# 61 Audit-the-auditors alerting

> v0.1.3 · role: Detect · edition: Rules: all editions; Vault log events need a Vault license · [policy: #30 · #18, #31](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Vault searches and exports, investigation-tool queries and mailbox-delegation grants are the lawful privileged reads: they are how someone with legitimate access reads everyone else's mail without breaking anything. Activity rules on Vault log events and Admin log events raise a high-severity alert whenever they happen, routed to a recipient who is not an auditor or Vault admin — self-notification is not oversight.

## Caveats

- A rule that notifies the auditors about the auditors is theatre — the recipient must sit outside the group being watched.
- A Vault admin with rule-edit privilege can disable the rule that watches them — pair this with the config-drift sentinel (№59).
- Basic activity rules are available in all editions, but Vault log events need a Vault add-on license and the investigation tool needs Enterprise Standard+, Frontline Standard+, Education Standard+ or Cloud Identity Premium — without those this control is partially blind.

## Setup steps

1. Open Audit and investigation and pick the data source that records auditor behaviour: Vault log events (exports, holds, searches), Admin log events (privilege grants), Gmail log events (delegate activity, via the Delegate attribute). — `Reporting › Audit and investigation`

   - **Data source** = Vault log events

   docs: [Vault log events](https://knowledge.workspace.google.com/admin/reports/vault-log-events)

2. Create an activity rule on Vault log events for search/export/hold-change actions — the people who can read everything must be the most-watched. — `Rules › Create rule › Activity`

   Condition: Vault event in {search, export, hold created/deleted}; Severity = High

   docs: [Create and manage activity rules](https://knowledge.workspace.google.com/admin/security/create-and-manage-activity-rules)

3. Add rules for the other two auditor behaviours: investigation-tool use in Admin log events, and delegate activity in Gmail log events — filter on the Delegate / Has delegate attributes to catch actions performed through a delegated mailbox. — `Rules › Create rule › Activity`

   Rule: Admin log events, investigation-tool query; Rule: Gmail log events, Has delegate = true; Severity = High

   docs: [Admin log events](https://knowledge.workspace.google.com/admin/reports/admin-log-events) · [Gmail log events](https://knowledge.workspace.google.com/admin/reports/gmail-log-events)

4. Route both rules to a recipient who is NOT an auditor/Vault admin — self-notification is not oversight.

   - **Recipients** = oversight alias outside the Vault admin group

5. Trigger one benign Vault search and confirm the alert lands in the alert center and in the oversight mailbox. — `Security › Alert center`

   docs: [About the alert center](https://knowledge.workspace.google.com/admin/security/about-the-alert-center)

## Ongoing maintenance

- **[requires a human]** Weekly: review auditor-activity alerts — the point is that someone other than the auditor reads them.

## How to verify

1. Perform a benign privileged audit action (e.g. an investigation-tool search) and confirm the corresponding alert fires to the second-person channel.

## Settings screens

- Rules > Create rule > Activity
  - console: https://admin.google.com/ac/ax
  - screenshot: ../screenshots/admin.google.com/ac/ax.png
- Reporting > Audit and investigation (Vault / Admin / Gmail log events)
  - console: https://admin.google.com/ac/sc/investigation
  - screenshot: ../screenshots/admin.google.com/ac/sc/investigation.png
- Security > Alert center (verify the rule fires here)
  - console: https://admin.google.com/ac/ac
  - screenshot: ../screenshots/admin.google.com/ac/ac.png
