Rules Audit Activity Events

This document lists the events and parameters for various types of Rules Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=rules .

Action complete type

Audit event type which indicates action complete events. Events of this type are returned with type=action_complete_type .

Action complete

Audit event indicating action complete event.

Event details

Event name

action_complete

Parameters

access_  
level

string

Label for a list of access levels.

actor_  
ip_  
address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_  
id

string

The unique identifier of a Google Meet conference.

data_  
source

string

Source of the data. Possible values:

ADMIN
Enum value of Admin data source.
CALENDAR
Enum value of Calendar data source.
CHAT
Enum value of Chat data source.
CHROME
Enum value of Chrome data source.
DEVICE
Enum value of Device data source.
DRIVE
Enum value of Drive data source.
GMAIL
Enum value of Gmail data source.
GROUPS
Enum value of Groups data source.
MEET
Enum value of Hangouts Meet data source.
RULE
Enum value of Rule data source.
USER
Enum value of User data source.
VOICE
Enum value of Voice data source.

device_  
id

string

ID of the device on which the action was triggered.

device_  
type

string

Type of device referred to by device ID. Possible values:

CHROME_BROWSER
Device type label when the device is a managed Chrome browser.
CHROME_OS
Device type label when the device is a managed Chrome OS device.
CHROME_PROFILE
Device type label when the device is a managed Chrome profile.

evaluation_  
context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_  
alert

boolean

Whether or not the triggered rule has alert enabled.

matched_  
detectors

message

A list of detectors that matched against the resource.

matched_  
threshold

string

Threshold that matched in the rule.

matched_  
trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

CALENDAR_EVENTS
Event label when the rule triggered because of a Calendar event.
CHAT_ATTACHMENT_UPLOADED
Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
CHAT_MESSAGE_SENT
Event label when the rule triggered because a Chat message containing sensitive info was sent.
CHROME_EVENTS
Event label when the rule triggered because of a Chrome event.
CHROME_FILE_DOWNLOAD
Event label when the rule triggered because a file was downloaded.
CHROME_FILE_UPLOAD
Event label when the rule triggered because a file was uploaded.
CHROME_WEB_CONTENT_UPLOAD
Event label when the rule triggered because web content was uploaded.
DEVICE_EVENTS
Event label when the rule triggered because of a Device event.
DRIVE_EVENTS
Event label when the rule triggered because of a Drive event.
DRIVE_SHARE
Event label when the rule triggered because a file was shared.
GMAIL_EVENTS
Event label when the rule triggered because of a Gmail event.
GROUPS_EVENTS
Event label when the rule triggered because of a Groups event.
MAIL_BEING_RECEIVED
Event label when the rule triggered because a message was received.
MAIL_BEING_SENT
Event label when the rule triggered because a message was sent.
MEET_EVENTS
Event label when the rule triggered because of a Meet event.
OAUTH_EVENTS
Event label when the rule triggered because of an OAuth event.
USER_EVENTS
Event label when the rule triggered because of a User event.
VOICE_EVENTS
Event label when the rule triggered because of a Voice event.

resource_  
id

string

Identifier of the resource which matched the rule.

resource_  
owner_  
email

string

Email address of the owner of the resource.

resource_  
recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_  
recipients_  
omitted_  
count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_  
title

string

Title of the resource which matched the rule: email subject, or document title.

resource_  
type

string

Type of the resource which matched the rule. Possible values:

CHAT_ATTACHMENT
Chat attachment resource type.
CHAT_MESSAGE
Chat message resource type.
DEVICE
Device resource type.
DOCUMENT
Document resource type.
EMAIL
Email resource type.
USER
User resource type.

rule_  
name

string

Name of the rule.

rule_  
resource_  
name

string

Resource name that uniquely identifies a rule.

rule_  
type

string

Type of the rule. Possible values:

ACTIVITY_RULE
Activity rule type.
DLP
Data Loss Prevention (DLP) rule type.

scan_  
type

string

Scan mode for the rule evaluation. Possible values:

CHAT_SCAN_CONTENT_BEFORE_SEND
Scan type that stands for scanning Chat content before sending it out.
DRIVE_OFFLINE_SCAN
Scan type that stands for evaluating rules that were updated on all Drive items.
DRIVE_ONLINE_SCAN
Scan type that stands for evaluating rules on a single Drive item that was changed.

severity

string

Severity of violating a rule. Possible values:

HIGH
Severity of violating the rule is high.
LOW
Severity of violating the rule is low.
MEDIUM
Severity of violating the rule is medium.

snippets

message

Heading title for a small piece of context that matched a rule.

space_  
id

string

ID of the space where the rule was triggered.

space_  
type

string

Type of space referred to by the space ID. Possible values:

CHAT_DIRECT_MESSAGE
Space type label when the space is a Chat direct message.
CHAT_EXTERNALLY_OWNED
Space type label when the conversation is owned by an external organization.
CHAT_GROUP
Space type label when the space is a Chat group.
CHAT_ROOM
Space type label when the space is a Chat room.

suppressed_  
actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_  
actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ rules 
  
?eventName= action_complete 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Action completed

Label applied type

Audit event type which indicates label applied events. Events of this type are returned with type=label_applied_type .

Label applied

Audit event indicating label applied events.

Event details

Event name

label_applied

Parameters

actor_  
ip_  
address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_  
id

string

The unique identifier of a Google Meet conference.

data_  
source

string

Source of the data. Possible values:

ADMIN
Enum value of Admin data source.
CALENDAR
Enum value of Calendar data source.
CHAT
Enum value of Chat data source.
CHROME
Enum value of Chrome data source.
DEVICE
Enum value of Device data source.
DRIVE
Enum value of Drive data source.
GMAIL
Enum value of Gmail data source.
GROUPS
Enum value of Groups data source.
MEET
Enum value of Hangouts Meet data source.
RULE
Enum value of Rule data source.
USER
Enum value of User data source.
VOICE
Enum value of Voice data source.

device_  
id

string

ID of the device on which the action was triggered.

device_  
type

string

Type of device referred to by device ID. Possible values:

CHROME_BROWSER
Device type label when the device is a managed Chrome browser.
CHROME_OS
Device type label when the device is a managed Chrome OS device.
CHROME_PROFILE
Device type label when the device is a managed Chrome profile.

evaluation_  
context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_  
alert

boolean

Whether or not the triggered rule has alert enabled.

label_  
title

string

Title of the label to which the item belongs.

matched_  
detectors

message

A list of detectors that matched against the resource.

matched_  
threshold

string

Threshold that matched in the rule.

matched_  
trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

CALENDAR_EVENTS
Event label when the rule triggered because of a Calendar event.
CHAT_ATTACHMENT_UPLOADED
Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
CHAT_MESSAGE_SENT
Event label when the rule triggered because a Chat message containing sensitive info was sent.
CHROME_EVENTS
Event label when the rule triggered because of a Chrome event.
CHROME_FILE_DOWNLOAD
Event label when the rule triggered because a file was downloaded.
CHROME_FILE_UPLOAD
Event label when the rule triggered because a file was uploaded.
CHROME_WEB_CONTENT_UPLOAD
Event label when the rule triggered because web content was uploaded.
DEVICE_EVENTS
Event label when the rule triggered because of a Device event.
DRIVE_EVENTS
Event label when the rule triggered because of a Drive event.
DRIVE_SHARE
Event label when the rule triggered because a file was shared.
GMAIL_EVENTS
Event label when the rule triggered because of a Gmail event.
GROUPS_EVENTS
Event label when the rule triggered because of a Groups event.
MAIL_BEING_RECEIVED
Event label when the rule triggered because a message was received.
MAIL_BEING_SENT
Event label when the rule triggered because a message was sent.
MEET_EVENTS
Event label when the rule triggered because of a Meet event.
OAUTH_EVENTS
Event label when the rule triggered because of an OAuth event.
USER_EVENTS
Event label when the rule triggered because of a User event.
VOICE_EVENTS
Event label when the rule triggered because of a Voice event.

resource_  
id

string

Identifier of the resource which matched the rule.

resource_  
owner_  
email

string

Email address of the owner of the resource.

resource_  
recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_  
recipients_  
omitted_  
count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_  
title

string

Title of the resource which matched the rule: email subject, or document title.

resource_  
type

string

Type of the resource which matched the rule. Possible values:

CHAT_ATTACHMENT
Chat attachment resource type.
CHAT_MESSAGE
Chat message resource type.
DEVICE
Device resource type.
DOCUMENT
Document resource type.
EMAIL
Email resource type.
USER
User resource type.

rule_  
name

string

Name of the rule.

rule_  
resource_  
name

string

Resource name that uniquely identifies a rule.

rule_  
type

string

Type of the rule. Possible values:

ACTIVITY_RULE
Activity rule type.
DLP
Data Loss Prevention (DLP) rule type.

scan_  
type

string

Scan mode for the rule evaluation. Possible values:

CHAT_SCAN_CONTENT_BEFORE_SEND
Scan type that stands for scanning Chat content before sending it out.
DRIVE_OFFLINE_SCAN
Scan type that stands for evaluating rules that were updated on all Drive items.
DRIVE_ONLINE_SCAN
Scan type that stands for evaluating rules on a single Drive item that was changed.

severity

string

Severity of violating a rule. Possible values:

HIGH
Severity of violating the rule is high.
LOW
Severity of violating the rule is low.
MEDIUM
Severity of violating the rule is medium.

space_  
id

string

ID of the space where the rule was triggered.

space_  
type

string

Type of space referred to by the space ID. Possible values:

CHAT_DIRECT_MESSAGE
Space type label when the space is a Chat direct message.
CHAT_EXTERNALLY_OWNED
Space type label when the conversation is owned by an external organization.
CHAT_GROUP
Space type label when the space is a Chat group.
CHAT_ROOM
Space type label when the space is a Chat room.

suppressed_  
actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_  
actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ rules 
  
?eventName= label_applied 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

DLP Rule applied Label {label_title} 
.

Label field value changed type

Audit event type which indicates label field value changed events. Events of this type are returned with type=label_field_value_changed_type .

Label field value changed

Audit event indicating label field value changed event.

Event details

Event name

label_field_value_changed

Parameters

actor_  
ip_  
address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_  
id

string

The unique identifier of a Google Meet conference.

data_  
source

string

Source of the data. Possible values:

ADMIN
Enum value of Admin data source.
CALENDAR
Enum value of Calendar data source.
CHAT
Enum value of Chat data source.
CHROME
Enum value of Chrome data source.
DEVICE
Enum value of Device data source.
DRIVE
Enum value of Drive data source.
GMAIL
Enum value of Gmail data source.
GROUPS
Enum value of Groups data source.
MEET
Enum value of Hangouts Meet data source.
RULE
Enum value of Rule data source.
USER
Enum value of User data source.
VOICE
Enum value of Voice data source.

device_  
id

string

ID of the device on which the action was triggered.

device_  
type

string

Type of device referred to by device ID. Possible values:

CHROME_BROWSER
Device type label when the device is a managed Chrome browser.
CHROME_OS
Device type label when the device is a managed Chrome OS device.
CHROME_PROFILE
Device type label when the device is a managed Chrome profile.

evaluation_  
context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_  
alert

boolean

Whether or not the triggered rule has alert enabled.

label_  
field

string

Field of the label to which the item belongs.

label_  
title

string

Title of the label to which the item belongs.

matched_  
detectors

message

A list of detectors that matched against the resource.

matched_  
threshold

string

Threshold that matched in the rule.

matched_  
trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

CALENDAR_EVENTS
Event label when the rule triggered because of a Calendar event.
CHAT_ATTACHMENT_UPLOADED
Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
CHAT_MESSAGE_SENT
Event label when the rule triggered because a Chat message containing sensitive info was sent.
CHROME_EVENTS
Event label when the rule triggered because of a Chrome event.
CHROME_FILE_DOWNLOAD
Event label when the rule triggered because a file was downloaded.
CHROME_FILE_UPLOAD
Event label when the rule triggered because a file was uploaded.
CHROME_WEB_CONTENT_UPLOAD
Event label when the rule triggered because web content was uploaded.
DEVICE_EVENTS
Event label when the rule triggered because of a Device event.
DRIVE_EVENTS
Event label when the rule triggered because of a Drive event.
DRIVE_SHARE
Event label when the rule triggered because a file was shared.
GMAIL_EVENTS
Event label when the rule triggered because of a Gmail event.
GROUPS_EVENTS
Event label when the rule triggered because of a Groups event.
MAIL_BEING_RECEIVED
Event label when the rule triggered because a message was received.
MAIL_BEING_SENT
Event label when the rule triggered because a message was sent.
MEET_EVENTS
Event label when the rule triggered because of a Meet event.
OAUTH_EVENTS
Event label when the rule triggered because of an OAuth event.
USER_EVENTS
Event label when the rule triggered because of a User event.
VOICE_EVENTS
Event label when the rule triggered because of a Voice event.

new_  
value

string

New value.

old_  
value

string

Old value.

resource_  
id

string

Identifier of the resource which matched the rule.

resource_  
owner_  
email

string

Email address of the owner of the resource.

resource_  
recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_  
recipients_  
omitted_  
count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_  
title

string

Title of the resource which matched the rule: email subject, or document title.

resource_  
type

string

Type of the resource which matched the rule. Possible values:

CHAT_ATTACHMENT
Chat attachment resource type.
CHAT_MESSAGE
Chat message resource type.
DEVICE
Device resource type.
DOCUMENT
Document resource type.
EMAIL
Email resource type.
USER
User resource type.

rule_  
name

string

Name of the rule.

rule_  
resource_  
name

string

Resource name that uniquely identifies a rule.

rule_  
type

string

Type of the rule. Possible values:

ACTIVITY_RULE
Activity rule type.
DLP
Data Loss Prevention (DLP) rule type.

scan_  
type

string

Scan mode for the rule evaluation. Possible values:

CHAT_SCAN_CONTENT_BEFORE_SEND
Scan type that stands for scanning Chat content before sending it out.
DRIVE_OFFLINE_SCAN
Scan type that stands for evaluating rules that were updated on all Drive items.
DRIVE_ONLINE_SCAN
Scan type that stands for evaluating rules on a single Drive item that was changed.

severity

string

Severity of violating a rule. Possible values:

HIGH
Severity of violating the rule is high.
LOW
Severity of violating the rule is low.
MEDIUM
Severity of violating the rule is medium.

space_  
id

string

ID of the space where the rule was triggered.

space_  
type

string

Type of space referred to by the space ID. Possible values:

CHAT_DIRECT_MESSAGE
Space type label when the space is a Chat direct message.
CHAT_EXTERNALLY_OWNED
Space type label when the conversation is owned by an external organization.
CHAT_GROUP
Space type label when the space is a Chat group.
CHAT_ROOM
Space type label when the space is a Chat room.

suppressed_  
actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_  
actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ rules 
  
?eventName= label_field_value_changed 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

DLP Rule changed the value of field {label_field} 
(Label: {label_title} 
) from ' {old_value} 
' to ' {new_value} 
'.

Label removed type

Audit event type which indicates label removed events. Events of this type are returned with type=label_removed_type .

Label removed

Audit event indicating label removed event.

Event details

Event name

label_removed

Parameters

actor_  
ip_  
address

string

IP of the entity who was responsible for the original event which triggered the rule.

conference_  
id

string

The unique identifier of a Google Meet conference.

data_  
source

string

Source of the data. Possible values:

ADMIN
Enum value of Admin data source.
CALENDAR
Enum value of Calendar data source.
CHAT
Enum value of Chat data source.
CHROME
Enum value of Chrome data source.
DEVICE
Enum value of Device data source.
DRIVE
Enum value of Drive data source.
GMAIL
Enum value of Gmail data source.
GROUPS
Enum value of Groups data source.
MEET
Enum value of Hangouts Meet data source.
RULE
Enum value of Rule data source.
USER
Enum value of User data source.
VOICE
Enum value of Voice data source.

device_  
id

string

ID of the device on which the action was triggered.

device_  
type

string

Type of device referred to by device ID. Possible values:

CHROME_BROWSER
Device type label when the device is a managed Chrome browser.
CHROME_OS
Device type label when the device is a managed Chrome OS device.
CHROME_PROFILE
Device type label when the device is a managed Chrome profile.

evaluation_  
context

message

Evaluation metadata, such as contextual messages used in a rule evaluation.

has_  
alert

boolean

Whether or not the triggered rule has alert enabled.

label_  
title

string

Title of the label to which the item belongs.

matched_  
detectors

message

A list of detectors that matched against the resource.

matched_  
threshold

string

Threshold that matched in the rule.

matched_  
trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

CALENDAR_EVENTS
Event label when the rule triggered because of a Calendar event.
CHAT_ATTACHMENT_UPLOADED
Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
CHAT_MESSAGE_SENT
Event label when the rule triggered because a Chat message containing sensitive info was sent.
CHROME_EVENTS
Event label when the rule triggered because of a Chrome event.
CHROME_FILE_DOWNLOAD
Event label when the rule triggered because a file was downloaded.
CHROME_FILE_UPLOAD
Event label when the rule triggered because a file was uploaded.
CHROME_WEB_CONTENT_UPLOAD
Event label when the rule triggered because web content was uploaded.
DEVICE_EVENTS
Event label when the rule triggered because of a Device event.
DRIVE_EVENTS
Event label when the rule triggered because of a Drive event.
DRIVE_SHARE
Event label when the rule triggered because a file was shared.
GMAIL_EVENTS
Event label when the rule triggered because of a Gmail event.
GROUPS_EVENTS
Event label when the rule triggered because of a Groups event.
MAIL_BEING_RECEIVED
Event label when the rule triggered because a message was received.
MAIL_BEING_SENT
Event label when the rule triggered because a message was sent.
MEET_EVENTS
Event label when the rule triggered because of a Meet event.
OAUTH_EVENTS
Event label when the rule triggered because of an OAuth event.
USER_EVENTS
Event label when the rule triggered because of a User event.
VOICE_EVENTS
Event label when the rule triggered because of a Voice event.

resource_  
id

string

Identifier of the resource which matched the rule.

resource_  
owner_  
email

string

Email address of the owner of the resource.

resource_  
recipients

string

A list of users that a Drive document or an email message was shared with when the rule was triggered.

resource_  
recipients_  
omitted_  
count

integer

The number of resource recipients omitted due to exceeding the size limit.

resource_  
title

string

Title of the resource which matched the rule: email subject, or document title.

resource_  
type

string

Type of the resource which matched the rule. Possible values:

CHAT_ATTACHMENT
Chat attachment resource type.
CHAT_MESSAGE
Chat message resource type.
DEVICE
Device resource type.
DOCUMENT
Document resource type.
EMAIL
Email resource type.
USER
User resource type.

rule_  
name

string

Name of the rule.

rule_  
resource_  
name

string

Resource name that uniquely identifies a rule.

rule_  
type

string

Type of the rule. Possible values:

ACTIVITY_RULE
Activity rule type.
DLP
Data Loss Prevention (DLP) rule type.

scan_  
type

string

Scan mode for the rule evaluation. Possible values:

CHAT_SCAN_CONTENT_BEFORE_SEND
Scan type that stands for scanning Chat content before sending it out.
DRIVE_OFFLINE_SCAN
Scan type that stands for evaluating rules that were updated on all Drive items.
DRIVE_ONLINE_SCAN
Scan type that stands for evaluating rules on a single Drive item that was changed.

severity

string

Severity of violating a rule. Possible values:

HIGH
Severity of violating the rule is high.
LOW
Severity of violating the rule is low.
MEDIUM
Severity of violating the rule is medium.

space_  
id

string

ID of the space where the rule was triggered.

space_  
type

string

Type of space referred to by the space ID. Possible values:

CHAT_DIRECT_MESSAGE
Space type label when the space is a Chat direct message.
CHAT_EXTERNALLY_OWNED
Space type label when the conversation is owned by an external organization.
CHAT_GROUP
Space type label when the space is a Chat group.
CHAT_ROOM
Space type label when the space is a Chat room.

suppressed_  
actions

message

A list of actions that were not taken due to other actions with higher priority.

triggered_  
actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ rules 
  
?eventName= label_removed 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

DLP Rule removed Label {label_title} 
.

Rule Match Type

Audit event type which inidicates rule matching events. Events of this type are returned with type=rule_match_type .

Rule Match

Audit event indicating rule match event.

Event details

Event name

rule_match

Parameters

actions

string

List of actions taken. Possible values:

AccountWipeMobileDevice
Account wipe mobile device action name.
ApproveMobileDevice
Approve mobile device action name.
BlockMobileDevice
Block mobile device action name.
FlagDocument
Action which indicates that the item was flagged.
SendNotification
Action which indicates that notification was sent.
UnflagDocument
Action which indicates that the item was unflagged.

application

string

Name of the application to which the flagged item belongs. Possible values:

drive
Application name for Google Drive.
mobile
Device Management app.

drive_  
shared_  
drive_  
id

string

Shared drive Id to which the drive item belongs, if applicable.

has_  
content_  
match

boolean

Whether the resource has content which matches the criteria in the rule. Possible values:

false
Boolean whose value is false.
true
Boolean whose value is true.

matched_  
templates

string

List of content detector templates that matched.

mobile_  
device_  
type

string

Type of device on which rule was applied.

mobile_  
ios_  
vendor_  
id

string

iOS Vendor Id of device on which rule was applied, if applicable.

resource_  
id

string

Identifier of the resource which matched the rule.

resource_  
name

string

Name of the resource which matched the rule.

resource_  
owner_  
email

string

Email address of the owner of the resource.

rule_  
id

integer

Unique identifier for a rule. Rules are created by admins in Google Workspace.

rule_  
name

string

Name of the rule.

rule_  
update_  
time_  
usec

integer

Update time (microseconds since epoch) indicating the version of rule which is used.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ rules 
  
?eventName= rule_match 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Rule matched

Rule trigger type

Audit event type which indicates rule triggered events. Events of this type are returned with type=rule_trigger_type .

Rule trigger

Audit event indicating rule triggered event.

Event details

Event name

rule_trigger

Parameters

data_  
source

string

Source of the data. Possible values:

ADMIN
Enum value of Admin data source.
CALENDAR
Enum value of Calendar data source.
CHAT
Enum value of Chat data source.
CHROME
Enum value of Chrome data source.
DEVICE
Enum value of Device data source.
DRIVE
Enum value of Drive data source.
GMAIL
Enum value of Gmail data source.
GROUPS
Enum value of Groups data source.
MEET
Enum value of Hangouts Meet data source.
RULE
Enum value of Rule data source.
USER
Enum value of User data source.
VOICE
Enum value of Voice data source.

matched_  
threshold

string

Threshold that matched in the rule.

matched_  
trigger

string

Trigger of the rule evaluation: email sent or received, document shared. Possible values:

CALENDAR_EVENTS
Event label when the rule triggered because of a Calendar event.
CHAT_ATTACHMENT_UPLOADED
Event label when the rule triggered because a Chat attachment containing sensitive info was uploaded.
CHAT_MESSAGE_SENT
Event label when the rule triggered because a Chat message containing sensitive info was sent.
CHROME_EVENTS
Event label when the rule triggered because of a Chrome event.
CHROME_FILE_DOWNLOAD
Event label when the rule triggered because a file was downloaded.
CHROME_FILE_UPLOAD
Event label when the rule triggered because a file was uploaded.
CHROME_WEB_CONTENT_UPLOAD
Event label when the rule triggered because web content was uploaded.
DEVICE_EVENTS
Event label when the rule triggered because of a Device event.
DRIVE_EVENTS
Event label when the rule triggered because of a Drive event.
DRIVE_SHARE
Event label when the rule triggered because a file was shared.
GMAIL_EVENTS
Event label when the rule triggered because of a Gmail event.
GROUPS_EVENTS
Event label when the rule triggered because of a Groups event.
MAIL_BEING_RECEIVED
Event label when the rule triggered because a message was received.
MAIL_BEING_SENT
Event label when the rule triggered because a message was sent.
MEET_EVENTS
Event label when the rule triggered because of a Meet event.
OAUTH_EVENTS
Event label when the rule triggered because of an OAuth event.
USER_EVENTS
Event label when the rule triggered because of a User event.
VOICE_EVENTS
Event label when the rule triggered because of a Voice event.

rule_  
name

string

Name of the rule.

rule_  
resource_  
name

string

Resource name that uniquely identifies a rule.

rule_  
type

string

Type of the rule. Possible values:

ACTIVITY_RULE
Activity rule type.
DLP
Data Loss Prevention (DLP) rule type.

severity

string

Severity of violating a rule. Possible values:

HIGH
Severity of violating the rule is high.
LOW
Severity of violating the rule is low.
MEDIUM
Severity of violating the rule is medium.

triggered_  
actions

message

A list of actions that were taken as a consequence of the rule being triggered.

Sample request

GET https://admin.googleapis.com  
/admin  
/reports  
/v1  
/activity  
/users  
/all  
/applications  
/ rules 
  
?eventName= rule_trigger 
  
&maxResults=10  
&access_token= YOUR_ACCESS_TOKEN

Admin Console message format

Rule triggered

Rules Audit Activity Events Stay organized with collections Save and categorize content based on your preferences.

Action complete type

Action complete

Label applied type

Label applied

Label field value changed type

Label field value changed

Label removed type

Label removed

Rule Match Type

Rule Match

Rule trigger type

Rule trigger

Rules Audit Activity Events