# 52 Alert-pipeline heartbeat

> v0.1.2 · role: Assure · [policy: #33 · #12, #11](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A synthetic event is fired on a fixed cadence through each alerting path, and a watcher pages when the expected alert fails to arrive inside its window. Detection pipelines fail silently — a rule edited, a recipient group emptied, a mail filter added — and a dead detector looks exactly like a quiet week. The heartbeat is what tells the two apart.

Documentation: [About the alert center](https://knowledge.workspace.google.com/admin/security/about-the-alert-center)

## Caveats

- A heartbeat proves the pipeline is alive, not that any detection logic is correct — a green heartbeat with a broken rule is still a blind spot.
- Suppressing the heartbeat alert to reduce noise silently defeats the control — keep it visible, or assert on the delivery channel instead.
- Activity rules are available in all editions, but the per-event notification the heartbeat relies on ('Get a notification every time an event occurs') needs Enterprise Standard+, Education Plus, Frontline Plus, Enterprise Essentials Plus, Cloud Identity Premium or Chrome Enterprise Premium (№61 hits the same gate) — on other editions, run the heartbeat as a scheduled query on the exported logs (№31) instead.

## Setup steps

1. Create a low-noise activity rule whose condition a scheduled synthetic event will deliberately trip (e.g. a login-audit event on a dedicated heartbeat account). — `Rules › Create rule › Activity`

   - **Action** = Send to alert center + email notification to selected admin accounts (non-admin/external recipients must be reached via a Google Group)
   - **Severity** = Low

   docs: [Create and manage activity rules](https://knowledge.workspace.google.com/admin/security/create-and-manage-activity-rules)

2. Schedule the synthetic trigger (cron/Apps Script/CI) so it fires the event on a fixed cadence, e.g. every 24h.

   - **Cadence** = daily, fixed UTC hour

   docs: [Installable Triggers](https://developers.google.com/apps-script/guides/triggers/installable)

3. Assert receipt: a watcher checks the alert/mail arrived inside the expected window and pages if it did not.

   - **Missing heartbeat within window** = page on-call ('the detector is dead')

   docs: [Alert Center API overview](https://developers.google.com/workspace/admin/alertcenter/guides)

4. Confirm the heartbeat alert lands in the alert center feed and is filterable/suppressible without silencing the rest of the rule set. — `Security › Alert center`

## Ongoing maintenance

- **[automatable: script]** Daily/weekly per design: the heartbeat itself runs and a missing beat pages someone.
- **[requires a human]** Per missing beat: investigate which stage of the pipeline dropped it.

## How to verify

1. Trigger the synthetic event and confirm the alert lands in the monitored mailbox within the expected window — an alert pipeline is only verified by an alert.

## Settings screens

- Rules (Admin Console Home > Rules)
  - console: https://admin.google.com/ac/ax
  - screenshot: ../screenshots/admin.google.com/ac/ax.png
- Security > Alert center
  - console: https://admin.google.com/ac/ac
  - screenshot: ../screenshots/admin.google.com/ac/ac.png
