT_MESSAGE_SENT` Event label when the rule triggered because a Chat message containing sensitive info was sent. `CHROME_EVENTS` Event label when the rule triggered because of a Chrome event. `CHROME_FILE_DOWNLOAD` Event label when the rule triggered because a file was downloaded. `CHROME_FILE_UPLOAD` Event label when the rule triggered because a file was uploaded. `CHROME_WEB_CONTENT_UPLOAD` Event label when the rule triggered because web content was uploaded. `DEVICE_EVENTS` Event label when the rule triggered because of a Device event. `DRIVE_EVENTS` Event label when the rule triggered because of a Drive event. `DRIVE_SHARE` Event label when the rule triggered because a file was shared. `GMAIL_EVENTS` Event label when the rule triggered because of a Gmail event. `GROUPS_EVENTS` Event label when the rule triggered because of a Groups event. `MAIL_BEING_RECEIVED` Event label when the rule triggered because a message was received. `MAIL_BEING_SENT` Event label when the rule triggered because a message was sent. `MEET_EVENTS` Event label when the rule triggered because of a Meet event. `OAUTH_EVENTS` Event label when the rule triggered because of an OAuth event. `USER_EVENTS` Event label when the rule triggered because of a User event. `VOICE_EVENTS` Event label when the rule triggered because of a Voice event.
`rule_name`	`string` Name of the rule.
`rule_resource_name`	`string` Resource name that uniquely identifies a rule.
`rule_type`	`string` Type of the rule. Possible values: `ACTIVITY_RULE` Activity rule type. `DLP` Data Loss Prevention (DLP) rule type.
`severity`	`string` Severity of violating a rule. Possible values: `HIGH` Severity of violating the rule is high. `LOW` Severity of violating the rule is low. `MEDIUM` Severity of violating the rule is medium.
`triggered_actions`	`message` A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/rules?eventName=rule_trigger&maxResults=10&access_token=YOUR_ACCESS_TOKEN

Admin Console message format

Rule triggered