GAT+ has an alarms feature which assists Admins by detecting unusual behaviour on their Google Apps domain. The alarms report is run every time an Admin logs into GAT or when a scheduled job is run against the domain.
Because every domain has different ‘normal’ behaviour, we allow Admins to set the variable thresholds on the alerts so that these are configured to best suit the circumstances of each particular domain.
We also recognize that not every feature we alarm for is an alarm the Admin wants or needs to receive, which is why you can turn them off individually by toggling ‘Enable alarms’.
You can set up different alarms for each user OU you have.
The alarms are self-explanatory; however, one worth drawing attention to is ‘alert on new IP address with negative logins’. This alarm combines two pieces of information: it is the first time the domain has been accessed from this IP address, and the login failed. The combination of these two details might indicate a high level of risk that this is the start of a break-in attempt.
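The combined condition described above, sketched as an added example (this is not GAT+ code). The event fields, function name and sample logins are constructed for illustration, and it assumes an IP address counts as seen after its first login attempt, whether or not that attempt succeeded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    timestamp: str  # ISO 8601 UTC, so string order equals time order
    user: str
    ip: str
    success: bool


def new_ip_failed_logins(events, known_ips=()):
    """Return events where the IP is new to the domain AND the login failed.

    known_ips holds addresses already seen before this batch of events.
    """
    seen = set(known_ips)
    alerts = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        first_time = ev.ip not in seen
        seen.add(ev.ip)  # assumption: any attempt marks the IP as seen
        if first_time and not ev.success:
            alerts.append(ev)
    return alerts


# Constructed sample logins using documentation-only IP ranges.
SAMPLE_EVENTS = [
    # New IP, but the login succeeded: no alert.
    LoginEvent("2024-03-01T08:00:00Z", "alice", "192.0.2.10", True),
    # Failed login from an IP seen five minutes earlier: no alert.
    LoginEvent("2024-03-01T08:05:00Z", "alice", "192.0.2.10", False),
    # First appearance of this IP and the login failed: alert.
    LoginEvent("2024-03-01T09:00:00Z", "bob", "203.0.113.7", False),
    # Same IP failing again: already seen, so no second alert.
    LoginEvent("2024-03-01T09:01:00Z", "bob", "203.0.113.7", False),
    # Failed login from an IP that is only new if no history is supplied.
    LoginEvent("2024-03-01T09:30:00Z", "carol", "198.51.100.4", False),
]

if __name__ == "__main__":
    for alert in new_ip_failed_logins(SAMPLE_EVENTS, known_ips={"198.51.100.4"}):
        print(f"ALERT {alert.timestamp} {alert.user} failed login from new IP {alert.ip}")
```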
Note: ‘Alert when account idle for a period greater than XX days is used again’ will also trigger when a previously un-accessed delegated account has been accessed by one of the delegates OR when an email is sent which includes that account as a ‘from’ address.