← All controls

61 Audit-the-auditors alerting

Vault searches and exports, investigation-tool queries and mailbox-delegation grants are the lawful privileged reads: they are how someone with legitimate access reads everyone else's mail without breaking anything. Activity rules on Vault log events and Admin log events raise a high-severity alert whenever they happen, routed to a recipient who is not an auditor or Vault admin — self-notification is not oversight.

Caveats

Setup steps

  1. open ↗ Reporting › Audit and investigation
    Data source
    Vault log events

    Vault log events ↗

  2. open ↗
    Admin console screen — Rules > Create rule > Activity

    https://admin.google.com/ac/ax · captured 2026-07-15

    Rules › Create rule › Activity

    Condition: Vault event in {search, export, hold created/deleted}; Severity = High

    Create and manage activity rules ↗

  3. Rules › Create rule › Activity

    Rule: Admin log events, investigation-tool query; Rule: Gmail log events, Has delegate = true; Severity = High

    Admin log events ↗ Gmail log events ↗

  4. Recipients
    oversight alias outside the Vault admin group
  5. open ↗
    Admin console screen — Security > Alert center (verify the rule fires here)

    https://admin.google.com/ac/ac · captured 2026-07-15

    Security › Alert center

    About the alert center ↗

Ongoing maintenance

How to verify

  1. Perform a benign privileged audit action (e.g. an investigation-tool search) and confirm the corresponding alert fires to the second-person channel.

v0.1.3Detectedition Rules: all editions; Vault log events need a Vault license policy #30 · #18, #31 ↗