User reports: Security

View your users' account settings and exposure to security risks

As your organization's administrator, you can monitor your users' exposure to data compromise by opening a security report. The security report gives you a comprehensive view of how people share and access data and whether they take appropriate security precautions. You can also see who installs external apps, shares a lot of files, skips 2-Step Verification, uses security keys, and more. 

Step 1: Open your Security report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. On the left, go to Reportingand thenReportsand thenUser Reports and click Security. For details, see Step 2: Understand security reports data.

Step 2: Understand security reports data

General
Report column Description
External apps Number of third-party applications authorized to access the user's data.
Note: To view application names for each user and revoke the access of external apps, see View user security settings and revoke access.
2-Step verification enrollment

Number of users in your domains who are enrolled in 2-Step Verification. 

Note: This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, see View user security settings and revoke access..

2-Step verification enforcement Number of users in your domains who are required to be enrolled in 2-Step Verification.
Password length compliance Whether the user is compliant or non-compliant with password-length requirements. For instructions on setting password requirements, see Enforce and monitor users' password requirements.
Password strength Whether the user has a strong or weak password based on the password requirements set by an administrator. For instructions on setting password requirements, see Enforce and monitor users' password requirements.
User account status

User’s account status (Active, Blocked, or Suspended).

  • A blocked user has violated the Terms of Service. Our systems automatically suspend them and mark them Abusive. For more information, you can contact Support.
  • A suspended user has an account that has been temporarily disabled by an administrator. As an administrator, you can suspend a user account without deleting the domain profile or associated information, such as documents and presentations. Suspended users can't sign in until an administrator has restored the suspended user account.
Admin status User's administrative access (Super Admin, Delegated Admin, or None).
Less secure apps access Whether the user has the option to block or allow (Allowed or Denied​) less secure app access to their own accounts.
Gmail (G Suite only)
Report column Description
Gmail (POP) Last used time Last time the user used a Post Office Protocol (POP) access Gmail.
Gmail (IMAP) Last used time Last time the user used Internet Message Access Protocol (IMAP) mail server access Gmail.
Gmail (Web) Last used time Last time the user used web-based Gmail. Note that this timestamp is not synced with the Last Login timestamp.
Drive (G Suite only)

The new metrics definitions include “added”. This differs from previous metrics because it counts when “addition” events occur. Addition type events include creating a file, uploading, untrashing, or ownership transfer. This activity gets reported regardless of the final state of the item. Multiple addition events to the same file do not increment the count.

 

Report column Description
External shares Number of external file sharing events performed by the user.
Internal shares Number of internal file sharing events performed by the user.
Public  Number of files that are made publicly available.
Anyone with link Number of Drive made available to anyone with the link.
Anyone in the domain with link Number of Drive files that are shared with anyone in the domain with link.
Visible to anyone with link in domain Number of Drive files the user has that are visible to anyone in your domain who has the link.
Outside Domain Number of Drive files shared explicitly with individuals or groups outside the domain.
Inside Domain Number of Drive files that are shared explicitly with a user or group within the domain.
Private  Number of Drive files that are not shared at all.

Step 3: Change the data you see in the chart

  1. Open your report as shown above.
  2. Next to the title above the chart, click the Down arrow Down Arrow .
  3. Select an option from the list or click a column in the table.
  4. Hover your cursor over any point in the chart to see specific data over the timeline.

Step 4: Change the data you see in reports

  1. Open your report as shown above.
  2. On the toolbar, click Select reports "" to view all available columns.
  3. Click the box next to each column you want to display and click Apply.
You'll see the same columns the next time you open this report.

Step 5: Customize and export your report data

Filter the report data by user or activity

You can narrow your report to show specific events or users. For example, you can create a filter to find all users who are using 2-Step Verification. Or, you can create a filter to list people who share a lot of external links.

  1. Open your report as shown above.
  2. If you don't see the Filters section, on the toolbar, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the report.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your report as described above.
  2. At the top of the report, select an organizational unit from the list.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Filter by group

You can also filter the data in your report by group. Before a group will appear in this filter, you'll need to whitelist that group:

  1. Open your report as described above.
  2. At the top of the report, click Group filter.
  3. Click Whitelist groups.
    The Whitelist groups page is displayed.
  4. Click ADD GROUPS.
  5. Choose from the list of groups, or enter text to search for a group name.
  6. Click ADD to add specific groups to the list.
  7. Click SAVE.
  8. To customize your report data, return to your report, and click Group filter to filter by group.
    Note: After you add a group to the whitelist, changes may take up to 24 hours to propagate.

Show data for a particular date

Select View by date and use the date selector to show data for a particular date, or select Latest to show the latest available data for each application. Many metrics are available for the past 6 months, although some are available for a shorter time.

Export your report data

You can export your report data to a Google Sheet, or download it as a CSV file.

  1. Open your report as shown above.
  2. (Optional) To change the data to include in your export, on the toolbar, click Select reports "" to view all available columns.
  3. Click the box next to each column with data you want to export and click Apply.
  4. On the toolbar, click Download "".

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select.

How old is the data I'm seeing?

You won’t see complete data up to the present day. Instead, under the graph heading you'll see the latest date for the column data. The table under the graph shows 1-day data for the latest date.

Occasionally, you'll see an asterisk "*" next to a column name. This indicates that the data in this particular column might be stale compared to the data in other columns on the same page.

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Was this helpful?
How can we improve it?