# 2 Alert recipient hygiene + suspicious-login alerts

> v0.1.2 · role: Detect · [policy: #33 · #11](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Google raises security alerts of its own — suspicious logins, leaked passwords, compromised devices, admin-privilege changes — through system-defined rules that are already active. This control points those rules at a monitored mailbox with a named owner instead of the default 'all super admins', and fixes the organisation's admin contact addresses so Google's own notifications do not land in a departed admin's inbox. The detection already exists; the usual failure is that nobody receives it.

Documentation: [About the alert center](https://knowledge.workspace.google.com/admin/security/about-the-alert-center)

## Caveats

- Alerts default to every super admin — a recipient list that broad means nobody owns it, and nobody reads it.
- Rule recipients must be users in your own domain — external addresses are not accepted. A Google Group only receives the alerts if its access settings allow senders from outside the organisation; a freshly created restricted group, or one that files Google's mail into a folder, silently drops them — test the whole path with a synthetic trigger (№52).
- Turning a rule off only hides it from the alert center — the underlying event is still written to the audit logs, so you lose the alert, not the evidence.

## Setup steps

1. Open the alert center and confirm alerts are actually arriving (an empty alert board on a live tenant usually means the alert routing is misconfigured — not that nothing is happening). — `Security › Alert center`

   - **Filter** = last 30 days, all severities

   docs: [Use the alert center](https://knowledge.workspace.google.com/admin/security/use-the-alert-center)

2. On the Rules page, open the system-defined rules for suspicious login, leaked password, device compromised and user granted Admin privilege. — `Rules`

   - **Status** = Active
   - **Alert center** = On

   docs: [View and edit system-defined rules](https://knowledge.workspace.google.com/admin/reports/view-and-edit-system-defined-rules)

3. Replace the default 'all super admins' recipients with a monitored distribution address that a human reads, and remove ex-admins. — `Rules › <rule> › Actions`

   - **Email notifications** = On
   - **Recipients** = security-alerts@<domain> (monitored group whose access settings allow senders from outside the organisation)

   docs: [Configure alert center email notifications](https://knowledge.workspace.google.com/admin/security/configure-alert-center-email-notifications)

4. Check the organisation's admin contact addresses so Google's own notifications do not fall into a departed admin's mailbox. — `Account › Account settings › Profile`

   - **Secondary email** = a monitored address outside your Workspace domain (the console rejects in-domain addresses here)

   docs: [Ensure you receive critical notifications and updates for your Google Workspace account](https://knowledge.workspace.google.com/admin/getting-started/ensure-you-receive-critical-notifications-and-updates-for-your-google-workspace-account)

## Ongoing maintenance

- **[requires a human]** Quarterly: re-check rule recipients after admin departures — alerts routed to a leaver’s mailbox fail silently.
- **[automatable: AI agent]** Weekly: review the alert center for unhandled alerts.

## How to verify

1. Trigger a harmless rule (e.g. sign in from a fresh browser profile to raise a suspicious-login event) and confirm the alert reaches the monitored mailbox.

2. Read the recipient list on each system-defined rule in Rules — every alert should route to the monitored security address.

## Settings screens

- Security > Alert center
  - console: https://admin.google.com/ac/ac
  - screenshot: ../screenshots/admin.google.com/ac/ac.png
- Rules (system-defined alert rules)
  - console: https://admin.google.com/ac/ax
  - screenshot: ../screenshots/admin.google.com/ac/ax.png
- Account > Account settings > Profile (organisation contact / admin notification addresses)
  - console: https://admin.google.com/ac/accountsettings/profile
  - screenshot: ../screenshots/admin.google.com/ac/accountsettings/profile.png
