← All controls

2 Alert recipient hygiene + suspicious-login alerts

Google raises security alerts of its own — suspicious logins, leaked passwords, compromised devices, admin-privilege changes — through system-defined rules that are already active. This control points those rules at a monitored mailbox with a named owner instead of the default 'all super admins', and fixes the organisation's admin contact addresses so Google's own notifications do not land in a departed admin's inbox. The detection already exists; the usual failure is that nobody receives it.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Security > Alert center

    https://admin.google.com/ac/ac · captured 2026-07-15

    Security › Alert center
    Filter
    last 30 days, all severities

    Use the alert center ↗

  2. open ↗
    Admin console screen — Rules (system-defined alert rules)

    https://admin.google.com/ac/ax · captured 2026-07-15

    Rules
    Status
    Active
    Alert center
    On

    View and edit system-defined rules ↗

  3. Rules › <rule> › Actions
    Email notifications
    On
    Recipients
    security-alerts@<domain> (monitored group whose access settings allow senders from outside the organisation)

    Configure alert center email notifications ↗

  4. open ↗ Account › Account settings › Profile
    Secondary email
    a monitored address outside your Workspace domain (the console rejects in-domain addresses here)

    Ensure you receive critical notifications and updates for your Google Workspace account ↗

Ongoing maintenance

How to verify

  1. Trigger a harmless rule (e.g. sign in from a fresh browser profile to raise a suspicious-login event) and confirm the alert reaches the monitored mailbox.

  2. Read the recipient list on each system-defined rule in Rules — every alert should route to the monitored security address.

v0.1.2Detect policy #33 · #11 ↗